Hi man,

I will try to explain you how things got in wrong direction for you. OVH don't lie, but they don't have best support that you can find around. Anyway. Last 15-25 days a lot of attacks was made on French ISP's and attacker used Tor IP list to do one part of his sick idea. One of my nodes "in my home" was infected as well. As Linux devs need some time to patch packages that make us vulnerable, we are just attack objects to them. In my case they used exim4 security issue, and as this sh.. comes preinstalled with server ISO i didn't even look to it.

Your are victim of same thing I guess. Classic server side infection from some bot net. Better question is what you can do to protect your servers in the future.

1. Allow logging to your server from one country or IP, for that i use geoip : http://www.axllent.org/docs/view/ssh-geoip/

2. Add simple 2 min settings to fail2ban: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6 (this settings can be used on debian as well etc.)

3. Remove ssh password logins from your servers, use only keys

4. Setup honey-pot on your server and play their game (10-15 job): http://linuxdrops.com/how-to-set-up-a-honeypot-using-smart-and-simple-artillery-debian-6-0/

In the future I will write ansible play-book for this, or some bash or python script to do this on every server i use for Tor nodes.

 

I run one exit node from 2014 with OVH cloud (runabove) and thanks to all security measures I made (using some firewall setting as well) i don't have issue with them, and they respect that i take care about my servers security.

Try same and you will see. Block port 25 as well.