Hetzner - DokuWiki

Leitfaden bei Serversperrung/en


Server Locking

There are some situations in which we are forced to lock a server. If your server gets locked you will be notified via email.

If you didn't receive an email or are unsure whether your server has truly been locked, you can send us a support request via the Robot administration interface.

Alternatively, you can run a traceroute to your server. If the traceroute ends at the first router of Hetzner, which is shown in the form "(uplink)-gw.hetzner.de", then the server has been locked. In Windows you start a traceroute by running "tracert.exe". In Linux the command to use is "traceroute".

Reasons for Server Locking

The most common reasons for locking a server are:

  • Attacks from/on your server
  • Interference with the network caused by port scans
  • Incorrect network configuration
  • Non-payment of invoices
  • Abuse (e.g. hosting a phishing site/malware/copyright infringing material, etc.)

We lock servers for several reasons: to protect our infrastructure, as a precautionary measure to prevent any further abuse, and to protect the server owner.

To assist in analyzing the problem, a log file with as much information as we have is added to the email. Please note that we don't have any information or log files beyond those we provide. We don't have software access to the server and thus cannot see what exactly is going on. Please check your own internal server logs and analyze the issue yourself.

Log Files

Information on Port-/Netscans

###################################################################
#          Netscan detected from host   x.x.x.x                   #
###################################################################

time                        src_ip		  dest_ip:dest_port
-------------------------------------------------------------------
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.0:   22
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.1:   22
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.2:   22
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.3:   22
.....

This log shows the exact time and the source IP, as well as the destination IP and port.
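One way to condense a netscan log of this layout before comparing it with your own server logs (an added example, not Hetzner's tooling). The function name and the returned field names are assumptions; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Lines copied from the netscan excerpt above (source address masked as x.x.x.x).
SAMPLE = """\
time                        src_ip            dest_ip:dest_port
-------------------------------------------------------------------
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.0:   22
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.1:   22
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.2:   22
Thu Nov 13 18:14:27 2013:   x.x.x.x =>         65.98.236.3:   22
.....
"""

ENTRY = re.compile(
    r"^\w{3} (?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}):\s+(?P<src>\S+)\s+=>"
    r"\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s*(?P<port>\d+)\s*$"
)

def summarize_netscan(text):
    """Condense a netscan log into ports probed, networks hit and duration."""
    times, dests, ports, nets = [], set(), Counter(), Counter()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:  # header, ruler and "....." lines
            continue
        # The weekday is left out of the parse; only the date and time matter.
        times.append(datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"))
        dests.add(ip_address(m["dst"]))
        ports[int(m["port"])] += 1
        nets[str(ip_network(m["dst"] + "/24", strict=False))] += 1
    ordered = sorted(dests)
    # Consecutive destination addresses indicate an address-range sweep.
    sequential = len(ordered) > 1 and all(
        int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
    return {
        "entries": sum(ports.values()),
        "targets": len(dests),
        "ports": dict(ports),
        "networks": dict(nets),
        "sequential": sequential,
        "duration_s": (max(times) - min(times)).total_seconds() if times else 0.0,
    }

if __name__ == "__main__":
    print(summarize_netscan(SAMPLE))
```

The destination port and the time window from the summary are the two values to search for in your own connection and process logs.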

Summary on exceeded Packet Limits

Direction OUT
Internal 178.63.65.85
Threshold Packets 100.000 packets/s
Sum                     40.674.000 packets/300s (135.580 packets/s),  40.673 flows/300s (135 flows/s),  5,909 GByte/300s (161 MBit/s)
External 77.96.88.114,  40.668.000 packets/300s (135.560 packets/s),  40.667 flows/300s (135 flows/s),  5,909 GByte/300s (161 MBit/s)
External 196.37.186.67,  5.000 packets/300s (16 packets/s),                5 flows/300s (0 flows/s),    0,000 GByte/300s (0 MBit/s)
External 77.74.52.53,    1.000 packets/300s (3 packets/s),                 1 flows/300s (0 flows/s),    0,000 GByte/300s (0 MBit/s)

This log does not list each connection separately but rather shows a summary of the traffic per destination IP. It shows the packet rates, the flow rate as well as the total connection speed.
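To see which external address accounts for the exceeded limit, the summary can be parsed as follows (an added example, not Hetzner's tooling). It assumes the number format shown above, with "." as the thousands separator; the function and field names are assumptions.

```python
import re

# Lines copied from the packet-limit summary above.
SAMPLE = """\
Direction OUT
Internal 178.63.65.85
Threshold Packets 100.000 packets/s
Sum                     40.674.000 packets/300s (135.580 packets/s),  40.673 flows/300s (135 flows/s),  5,909 GByte/300s (161 MBit/s)
External 77.96.88.114,  40.668.000 packets/300s (135.560 packets/s),  40.667 flows/300s (135 flows/s),  5,909 GByte/300s (161 MBit/s)
External 196.37.186.67,  5.000 packets/300s (16 packets/s),                5 flows/300s (0 flows/s),    0,000 GByte/300s (0 MBit/s)
External 77.74.52.53,    1.000 packets/300s (3 packets/s),                 1 flows/300s (0 flows/s),    0,000 GByte/300s (0 MBit/s)
"""

THRESHOLD = re.compile(r"^Threshold Packets ([\d.]+) packets/s")
ROW = re.compile(r"^(?:Sum|External (?P<ip>[\d.]+),)\s+(?P<packets>[\d.]+) packets/300s"
                 r" \((?P<pps>[\d.]+) packets/s\)")

def de_int(text):
    """Integer with '.' as thousands separator, as the report writes it."""
    return int(text.replace(".", ""))

def analyze_summary(text):
    """Compare each external peer's packet rate with the stated threshold."""
    threshold, total, peers = None, None, []
    for line in text.splitlines():
        if m := THRESHOLD.match(line):
            threshold = de_int(m[1])
        elif m := ROW.match(line):
            row = {"packets": de_int(m["packets"]), "pps": de_int(m["pps"])}
            if m["ip"] is None:
                total = row  # the "Sum" line
            else:
                peers.append({"ip": m["ip"], **row})
    if threshold is None or total is None:
        raise ValueError("threshold or Sum line missing")
    for p in peers:
        p["share"] = p["packets"] / total["packets"] if total["packets"] else 0.0
        p["alone_exceeds"] = p["pps"] > threshold
    peers.sort(key=lambda p: p["packets"], reverse=True)
    return {"threshold_pps": threshold, "total_pps": total["pps"],
            "exceeded": total["pps"] > threshold, "peers": peers}

if __name__ == "__main__":
    report = analyze_summary(SAMPLE)
    for p in report["peers"]:
        print(f'{p["ip"]:<15} {p["pps"]:>8} pps  {p["share"]:7.2%}')
```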

Detailed Traffic Dump

21:44:53.145756 IP x.x.x.x.55008 > 76.9.23.182.29615: UDP, length 9216
21:44:53.145883 IP x.x.x.x.55030 > 76.9.23.182.45527: UDP, length 9216
21:44:53.146007 IP x.x.x.x.55046 > 76.9.23.182.1826:  UDP, length 9216
21:44:53.146126 IP x.x.x.x.55064 > 76.9.23.182.34940: UDP, length 9216
21:44:53.146249 IP x.x.x.x.55080 > 76.9.23.182.20559: UDP, length 9216
21:44:53.146371 IP x.x.x.x.55093 > 76.9.23.182.31488: UDP, length 9216
21:44:53.146493 IP x.x.x.x.55112 > 76.9.23.182.56406: UDP, length 9216
21:44:53.146616 IP x.x.x.x.55132 > 76.9.23.182.43714: UDP, length 9216
21:44:53.146741 IP x.x.x.x.55147 > 76.9.23.182.64613: UDP, length 9216

In this case a detailed traffic dump is created which contains all (incoming and outgoing) connections. This shows the following information: destination IP, destination port and the size and type of packets. As each individual packet is shown, only a small part of the traffic is captured owing to the huge amount of information involved.
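A dump excerpt like the one above can be grouped by destination to get packet counts, payload volume and the rate within the captured window (an added example, not Hetzner's tooling). The function name, the field names and the `port_spray` heuristic are assumptions; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# Lines copied from the traffic dump excerpt above (source masked as x.x.x.x).
SAMPLE = """\
21:44:53.145756 IP x.x.x.x.55008 > 76.9.23.182.29615: UDP, length 9216
21:44:53.145883 IP x.x.x.x.55030 > 76.9.23.182.45527: UDP, length 9216
21:44:53.146007 IP x.x.x.x.55046 > 76.9.23.182.1826:  UDP, length 9216
21:44:53.146126 IP x.x.x.x.55064 > 76.9.23.182.34940: UDP, length 9216
21:44:53.146249 IP x.x.x.x.55080 > 76.9.23.182.20559: UDP, length 9216
21:44:53.146371 IP x.x.x.x.55093 > 76.9.23.182.31488: UDP, length 9216
21:44:53.146493 IP x.x.x.x.55112 > 76.9.23.182.56406: UDP, length 9216
21:44:53.146616 IP x.x.x.x.55132 > 76.9.23.182.43714: UDP, length 9216
21:44:53.146741 IP x.x.x.x.55147 > 76.9.23.182.64613: UDP, length 9216
"""

PACKET = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+), length (?P<len>\d+)"
)

def summarize_dump(text):
    """Group a dump excerpt by (destination IP, protocol)."""
    groups = defaultdict(lambda: {"times": [], "dports": set(), "sizes": []})
    for line in text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        h, mi, s, us = (int(m[i]) for i in range(1, 5))
        # Integer microseconds since midnight; assumes no midnight rollover.
        g = groups[(m["dst"], m["proto"])]
        g["times"].append(((h * 60 + mi) * 60 + s) * 1_000_000 + us)
        g["dports"].add(int(m["dport"]))
        g["sizes"].append(int(m["len"]))
    report = {}
    for key, g in groups.items():
        n, span = len(g["times"]), max(g["times"]) - min(g["times"])
        report[key] = {
            "packets": n,
            "bytes": sum(g["sizes"]),
            "distinct_dports": len(g["dports"]),
            "span_us": span,
            "pps": (n - 1) * 1_000_000 / span if span else None,
            # Heuristic (assumption): a new port per packet at one fixed size.
            "port_spray": n > 1 and len(g["dports"]) == n and len(set(g["sizes"])) == 1,
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize_dump(SAMPLE).items():
        print(key, stats)
```

Because the dump holds only a small part of the traffic, the rate describes the captured window only; the destination, protocol and payload size are what to look for in your own logs.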

Server Unlocking

Before the server can be unlocked, the problem that caused it to be locked needs to be resolved. Once this has been done conclusively, you need to send us an unblock request via the Robot.
Please click on "Requests" from the menu on the left and then select "Unblock requests...". Here you need to select the corresponding Blocking ID and then fully fill out the form and send it to us.

To resolve the issue, a LARA remote console can be requested, allowing full access to the server. If you want to order a LARA remote console, please open a special support request from the Robot asking for that directly. Log in to the Robot, go to "Requests", select your server and then select "Server requests" (click on the small plus next to it). There you can select "Remote Console (LARA)" and make an appointment for when you want it. That way our technicians will get the order immediately, and be able to see for which server you want the LARA and when you want it.

Another option is to enter your home/office IP address (as long as it is static) via the Robot and you will be able to access the server via that IP. This is possible in the Robot by going to "Servers" and then clicking on "Server locking". There you can enter your static IP. Please note that this feature is not always available.

Tips for Server Security and Analysis

Please take a look at the following page in our wiki for general information and tips on server security and analysis: Security



© 2016. Hetzner Online GmbH. All rights reserved.