OVH Community, your new community space.

ovh hacker


JakeMS
29-09-2013, 11:25
Quote Originally Posted by LinuxGam
The reason why I don't is the people scanning for port 22 have no chance of getting into my server. It gives me something fun to read in the logs. Anyone seriously attacking me would not be thrown by moving the port.

There are quite a few articles about the fact it stops the amount of attacks, but doesn't stop the ones that would have the skill to break in.
While what you say is true, I did also say, change port + keys instead of password.

This will pretty much stop

1) All random attempts
2) All proper attempts

(Unless they find a vuln in openssh, in which case, you're screwed either way)

But I will admit, when it comes to security, I'm borderline "paranoid" security level.

I do everything I possibly can to protect the server in every way possible.

But at the same time, I do have customers personal data to protect so, in a way I have to be.

But nonetheless, I was just trying to offer some advice.

LinuxGam
29-09-2013, 07:48
Quote Originally Posted by JakeMS
Hi,
Although, I would suggest changing the ssh port to an alternate port of your choice,
The reason why I don't is the people scanning for port 22 have no chance of getting into my server. It gives me something fun to read in the logs. Anyone seriously attacking me would not be thrown by moving the port.

There are quite a few articles about the fact it stops the amount of attacks, but doesn't stop the ones that would have the skill to break in.

JakeMS
29-09-2013, 07:40
Hi,

Yeah, my point was mainly: Do not rely on just one method of security.

Although, I would suggest changing the ssh port to an alternate port of your choice, to avoid it being the first port hit, and also disabling ssh passwords in favour of key based login instead.

But yeah, there is no such thing as a 100% secure server.. Heck even banks get hacked! Although often due to *****ic mistakes in security.

Just my 2p.

Edit why the heck is i d i o t censored? haha
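
The advice in this post (move sshd off port 22, turn off password logins, use keys) comes down to a handful of sshd_config directives. The following is an added example, not code from the thread or from OVH: a small Python audit that parses an sshd_config the way sshd does (first occurrence of a keyword wins) and reports which of those recommendations a config still misses. Both config texts are constructed for the example; the port number 2222 is an arbitrary choice, and absent directives are treated as OpenSSH's documented defaults.

```python
import re

# Constructed example of a stock-looking sshd_config (not a real server's file).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed example of the same file with the thread's advice applied.
# The port value is arbitrary; the point is that it is not 22.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's first-match rule:
    for each keyword, the first occurrence in the file wins.
    Parsing stops at the first 'Match' block; that is a simplification,
    since Match blocks apply conditionally and need their own handling."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # keep the first occurrence only
    return settings


def audit_sshd_config(text):
    """Return a list of findings for the settings the thread argues against.
    Absent directives fall back to OpenSSH's defaults (PasswordAuthentication
    and ChallengeResponseAuthentication both default to yes)."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append("Port: still 22, the first port automated scanners try")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication: enabled, password guessing remains possible")
    # Keyboard-interactive (PAM) auth can still accept passwords even when
    # PasswordAuthentication is off, so it has to be disabled as well.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":
        findings.append("ChallengeResponseAuthentication: enabled, PAM may still accept passwords")
    root = s.get("permitrootlogin", "").lower()
    if root not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin: direct root login not disabled explicitly "
                        "(the default has varied between OpenSSH versions)")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication: disabled, keys cannot replace passwords")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; the first-match rule matters because a `PasswordAuthentication no` added at the bottom of a file that already says `yes` near the top does nothing, which is a common reason "I disabled passwords" turns out to be untrue.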

LinuxGam
29-09-2013, 07:30
Quote Originally Posted by JakeMS
That entirely depends what's on your server doesn't it?

Also be aware, some 0day exploits are publicly released on 0day, with no updates from upstream, not all 0day exploits are "private".

Having the attitude of "they don't care about my server enough to hack it" is never a good attitude as it leads to skipping parts of security, and thus leaving doors open.

Some examples of public exploits, with no fixes from upstream when they were published:
http://localhost.re/p/solusvm-11303-vulnerabilities
http://localhost.re/p/solusvm-whmcs-...-vulnerability
http://localhost.re/p/zamfoo-120-vulnerability

And that's just a quick 1 minute search...

Moral of the story.. never assume you are secure just because you're up to date.
If someone wants to hack your server they will if they are top class, even without 0 day exploits. What I was saying is keeping your passwords complex, disabling root accounts, having IP banning, firewalls and checking logs all cut down the chances.

On my VMs I only have port 80 and 22 facing the world, all other ports needed for MySQL etc etc are on an internal nic. Being as Apache and SSH(Linux) have been proved over time to be pretty safe, I'm ok with that.

The truth is, you can never be 100% secure as you say, but the odds of someone wanting to go to that expense and time to hack my server is unlikely. That was my point and I think what you were saying too.

It's possible, but you make it as difficult as you can.

K.Kode
28-09-2013, 22:49
Should probably have clarified that I meant the OVH systems would catch SSH but not web logins.

JakeMS
28-09-2013, 22:25
That entirely depends what's on your server doesn't it?

Also be aware, some 0day exploits are publicly released on 0day, with no updates from upstream, not all 0day exploits are "private".

Having the attitude of "they don't care about my server enough to hack it" is never a good attitude as it leads to skipping parts of security, and thus leaving doors open.

Some examples of public exploits, with no fixes from upstream when they were published:
http://localhost.re/p/solusvm-11303-vulnerabilities
http://localhost.re/p/solusvm-whmcs-...-vulnerability
http://localhost.re/p/zamfoo-120-vulnerability

And that's just a quick 1 minute search...

Moral of the story.. never assume you are secure just because you're up to date.

LinuxGam
28-09-2013, 22:13
Quote Originally Posted by JakeMS
Anyone can end up with a hacked server no matter how well you secure it. Think 0day exploits.
0 day exploits cos 10K++++ why would they target your server? Good common sense will stop normal attacks. 0 day exploits are bought by the big boys that don't give a f**k about your server.

JakeMS
28-09-2013, 21:49
Quote Originally Posted by LinuxGam
I think if you own a dedicated linux server, you should have enough knowledge to protect it. If you can't and it is then used to attack other OVH servers, really that's your fault.
I agree, sadly, not everyone bothers to learn what they are doing.. they are just happy it works and leave it at that.

Quote Originally Posted by LinuxGam
The only thing that is unfair is if you get DDOS and they then cut you out... but they are doing something about that.
Yeah, I was glad to see OVH bring in an anti-ddos system.

It hopefully means no more "Hey, someone's attacking you, you are now suspended for causing trouble please go elsewhere" with OVH as I always found it a little unfair how a victim somehow was the bad guy.

As for people with hacked servers, should they be notified? Yes. Should they be suspended? No not the first time, if warned, and they do not fix it or it happens frequently, yeah suspend them.

Anyone can end up with a hacked server no matter how well you secure it. Think 0day exploits.

I do not believe someone should be punished for a crime they did not commit.

However repeat "offenders" should indeed be suspended as clearly, they are not doing their job of securing themselves for other netizens and are helping spread the problem.

But that's just my personal opinion

LinuxGam
28-09-2013, 19:47
I think if you own a dedicated linux server, you should have enough knowledge to protect it. If you can't and it is then used to attack other OVH servers, really that's your fault.

The only thing that is unfair is if you get DDOS and they then cut you out... but they are doing something about that.

LawsHosting
28-09-2013, 19:18
Quote Originally Posted by K.Kode
Might be able to detect specific attempts like SSH but not failed web logins.
You can with custom filters. Of course the failed attempts need to be logged somewhere.

Just as I replied above, just got some attempts to Dovecot.. Coincidence? Hetzner server anyone?

LinuxGam
28-09-2013, 19:17
Quote Originally Posted by K.Kode
Might be able to detect specific attempts like SSH but not failed web logins.
Fail2ban can monitor Apache logs if you set it up to. Also if someone gets access to a website, it rarely compromises your whole system if it's written properly.
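
Both of the replies above make the same point: fail2ban can ban failed web logins as long as the application leaves a recognisable line in a log. The block below is an added example, not code from the thread or from the fail2ban project. It implements the same counting rule fail2ban applies (`maxretry` failures within `findtime` seconds) over constructed Apache combined-format log lines, where a hypothetical application answers a wrong password on `POST /login` with HTTP 401; the IP addresses, paths and timestamps are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines; the addresses are documentation
# ranges and the /login endpoint is a hypothetical application that answers
# a bad password with 401. None of this is taken from a real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [28/Sep/2013:18:40:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2013:18:40:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Sep/2013:18:40:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2013:18:40:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2013:18:40:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Sep/2013:18:40:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2013:18:40:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Sep/2013:18:40:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2013:19:10:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths whose failed POSTs count as login failures (hypothetical application).
LOGIN_PATHS = {"/login"}

# A sketch of the equivalent fail2ban filter (illustrative, adjust to the
# application's real request line):
#   failregex = ^<HOST> .* "POST /login HTTP/[^"]*" 401


def parse_failed_logins(log_text):
    """Yield (timestamp, ip) for every failed web login, defined here as a
    POST to a login path that the application answered with 401."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, ignore rather than crash the watcher
        if m["method"] == "POST" and m["path"] in LOGIN_PATHS and m["status"] == "401":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"]


def ips_to_ban(log_text, maxretry=5, findtime=600):
    """Apply fail2ban's rule: an IP is banned once it reaches maxretry
    failures inside any findtime-second window. Old failures fall out of
    the window, so a slow trickle of attempts never triggers a ban."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(parse_failed_logins(log_text)):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print("failed logins:", list(parse_failed_logins(SAMPLE_ACCESS_LOG)))
    print("ban:", ips_to_ban(SAMPLE_ACCESS_LOG))
```

In the sample, 203.0.113.7 reaches five 401s in about ten seconds and is banned; 198.51.100.9 fails once and then logs in, and the lone failure at 19:10 is outside the window of the earlier burst, so it counts as a fresh first attempt. The part that actually does the work is the application returning a distinct status or log line on failure; if a bad password produces the same 200 response as a good one, neither this script nor fail2ban has anything to match on.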

K.Kode
28-09-2013, 19:13
Might be able to detect specific attempts like SSH but not failed web logins.

LinuxGam
28-09-2013, 19:12
Quote Originally Posted by lawshosting
doesn't ovh's system detect these types of things?

Tbh, i let fail2ban do its job, else i'd be sending out reports all day (not just to ovh).
+100

LawsHosting
28-09-2013, 18:45
Doesn't OVH's system detect these types of things?

TBH, I let fail2ban do its job, else I'd be sending out reports all day (not just to OVH).

donald22
28-09-2013, 13:12
Quote Originally Posted by NeddySeagoon
donald22,

It depends where the attack comes from. If it's the Far East, don't bother reporting it.
Anywhere else, I only report it if it's a nuisance.

Mostly, I don't check as I don't allow any remote logins by password.

Knocking on the door is not the only way in however. As others have said, keep things up to date.
Normally I do ignore these. I only reported it as it is an OVH server that is being used to attack my site; intentionally or unintentionally, the owner of the server should be made aware of the attack from his server. Just my opinion.

NeddySeagoon
28-09-2013, 11:57
donald22,

It depends where the attack comes from. If it's the Far East, don't bother reporting it.
Anywhere else, I only report it if it's a nuisance.

Mostly, I don't check as I don't allow any remote logins by password.

Knocking on the door is not the only way in however. As others have said, keep things up to date.

donald22
28-09-2013, 11:13
That is possible, it is also possible that the owner is using his server as a proxy thinking that will mask his activities, either way he should be contacted in my opinion.

JakeMS
28-09-2013, 03:50
Hi,

You'll see these a lot.

They are "hackbots": they attempt to get into any server they find. Typically they are run from servers that are not owned by the hackers, instead, run from servers which were previously compromised.

So chances are, the server which is attacking you, the bill payer/admin has no idea their server is doing this. So it's not really fair to blame the customer who owns their server unless they are deliberately allowing/performing the attacks.

Usually, after the bot gets in, it will stop and go to the next server after alerting the bot controller. The bot controller will usually come back in a day or so and fix the security hole you have so other bots don't steal his/her bot, and then add the machine to their botnet to do the same thing and be ready on standby for other attacks.

But nonetheless, it's just another bot in another botnet trying to make a bigger botnet with more bots.

But you'll see these quite often, no big deal really and nothing new, just keep on top of your security and updates and you'll be fine.

Just my 2p :-).

donald22
27-09-2013, 22:49
Thanks, I have forwarded the cPanel email to that address.

Kacotet
27-09-2013, 22:36
Welcome to the Internet.

abuse@ovh.net

LinuxGam
27-09-2013, 10:39
I used to install public certificates as well, maybe I will add that when I get the time, but if all the boxes above are ticked they really aren't gonna brute force it

donald22
27-09-2013, 10:32
Yes, cPanel brute force protection is quite effective, not even an account with that name (although there is a similar domain) and the IP is now blacklisted, just thought maybe OVH will know who owns that server as these people are rodents.

LinuxGam
27-09-2013, 10:26
Do you have Fail2Ban installed and strong passwords? As long as root is disabled, you have strong passwords and up the ban time limit, let them try :-)

donald22
27-09-2013, 10:13
5 failed login attempts to account web-site-rank (system) -- Large number of attempts from this IP: 94.23.253.45

Reverse DNS: ns383500.ovh.net

Origin Country: France (FR)

hmm