x/build: Scaleway builders offline #21237
Comments
In hindsight, maybe |
Change https://golang.org/cl/52130 mentions this issue: |
@kevinburke, we still don't know what "abuse" they're talking about. I opened a ticket to ask. They have an "Abuses" page to list abuse reports open against you, but there's nothing there: |
Updates golang/go#21237
Change-Id: Iae62120b96235fae84d6c689802506daeac45ca8
Reviewed-on: https://go-review.googlesource.com/52130
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Scaleway replied:
I replied:
So, open questions, assuming our instances were actually 0wned:
I leave this to @jessfraz and @adams-sarah. |
Change https://golang.org/cl/52192 mentions this issue: |
nmap says only ssh is open, but I am doing a more full depth scan for due-diligence |
Firewall sounds like a good idea. No harm, anyway.
…On Mon, Jul 31, 2017 at 10:15 AM, Jess Frazelle ***@***.***> wrote:
nmap says only ssh is open, but I am doing a more full depth scan for
due-diligence
|
Well, there is harm: we have to maintain a bastion host, and we have the inconvenience of having to jump through it or VPN through it or copy files through it whenever we're trying to work. It's not completely free. |
Updates golang/go#21237
Change-Id: Iaaa2f03543d9b85de5bd30814aecacb6d85b8a66
Reviewed-on: https://go-review.googlesource.com/52192
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
I turned the Scaleway builders back on; they should work now. |
I logged into one of our now-back-up 50 ARM servers to check the image's OpenSSH version:
https://packages.ubuntu.com/xenial/openssh-server says 7.2p2-4ubuntu2.1 is the latest. So, I'm starting to doubt the whole DDoS thing. |
I googled around to see if other people have run into this. There are a
bunch of other reports of DDoS from Scaleway.
I was thinking maintenance around firewall is probably better than all the
boxes coming down again?
But maybe not.
…On Mon, Jul 31, 2017 at 10:46 AM, Brad Fitzpatrick ***@***.*** > wrote:
I logged into one of our now-back-up 50 ARM servers to check the image's
OpenSSH version:
# dpkg -s openssh-server | grep ^Version
Version: 1:7.2p2-4ubuntu2.1
https://packages.ubuntu.com/xenial/openssh-server says 7.2p2-4ubuntu2.1
is the latest.
So, I'm starting to doubt the whole DDoS thing.
|
I think Scaleway's mapping from (time, source IP) => customer is flawed. But I also haven't logged the start/stop time of each machine's ephemeral IP addresses either, so I can't say. And they also didn't tell us a time. |
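The missing record described in the comment above, as an added example that is not part of the thread or of the x/build code: a lease log of when each builder held which ephemeral address, so that a provider's (time, source IP) report can be checked against it. `LeaseLog`, `Set`, `Holders`, the builder names, the address and the times are all hypothetical or constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Lease: Builder held ephemeral address IP over [Start, End); zero End = still held.
type Lease struct {
	Builder    string
	IP         netip.Addr
	Start, End time.Time
}
type LeaseLog struct{ leases []Lease } // hypothetical append-only lease record

// Set closes the builder's open lease at `at`, then opens one for ip (zero ip = stopped).
func (l *LeaseLog) Set(builder string, ip netip.Addr, at time.Time) {
	for i := range l.leases {
		if l.leases[i].Builder == builder && l.leases[i].End.IsZero() {
			l.leases[i].End = at
		}
	}
	if ip.IsValid() {
		l.leases = append(l.leases, Lease{Builder: builder, IP: ip, Start: at})
	}
}

// Holders lists the builders that held ip at t; empty means (t, ip) was not ours.
func (l *LeaseLog) Holders(ip netip.Addr, t time.Time) (out []string) {
	for _, le := range l.leases {
		if le.IP == ip && !t.Before(le.Start) && (le.End.IsZero() || t.Before(le.End)) {
			out = append(out, le.Builder)
		}
	}
	return out
}

func constructedLog() (*LeaseLog, netip.Addr, time.Time) { // constructed sample data
	ll, ip, t0 := &LeaseLog{}, netip.MustParseAddr("203.0.113.7"), time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	ll.Set("builder-01", ip, t0)
	ll.Set("builder-01", netip.Addr{}, t0.Add(2*time.Hour)) // instance stopped
	ll.Set("builder-02", ip, t0.Add(5*time.Hour))           // address recycled later
	return ll, ip, t0
}

func main() {
	ll, ip, t0 := constructedLog()
	fmt.Println(ll.Holders(ip, t0.Add(time.Hour)), ll.Holders(ip, t0.Add(3*time.Hour)))
}
```

A report timestamped in the gap between two leases matches no builder, which is the evidence needed to dispute an attribution; the log only helps if `Set` is called from the same code path that starts and stops instances.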
You should not put all servers open to the public. You can have 1 or 3 jump gateway hosts. Then make the others only have private access via a private IP/net range. Then add a firewall for the jump host to limit access IPs. |
@netroby, yeah, that's what the "bastion host" referred to above is. Like I said, there's a non-zero cost in maintaining that, and the machines we're defending against are stateless, can be reimaged & rebooted per builds, and are not valuable (open source code only), so the cost may not outweigh the benefits. It might be easier to just regularly rebuild the images we're using if there are OpenSSH exploits. But we've been running the latest Xenial LTS code with security updates, which is why I suspect Scaleway's finger pointing at our instance is flawed. I doubt somebody wasted their 0 day exploits on the Go continuous build system to do a DDoS attack. |
Cheers |
This outage has been resolved (2 years ago), closing. |
Our Scaleway account has been locked for abuse.
Our 50 linux-arm builders are offline.
/cc @jessfraz @kevinburke @adams-sarah @cybrcodr @aclements @randall77