Hetzner - DokuWiki

Guide to server locks

Is my server locked?

If your server is locked, you will be informed about it by e-mail. You can also check for yourself whether your server is affected. One way is to run a traceroute to your server: on a Windows computer use tracert.exe, on a Linux computer use traceroute to start the diagnosis. If your server really has been locked, you will get output similar to this:

[root@www ~]# traceroute 213.239.XXX.XXX
traceroute to 213.239.XXX.XXX (213.239.XXX.XXX), 30 hops max, 38 byte  packets
1  192.168.0.1 (192.168.0.1)  3.416 ms  2.870 ms  1.964 ms
2  BBRAS-SR-ERX2-DEFAULT.nefkom.de (212.114.214.8)  25.070 ms  15.886  ms  17.453 ms
3  gi1-9.r2.nue2.m-online.net (212.18.6.237)  13.509 ms  13.117 ms   21.906 ms
4  gi3-17.r1.nue1.m-online.net (212.18.6.77)  13.822 ms  12.883 ms  13.028 ms
5  nix-gw.hetzner.de (195.85.217.16)  13.680 ms  13.333 ms   13.045 ms

In this case the traceroute does not end at your server but at the first router of Hetzner Online AG. The name of that router depends on the uplink of your Internet connection and is usually structured as follows:

(uplink)-gw.hetzner.de

Examples of most commonly used uplinks are:

dtag-gw.hetzner.de
noris-gw.hetzner.de
decix-gw.hetzner.de
nix-gw.hetzner.de

As an alternative to the traceroute, you can also send us a support request from your administration panel at https://robot.your-server.de
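The rule above (the trace stops at an (uplink)-gw.hetzner.de router instead of at the target) can be applied to saved traceroute output. This is an added example, not code from the original page; the two sample traces are constructed, with a placeholder target and made-up hop addresses.

```python
import re

# Constructed sample outputs in the shape of the traceroute above; the
# target address is a placeholder and the hop addresses are made up.
SAMPLE_LOCKED = """\
traceroute to 213.239.XXX.XXX (213.239.XXX.XXX), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  3.416 ms  2.870 ms  1.964 ms
 2  gi3-17.r1.nue1.m-online.net (212.18.6.77)  13.822 ms  12.883 ms  13.028 ms
 3  nix-gw.hetzner.de (195.85.217.16)  13.680 ms  13.333 ms  13.045 ms
"""
SAMPLE_REACHED = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  3.416 ms  2.870 ms  1.964 ms
 2  nix-gw.hetzner.de (195.85.217.16)  13.680 ms  13.333 ms  13.045 ms
 3  203.0.113.10 (203.0.113.10)  14.101 ms  13.950 ms  14.220 ms
"""

TARGET_RE = re.compile(r"^traceroute to (\S+) \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)")      # hops that answered
GATEWAY_RE = re.compile(r"^[a-z0-9-]+-gw\.hetzner\.de$")   # (uplink)-gw.hetzner.de

def last_hop(output):
    """Return (hostname, ip) of the last hop that answered, or None."""
    hops = [m for m in map(HOP_RE.match, output.splitlines()) if m]
    return (hops[-1].group(1), hops[-1].group(2)) if hops else None

def lock_status(output):
    """Classify a trace: 'reached' (target answered), 'locked' (trace ends
    at a Hetzner uplink gateway instead of the target) or 'unknown'."""
    target = TARGET_RE.match(output)
    hop = last_hop(output)
    if not target or hop is None:
        return "unknown"
    host, ip = hop
    if ip == target.group(2):
        return "reached"
    if GATEWAY_RE.match(host):
        return "locked"
    return "unknown"   # trace died elsewhere (filtering, timeout), not a lock
```

A trace that dies at some other router, or one full of `* * *` hops, is reported as unknown rather than as a lock; in that case use the support request instead.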

Why was my server locked?

The most common reasons for locking a server are:

  • Attacks from or on your server
  • Disruption of the network by port scans
  • Incorrect network configuration

We lock servers to maintain network stability, but also to protect the owner of the server(s) concerned. For example, by locking the server we prevent the generation of unwanted traffic for which the customer would have to pay. Furthermore, there is a danger that a compromised server will be used for illegal activities, which may lead to compensation claims. Locking a server helps to protect our customers against such threats. To help you analyze the reasons for the lock, a log file with detailed information is attached to the e-mail.

There are three different kinds of log file.

Information on port scans / netscans

###################################################################
#          Netscan detected from host   x.x.x.x                   #
###################################################################

time                       src_ip         	dest_ip:dest_port
-------------------------------------------------------------------
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.0:   22
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.1:   22
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.2:   22
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.3:   22
.....

This log shows only outgoing connections, listing the destination IP and destination port of each connection. This makes it easy to find the cause of the problem.
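What the netscan log lets you read off is the sweep pattern: one source, one destination port, many consecutive destination addresses within a few seconds. The following Python, an added example and not code from the page, parses lines in that layout and reports that pattern per port; the log lines are constructed (the source stays the page's x.x.x.x placeholder).

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed lines in the layout of the netscan log above (source is the
# page's x.x.x.x placeholder, destinations are made up).
SAMPLE_LOG = """\
time                       src_ip          dest_ip:dest_port
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.0:   22
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.1:   22
Thu Nov 13 18:14:27 2008:   x.x.x.x =>         65.98.236.2:   22
Thu Nov 13 18:14:28 2008:   x.x.x.x =>         65.98.236.3:   22
Thu Nov 13 18:14:28 2008:   x.x.x.x =>         65.98.236.4:   22
Thu Nov 13 18:14:29 2008:   x.x.x.x =>        65.98.237.20:   80
"""

LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}):\s+(\S+) =>\s+([\d.]+):\s+(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst_ip, dst_port); header lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def summarize(log):
    """Per destination port: distinct targets, seconds covered, and whether
    the targets form one contiguous address range (the signature of a sweep)."""
    by_port = {}
    for ts, _src, dst, port in parse(log):
        e = by_port.setdefault(port, {"first": ts, "last": ts, "targets": set()})
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["targets"].add(ip_address(dst))
    report = {}
    for port, e in by_port.items():
        addrs = sorted(e["targets"])
        contiguous = len(addrs) > 1 and int(addrs[-1]) - int(addrs[0]) == len(addrs) - 1
        report[port] = {"targets": len(addrs),
                        "seconds": (e["last"] - e["first"]).total_seconds(),
                        "contiguous": contiguous}
    return report

def sweep_ports(log, min_targets=5, max_seconds=60):
    """Ports on which many distinct hosts were contacted within a short window."""
    return sorted(p for p, s in summarize(log).items()
                  if s["targets"] >= min_targets and s["seconds"] <= max_seconds)
```

The port that comes out of sweep_ports tells you which service on the server (here something talking to port 22 on a whole /24) to look for in the process list.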

Summary report on exceeded packet limits

Direction OUT
Internal x.x.x.x
Sum                     62.790 packets/s , 14 MBit/s
External 125.162.12.67, 62.770 packets/s , 13 MBit/s
External 72.14.220.136,      3 packets/s ,  0 MBit/s
External 66.249.72.235       3 packets/s ,  0 MBit/s

This log does not list each connection but summarizes the traffic for every destination IP. It shows the traffic caused, the number of connections and the resulting packet rates. This reveals the target of an attack and gives you a hint which application might be involved. In this case too, only outgoing connections are shown.

Detailed traffic dump

21:44:53.145756 IP x.x.x.x.55008 > 76.9.23.182.29615: UDP, length 9216
21:44:53.145883 IP x.x.x.x.55030 > 76.9.23.182.45527: UDP, length 9216
21:44:53.146007 IP x.x.x.x.55046 > 76.9.23.182.1826: UDP, length 9216
21:44:53.146126 IP x.x.x.x.55064 > 76.9.23.182.34940: UDP, length 9216
21:44:53.146249 IP x.x.x.x.55080 > 76.9.23.182.20559: UDP, length 9216
21:44:53.146371 IP x.x.x.x.55093 > 76.9.23.182.31488: UDP, length 9216
21:44:53.146493 IP x.x.x.x.55112 > 76.9.23.182.56406: UDP, length 9216
21:44:53.146616 IP x.x.x.x.55132 > 76.9.23.182.43714: UDP, length 9216
21:44:53.146741 IP x.x.x.x.55147 > 76.9.23.182.64613: UDP, length 9216

In this case a detailed traffic dump is created that contains both incoming and outgoing connections. Here you can see the following information: destination IP, destination port, and the size and type of the packets. Recording every packet would produce a huge amount of data, which is why you only see a small part of the traffic. This data allows you to recognize patterns and use them for further analysis. If you need further assistance with the log files, we are happy to help.
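The summary report and the detailed dump describe the same traffic at two levels of detail. As an added example (not code from the original page), the Python below rebuilds a per-destination summary, in the style of the packet-limit report, from dump lines like the ones above, counting only packets sent by your own address; the dump lines are the page's own, with the x.x.x.x placeholder kept.

```python
import re
from collections import defaultdict
from datetime import datetime

# Dump lines copied from the trafficdump example above (the source address is
# the page's x.x.x.x placeholder); any tcpdump output of this shape will do.
SAMPLE_DUMP = """\
21:44:53.145756 IP x.x.x.x.55008 > 76.9.23.182.29615: UDP, length 9216
21:44:53.145883 IP x.x.x.x.55030 > 76.9.23.182.45527: UDP, length 9216
21:44:53.146007 IP x.x.x.x.55046 > 76.9.23.182.1826: UDP, length 9216
21:44:53.146126 IP x.x.x.x.55064 > 76.9.23.182.34940: UDP, length 9216
21:44:53.146249 IP x.x.x.x.55080 > 76.9.23.182.20559: UDP, length 9216
"""

PKT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\w+), length (\d+)$")

def parse(dump):
    """Yield (time, src, dst, dst_port, proto, length) for each packet line."""
    for line in dump.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2),
                   m.group(4), int(m.group(5)), m.group(6), int(m.group(7)))

def summarize(dump, src):
    """Rebuild a per-destination summary (like the packet-limit report above)
    from a detailed dump, counting only packets sent by `src`.  Rates are taken
    over the time span of the excerpt, so a 1 ms excerpt gives the burst rate;
    `length` is the payload length tcpdump printed, so Mbit/s excludes headers."""
    per_dst = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set(), "protos": set()})
    times = []
    for t, s, d, dport, proto, length in parse(dump):
        if s != src:
            continue                      # incoming packet: not sent by this host
        times.append(t)
        e = per_dst[d]
        e["packets"] += 1
        e["bytes"] += length
        e["ports"].add(dport)
        e["protos"].add(proto)
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    report = {}
    for d, e in per_dst.items():
        report[d] = {"packets": e["packets"], "dst_ports": len(e["ports"]),
                     "protos": sorted(e["protos"]),
                     "pps": e["packets"] / span if span else None,
                     "mbit_s": e["bytes"] * 8 / span / 1e6 if span else None}
    return report
```

A single destination receiving large UDP packets on many random ports at a high packet rate, as in this excerpt, is the shape of a flood; the source port of those packets is what to look for with lsof on the server.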

When will my server be back online?

First of all, the problem has to be solved. Only after you have solved it can your server go back online. We require a signed statement by e-mail or fax explaining how you have solved the problem and what you have done to avoid the same problem in future. You can download this form here.

To help you resolve the reason for the lock, we offer you (in the administration panel https://robot.your-server.de/ -> Main functions -> Servers -> Server locking) the possibility to get access to your locked server by entering your current public IP address (e.g. the IP address assigned to you by your Internet service provider).

This is only possible for one of the following reasons:

  • Server has launched an attack
  • Server has scanned the network
  • Abuse

In all other cases we will provide you with a remote console (LARA) with which you can try to resolve the problem. We can only unlock your server once you are absolutely sure that the problem is resolved; otherwise the server will simply continue, e.g. with an attack, and we will have to lock it again. To apply for a remote console, please open a support ticket via your admin interface: https://robot.your-server.de/ -> Support -> Requests -> Order remote console Lara

How can I examine my server for security vulnerabilities?

First of all, please check the log files of the server. There you can often find information on how the malicious software entered the system. Log files cannot give you full certainty, however, as they are often altered or deleted by malicious software.

On the following websites you will find programs that can help you search for malicious software

To get a list of all running processes on your server, use „ps auxf“ or „top“. These tools give you information about the CPU time and memory usage of the individual processes.

Should you find a suspicious process, you can investigate further with the command „lsof“. It shows you open files, directories, Unix sockets, IP sockets and pipes. Run with the appropriate options, „lsof“ displays all files and network connections opened by a certain process, all processes that have opened a particular file or network connection, or the names of all processes waiting on a network connection. For a detailed listing of all open files and network connections of one process, use the command „lsof -p <process ID>“. If you find a security breach on your server, you should check the following:

  • Do you install security updates regularly?
  • Is there a vulnerability that was recently discovered in a software which is running on the server?
  • Do you use insecure passwords?

Once you have discovered the source of the problem, the question arises how to proceed. The safest path is to re-install your operating system. Continuing to use a compromised operating system poses great risks, as you can never be sure that it is really free of malware. However, a new installation of the server only makes sense if you have found out the exact cause of the lock: a new installation without closing the security hole would be useless, because the system could be compromised the same way again. After the operating system is re-installed, backups from the previous system are usually restored. Please be careful: malicious software may be located in your backup as well.



© 2020 Hetzner Online GmbH. All rights reserved.