linode 服务器突然不能 ssh 了

收到 linode 发给我消息了

Hello,

We have received a report of malicious activity originating from your Linode. We ask that you investigate this matter as soon as you are able. Once you have completed your investigation, kindly reply to this ticket with the answers to the following questions:

1) What was the source of the issue?
2) What steps did you take to resolve this issue?
3) What steps did you take to prevent this from occurring again?

Being as this activity is in violation of our Terms of Service, we ask that you reply within the next 24 hours. If we do not receive a reply within that time, we may temporarily disrupt service to your Linode in order to prevent further malicious activity.

-------------------------------------------------------------------
I think my Linode is compromised. How can I tell?
-------------------------------------------------------------------
If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:

- /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘ last ’ command to cross reference recent account logins with this file.
- /tmp : This directory is often used by malicious parties to store files
- Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
- ps aux : Use this command to audit running processes for foreign processes

-------------------------------------------------------------------
My Linode is compromised. What do I do now?
-------------------------------------------------------------------
If you discover that your Linode is compromised, we strongly suggest that you redeploy. It is often very difficult to determine the full scope of a vulnerable system. We have a guide that can assist you with redeploying your server that you can find linked below:

https://www.linode.com/docs/security/recovering-from-a-system-compromise/

During this process, please continue to keep us updated, and let us know if you have any questions.

Regards,
Matt W.
Linode Support



Hello,

I just wanted to reach out and see if you had any new information for us regarding this issue. In order to properly resolve this issue we're going to need responses to the three questions below:

1) What was the source of the issue?
2) What steps did you take to resolve this issue?
3) What steps did you take to prevent this from occurring again?

At this point network restrictions have been placed on this Linode to prevent this malicious activity from continuing to occur.

You will need to use the Linode LISH console to access the Linode and address the issue at this point. To see more information on what the LISH console is and how to use it you can reference the documentation below:

https://www.linode.com/docs/networking/using-the-linode-shell-lish/

Let us know if you have any questions or there's anything that we can assist you with today.

Thanks,
Matt Watts
Linode Support Team


现在我该怎么做，他们好像说已经限制我服务器的网络了，我该怎么回复? 我服务器上并没有部署 wordpress，他们建议重新 deploy，但是服务器上有数据库，现在网络限制了，我没办法把数据弄出来

两种做法。一是开一个同区域的机器，把数据通过内网 IP 复制出来。二是新建一个 volume，挂载到旧的机器上，把数据复制出来，等重装系统以后挂载上再拷回去。

@msg7086 谢谢，主要是 linode 那边限制我网络访问了，任何服务器都访问不了，说我服务器有恶意行为，我查了日志发现有很多其他 IP 试图登录我服务器，然后跟 linode 技术支持沟通了下，让他们把网络限制放开，然后我登录过去用 iptables 限制了可以访问的 IP 的端口，根本原因就是没有加防火墙。

最主要是要检查服务器是否被黑了。
如果被黑了，不要多想，直接备份然后重做系统。
如果没被黑，那 iptables 限制好就行了。