I expect it’s just that the node software is trying to connect to remote nodes, and Hetzner are thinking this is suspicious.
Has anyone else had this issue with Hetzner / other providers, and is there any way I can stop this behaviour, or provide some kind of information to demonstrate to Hetzner that the software isn’t attacking anyone?
I may just say ‘it’s running test P2P network software’ and see if that is sufficient for Hetzner, but any tips on how to manage this issue would be appreciated.
If you look closely at the email they sent you, you can see they listed the suspicious activity (with port numbers from your machine to the IP + port numbers of the scanned machines) which should clearly indicate if it’s your nodes or not (most certainly is) … that list most certainly isn’t even very long compared to a real port-scan (and is nowhere near typical ports for a port-scan or done in a systematic/reasonable way if this should be a port-scan) …
Now if you explain to them that you believe this is a false positive on port scanning, because you are participating in a test for a decentralized data and communications network and we did a test where we shut down somewhere around 25% of nodes last night to simulate a larger outage (that’s what probably happened and from around the time you were probably flagged by their system; not sure who asked for this test but it certainly happened and was successful xD ). Since QUIC traffic uses UDP and not TCP this would explain why the attempt to re-connect to no longer existing nodes (and possibly bootstrapping to new nodes since the network structure re-organized) triggered their UDP port-scanning detection …
… the port-scanning theory doesn’t sound plausible when looking at the flagged connections … and your answer would be very plausible … which most certainly will make them no longer worry about this incident …
I also missed the deadline to respond, but have received some new messages stating:
‘Unfortunately you were mistakenly sent an abuse email. This was caused by an automated detection system. Please ignore the previous email, the abuse case has been closed’
Hopefully they’ll all be treated as false-positives… we’ll see!
I always found Hetzner support to be pretty snappy. Generally I would get an automated reply in seconds and a human within 10-20 mins. But my issues were purely tech or sales not “abuse”.
Support is pretty snappy, but in this case I think no one wants to burn their fingers before talking to the nightshift to find out who uploaded the new SIEM rules without proper testing.
Not even with the Rescue tab in your Hetzner Dashboard?
I don’t have any more dedicated servers so I’m working from memory, otherwise I’d send screenshots.
But it worked well enough for me when I forgot the initial clever-as-eff password I created at setup.
Have you tried requesting a chat or phone session with support?
Again I found them easy to deal with and in faultless English.
Which datacentre is your box in?
I have a dedicated server and 2x VPS through Hetzner, and have been running nodes on them full time since we all started this process. I haven’t gotten any letters about scans. They’ve been pretty easy to work with though when I’ve had other issues and support is generally nice.
I don’t think so. I think that when it comes to swearing, all cultures are about at the same level. We Finns are different in how little below that level we appear to be in our everyday basic lack of politeness.
It’s always a shock to return from abroad, where, when you have been in the same space with others, you have been treated like you actually existed. Here it’s a game of delaying that basic recognition of another human being’s humanness as long as possible.