V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
通过以下 Referral 链接购买 DigitalOcean 主机,你将可以帮助 V2EX 持续发展
DigitalOcean - SSD Cloud Servers
kevinwkxw
V2EX  ›  VPS

因搬瓦工提供的系统漏洞而被黑, vps 被搬瓦工禁用 1 年

  •  1
     
  •   kevinwkxw · 2018-08-11 11:50:33 +08:00 · 699 次点击
    这是一个创建于 2288 天前的主题,其中的信息可能已经有所发展或是发生改变。

    事情是这样的,去年年底时再搬瓦工买了 29.9 刀的 VPS,安装了搬瓦工提供的 CentOS7-x64-bbr,系统中只安装了梯子。这个梯子一直用到 8 月初。

    就在这个月初,我的 VPS 被搬瓦工禁用了。禁用的理由是:

    Network abuse: Mass Mailing
    

    提示我还有两次机会(如果被禁用三次,一年内服务无法恢复)。初步看了下应该是 vps 被黑了,再一直发送垃圾邮件。 这时我申请了恢复,并重启了 vps,打算排查下问题。很快 vps 又被禁用。原因同上,因为恶意程序又在发送垃圾邮件。根本没有时间排查问题。

    这次不敢大意了,给搬瓦工提了工单。一天后客服给了句重新安装系统。我想重装就重装吧,反正也没有使用重要数据,最多重新搭下,麻烦点就麻烦点。按照搬瓦工客服的方法,又重新安装了搬瓦工提供的 CentOS7-x64-bbr。但刚装了梯子,vps 又被搬瓦工停用了。原因一模一样。也就十来分钟的时间。这时,系统被停用了 3 次,被搬瓦工禁用一年。

    可这次是安装了全新的搬瓦工提供的系统,却立刻被中毒,说明搬瓦工提供的系统有严重漏洞。在这种情况下按说应该给我恢复系统,因为责任不在为这。可搬瓦工不光不给恢复使用,甚至提出要求我付 50 刀才肯恢复的无理要求。

    我想,这段时间因这个系统漏洞被搬瓦工禁用的绝对不止我一个。大家有没有遇到过被搬瓦工禁用的问?可一起讨论下,看有没有什么对策。

    这件事前前后后耗了我一周的时间。对搬瓦工的服务质量、服务态度彻底失望。

    下面是与搬瓦工客服的沟通:

    我,Sunday, August 5th, 2018 (03:16 )

    My vps is hacked, the system has detected a large number of smtp connections originating from my server. New it has been suspended. how can i resolve the issue?

    客服, Monday, August 6th, 2018 (02:28)

    We do not tolerate any abuse on our network, no matter what it is intentional or not. However, we will give our customers 3 chances in a calendar year. You have 1 more chances and your account will be suspended until January 1 next year if you do not take care of this issue seriously.

    Please note that we don't have any intention to suspend your account, but we need to make sure that we are providing the best services to our customers all over the world and we do not tolerate anything that affects our customers from using our VPS's.

    So, now you can login back to the KiwiVM control panel and resolve this isse without any difficulties by agreeing to the conditions displayed in the control panel and pressing the button which says "I understand the issue and ready to resolve it right away".

    This issue usually happens when your server is rooted/hacked. Make sure you install clean OS immediately after resuming service, otherwise the issue will repeat. Also, make sure that there are no viruses on your installed programs which may cause this issue to happen again.

    Please do not hesitate to contact us if you need any further assistance in the future.

    我,Monday, August 6th, 2018 (19:13 )

    I take your advice and I have reinstalled my server, now the vps is a clean centos-7-bbr provided by you. but the issue is still existing. And now my server is suspended during this year. I hope my service and be recovered as soon as possible.

    客服,Tuesday, August 7th, 2018 (14:36)

    We do not tolerate any abuse on our network, no matter intentional or not. You have been warned 3 times, but the issue was not fixed, so now you would have to wait until next year before VPS can be unsuspended again.

    If you'd like to download a full backup of your VPS, you can do that in the KiwiVM panel (Snapshots menu).

    Please note that per our Terms of Service we reserve the right to charge $50 fee for each repeat incident, which means we would have already billed you twice for the last two incidents. We did not do that in your case because we value our relationship with our customers. We trust that our customers take abuse issues seriously and fix them promptly.

    Having said all that, what we can do is the following: we can issue you the $50 bill for the last abuse incident as per our Terms of Service. Once paid, we will reset your suspension count to zero so you can resume operation. Let us know if this works for you.

    In the meantime, we highly recommend hiring an experienced Linux administrator who can help you secure your VPS. Also, note that in many cases abuse issues are caused by a virus on the client's PC.

    Please do not hesitate to contact us if you need any further assistance in the future.

    我,Tuesday, August 7th, 2018 (22:02 )

    I have taken your advice and reinstalled a new clean OS, the OS was 'Centos 7 x86_64 bbr'. But after I have reinstalled the OS, a mail notification told me that my server was suspended. I Think the problem is that there are some vulnerabilities in 'Centos 7 x86_64 bbr ' provided by your platform. My server was hacked because of your platform security problems. I don't do anything to violate your Terms of Service, I don't think the problem is on me. Your platform security problem has impacted my service seriously, I hope to recover my service AS SOON AS POSSIBLE and FREE.

    客服,Wednesday, August 8th, 2018 (12:40)

    My sincere apologies for any inconvenience. However, please note that all our services are self-managed. While we invest heavily into making sure all our equipment and networks are kept in the best possible shape, we do not manage or offer support for customer's applications. In other words, we do not assist with installing and configuring applications, troubleshooting, recovering from backups, etc. - these are the sole responsibility of the Customer. Should you need assistance of such level, then we highly recommend hiring a Linux administrator who can help you with these tasks.

    We must be strict about this rule in order for our pricing to stay sustainable - we want to keep delivering rock-solid, stable service at a very low cost.

    I can confirm that currently we are not experiencing any service interruptions; all our equipment and network are functioning normally.

    If you have difficulties connecting to the server, we highly recommend trying out our Interactive console (available in KiwiVM) as it allows to access your VPS even if SSH is disabled.

    If you do not have root login info, then you may either reset root password via KiwiVM, or use Interactive console to boot your VPS in single user mode to reset root password.

    To download a full copy of your VPS please use Snapshots menu in the KiwiVM.

    Please do not hesitate to contact us if you need any further assistance in the future

    我,Wednesday, August 8th, 2018 (21:14 )

    I don't think so. The OS that I have installed is provided by you, and after a very short time I reinstalled the system, my server was hacked, then my server was suspended by you. I even have no time to maintain the server.

    We have Linux administrator maintain the server, but because of your OS's vulnerabilities, we have NO TIME and NO METHOD to maintain the server. We can't access the server by ssh and kiwi panel. The responsibility is not on our.

    I hope to recover our server or get my refund.

    客服,Thursday, August 9th, 2018 (14:06 )

    Please do not try to shift the blame to us. I am afraid we are not going to be able to add anything to this discussion.

    我,Thursday, August 9th, 2018 (21:45 )

    I have payed you money, but now you suspend my service on no reasonable reason. Your behavior is telling us that you are fucking your customers.

    At last, there only two actions I can take:

    1. Post the issue to community forum.
    2. NEVER USING YOUR SERVICE.

    这时,客服关闭了我的工单。

    5 条回复    2018-08-13 20:39:31 +08:00
    hjmnoah
        1
    hjmnoah  
       2018-08-12 04:34:02 +08:00
    搬瓦工没啥问题,self manage 的服务就是需要你自己来操心安全问题的,即便是提供的模板有漏洞,拿到机子之后也可以做快速升级,修改密码,修改 ssh 端口,关闭密码鉴权,安装 fail2ban 等操作来防止被黑。如果实在是被黑太快,换个模版也就行了。

    服务器被拿去发垃圾邮件,服务商的 IP 是要进黑名单的,对他们来说是损失了一个 IP,一年给三次机会已经很不错了
    kevinwkxw
        2
    kevinwkxw  
    OP
       2018-08-12 09:54:32 +08:00
    @hjmnoah 你说的这些事情一般在一个很短的时间能很难完成这些操作。被黑甚至不排除搬瓦工恶意为之。任何一家服务商对其提供的模板定时修复其漏洞我觉得这是其服务的一部分。照目前这样下去,我想会越来越多的人受害。
    msg7086
        3
    msg7086  
       2018-08-12 10:46:44 +08:00
    > 但刚装了梯子,vps 又被搬瓦工停用了。

    装了梯子?
    datocp
        4
    datocp  
       2018-08-12 18:30:29 +08:00
    问题的问题在为什么一使用就有这些连接存在。这个问题几年前就有网友反应了,声称安全的软件难道本身就是有漏洞存在。

    对于搬瓦工,我觉得搬瓦工的服务非常好,不像 vultr 那么吊,直接说退款就删号了。。。而楼主的问题,首先责任在于对梯子软件是否有漏洞,以及分享人群是否有滥用的情况。另外一个问题在于你不了解 iptables 防火墙,当年有网友反应这个问题的时候,当时就直接加了下面的规则,只是我一直用 stunnel,似乎从来没遇到过类似问题,但是看到用飞机的网友倒是反应了不少。我个人对飞机的安全性是一直有疑问的,因为早在 2015.1.1 就发生了一个奇怪的因为 DNS 问题而导致客户端上不了网的情况,当然 2015.1.2 就修复了。问题是 socket5 本身就有远程 DNS 代理功能,怎么会有这种问题发生了。从那天开始我就不敢用飞机了,程序员收集隐私的爱好的例子举不胜举。
    iptables 关于-P INPUT DROP。当时在默认使用-P INPUT ACCEPT 时,我也一度认为根本就没设定端口,为什么程序可以连接上来,我错了,就得设定成-P INPUT DROP 才可以杜绝任何非自己允许的端口连接。自己去搜搜 iptables 的使用方法吧。这种问题怪不了搬瓦工,本身 vps 就是自管理自己负责安全控制的。

    root@default:/tmp# iptables -S OUTPUT
    -P OUTPUT ACCEPT
    -A OUTPUT -o venet0+ -j quota40g
    -A OUTPUT -p tcp -m multiport --dports 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
    -A OUTPUT -p udp -m multiport --dports 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
    -A OUTPUT -p tcp -m multiport --dports 21,22,23,993,995,1109,24554,60177,60179 -j DROP
    -A OUTPUT -p udp -m multiport --dports 993,995,1109,24554,60177,60179,61234 -j DROP
    -A OUTPUT -m state --state INVALID -j DROP

    root@default:/tmp# iptables -S INPUT
    -P INPUT DROP
    -A INPUT -d xxx.xxx.124.5/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,URG RST -j DROP
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -f -j DROP
    -A INPUT -i venet+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i vpns+ -j ACCEPT
    -A INPUT -i tap_sof+ -j ACCEPT
    -A INPUT -p ipv6 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 22,26241 -j ACCEPT
    -A INPUT -p udp -m multiport --dports 500,1194,1701,4000,4500,8000 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
    -A INPUT -j LOG --log-prefix INPUT_DROP_
    kevinwkxw
        5
    kevinwkxw  
    OP
       2018-08-13 20:39:31 +08:00
    @datocp 其实使用 iptables 直接禁掉目的端口为 25 的所有连接的方法是考虑过的,反正我不用户发送邮件,可无奈时间太短。把搬瓦工的镜像导了出来,后面抽空研究研究。

    昨天换了 Linode,目前正常运行。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5371 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 28ms · UTC 07:33 · PVG 15:33 · LAX 23:33 · JFK 02:33
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.