On 2016-10-05 at 09:55, teor wrote:
Hi,
Does anyone have experience running a long-lived Exit on OVH / So You Start?
We've just received a threat to shut down our OVH Exit due to abuse complaints. We were responding to these automated reports (mainly SSH brute force) with template responses, offering to block the destination IP and port if the remote site wanted us to. We never received a reply.
What does OVH expect its Exit operators to do with complaints? Should we have blocked each complaining IP address as soon as we received a complaint?
Tim
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org

tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi Tim,
I am hosting a Tor exit node on kimsufi (also a company of OVH, it's very similar to So You Start) and got two complaints from them.
The first one was a 4K port scan on port 10000 done via my exit node, and they said they'll have to shut down the server if it happens again. I responded to that incident via mail that I blocked port 10000 and got no answer so far (that was about 2 months ago).
Currently, only a few days/weeks back, they sent another abuse report to my mail address, 5K port scans on port 22. This time around, they put my server into recovery mode (read-only) to prevent further "hacking attacks" as they call it. I reset the boot mode (Netboot in your customer interface btw) to normal HDD boot and blocked port 22 via exit policy, but this time I didn't send an email to them, as they didn't answer my first one.
Abuse complaints from other companies or individuals were never sent to me though, if there were any on OVH's side. Those two incidents were automatic reports and detections from OVH's anti-abuse/anti-hacking infrastructure.
Best, Michael