V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
通过以下 Referral 链接购买 DigitalOcean 主机,你将可以帮助 V2EX 持续发展
DigitalOcean - SSD Cloud Servers
andy0831liu
V2EX  ›  VPS

linode 服务器突然不能 ssh 了

  •  
  •   andy0831liu · 2018-11-19 09:44:12 +08:00 · 417 次点击
    这是一个创建于 2189 天前的主题,其中的信息可能已经有所发展或是发生改变。

    我们服务器租用的 linode,使用的 ubuntu server 16.04,昨晚用户问说怎么登陆不上网站,打开缓慢,我就登陆到我们的应用服务器,查日志发现数据库服务器连接超时,然后用 ssh 登陆数据库服务器,半天没有反应,过一会提示 connection timed out,但是 ping 是正常的,telnet 80 端口也没问题(数据库服务器也运行了 apache),但是 telnet 22 端口没有反应,直接跳过这个,然后使用 linode 上的 Launch Lish Console 登录到数据库服务器,使用 ps -ef|grep ssh,发现 sshd 进程是正常的,但是在这台服务器上使用 apt install 任何软件都是超时,从这台服务器 ping 其他 IP 跟域名都是正常的,但是从这台服务器 ssh 到应用服务器也是 connection timed out(以前是正常的),iptables 都是没有开启的,然后 netstat|grep 80,会出现提示 getnameinfo,这种问题应该如何解决? 昨天没有在服务器上做任何操作,是晚上用户反馈才发现问题的.

    andy0831liu
        1
    andy0831liu  
    OP
       2018-11-19 10:03:49 +08:00
    收到 linode 发给我消息了

    Hello,

    We have received a report of malicious activity originating from your Linode. We ask that you investigate this matter as soon as you are able. Once you have completed your investigation, kindly reply to this ticket with the answers to the following questions:

    1) What was the source of the issue?
    2) What steps did you take to resolve this issue?
    3) What steps did you take to prevent this from occurring again?

    Being as this activity is in violation of our Terms of Service, we ask that you reply within the next 24 hours. If we do not receive a reply within that time, we may temporarily disrupt service to your Linode in order to prevent further malicious activity.

    -------------------------------------------------------------------
    I think my Linode is compromised. How can I tell?
    -------------------------------------------------------------------
    If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:

    - /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘ last ’ command to cross reference recent account logins with this file.
    - /tmp : This directory is often used by malicious parties to store files
    - Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
    - ps aux : Use this command to audit running processes for foreign processes

    -------------------------------------------------------------------
    My Linode is compromised. What do I do now?
    -------------------------------------------------------------------
    If you discover that your Linode is compromised, we strongly suggest that you redeploy. It is often very difficult to determine the full scope of a vulnerable system. We have a guide that can assist you with redeploying your server that you can find linked below:

    https://www.linode.com/docs/security/recovering-from-a-system-compromise/

    During this process, please continue to keep us updated, and let us know if you have any questions.

    Regards,
    Matt W.
    Linode Support



    Hello,

    I just wanted to reach out and see if you had any new information for us regarding this issue. In order to properly resolve this issue we're going to need responses to the three questions below:

    1) What was the source of the issue?
    2) What steps did you take to resolve this issue?
    3) What steps did you take to prevent this from occurring again?

    At this point network restrictions have been placed on this Linode to prevent this malicious activity from continuing to occur.

    You will need to use the Linode LISH console to access the Linode and address the issue at this point. To see more information on what the LISH console is and how to use it you can reference the documentation below:

    https://www.linode.com/docs/networking/using-the-linode-shell-lish/

    Let us know if you have any questions or there's anything that we can assist you with today.

    Thanks,
    Matt Watts
    Linode Support Team


    现在我该怎么做,他们好像说已经限制我服务器的网络了,我该怎么回复? 我服务器上并没有部署 wordpress,他们建议重新 deploy,但是服务器上有数据库,现在网络限制了,我没办法把数据弄出来
    msg7086
        2
    msg7086  
       2018-11-19 11:52:30 +08:00
    两种做法。一是开一个同区域的机器,把数据通过内网 IP 复制出来。二是新建一个 volume,挂载到旧的机器上,把数据复制出来,等重装系统以后挂载上再拷回去。
    andy0831liu
        3
    andy0831liu  
    OP
       2018-11-19 14:00:03 +08:00
    @msg7086 谢谢,主要是 linode 那边限制我网络访问了,任何服务器都访问不了,说我服务器有恶意行为,我查了日志发现有很多其他 IP 试图登录我服务器,然后跟 linode 技术支持沟通了下,让他们把网络限制放开,然后我登录过去用 iptables 限制了可以访问的 IP 的端口,根本原因就是没有加防火墙。
    msg7086
        4
    msg7086  
       2018-11-19 17:39:33 +08:00
    最主要是要检查服务器是否被黑了。
    如果被黑了,不要多想,直接备份然后重做系统。
    如果没被黑,那 iptables 限制好就行了。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2620 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 10:32 · PVG 18:32 · LAX 02:32 · JFK 05:32
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.