Halcyon Consoles 2-4 are crashing after updating Ciphers / Disabling old Ciphers

[life777eternal]

Recently updated the ciphers(or disabled the old ciphers) on Windows Web Server 2008 R2, as per Vinhold Starbrook's instructions, and after several restarts, the Region consoles are showing, "The client and server cannot communicate, because they do not possess a common algorithm" and crashing. Although that could be because the Halcyon consoles 2-4 are crashing, and subsequently every region that tries to open after that. Though it's not recording any new error in the log.

The UserServer, GridServer, & GridMessagingServer have all been crashing. Apparently because they can't communicate with MySQL for some reason. Though I have the MySQL server and database back up and running now, so it shouldn't have any problem connecting to the database. All of my Osgrid OpenSim regions have no trouble connecting.

APPLICATION EXCEPTION DETECTED: System.UnhandledExceptionEventArgs

Exception: System.ComponentModel.Win32Exception (0x80004005): The client and server cannot communicate, because they do not possess a common algorithm

   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at MySql.Data.MySqlClient.NativeDriver.StartSSL()
   at MySql.Data.MySqlClient.NativeDriver.Open()
   at MySql.Data.MySqlClient.Driver.Open()
   at MySql.Data.MySqlClient.Driver.Create(MySqlConnectionStringBuilder settings)
   at MySql.Data.MySqlClient.MySqlPool.GetPooledConnection()
   at MySql.Data.MySqlClient.MySqlPool.TryToGetDriver()
   at MySql.Data.MySqlClient.MySqlPool.GetConnection()
   at MySql.Data.MySqlClient.MySqlConnection.Open()
   at OpenSim.Data.SimpleDB.MySQLSimpleDB.OpenConnection() in D:\a\halcyon\halcyon\OpenSim\Data\SimpleDB\MySQLSimpleDB.cs:line 88
   at OpenSim.Data.SimpleDB.MySQLSimpleDB..ctor(String connectionString) in D:\a\halcyon\halcyon\OpenSim\Data\SimpleDB\MySQLSimpleDB.cs:line 73
   at OpenSim.Data.SimpleDB.ConnectionFactory.GetConnection() in D:\a\halcyon\halcyon\OpenSim\Data\SimpleDB\ConnectionFactory.cs:line 28
   at OpenSim.Region.OptionalModules.Avatar.FlexiGroups.NativeGroupDataProvider.GetConnection() in D:\a\halcyon\halcyon\OpenSim\Region\OptionalModules\Avatar\FlexiGroups\NativeGroupDataProvider.cs:line 55
   at OpenSim.Region.OptionalModules.Avatar.FlexiGroups.NativeGroupDataProvider..ctor(ConnectionFactory connectionFactory) in D:\a\halcyon\halcyon\OpenSim\Region\OptionalModules\Avatar\FlexiGroups\NativeGroupDataProvider.cs:line 70
   at OpenSim.Region.OptionalModules.Avatar.FlexiGroups.ProviderFactory.GetProviderFromConfigName(ILog log, IConfig groupsConfig, String configName) in D:\a\halcyon\halcyon\OpenSim\Region\OptionalModules\Avatar\FlexiGroups\ProviderFactory.cs:line 63
   at OpenSim.Region.OptionalModules.Avatar.FlexiGroups.FlexiGroupsModule.Initialize(IConfigSource config) in D:\a\halcyon\halcyon\OpenSim\Region\OptionalModules\Avatar\FlexiGroups\FlexiGroupsModule.cs:line 125
   at OpenSim.ApplicationPlugins.RegionModulesController.RegionModulesControllerPlugin.Initialize(OpenSimBase openSim) in D:\a\halcyon\halcyon\OpenSim\ApplicationPlugins\RegionModulesController\RegionModulesControllerPlugin.cs:line 156
   at OpenSim.ApplicationPluginInitializer.Initialize(IPlugin plugin) in D:\a\halcyon\halcyon\OpenSim\Base\IApplicationPlugin.cs:line 62
   at OpenSim.Framework.PluginLoader`1.Load() in D:\a\halcyon\halcyon\OpenSim\Framework\PluginLoader.cs:line 191
   at OpenSim.Framework.PluginLoader`1.Load(String extpoint) in D:\a\halcyon\halcyon\OpenSim\Framework\PluginLoader.cs:line 153
   at OpenSim.OpenSimBase.LoadPlugins() in D:\a\halcyon\halcyon\OpenSim\Base\OpenSimBase.cs:line 170
   at OpenSim.OpenSimBase.StartupSpecific() in D:\a\halcyon\halcyon\OpenSim\Base\OpenSimBase.cs:line 208
   at OpenSim.OpenSim.StartupSpecific() in D:\a\halcyon\halcyon\OpenSim\Base\OpenSim.cs:line 163
   at OpenSim.Framework.Servers.BaseOpenSimServer.Startup() in D:\a\halcyon\halcyon\OpenSim\Framework\Servers\BaseOpenSimServer.cs:line 300
   at OpenSim.Application.Main(String[] args) in D:\a\halcyon\halcyon\InWorldz\Halcyon\Application.cs:line 153

Application is terminating: True

This started after I had applied Vin's recommendation in the registry and group policy. Although I had SSL 2.0 and SSL 3.0 enabled for a short time so it could have been vulnerable to something during that time.

DisableOldWinCiphers

See associated picture: disable-ssl2-in-iis.png
Following content is saved in DisableOldWinCiphers.reg ready to load into the Registry.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000 
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000 
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

Manually doing the Above changes:
Disabling outdate TLS on Windows Server 2008 / 2012 R2:
Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ 
Now we have to enable versions 1.1 and 1.2 of TLS. For this, we need to create new keys called 'TLS 1.1' and 'TLS 1.2' underneath the 'Protocols' key.
Once the key structure is created, you can proceed to creating a DWORD (32 bit) entry called 'DisabledByDefault' and set its value to '0' in each of the four keys: TLS 1.1/Client, TLS 1.1/Server, TLS 1.2/Client and TLS 1.2/Server.
For the TLS 1.0, TLS 1.1 set new DWORD DisabledByDefault=1 to disable them. Allow for TLS 1.2: DisabledByDefault=0

Also see this: https://howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/
and the list: https://grc.com/miscfiles/SChannel_Cipher_Suites.txt
Installed this list on GLCWeb.
Run gpedit.msc to change the following:
 Select
  Computer Configuration
    Administrative Templates
      Network
        SSL Configuration Settings
          DblClick on "SSL Cipher Suite Order"
            enable
Copy the below to the entry box.

Test validation using https://ssllabs.com/ssltest

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

(Did not do this part as he said I didn't need it.)
Put Certificates.msc in the FilezillaCert folder. Use to remove out dated Trust and intermediary SSLs.

Copy the file powershell.exe.config to:
C:\Windows\System32\WindowsPowerShell\v1.0 folder.

Add this line to the top of C:\RegionChk.ps1:
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

Restart the server.

When I removed all of the weak ciphers from the above, as noted by the SSLLabs.com site, I couldn't connect on the Remote Desktop Connection.

# TLS 1.2 (suites in server-preferred order)
--
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK | 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK | 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK | 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK | 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK | 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK | 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK | 112

Two or three people have told me that I should update my server OS, and that's probably true.

Thank you, Shalom.

[life777eternal]

My server does have .NET 4.8 but Halcyon and/or the OS seems to think it's not there for some reason or another.

[emperorstarfinder]

Good morning,

So there are a couple of issues raised in one issue ticket. So let me address each one individually.

1. Server Operating System - Unfortunately, Microsoft Windows Server 2008 and Microsoft Windows Server 2008 R2 are no longer supported and recieving updates. This is due to the fact that they have reached the end of life for their support cycle (EOL). The end date for support according to Microsoft (https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2008-r2) is as follows:
   • Start Date: October 22, 2009
   • Mainstream End Date: January 13, 2015
   • Extended Support End Date: January 14, 2020 It is strongly recommended that you upgrade your server operating system to at least Windows Server 2022 to ensure you get the latest in quality updates which do include the latest security updates each month.
2. Issues finding .Net Framework 4.8 - When Windows Update installs updates including a new version of the .Net Framework, it will pull the latest version of that major framework version. For example if at the time, you reinstall Windows and do your Windows Update, and the latest version of .Net Framework 4.8 available is .Net 4.8.2 it will install that version instead of the .Net Framework 4.8.0 because it is set to download the installer for the latest version. To fix the issue of .Net 4.8 not being found, you will need to uninstall the version of .Net 4.8 currently installed and then get the offline installer for .Net 4.8 from: https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-8-offline-installer-for-windows-9d23f658-3b97-68ab-d013-aa3c3e7495e0 and install manually. Then run Windows Update after. That should resolve the error regarding .Net Framework 4.8
3. Issues with mismatched ciphers - Unfortunately, I do not know what the intial reasopn was for you recieving the advice to change your ciphers on Windows Server 2008. However, usually you should not need to change the ciphers. In fact, by changing the ciphers you do risk it affecting other services such as Remote Desktop Protocol (RDP) and other various services that rely on those ciphers that comes with Windows. Generally, Network and Server Administrators will not advise you to alter the ciphers the operating system has because it can cause unintended problems. Likewise, just because your altering something in the Windows registry, does not mean that it in fact will alter things that are also hardcoded deep within the Windows operating system. Modifying Windows is unfortunately a very perilous task which if you are unsure of what you are doing, you should not embark on. In my team's case, we have an internal Halcyon grid (which we refer to as internal test beds because they are not available to the public). Our test bed runs the grid services on Windows 2008 R2 but we run the Regions on WIndows Server 2022 with no issues. Initially we did run into the cipher mismatch issue, but we installed the MSBuild tools (which you can find here: https://visualstudio.microsoft.com/downloads/?q=build+tools and scroll down the page to the build tools) on the WIndows 2008 R2 server and pulled a fresh copy of the Halcyon source code and built it on the server. That worked for us and we were able to run Halcyon just fine without changing the ciphers. If you did not follow the recommendation in Item 1 which would solve your problem, then you will need to probably reinstall Windows Server 2008 R2 assuming you have a key or means to legally activate the operating system. Then you will need to install all of the required dependencies manually (i.e. .Net Frameworks, the required dependencies for IIS, etc. and then follow what has been provided here for building the Halcyon code base. This should resolve the issue with ciphers. You can however save a copy of your folders within your halcyon bin folder along with the configuration files locally while you reinstall. Also make sure you backup a copy of the database. Often it is advisable not to have your database server be on the same machine as your world services assuming it is within the network your server is part of.

I hope this helps at least a little bit.

[life777eternal]

Greetings @emperorstarfinder thank you for the information. Firstly, I am aware that it would be better to upgrade Windows Web Server 2008 R2, and I have the install ISO for Windows Server 2012 R2, just not a product key yet. Though a while ago I found an online company in Australia that can provide those at a lower cost, which was where I received a product key for Windows Web Server 2008 R2. Although Windows Server 2022 is still too expensive.

Secondly, I have not been able to contact a human at the VPS company that my Server is with, I tried three months ago, and still nothing now. Although I'll have to do at least two in-place upgrades. First to Windows Server 2012 R2, and then to Windows Server 2019.

And I have had Visual Studio Community 2019, and I had downloaded Visual Studio Community 2022. Although I noticed that it doesn't work on Windows Web Server 2008 R2. Also I'm not very familiar with Visual Studio yet.

Also you're right that changing the pre-set ciphers is a risk, the remote desktop connection was affected, and I had to connect with TightVNC to change some of it back so that I could connect again with RDC again.

Thank you, Shalom.

[emperorstarfinder]

Good afternoon,

First regarding Windows Server 2022 licensing - Microsoft has moved to a Client Access License Model (CAL) which means they will quote you a price based on the specs you tell them and number of users / clients connecting to the server. However third party providers that are authorized to sell product keys for Windows Server 2022 are selling the Windows Server 2022 Standard Edition product key for as low as 28 USD. However, I cannot give you advise on where to purchase your key from. But I will say you should be cautious about the site you buy the key from as some sites have been known to give bad keys.

Depending on your hosting provider, some hosting providers will also provide pre-installed VPS services that have Windows Server 2022 all installed and activated. Usually they will not charge you extra for the license key but this will depend on the hosting provider.

Second regarding inability to get support from hosting provider - I am sorry to hear that your having issues getting an actual human to provide assistance at your hosting provider. some hosting providers just require you to file a support ticket through your account dashboard. Should you need assistance with finding a hosting provider, someone from my team may be able to assist.

Third regarding MSBuild Tools on Windows Server 2008 - You do not need to install the graphical user interface for Visual Studio 2022 (GUI) on Windows Server. You only need to scroll down close to the bottom of the page that I provided the link for and download the MSBuild Tools installer. The command line interface (CLI) for MSBuild will work. This however assumes you have Microsoft .Net Framework 3.5 all the way up to 4.8 installed on the server. Keep in mind you need to install each version of .Net Framework manually to make sure your system sees all required versions and not through the Windows Update service.

Fourth regarding changing of ciphers - Usually it is never recommended to alter an operating system if you are not the one who developed the operating system and its usually recommended even moreso with Windows. The reason is because operating systems are very complex by their nature and while people may be good at modifying things on the surface, even that has the potential of breaking things deeper in the operating system. Likewise when someone providing tech support tells you to alter things such as ciphers and it causes a loss of data, a breach from a hacker, etc. it can cause all kinds of legal headaches for both the owner (in this case you) and the person providing support.

I hope that helps at least a little bit.

[sonjamichelle]

Stepping in to provide my 2 cents on hosting providers. Not being able to contact a support person for three months is UNACCEPTABLE! LEAVE THEM!

I've been working with computers an IT going on 43 years, the trend of letting an AI or a barely knowledgeable "support agent" reading a script or decision tree that only went through 2 weeks of computer-based video training handle your "needs" is just getting out of hand!

Places that I have used in the past and have VERY good luck and support with are, Nocix, Vultr and Digital Ocean.

Vultr and Digital Ocean offer mainly VPS but do offer some bare metal or dedicated solutions. Though those tend to be pricey. Vultr is the only one that offers Windows OS option (2016-2022). The best part about Digital Ocean or Vultr is that you pay for what you use. You CAN spin up a server without money up front, see how it will work for you, and it all is good, keep on going. Or if it doesn't meet your needs, terminate it and only pay for the time you used.

Yes, Amazon and Microsft Azure are options too, but you NEED DEEP POCKETS!!!! They are NOT priced for a small business or personal user. Look what happened to InWorldz and their reliance on Amazon and Rackspace. From what I understand they dug themselves a $30,000 hole.

For bare metal, I personally and currently use Nocix. They have been really good to me since 2016, support usually respond to me within minutes!!! And that is just STANDARD support. You DO have to pay up front for your server, but it is YOUR sever, not shared. You get 5 IP address and 1TB of data transfer at 1Gbs. There are many OS choices, even VMWare and Proxmox.

I currently have an AMD Opteron Windows 2019 Server with a License I paid for back in Dec 2019 running my web server, mail server and a small OpenSim based grid. I even just spun up a Hyper-V instance to handle my FreePBX needs here in the near future. All for $25USD/month. They are based out of Kansas City here in the US. The server specs are nominal and meet my needs, but they DO have some pretty beefy server options from cheap to really expensive. A good Halcyon capable server will run you around $60-$100USD / month depending on your needs. That is just a BALLPARK wild assed, assumption on what you would need and what I have used in the past for my Halcyon grid.

https://www.digitalocean.com/

https://www.vultr.com/

https://www.nocix.net/dedicated/

[emperorstarfinder]

Yes, Sonja does provide some good places that do provide good hosting. You can also check out A Dimension Beyond which does provide hosting for Halcyon worlds. They can be found:

https://adimensionbeyond.com/

You would however need to have a chat with them regarding prices. A Dimension Beyond is also out of Arizona in the US.