OVH Community, your new community space.

No support


whycup
23-07-2016, 15:41
Working fine for me

Deizash
09-01-2015, 19:48
I don't know about UK's support but mine's working.

BoostMMR
09-01-2015, 18:36
I can't access the support page, is it down?

Deizash
09-01-2015, 14:50
Support answered that the area where my server is hosted was indeed DDOSed but they fixed the problem.
I have also changed my SSH port yesterday and so far there was nothing suspicious in the logs; however, users still get disconnected from the server once in a while. I told this to support and I am waiting for an answer.

syslog:
Jan 9 04:42:06 vps82376 syslog-ng[1571]: Configuration reload request received, reloading configuration;
Jan 9 04:42:06 vps82376 syslog-ng[1571]: EOF on control channel, closing connection;
Jan 9 05:02:06 vps82376 -- MARK --
Jan 9 05:22:06 vps82376 -- MARK --
Jan 9 05:26:01 vps82376 /USR/SBIN/CRON[4479]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 05:46:01 vps82376 -- MARK --
Jan 9 06:06:01 vps82376 -- MARK --
Jan 9 06:26:01 vps82376 /USR/SBIN/CRON[4500]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 06:46:01 vps82376 -- MARK --
Jan 9 07:06:01 vps82376 -- MARK --
Jan 9 07:26:01 vps82376 /USR/SBIN/CRON[4517]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 07:46:01 vps82376 -- MARK --
Jan 9 08:06:01 vps82376 -- MARK --
Jan 9 08:26:01 vps82376 -- MARK --
Jan 9 08:26:01 vps82376 /USR/SBIN/CRON[4537]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 08:46:01 vps82376 -- MARK --
Jan 9 09:06:01 vps82376 -- MARK --
Jan 9 09:26:01 vps82376 /USR/SBIN/CRON[4553]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 09:46:01 vps82376 -- MARK --
Jan 9 10:06:01 vps82376 -- MARK --
Jan 9 10:26:01 vps82376 /USR/SBIN/CRON[4569]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 10:46:01 vps82376 -- MARK --
Jan 9 11:06:01 vps82376 -- MARK --
Jan 9 11:26:01 vps82376 /USR/SBIN/CRON[4596]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 11:46:01 vps82376 -- MARK --
Jan 9 12:06:01 vps82376 -- MARK --
Jan 9 12:26:01 vps82376 /USR/SBIN/CRON[4612]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 12:46:01 vps82376 -- MARK --
Jan 9 13:06:01 vps82376 -- MARK --
Jan 9 13:26:01 vps82376 /USR/SBIN/CRON[4635]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 13:46:01 vps82376 -- MARK --
Jan 9 14:06:01 vps82376 -- MARK --
Jan 9 14:26:01 vps82376 /USR/SBIN/CRON[4669]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 14:31:18 vps82376 named[1664]: client 212.83.152.146#5300: query (cache) 'isc.org/ANY/IN' denied
Jan 9 14:51:18 vps82376 -- MARK --
Jan 9 15:11:18 vps82376 -- MARK --
Jan 9 15:26:02 vps82376 /USR/SBIN/CRON[4687]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jan 9 15:46:02 vps82376 -- MARK --
I'm not sure what --report /etc/cron.hourly and --MARK-- mean though.

Deizash
07-01-2015, 19:58
Sadly, even with fail2ban, they still manage to shut down my server. Would the IPv6 patch help?
Is there some simple button to disable/enable ssh in OVH? I don't want to mess with the configuration every time.

@obokar
Here's what iptables -L outputted:

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-apache-w00tw00t tcp -- anywhere anywhere
fail2ban-php-url-fopen tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-myadmin tcp -- anywhere anywhere
fail2ban-exim tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-nohome tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-badbots tcp -- anywhere anywhere
fail2ban-webmin tcp -- anywhere anywhere multiport dports webmin,20000
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache tcp -- anywhere anywhere multiport dports http,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-pam-generic tcp -- anywhere anywhere
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-myadmin (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-nohome (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-w00tw00t (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-exim (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-pam-generic (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-php-url-fopen (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 212.83.37.37 anywhere
DROP all -- huzhou.ctc.mx.fund123.cn anywhere
DROP all -- s3-150.gazduirejocuri.ro anywhere
DROP all -- 58.137.115.46 anywhere
DROP all -- ip123-1-126.tgg.net.id anywhere
DROP all -- s15972093.onlinehome-server.info anywhere
DROP all -- 58.215.176.234 anywhere
DROP all -- 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn anywhere
DROP all -- unixhost14.thewebhostingpeople.com anywhere
DROP all -- 122.225.97.68 anywhere
DROP all -- 125.141.199.225 anywhere
DROP all -- 202.58.98.92 anywhere
DROP all -- 122.225.97.92 anywhere
DROP all -- 233.51.174.61.dial.wz.zj.dynamic.163data.com.cn anywhere
RETURN all -- anywhere anywhere

Chain fail2ban-ssh-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-webmin (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
EDIT: Perhaps setting fail2ban ban time to permanent would also help? I think it's currently 1 day.

pbgben
07-01-2015, 09:52
I turn ssh off and on as needed, remember that OVH provides ipKVM so there is no need to leave it open.

obokar
07-01-2015, 08:02
Deizash,

I've installed fail2ban as well and it works magic for SSH attacks. I believe I have over 20 blocks over 2 weeks. I've been using this tutorial https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04 to set it up, and it also gets the IPs into iptables.

Have you checked the iptables list (iptables -L)?

Deizash
06-01-2015, 13:52
I haven't done that yet. The support answered and they did some stuff there, I'll see how it goes. And for the SSH, I don't think I will set it to my IP since I am afraid that I can lock myself out.

LawsHosting
06-01-2015, 00:01
Quote Originally Posted by Deizash
I installed fail2ban. If that doesn't help, I will try to change my SSH port, unless someone can offer a better idea.
Or close port 22 to your own IP (if you have a static IP that is)...

Fail2ban does help, did you apply the IPv6 patch (http://crycode.de/wiki/Fail2Ban#IPv6 - in German, but translate will work)?

Deizash
05-01-2015, 21:29
I installed fail2ban. If that doesn't help, I will try to change my SSH port, unless someone can offer a better idea.

Deizash
05-01-2015, 20:44
I haven't tried that. I prefer doing it with emails or support tickets. Anyway, I checked the auth.log and I think I'm being DDOSed and someone is trying to hack my server.
Look at these few lines I took from my auth.log (there are thousands of them):
Jan 5 21:09:29 vps82376 sshd[7947]: Failed password for invalid user andy from 202.114.144.143 port 25327 ssh2
Jan 5 21:09:29 vpsxxxxx sshd[7947]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:12:57 vpsxxxxx sshd[7950]: Invalid user jerry from 202.114.144.143
Jan 5 21:12:57 vpsxxxxx sshd[7950]: input_userauth_request: invalid user jerry [preauth]
Jan 5 21:12:57 vpsxxxxx sshd[7950]: pam_unix(sshd:auth): check pass; user unknown
Jan 5 21:12:57 vpsxxxxx sshd[7950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143
Jan 5 21:12:59 vpsxxxxx sshd[7950]: Failed password for invalid user jerry from 202.114.144.143 port 47278 ssh2
Jan 5 21:12:59 vpsxxxxx sshd[7950]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:16:30 vpsxxxxx sshd[7954]: Invalid user ftpuser from 202.114.144.143
Jan 5 21:16:30 vpsxxxxx sshd[7954]: input_userauth_request: invalid user ftpuser [preauth]
Jan 5 21:16:30 vpsxxxxx sshd[7954]: pam_unix(sshd:auth): check pass; user unknown
Jan 5 21:16:30 vpsxxxxx sshd[7954]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143
Jan 5 21:16:31 vpsxxxxx sshd[7954]: Failed password for invalid user ftpuser from 202.114.144.143 port 5251 ssh2
Jan 5 21:16:32 vpsxxxxx sshd[7954]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:19:59 vpsxxxxx sshd[7956]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143 user=root
Jan 5 21:20:01 vpsxxxxx sshd[7956]: Failed password for root from 202.114.144.143 port 27201 ssh2
Jan 5 21:20:01 vpsxxxxx sshd[7956]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:23:30 vpsxxxxx sshd[7960]: Invalid user linda from 202.114.144.143
Jan 5 21:23:30 vpsxxxxx sshd[7960]: input_userauth_request: invalid user linda [preauth]
Jan 5 21:23:30 vpsxxxxx sshd[7960]: pam_unix(sshd:auth): check pass; user unknown
Jan 5 21:23:30 vpsxxxxx sshd[7960]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143
Jan 5 21:23:32 vpsxxxxx sshd[7960]: Failed password for invalid user linda from 202.114.144.143 port 49151 ssh2
Jan 5 21:23:32 vpsxxxxx sshd[7960]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:26:01 vpsxxxxx CRON[7963]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 5 21:26:01 vpsxxxxx CRON[7963]: pam_unix(cron:session): session closed for user root
Jan 5 21:26:58 vpsxxxxx sshd[7966]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143 user=root
Jan 5 21:27:01 vpsxxxxx sshd[7966]: Failed password for root from 202.114.144.143 port 7125 ssh2
Jan 5 21:27:01 vpsxxxxx sshd[7966]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:27:57 vpsxxxxx sshd[7968]: Invalid user admin from 211.100.28.177
Jan 5 21:27:57 vpsxxxxx sshd[7968]: input_userauth_request: invalid user admin [preauth]
Jan 5 21:27:57 vpsxxxxx sshd[7968]: pam_unix(sshd:auth): check pass; user unknown
Jan 5 21:27:57 vpsxxxxx sshd[7968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.100.28.177
Jan 5 21:27:59 vpsxxxxx sshd[7968]: Failed password for invalid user admin from 211.100.28.177 port 49290 ssh2
Jan 5 21:27:59 vpsxxxxx sshd[7968]: Connection closed by 211.100.28.177 [preauth]
Jan 5 21:30:28 vpsxxxxx sshd[7972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143 user=root
Jan 5 21:30:30 vpsxxxxx sshd[7972]: Failed password for root from 202.114.144.143 port 29073 ssh2
Jan 5 21:30:30 vpsxxxxx sshd[7972]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:34:01 vpsxxxxx sshd[7974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.114.144.143 user=root
Jan 5 21:34:03 vpsxxxxx sshd[7974]: Failed password for root from 202.114.144.143 port 51023 ssh2
Jan 5 21:34:03 vpsxxxxx sshd[7974]: Received disconnect from 202.114.144.143: 11: Bye Bye [preauth]
Jan 5 21:36:20 vpsxxxxx sshd[7977]: Accepted password for root from 77.221.80.117 port 61594 ssh2
Jan 5 21:36:21 vpsxxxxx sshd[7977]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 5 21:36:21 vpsxxxxx sshd[7977]: subsystem request for sftp by user root
Jan 5 21:36:37 vpsxxxxx sshd[7980]: Accepted password for root from 77.221.80.117 port 61596 ssh2
Jan 5 21:36:37 vpsxxxxx sshd[7980]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 5 21:36:37 vpsxxxxx sshd[7980]: subsystem request for sftp by user root
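
Added example (not part of the original post, and not fail2ban's own code): a simplified model of a maxretry/findtime check run over sshd lines in the format above, showing that guesses spaced about 3.5 minutes apart, as in this excerpt, stay under a short counting window, and listing accepted root password logins for manual review. The sample lines, documentation IP addresses and threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sshd format of the excerpt; IPs are documentation ranges.
SAMPLE = """\
Jan 5 21:09:29 host sshd[100]: Failed password for invalid user andy from 192.0.2.10 port 25327 ssh2
Jan 5 21:12:59 host sshd[101]: Failed password for invalid user jerry from 192.0.2.10 port 47278 ssh2
Jan 5 21:16:31 host sshd[102]: Failed password for invalid user ftpuser from 192.0.2.10 port 5251 ssh2
Jan 5 21:20:01 host sshd[103]: Failed password for root from 192.0.2.10 port 27201 ssh2
Jan 5 21:23:32 host sshd[104]: Failed password for invalid user linda from 192.0.2.10 port 49151 ssh2
Jan 5 21:27:01 host sshd[105]: Failed password for root from 192.0.2.10 port 7125 ssh2
Jan 5 21:27:59 host sshd[106]: Failed password for invalid user admin from 198.51.100.7 port 49290 ssh2
Jan 5 21:36:20 host sshd[107]: Accepted password for root from 203.0.113.5 port 61594 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(text, year=2015):
    """Yield (timestamp, outcome, user, source_ip) for sshd password events."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def would_ban(text, maxretry, findtime):
    """Return IPs with at least maxretry failures inside any findtime-second window."""
    fails = defaultdict(list)
    for ts, outcome, _user, ip in parse(text):
        if outcome == "Failed":
            fails[ip].append(ts)
    banned = set()
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(ip)
                break
    return banned

def root_password_logins(text):
    """Return source IPs of accepted root password logins, to be verified by hand."""
    return sorted({ip for _ts, o, user, ip in parse(text) if o == "Accepted" and user == "root"})

if __name__ == "__main__":
    for window in (600, 3600):
        print(window, sorted(would_ban(SAMPLE, maxretry=5, findtime=window)))
    print("root password logins:", root_password_logins(SAMPLE))
```

With these constructed values the 600-second window bans nothing, while the 3600-second window catches the slow guesser.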

Neil
05-01-2015, 14:58
Hello

No, it is not possible. Have you tried calling them?

Deizash
05-01-2015, 13:17
I did but they don't answer me.
EDIT: Can my server be moved from Lithuanian OVH to UK OVH?

S0phie
05-01-2015, 11:12
Hi,

Please contact our Lithuanian support: https://www.ovh.lt/

Deizash
04-01-2015, 20:57
Hello, I have a problem with my server for some months now. It just keeps freezing and everyone in the server times out. It happens about 10 times a day.
I opened a ticket but after some talking with the consultant, he just doesn't answer me anymore. It's gonna be 4 days soon and there is no answer. I tried to change my consultant but I was asked to fill in why. I wrote why and when I clicked change, it said that the field was empty.
I am from Lithuania but the Lithuanian OVH forum is kind of dead. Is there any way someone here could review my ticket?