Computer networks
slizh, 2019-09-16 10:44:23

How can botnet be detected on a server?

Hello! We have a small hosting business, and lately someone keeps ordering VPS servers from us and installing botnet software on them. Verifying the customer's data does not help.
How can one try to detect a botnet on the network, for example with tcpdump or iptraf? Perhaps there are other tools?


2 answer(s)
Alexander, 2019-09-16
@NeiroNx

The bot connects to its "servers", and the server addresses will have multiple names; a reverse DNS query will show this. If there are many names, block the host. And in the control panel, keep a list of allowed DNS names for outgoing traffic.
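The question asks how to spot this with tcpdump, and the answer above is about looking at where a VPS connects to. The script below is an added example, not code from either poster: it reads tcpdump -nn output captured at the edge, keeps only outbound SYNs from the provider's customer prefix, and flags hosts whose connection pattern looks like spam (SMTP to many distinct hosts) or scanning (one port hit across many hosts). The customer prefix, the thresholds, the interface name and the embedded capture lines are all assumptions constructed for the example; the reverse-DNS step mentioned above would hang off the collected destination addresses but is left out so the script runs offline.

```python
"""Summarize outbound SYNs per VPS from tcpdump output and flag botnet-like hosts.

Capture on the hypervisor or edge router with something like (interface and
filter are assumptions for the example):
    tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > syns.txt
and feed the lines to summarize_syns().
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the provider's VPS customers live in this prefix (RFC 5737 doc range).
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Matches tcpdump -nn output for an IPv4 TCP segment, e.g.
# 10:44:23.123456 IP 203.0.113.10.51234 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Assumed thresholds: distinct destinations on one port before we call it spam/scanning.
SPAM_DISTINCT_MX = 5        # port 25 SYNs to this many different hosts
SCAN_DISTINCT_HOSTS = 10    # the same port SYN'd on this many different hosts
SCAN_PORTS = {22, 23, 445, 3389, 5900}


def parse_syns(lines):
    """Yield (src, dst, dport) for each outbound SYN-only segment sent by a customer IP."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        # In tcpdump notation '.' is ACK, so 'S.' is a SYN-ACK reply: skip those.
        if "S" not in flags or "." in flags:
            continue
        src = m.group("src")
        if ipaddress.ip_address(src) not in CUSTOMER_PREFIX:
            continue
        yield src, m.group("dst"), int(m.group("dport"))


def summarize_syns(lines):
    """Return {vps_ip: {"syns": count, "per_port": {dport: set(dst_ips)}}}."""
    stats = {}
    for src, dst, dport in parse_syns(lines):
        entry = stats.setdefault(src, {"syns": 0, "per_port": defaultdict(set)})
        entry["syns"] += 1
        entry["per_port"][dport].add(dst)
    return stats


def flag_hosts(stats):
    """Return {vps_ip: [reasons]} for hosts whose SYN pattern looks like spam or scanning."""
    flagged = {}
    for src, entry in stats.items():
        reasons = []
        mx_hosts = entry["per_port"].get(25, set())
        if len(mx_hosts) >= SPAM_DISTINCT_MX:
            reasons.append(f"SMTP to {len(mx_hosts)} distinct hosts (spam)")
        for port in sorted(SCAN_PORTS):
            hosts = entry["per_port"].get(port, set())
            if len(hosts) >= SCAN_DISTINCT_HOSTS:
                reasons.append(f"port {port} to {len(hosts)} distinct hosts (scanning)")
        if reasons:
            flagged[src] = reasons
    return flagged


def sample_capture():
    """Constructed tcpdump lines (not a real capture): a spammer, an SSH scanner, a normal client."""
    lines = []
    ts = 0
    # 203.0.113.10 sends mail directly to six different MX hosts.
    for i in range(6):
        lines.append(f"10:44:{ts:02d}.000001 IP 203.0.113.10.{40000 + i} > 198.51.100.{i + 1}.25: "
                     f"Flags [S], seq 1, win 64240, length 0")
        ts += 1
    # 203.0.113.20 probes SSH on twelve different hosts.
    for i in range(12):
        lines.append(f"10:44:{ts:02d}.000001 IP 203.0.113.20.{50000 + i} > 192.0.2.{i + 1}.22: "
                     f"Flags [S], seq 1, win 64240, length 0")
        ts += 1
    # 203.0.113.30 is an ordinary HTTPS client; the server's SYN-ACK must not count as outbound.
    lines.append(f"10:44:{ts:02d}.000001 IP 203.0.113.30.44444 > 198.51.100.7.443: "
                 f"Flags [S], seq 1, win 64240, length 0")
    lines.append(f"10:44:{ts:02d}.000002 IP 198.51.100.7.443 > 203.0.113.30.44444: "
                 f"Flags [S.], seq 2, ack 2, win 65535, length 0")
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_hosts(summarize_syns(sample_capture())).items():
        print(ip, "->", "; ".join(reasons))
```

On a real capture the thresholds need tuning per customer: a legitimate mail relay will trip the SMTP rule, which is exactly the case where a control-panel allow list of permitted destinations, as suggested above, lets you whitelist it instead of blocking.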

DVoropaev, 2019-09-16
@DVoropaev

Probably your problem is that the bots are not installed by the tenants themselves.

The classic situation:
Clients order a VPS and leave simple passwords for remote access.
Botnets regularly scan the network, find your hosts with open ports, guess the passwords, take control, and then start spamming / DDoSing (this is what a botnet is created for).
The provider, or Spamhaus itself, sees suspicious traffic from your servers and sends a warning.
For an experiment: create a virtual machine, open the ssh port to the outside, and leave it for an hour. Then look at /var/log/auth.log and you will see a large number of login attempts with simple passwords; these are the same bots trying to recruit your host into their army.
If this is your situation, then you should take preventive measures, namely show the user a warning about the consequences they may face if they leave a simple password.
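The experiment above ends with reading /var/log/auth.log by eye. The script below is an added example, not code from the poster: it parses sshd lines from that log, counts failed logins per source address, and, more importantly, flags a password login that is accepted from an address that had been failing just before, which is the moment a guessed password actually hands the host over. The log excerpt is constructed for the example, the log format is the one Debian/Ubuntu sshd writes to auth.log, and the failure threshold is an assumption.

```python
"""Find SSH password guessing and successful guesses in /var/log/auth.log lines."""
import re

# Matches the sshd success/failure lines found in Debian/Ubuntu auth.log, e.g.
# Sep 16 10:44:23 vps1 sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 41234 ssh2
# Sep 16 10:45:01 vps1 sshd[1300]: Accepted password for root from 198.51.100.23 port 41300 ssh2
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def analyze_auth_log(lines, fail_threshold=5):
    """Return (per_ip, brute_forcers, compromised).

    per_ip:         {ip: {"failed": n, "users": set(usernames tried), "accepted_after_failures": [users]}}
    brute_forcers:  set of IPs with at least fail_threshold failures (assumed threshold)
    compromised:    {ip: [users]} where a *password* login succeeded after failures from the same IP
    """
    per_ip = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # cron, sudo, pam lines etc. are not interesting here
        entry = per_ip.setdefault(m["ip"], {"failed": 0, "users": set(), "accepted_after_failures": []})
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        elif m["method"] == "password" and entry["failed"] > 0:
            # Guessing run from this address ended in a success: treat the account as taken over.
            entry["accepted_after_failures"].append(m["user"])
    brute_forcers = {ip for ip, e in per_ip.items() if e["failed"] >= fail_threshold}
    compromised = {ip: e["accepted_after_failures"] for ip, e in per_ip.items() if e["accepted_after_failures"]}
    return per_ip, brute_forcers, compromised


def sample_auth_log():
    """Constructed auth.log excerpt (not a real log): a guessing run that ends in a successful login."""
    base = "Sep 16 10:{m:02d}:{s:02d} vps1 sshd[{pid}]: {msg} from {ip} port {port} ssh2"
    guesses = ["root", "admin", "pi", "ubuntu", "test", "oracle", "root", "admin"]
    lines = []
    for i, user in enumerate(guesses):
        # sshd says "invalid user" only for accounts that do not exist on the box.
        msg = f"Failed password for {user}" if user == "root" else f"Failed password for invalid user {user}"
        lines.append(base.format(m=44, s=i, pid=1200 + i, msg=msg, ip="198.51.100.23", port=41000 + i))
    lines.append(base.format(m=45, s=1, pid=1300, msg="Accepted password for root", ip="198.51.100.23", port=41300))
    lines.append(base.format(m=45, s=2, pid=1301, msg="Failed password for invalid user guest", ip="192.0.2.9", port=50000))
    lines.append(base.format(m=46, s=0, pid=1400, msg="Accepted publickey for deploy", ip="203.0.113.77", port=52000))
    lines.append("Sep 16 10:46:01 vps1 CRON[1410]: pam_unix(cron:session): session opened for user root by (uid=0)")
    return lines


if __name__ == "__main__":
    per_ip, brute, compromised = analyze_auth_log(sample_auth_log())
    for ip in sorted(brute):
        print(f"{ip}: {per_ip[ip]['failed']} failures, users tried: {sorted(per_ip[ip]['users'])}")
    for ip, users in compromised.items():
        print(f"POSSIBLE COMPROMISE: password accepted for {users} from {ip} after failed guesses")
```

Run it against a real file with `analyze_auth_log(open("/var/log/auth.log"))`. The brute-force set will be long on any internet-facing host, which is the point of the experiment above; the "compromised" dictionary is the one worth alerting on, and a publickey login is deliberately never counted as a guess succeeding.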
