= A story of the day and one dedicated OVH server =

A day ago I got an email from an OVH bot about something being fishy on one specific dedicated server. I checked some details of that email and it seemed legit, so I had no reason to see it as phishing.

I ssh'ed into it and saw a lot of PrestaShops and WordPresses, also some custom apps. OK, so an urgent ticket for inspection was sent to a dev team and they fixed it.

Now there was a part in the alert email from OVH telling me that I should write back when the problem gets resolved. This one I skipped so as not to mess with the internal procedures for handling these situations, nor did I have a real reason to do it as it got fixed.

The very next day theydown the server into some rescue mode.

I had to remount disk and turn off the hacked app totally.

While I like the emergency tools for restoring the server, I am dreadfully shocked that no info was given about shutting down the whole machine. Any kind of "you have 24 hours to fix this or we willdown the instance"

This is on the edge of legality. A dedicated server can host multiple apps belonging to multiple organisations, and because one of them triggers an alert (100% fg false ) the whole server has to be.


Now that I've ranted enough, is there a similar policy for handling monitoring alerts out there?

I see that for the first time

As much as I like talking about OVH, in that case it's not on them.

You haveon machine? Fix it right away and let them know. It's actually concerning they have to tell you before you actually found out.

Like you said, this machine could have multiple apps belonging to multiple organisations. Do better.

I'm sure what they did will be explicitly set out in the ToS and totally legal as a result, but you got a notification from them about this and ignored it?

If theyoff what they thought to be malicious activity to protect your organisation, and had no information to prove otherwise, it feels like that was exactly what they should have done.

There is no magic gauge for "abuse/no abuse". There are just individual occurrences, often based on reports from third parties, i.e. usually the hosting company can't verify on their own if the problem has been solved. They may not even have ready tools to check, and they certainly don't have the time to do it manually. This is why they need a response from you.

I've had a wide variety of abuse incidents; I always treated them and responded immediately and never had a hosting company interfere with the server on their own. I contact them if I'm not done yet but expect a proper fix may take longer. I contact them if I conclude the report is false (e.g. once I got a report that referred to incidents that happened before the IP was assigned to my server, so I replied that there was nothing for me to do).