I host my personal blog generated through Jekyll in DigitalOcean and they are closing the droplet for the second time. My network is disabled for the droplet so I don't have much to do. They are telling me about a DDoS attack initiated from my droplet, and previously they closed the droplet and said they can't bring it back, so I moved to another droplet; now this thing is getting repeated. Does anyone else face such a problem?
-------------------
Hi there,
We are sorry to report that we have detected what appears to be a DDoS attack being launched from one or more of your servers.
To shut down this attack, we have disabled the networking interface on the server or servers involved, so further connection would have to be accomplished via the console in our control panel. You need to use the direct link provided, as your control panel access will be limited.
This is the direct link to the console of the affected droplet https://cloud.digitalocean.com/droplets/1559956/console
Please log in at your earliest convenience in order to investigate and remove the program generating the traffic. Once this is done, please also determine how this software came to be installed on your droplet and prevent it from being installed again in the future.
If you need any guidance on how to find and resolve this issue, we recommend reviewing this: https://www.digitalocean.com/community/questions/my-droplet-is-locked-by-support-staff-because-because-of-an-outgoing-flood-or-ddos-what-do-i-do
Once you are done let us know and we will investigate re-enabling your networking.
Please understand that this is a very serious issue, and that should it re-occur we may suspend or even terminate your account to prevent further incidents. If you have any questions or need any guidance on how to protect your servers please let us know.
Thank you,
DigitalOcean Support
----------------
About that, I had the absolutely same issue, but I was hosting WordPress.
The first thing I was doing after setting up a droplet was changing the password to something that was easier for me to remember, something along the lines of 'qweasdzxc' but a bit harder combination. This was a huge mistake on my part.
Apparently my password was being bruteforced and once they got root access the DDOS attacks were being performed. What I did was delete the first droplet, start a new one and just change the default password by adding a few numbers after it. Then I went ahead and installed fail2ban (https://www.digitalocean.com/community/tutorials/how-to-prot...) + some iptables configurations that are shown in that link. It practically makes bruteforcing your droplet close to impossible (at least I think so).
If you need any assistance you can contact me through my profile e-mail and I would gladly help you. Remember though you will need a clean droplet, because your system was already compromised and there are holes in it, so simply installing fail2ban will not be enough.
P.S. I had to make a new account to post that comment, I guess my old account was punished or something.
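The pattern the comment above describes (repeated password guesses against root, then a successful login) can be checked for in sshd's log. This is an added example, not part of the thread: it assumes the common OpenSSH `auth.log` line format, uses constructed sample lines, and its `max_retry`/`find_time` parameters mirror fail2ban's `maxretry`/`findtime` idea; the `year` argument is an assumption because syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's auth.log format (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 02:14:01 blog sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 blog sshd[813]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 02:14:05 blog sshd[815]: Failed password for root from 203.0.113.7 port 40116 ssh2
Mar  3 02:14:08 blog sshd[817]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar  3 02:14:10 blog sshd[819]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 02:14:12 blog sshd[821]: Accepted password for root from 203.0.113.7 port 40122 ssh2
Mar  3 02:20:00 blog sshd[830]: Failed password for invalid user admin from 198.51.100.20 port 5000 ssh2
Mar  3 02:20:30 blog sshd[832]: Failed password for invalid user admin from 198.51.100.20 port 5002 ssh2
Mar  3 09:01:44 blog sshd[901]: Accepted password for deploy from 192.0.2.44 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def analyse(log_text, max_retry=5, find_time=timedelta(minutes=10), year=2024):
    """Return (ips_over_threshold, logins_accepted_after_a_failure_burst)."""
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    to_ban, compromised = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Slide the window: forget failures older than find_time.
        failures[ip] = [t for t in failures[ip] if ts - t <= find_time]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) >= max_retry:
                to_ban.add(ip)  # the point at which a ban would trigger
        elif len(failures[ip]) >= max_retry:
            # A login that succeeded right after a burst of failures.
            compromised.append((ip, m["user"]))
    return to_ban, compromised

if __name__ == "__main__":
    ban, hits = analyse(SAMPLE_LOG)
    print("over threshold:", sorted(ban))
    print("accepted after failure burst:", hits)
```

An entry in the second list means the guessing succeeded, which is the case where the machine should be rebuilt rather than patched up.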
Did you actually read their email to you? You have console access so you should probably access your droplet that way, find how your droplet got compromised and remove what's causing the outbound DDOS. DO is an unmanaged service, so if you're incapable of managing and securing your server, perhaps try a managed provider.
Reading the mail seems clear enough - your server/droplet was sending traffic. If you think it was just hosting a (static) blog then it has presumably been compromised.
Did you follow the advice link? Did you look for signs of compromise?
On the face of it disabling a compromised server is precisely the right thing to do - to stop it attacking other users, even if that puts your site offline. Or do you disagree?
Not sure if this matters but I realized that DigitalOcean recycles droplets, i.e. they re-assign the same IP to a new client, taking it from a previous client who might have left/deleted their account. It happened to me actually. Of course, that may not be a big deal but I noticed that I was getting a lot of traffic from a certain domain that still points to my IP (they probably had that droplet IP before).
I don't like that but DO said there is nothing they can do because the domain owner has to change the nameservers.
Digital Ocean is not at all safe to use. They disabled my account, which had a credit of 100$ from the student pack. I have been paying 5$ for a droplet for 4 months and they are now locking my account without any genuine reason. Neither do they listen to any queries; rather, they respond back saying "We will not unlock your account."
I am also frustrated by them. It's not safe and reliable to host applications on Digital Ocean servers because they can become assholes anytime.
If you generate your blog using Jekyll and are not using any custom plugins, why don't you host it on GitHub?
Even if you use custom plugins, you can still generate the blog locally and push the resulting HTML to a Git repo.
Look at https://github.com/jekyll/jekyll/issues/325