
So I got my first hack attempt notification... My concerns...


HugeServer
30-06-2010, 17:07
Quote Originally Posted by fozl
I'll certainly suggest it, would be good to have a way to avoid another customer contacting us to report 500GB of porn has appeared on their server since they don't know when.
Could anybody translate what Fozl said for me? I am unfortunately not able to understand it. Is that the answer to my question?

fozl
30-06-2010, 09:26
Quote Originally Posted by HugeServer
You know that this port "445" is a special port, and these port scans from this port are just because of a bug in Windows servers (VMs). Why don't you want to help your customers?
I'll certainly suggest it, would be good to have a way to avoid another customer contacting us to report 500GB of porn has appeared on their server since they don't know when.

HugeServer
29-06-2010, 18:29
Quote Originally Posted by marks
We don't block anything (except the IRC port). Port scanning can be done from any port.
It's up to the administrator to block what they don't want.
You know that this port "445" is a special port, and these port scans from this port are just because of a bug in Windows servers (VMs). Why don't you want to help your customers?

marks
29-06-2010, 16:52
Quote Originally Posted by HugeServer
I have an important question:

Why don't you (OVH) block outgoing/incoming traffic on this port: 445? This port is usually the cause of port scanning in Windows VMs.

Could you please answer it?
We don't block anything (except the IRC port). Port scanning can be done from any port.

It's up to the administrator to block what they don't want.

HugeServer
29-06-2010, 16:41
Quote Originally Posted by fozl
Hm... well, I'll forward your suggestion.
Dear Fozl,

Did you get any reply to this suggestion? Could OVH please do it for us?

Andy
26-06-2010, 09:43
I'm using a bridged connection, the virtual machine is transparent to the host at all times. This is the point I'm trying to get across, the host machine can never be the issue.

freshwire
26-06-2010, 04:26
Quote Originally Posted by Andy
Clever malware can bypass firewalls. If it were blocked at a router level, they could not bypass it.
It is a virtual machine, yes? Have your host OS act as firewall/gateway to your virtual machines. I would like to see your malware break out of the virtual machine and bypass the host firewall.

Andy
24-06-2010, 14:08
That's all I ask. Thank you.

Remember firewalls are for professional use, not just blocking scans.

fozl
24-06-2010, 14:07
Quote Originally Posted by Andy
Not if you block based on MAC address like the IRC block does.
Hm... well, I'll forward your suggestion.

Andy
24-06-2010, 14:06
Not if you block based on MAC address like the IRC block does.

fozl
24-06-2010, 14:05
Quote Originally Posted by Andy
Clever malware can bypass firewalls. If it were blocked at a router level, they could not bypass it.
Blocking at the router level... that would affect other customers on the router. Perhaps you want to consider hardware firewalls?
http://forum.ovh.co.uk/showthread.php?t=4260

Or virtual racks...
http://www.ovh.co.uk/items/virtual_rack.xml

Andy
24-06-2010, 14:01
Clever malware can bypass firewalls. If it were blocked at a router level, they could not bypass it.

fozl
24-06-2010, 14:00
Quote Originally Posted by Andy
Marks - Would it not be an idea to let the customer be able to block ports they want to as well? Leave all open as default (except IRC) and allow up to, say, 10 ports to be blocked?

I know it's our fault but it's also your problem at the same time to have ways to prevent it. I know scanning isn't causing a network issue, it's the simple principle of it, so allow us a way to stop it from even happening to begin with?

Any word on whether you will only ever block the Virtual Machine IP and not the host?
We already only block VM IPs and not the host, except in exceptional circumstances. Not sure I understand your point about customers being able to block ports, as you can do that already quite easily by configuring your firewall.

Andy
24-06-2010, 12:24
Marks - Would it not be an idea to let the customer be able to block ports they want to as well? Leave all open as default (except IRC) and allow up to, say, 10 ports to be blocked?

I know it's our fault but it's also your problem at the same time to have ways to prevent it. I know scanning isn't causing a network issue, it's the simple principle of it, so allow us a way to stop it from even happening to begin with?

Any word on whether you will only ever block the Virtual Machine IP and not the host?

marks
24-06-2010, 10:50
Quote Originally Posted by HugeServer
Hmmm,

Is there any answer to the questions we asked? About blocking this port from the Manager? Can OVH do that for the servers to get better quality in the network and less port scanning from the Windows VMs?
What makno said is right: we give unrestricted root access to the server, that's the product we provide. And that's what most of the customers are looking for: something they can fully manage themselves.

There is only 1 exception for dedicated servers: the IRC port, for the ridiculously high number of attacks done through it. For the minicloud, the SMTP port is also blocked. That's all.

Furthermore, there is no way to block scans; they can be done using any port, to any port, no matter what. The only thing we do is, as soon as we detect this sort of traffic, we mark the server as hacked and contact the customer.

HugeServer
23-06-2010, 18:07
Hmmm,

Is there any answer to the questions we asked? About blocking this port from the Manager? Can OVH do that for the servers to get better quality in the network and less port scanning from the Windows VMs?

Winit
21-06-2010, 21:48
Quote Originally Posted by Thelen
Further evidence that you, sir, are an *****. On anything exposed to the internet that runs windows or has windows API access to the system, you either need a FW or NAT with carefully controlled ports.
Ah, I agree. Windows firewall is enough. Server 2008 is even more of an improvement.

No need to splash out on third party products.

Myatu
20-06-2010, 17:53
Quote Originally Posted by makno
On a side note, I got 2 emails from OVH stating that 2 of my failover IPs are sending excessive ARP requests, and none of them has Windows machines running; actually one of them was unable to connect to the internet but was still sending ARP requests. I'm puzzled by that.
Doesn't have to be Windows. One of mine's been doing that without my knowledge, and it turns out to be buggy firewall/router software that's unwilling to accept my gateway settings (so for *every* IP it sends out an ARP who-has request).

So double check your gateway settings to begin with. You can also monitor ARP traffic from the host machine with "tcpdump -ni eth0 arp" (or use "vmbr0" instead of "eth0" for Proxmox). You should see who-has requests for local IPs.

HugeServer
20-06-2010, 13:28
Quote Originally Posted by Andy
Yeah, but IRC port is blocked. Why not do the same for this port and give the same option as the IRC and allow you to unblock it if you want? It might stop some of the frustrations...
Yes, what you said is the best way to control this port scanning from the Windows 2003 VMs, as we cannot check all of the VMs to be sure that they are running a firewall.

PS. I got one of my servers closed (not ftp_rescue) because of only one of these port scans...

Andy
20-06-2010, 13:22
Yeah, but IRC port is blocked. Why not do the same for this port and give the same option as the IRC and allow you to unblock it if you want? It might stop some of the frustrations...

makno
20-06-2010, 13:21
I think the answer is simple: you get a dedicated server and you should be able to use every single aspect of it, including ports, even if they are vulnerable.

HugeServer
20-06-2010, 13:19
I have an important question:

Why don't you (OVH) block outgoing/incoming traffic on this port: 445? This port is usually the cause of port scanning in Windows VMs.

Could you please answer it?

makno
20-06-2010, 12:29
On a side note, I got 2 emails from OVH stating that 2 of my failover IPs are sending excessive ARP requests, and none of them has Windows machines running; actually one of them was unable to connect to the internet but was still sending ARP requests. I'm puzzled by that.

Thelen
20-06-2010, 12:26
Quote Originally Posted by Winit
You failed to patch the box before you browsed the WWW using IE6?
You ran an ActiveX control?
You ran an executable?
Clearly staying on IE6 by definition means it would not be fully patched.

You are such a troll, you don't contribute anything but criticism and useless suggestions.

Quote Originally Posted by Winit
I give up. :P

A/V + F/W = unnecessary.
Further evidence that you, sir, are an *****. On anything exposed to the internet that runs windows or has windows API access to the system, you either need a FW or NAT with carefully controlled ports.

Winit
20-06-2010, 11:44
I give up. :P

A/V + F/W = unnecessary.

Andy
19-06-2010, 23:15
Yes, I agree that by not using antivirus or a firewall I deserved it, but it was a virtual machine for this exact purpose: if anything happened it wouldn't matter. However, it does go to show how easy it is to be compromised simply by using IE and the spyware auto-installing itself.

rickyday
19-06-2010, 21:02
That will teach you, Andy. Next time please use IE 5.

freshwire
19-06-2010, 21:02
Quote Originally Posted by Andy
due to me not installing a firewall or anti virus/anti malware software
While the OVH policy is flawed, the above makes me think you deserve what you got.

Quote Originally Posted by Andy
Pretty hard to secure a box from spyware picked up from an IE6 installation
Really? You pretty much got the right idea above. A decent firewall would block the outgoing connections.

Winit
19-06-2010, 20:13
Quote Originally Posted by Andy
Pretty hard to secure a box from spyware picked up from an IE6 installation...
You failed to patch the box before you browsed the WWW using IE6?
You ran an ActiveX control?
You ran an executable?

Myatu
19-06-2010, 19:53
Quote Originally Posted by Neil
We DO block individual IPs, and have done for some time. If your server is disabled completely then it is for one of two reasons:

1) The host OS has been compromised.
2) More than 1 IP is performing attacks, like 4 or 5, showing the owner of the server has no knowledge or does not care what the server does.
To Neil's / OVH's credit, I did receive a warning about excessive ARP requests originating from one of my failover IPs, and they didn't kill the whole server. Not compromised, just a buggy piece of firewall/router software, but still...

yonatan
19-06-2010, 19:32
Quote Originally Posted by Andy
Not hacked, compromised by whatever website was visited using it.
If you must keep IE6, I recommend you use NOD32 as your protection; it has a great HTTP filter which keeps most of these buggers away.

Andy
19-06-2010, 18:57
Not hacked, compromised by whatever website was visited using it.

RapidSeeds
19-06-2010, 18:40
IE6 hacked after a week, why am I not surprised.

Andy
18-06-2010, 20:10
Pretty hard to secure a box from spyware picked up from an IE6 installation... No machines I have use IE6 but I needed IE6 to check some sites, that being the only reason I installed it.

Winit
18-06-2010, 20:01
Tip) Learn to secure a box and avoid the OVH hassle entirely.

Neil
18-06-2010, 13:01
Quote Originally Posted by HandsomeChap
With regards to VMs, surely it's time to come into the 21st century?

Is this not like renting an entire rack pre-virtualisation, having one client's server be naughty and then shutting down the entire rack as a response?

Obviously if an IP misbehaves then block the IP, inform the OVH client, wait for the client's response, deem the matter solved/unsolved and get on with life. I think 2 strikes and you're out is excessive; if that is the case and OVH are unhappy at a less strict policy, perhaps at least if a misdemeanor happens there could be a cooling-off period, say 30 days, during which this info is held and then the 'strike' is removed, maybe? Just my thoughts.
We DO block individual IPs, and have done for some time. If your server is disabled completely then it is for one of two reasons:

1) The host OS has been compromised.
2) More than 1 IP is performing attacks, like 4 or 5, showing the owner of the server has no knowledge or does not care what the server does.

HandsomeChap
18-06-2010, 12:53
With regards to VMs, surely it's time to come into the 21st century?

Is this not like renting an entire rack pre-virtualisation, having one client's server be naughty and then shutting down the entire rack as a response?

Obviously if an IP misbehaves then block the IP, inform the OVH client, wait for the client's response, deem the matter solved/unsolved and get on with life. I think 2 strikes and you're out is excessive; if that is the case and OVH are unhappy at a less strict policy, perhaps at least if a misdemeanor happens there could be a cooling-off period, say 30 days, during which this info is held and then the 'strike' is removed, maybe? Just my thoughts.

Andy
18-06-2010, 12:33
Thank you marks, I knew I could count on you.

The root account was not "compromised"; it simply had malware in some form installed through an IE6 vulnerability. It was scanning for machines it could compromise itself and spread to. The machine and its disk have since been deleted.

However, this was an accident due to me not installing a firewall or anti virus/anti malware software. I fail to see how a recurrence of an issue should determine if the host server is taken offline or not, when it's a virtual machine that is the problem.

Think of it this way, what if the virtual machine was a client of mine using it for whatever, and then later it was given to another client, unaware of previous problems. Should that new client then cause the entire host to go offline? No, it shouldn't.

In cases where the host machine is compromised I fully understand the issue, but when it's a virtual machine, a simple block and an e-mail stating it is blocked due to a hack attempt is as far as it needs to go.

Perhaps in the case of hackers using the machines for their purposes, a "time delay" should be added, so if a hack attempt occurs more than x times in x amount of days, then it can be decided that the host as a whole is a problem?

Please pass on my suggestions.

marks
18-06-2010, 12:17
The state Andy's machine was in is "semi-hacked", which is when the main server's root account has not been compromised. In your case, probably the root account of the virtual machine was compromised.

Before, this case was considered a full hack, not semi, so some modifications have already been made.

Now, it depends on several factors to block the host machine or not.

In your case, it was, though I'll make sure your example comes to the attention of our engineers, to consider acting differently in the future.

jonlewi5
18-06-2010, 11:56
Quote Originally Posted by Andy
TL;DR:-

Don't block the host machine when it's a virtual machine causing the issue. It's a step too far and isn't necessary. Also don't penalise YOUR client for an issue that was not necessarily their fault.
Thanks for the TL;DR

In my opinion, surely it would be better to block the offending IP rather than the host, but meh, what do I know.

RapidSpeeds
18-06-2010, 11:54
They don't care - it's as simple as that - loyalty means nothing, and they have proven that time and time again.

Myatu
18-06-2010, 11:32
It's not the first time I've seen a story where the host machine (static IP) is blocked instead of the originating (virtual) IP. That's a no-no in my book, specifically for the reasons Andy already stated. This needs fixing!

Andy
18-06-2010, 11:14
Well it was bound to happen some time or other. Last night I got a hack notification, but it wasn't for my server, it was for a virtual machine running on the server.

I needed a Windows 2003 server running to use as an IE6 test bed at work, so I set one up in a virtual machine. All was well for over a week, then last night I got an e-mail stating the machine was "scanning" lots of IPs on port 445. I instantly shut the machine down as I didn't want the host server taken offline (it's a production server and very important to me and the clients using it).

I e-mailed stating it was taken offline and all was well. The IP of the VM was unblocked and usable again. I was also told that because this was the first time it had happened I was OK, but next time the fact it had happened before would be taken into account.

I find it stupid that the host machine be taken offline when a simple blocking of the VM IP is all that is needed to stop the scans. Sure, send an e-mail stating the VM IP was blocked due to a hacking attempt, but why should the host machine, which may be carrying numerous other virtual machines that are not committing any "crimes", be taken offline? It was ONE virtual machine whose IP can be blocked to stop the problem; why should it affect the host or the other machines this host may be running?

I understand that OVH is preventing scans on the network, I would too, but the methods are lousy and are causing problems for far too many people. I wouldn't normally complain but the e-mail I received was practically a "threat". I am a VERY loyal customer to OVH and have stood by them for a LONG time, only to be told "do it again and bye bye". I feel somewhat hurt in being told this.

I responded in less than 3 hours after receiving the hack attempt e-mail and in seconds of seeing it I took the offending machine offline, only to be greeted with a "wham bam thank you do it again and bye bye" style reply.

You seriously need to sort out the methods behind the blocking of servers. In this case, the host server was doing nothing wrong, the virtual machine was. Blocking the host machine is causing more problems than necessary. Blocking the virtual machine only is the correct solution and all that is needed to stop the problem at hand.

I would like Neil or Marc, or whoever else at UK support who sees this, to make sure my concerns are voiced to Oles so he can understand the problem and how it can be fixed. I can't stress enough that blocking the host machine is a step too far when it's the virtual machine causing the issue. Think of how many people could suffer lost revenue if the host server were taken down. It's not just your client, but the clients of your client who could suffer! It's like a cascade effect.

Please think about it, especially you Oles. You're a great guy with a great company. Don't throw it away with little mistakes and oversights like this one.

TL;DR:-

Don't block the host machine when it's a virtual machine causing the issue. It's a step too far and isn't necessary. Also don't penalise YOUR client for an issue that was not necessarily their fault.


Thank you for all who have taken the time to read this. I hope my concerns are voiced enough for someone to listen.
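Added example, not from the thread or from OVH: a small Python detector that reads tcpdump-style lines from the host (Myatu's "tcpdump -ni eth0 arp" tip, extended to also capture tcp port 445) and flags a VM IP that sends ARP who-has requests for many distinct addresses or SYNs to port 445 on many distinct hosts, which is the behaviour that triggered Andy's notification. All addresses, sample lines and thresholds are constructed; in practice you would pipe `tcpdump -nli vmbr0 'arp or tcp port 445'` into it.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format of `tcpdump -n` output (addresses are
# documentation ranges, not real hosts). 198.51.100.7 and .9 play the VMs.
SAMPLE = """\
12:00:01.000001 ARP, Request who-has 192.0.2.10 tell 198.51.100.7, length 28
12:00:01.000002 ARP, Request who-has 192.0.2.11 tell 198.51.100.7, length 28
12:00:01.000003 ARP, Request who-has 192.0.2.12 tell 198.51.100.7, length 28
12:00:01.000004 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:55, length 28
12:00:01.000005 ARP, Request who-has 198.51.100.1 tell 198.51.100.9, length 28
12:00:02.000001 IP 198.51.100.9.49152 > 203.0.113.5.445: Flags [S], seq 1, win 8192, length 0
12:00:02.000002 IP 198.51.100.9.49153 > 203.0.113.6.445: Flags [S], seq 1, win 8192, length 0
12:00:02.000003 IP 198.51.100.9.49154 > 203.0.113.7.445: Flags [S], seq 1, win 8192, length 0
12:00:02.000004 IP 198.51.100.9.49155 > 203.0.113.8.445: Flags [S], seq 1, win 8192, length 0
12:00:02.000005 IP 198.51.100.7.50000 > 203.0.113.9.445: Flags [S], seq 1, win 8192, length 0
"""

# "who-has <target> tell <sender>": the sender is the address doing the asking.
ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
# Outbound SYN to port 445: "<src>.<sport> > <dst>.445: Flags [S]".
SYN_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.445: Flags \[S\]")

def count_events(lines):
    """Return (arp_targets, syn_targets): per-source sets of distinct targets."""
    arp = defaultdict(set)
    syn = defaultdict(set)
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            target, sender = m.groups()
            arp[sender].add(target)
            continue
        m = SYN_RE.search(line)
        if m:
            src, dst = m.groups()
            syn[src].add(dst)
    return arp, syn

def flag_sources(lines, arp_threshold=3, syn_threshold=4):
    """Sorted list of (ip, reason) for sources whose fan-out meets a threshold.
    Thresholds are illustrative (constructed); tune to the host's normal traffic."""
    arp, syn = count_events(lines)
    flagged = []
    for ip, targets in arp.items():
        if len(targets) >= arp_threshold:
            flagged.append((ip, f"arp who-has to {len(targets)} distinct IPs"))
    for ip, targets in syn.items():
        if len(targets) >= syn_threshold:
            flagged.append((ip, f"tcp/445 SYN to {len(targets)} distinct hosts"))
    return sorted(flagged)

if __name__ == "__main__":
    # Run with "-" to read live tcpdump output from stdin, else use the sample.
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    for ip, reason in flag_sources(lines):
        print(f"{ip}: {reason}")
```

A flagged VM IP is the one to firewall or shut down before the whole host gets marked as hacked; an ARP hit with a single who-has target (as for 198.51.100.9 above) is normal gateway resolution and is not reported.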