Guideline for locked products

Last change on 2022-01-18 • Created on 2020-03-18

Introduction

There are some situations in which we are forced to lock a product. Often this will be a single IP, but it can also apply to multiple IPs or even entire servers or storage boxes. If we lock a product, we always send an email explaining the situation.

If you didn't receive an email or if you are unsure if we have really locked a product, please send us a support request via the Robot administration interface. Alternatively, you can run a traceroute to your server. If the traceroute ends at the first Hetzner router, which you will see in the form core-backbone.hetzner, then we have locked the server. In Windows, you can start a traceroute by running tracert.exe. In Linux, the correct command is traceroute.

Reasons we lock products

The most common reasons for locking a product are:

  • Non-payment
  • Abuse
  • Hosting phishing/malware/copyright infringing material, etc.
  • Sending spam
  • Network
  • Attacks from your server
  • Network scans from your server
  • Incorrect network configuration

We lock servers for multiple reasons, including protecting our infrastructure, as a precautionary measure to prevent any possible further abuse, and to protect the server owner.

Network log files

For most network issues, to help you analyze the problem, we include a log file with as much information as we have in the email we send you. Important note: We don't have additional information or log files. We don't have software access to your server, so we cannot see what exactly is going on. Please check your own internal server logs and analyze the issue yourself.

Information on port-/netscans

###################################################################
#          Netscan detected from host   10.0.0.1                  #
###################################################################

time                        src_ip		  dest_ip:dest_port
-------------------------------------------------------------------
Thu Nov 13 18:14:27 2021:      10.0.0.1 =>           10.0.0.2:   22
Thu Nov 13 18:14:27 2021:      10.0.0.1 =>           10.0.0.3:   22
Thu Nov 13 18:14:27 2021:      10.0.0.1 =>           10.0.0.4:   22
Thu Nov 13 18:14:27 2021:      10.0.0.1 =>           10.0.0.5:   22
.....

This log shows the exact time and the source IP, as well as the destination IP and port.

Summary on exceeded packet limits

Direction OUT
Internal 198.51.100.1
Threshold Packets 100,000 packets/s
Sum                40,674,000 packets/300s (135,580 packets/s), 40,673 flows/300s (135 flows/s), 5.909 GByte/300s (161 MBit/s)
External 10.0.0.6, 40,668,000 packets/300s (135,560 packets/s), 40,667 flows/300s (135 flows/s), 5.909 GByte/300s (161 MBit/s)
External 10.0.0.7,      5,000 packets/300s (16 packets/s),           5 flows/300s (0 flows/s),   0.000 GByte/300s (0 MBit/s)
External 10.0.0.8,      1,000 packets/300s (3 packets/s),            1 flows/300s (0 flows/s),   0.000 GByte/300s (0 MBit/s)

This log does not list each connection separately; instead it displays a summary of the traffic per destination IP. It shows the packet rates, the flow rate, and the total connection speed.

Detailed traffic dump

21:44:53.145756 IP 10.0.0.1.55008 > 10.0.0.2.29615: UDP, length 9216
21:44:53.145883 IP 10.0.0.1.55030 > 10.0.0.2.45527: UDP, length 9216
21:44:53.146007 IP 10.0.0.1.55046 > 10.0.0.2.1826:  UDP, length 9216
21:44:53.146126 IP 10.0.0.1.55064 > 10.0.0.2.34940: UDP, length 9216
21:44:53.146249 IP 10.0.0.1.55080 > 10.0.0.2.20559: UDP, length 9216
21:44:53.146371 IP 10.0.0.1.55093 > 10.0.0.2.31488: UDP, length 9216
21:44:53.146493 IP 10.0.0.1.55112 > 10.0.0.2.56406: UDP, length 9216
21:44:53.146616 IP 10.0.0.1.55132 > 10.0.0.2.43714: UDP, length 9216
21:44:53.146741 IP 10.0.0.1.55147 > 10.0.0.2.64613: UDP, length 9216

In this case, a detailed traffic dump is created which contains all (incoming and outgoing) connections. This shows the following information: destination IP, destination port, and the size and type of packets. Since every packet is displayed, only a small part of the traffic is recorded due to the large amount of data.

Server access

To help you resolve the issue, we offer an IP whitelist feature in Robot. There, you need to enter your public home/office IP address, and you will be able to temporarily access the server from this single connection. You can do this in Robot by going to Servers and then clicking on Server locking. There, you can enter your public IP, which is directly displayed there, so you can just copy-paste it. Important note: This feature is not always available; it depends on the cause for the server lock.

If you have difficulty with the above, you can request a KVM Console (free of charge). This will give you full access to the server. If you want to order a KVM Console, please open support request for the correct server in Robot. To do this, just log into Robot. Then click Servers, choose the correct server. In the support ticket form, select Remote Console. You can choose to get the KVM Console as soon as possible or you can pick an appointment time.

Unlocking your product

We can only unlock the product(s) after you completely fix the issue(s).

Once you have done so, please send us an unlock request via the Robot web interface Robot. To do this, please

  • Log into Robot.
  • Click on the user icon in the upper right hand corner and then on "Support".
  • Under "Unlock", select the correct locking ID. (This is in the subject line of the locking email you got.)
  • Fill out the form. Include as much information as possible.

Please do not send us multiple unlock requests for the same issue. We will process your request as soon as we can.

Table of Contents