

Hacker attacks




Posted by grizzled, 08-08-2011, 10:21 PM
I'm getting notices every day on my DA of a bunch of IPs trying to hack me. I have APF installed on my server; can you tell me how to configure it, or how to test if it's working properly?

Posted by spykee, 08-08-2011, 10:28 PM
How are they trying to hack you? Are you referring to some brute-force attack? If so, you might want to ask your hosting provider if they can provide some anti-brute-force protection for your server. If they can't, install some host-based protection (e.g. DenyHosts) or, better, just secure your SSH (e.g. disable password authentication and use keys).

Posted by grizzled, 08-08-2011, 10:30 PM
Yes, it is that. Why don't you tell me how to configure APF? It's installed already.

Posted by Deker, 08-09-2011, 05:42 AM
CSF is better than APF. I recommend you uninstall APF and install CSF instead. Configuring CSF is too easy.

Posted by bear, 08-09-2011, 07:38 AM
If APF is alerting you that it's blocked something, I'd suggest that's an indication it's working, no? I'd agree with using CSF instead, however. I like that far more and have considerably fewer issues with it in my experience.

Posted by grizzled, 08-09-2011, 07:29 PM
Yeah, I was tempted to use CSF and did install it, but it didn't work. That's why I want assistance with APF, since it's already on my machine. I'm trying to learn from its README file, but it doesn't give many commands, and since I've never had hacker attacks before, I'd appreciate support with paths and code. Thanks beforehand.

Posted by ultimatewebhost, 08-09-2011, 07:41 PM
CSF will certainly help you and is easy to configure.

Posted by grizzled, 08-09-2011, 08:24 PM
Yeah man, but it's harder for me to install. Why don't you instead give me incentives on how to configure the APF firewall so it functions well? Sincerely, it all got a contrary feeling, so beware: I can't install CSF, and to me it doesn't seem easier.

Posted by HelpOps, 08-09-2011, 09:07 PM
It's best that you learn how to configure APF yourself so you can configure it to your needs.
http://www.rfxn.com/projects/advanced-policy-firewall/
http://www.rfxn.com/appdocs/README.apf

Posted by foobic, 08-09-2011, 10:26 PM
If you're using APF then you should also install its partner BFD, which automatically blocks IPs attempting brute-force attacks. But since you mention DA (DirectAdmin?), a recent update has added a new brute-force detection feature there too, which is sending out a lot of warning messages. It's currently set to warn only, not block, but hopefully they'll add that facility shortly.

Posted by grizzled, 08-10-2011, 12:16 AM
Thank you foobic, you didn't skip. So that's why these DA guys are going nuts. So can you tell me how to install BFD? Or can someone tell me how to install BFD and configure it to block attacks? Is it by running this?
Current Release: http://www.rfxn.com/downloads/bfd-current.tar.gz

Posted by grizzled, 08-10-2011, 01:41 AM
I installed BFD and got this:

BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

I will see in the next days if this stops hacker attacks, since I set email to user at 0 to find out. If it doesn't, I will get back later. Definitely thanks, gals.

Posted by fasthostonline, 08-11-2011, 02:57 PM
I suggest you install CSF and also secure your SSH.

Posted by grizzled, 08-11-2011, 03:48 PM
Why don't you say how to secure SSH? Crappy hacker attacks keep on happening even though I installed BFD. I don't know, but I guess these creeps must not have something better to do with their time, and that is a shame. Please send recommendations on what I missed on BFD.

Posted by DewlanceHosting, 08-11-2011, 04:12 PM
> Why don't you say how to secure SSH?

If you are using cPanel, then first stop root login through SSH, then change your default SSH port and add this port to the allowed list (in the firewall). Use SSH key login (no one can access your SSH without the key file).

Posted by Chris_M, 08-11-2011, 04:12 PM
BFD will automatically add the IP to hosts_deny.rules located in /etc/apf. Open that file and look to see if any of the IPs that have been attacking you have been blocked. They will only be blocked after x amount of tries. If you set BFD to alert you and entered a valid email for the alerts to be sent to, you should be getting notices that look something like the following:

The following is a summary event for exceeded login failures on mywebserver.com:

SOURCE ADDRESS: 49.212.27.180
TARGET SERVICE: sshd
FAILED LOGINS: 10
EXECUTED COMMAND: /etc/apf/apf -d 49.212.27.180 {bfd.sshd}

SOURCE LOGS FROM SERVICE 'sshd' (GMT -0400):
Aug 11 14:14:42 cp sshd[4927]: Failed password for root from 49.212.27.180 port 39392 ssh2
Aug 11 14:14:43 cp sshd[4928]: Received disconnect from 49.212.27.180: 11: Bye Bye
Aug 11 14:14:47 cp sshd[4929]: Failed password for root from 49.212.27.180 port 40428 ssh2
Aug 11 14:14:47 cp sshd[4930]: Received disconnect from 49.212.27.180: 11: Bye Bye
Aug 11 14:14:51 cp sshd[4931]: Failed password for root from 49.212.27.180 port 41235 ssh2
Aug 11 14:14:51 cp sshd[4932]: Received disconnect from 49.212.27.180: 11: Bye Bye
Aug 11 14:14:55 cp sshd[4934]: Failed password for root from 49.212.27.180 port 41951 ssh2
Aug 11 14:14:55 cp sshd[4935]: Received disconnect from 49.212.27.180: 11: Bye Bye
Aug 11 14:14:59 cp sshd[4936]: Failed password for root from 49.212.27.180 port 42705 ssh2
Aug 11 14:14:59 cp sshd[4937]: Received disconnect from 49.212.27.180: 11: Bye Bye
-----------------------------------------------
BFD (Brute Force Detection) 1.3 [bfd@r-fx.org]
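The alert above is the end product of one simple idea: count sshd "Failed password" lines per source address and act once a source crosses a threshold. The shell script below is an added example (not BFD's code and not from this thread) that does that counting over constructed log lines in the same format, using RFC 5737 documentation addresses; the threshold is passed as an argument because BFD's own trigger count is not stated in the thread, and the block_commands function only prints the APF command shown in the alert instead of running it.

```shell
#!/bin/sh
# Added example, not BFD's own code: summarise sshd "Failed password" events
# per source address from log lines in the format shown in the BFD alert,
# and list the sources that reach a failure threshold. The threshold is an
# argument (BFD's default trigger count is not taken from the thread).
# The log lines below are constructed (RFC 5737 documentation addresses).

SAMPLE_LOG='Aug 11 14:14:42 cp sshd[4927]: Failed password for root from 203.0.113.10 port 39392 ssh2
Aug 11 14:14:43 cp sshd[4928]: Received disconnect from 203.0.113.10: 11: Bye Bye
Aug 11 14:14:47 cp sshd[4929]: Failed password for root from 203.0.113.10 port 40428 ssh2
Aug 11 14:14:47 cp sshd[4930]: Received disconnect from 203.0.113.10: 11: Bye Bye
Aug 11 14:14:50 cp sshd[4933]: Failed password for invalid user admin from 198.51.100.7 port 51020 ssh2
Aug 11 14:14:51 cp sshd[4931]: Failed password for root from 203.0.113.10 port 41235 ssh2
Aug 11 14:14:52 cp sshd[4936]: Accepted publickey for deploy from 192.0.2.5 port 50122 ssh2
Aug 11 14:14:55 cp sshd[4934]: Failed password for root from 203.0.113.10 port 41951 ssh2
Aug 11 14:14:58 cp sshd[4939]: Failed password for invalid user admin from 198.51.100.7 port 51044 ssh2
Aug 11 14:14:59 cp sshd[4936]: Failed password for root from 203.0.113.10 port 42705 ssh2'

# failed_logins_by_source < LOG
#   Prints "COUNT ADDRESS" per source, highest first. Only sshd
#   "Failed password" lines count; disconnects and successful logins are
#   ignored, and the "invalid user" variant is handled by locating the
#   word "from" instead of assuming a fixed field position.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            count[src]++
         }
         END { for (s in count) print count[s], s }' | sort -rn
}

# sources_over_threshold N < LOG
#   Prints the addresses with at least N failures, one per line.
sources_over_threshold() {
    failed_logins_by_source | awk -v n="$1" '$1 >= n { print $2 }'
}

# block_commands N < LOG
#   Dry run: prints the APF command BFD would execute for each offender
#   (the form shown in the alert), without running anything.
block_commands() {
    sources_over_threshold "$1" | while read -r src; do
        echo "/etc/apf/apf -d $src {bfd.sshd}"
    done
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_LOG" | block_commands 5
```

Run it against a real log with `sources_over_threshold 10 < /var/log/secure` (path varies by distribution) to see which sources BFD would have acted on; the dry-run output is what you would compare against /etc/apf/hosts_deny.rules.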

Posted by grizzled, 08-11-2011, 04:13 PM
Do I need to reboot after installing BFD? Gonna try to see that file, Chris M, Chrismas. I set the mail but never got any notice. Thanks man.

Posted by grizzled, 09-10-2011, 09:32 AM
How do I solve this on CSF, brothers?

*WARNING* Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this if you have not already done so.

Posted by bear, 09-10-2011, 10:13 AM
I'd suggest you:

Posted by ssfred, 09-11-2011, 12:18 AM
Also install any common rootkit checkers like chkrootkit or rkhunter to ensure the binaries are not altered.

Posted by Boxxed, 09-11-2011, 03:17 AM
If you're using cPanel, try to get WHMXtra, since it's worth using. I have been using WHMXtra for over a year by now. Or else install Fail2Ban, a reliable firewall system to block all invalid access.

Posted by secpanel, 09-11-2011, 11:06 AM
You could install a simple brute-force blocker like BFD, as someone mentioned above. Also, you could try changing the SSH port, if the attacks are on it. You could also configure BFD to enable email alerts to you within the config file. Cheers!

Posted by LinuxSecurityExpert, 09-12-2011, 06:35 PM
If you have reason to believe your system has been compromised, check for rootkits using something like rkhunter or chkrootkit. Also, if you're getting a flood of SSH login attempts, you might install something like fail2ban --- or better yet --- configure the server for key authentication, if your users are sophisticated enough to handle that!

Posted by grizzled, 09-12-2011, 09:37 PM
Thanks for your enlightenment. The rkhunter wget address doesn't work. Does BFD work along with CSF? I'm about to install fail2ban and others, but changing the port ain't much of a relief; advanced hackers can find it. The trick would be to not allow root login, but how to, without losing your connection to the server or having it shot at your nose? Thanks for reading.

Posted by bear, 09-12-2011, 09:57 PM
BFD works with APF. What you want is LFD if you're using CSF firewall. Pretty sure you've previously asked about that, however. Say what now?

Posted by grizzled, 09-12-2011, 10:32 PM
I'm going to explain to you, bear, since you don't understand. Well, I'm trying to say that I'm wondering how to stop allowing root access WITHOUT STAYING OUTSIDE THE SERVER. Do you understand, dear bear? Just like when you lose your apartment keys. Or is it not understood? "Shot" means close, are we clear? Like when someone shuts the door, but on the server it means kicking myself out of my own server for trying to stop allowing root access. Hope this clears misunderstandings.

Posted by bear, 09-12-2011, 10:52 PM
To disallow direct root access, you create a keypair and edit the ssh config file to disallow direct root. Here's a random link explaining: http://wiki.centos.org/HowTos/Network/SecuringSSH
Ah, "shut", as in shut out and unable to access. Thanks!

Posted by netmultiple, 09-12-2011, 11:37 PM
BFD & APF do the same thing as CSF & LFD. What is the difference, and which is the best?

Posted by grizzled, 09-13-2011, 11:03 PM
That's a good question this guy asked, isn't it? By the way, thanks bear. Aren't you meaning key pairs, SSH keys? Because I had a test with them and found out they are pretty hazardous and need lots of testing so you don't get shut out of the server, like you said.

Posted by quantumphysics, 09-13-2011, 11:09 PM
They aren't hazardous, they are secure, and you won't get locked out if you keep secure backups of your keys.

Posted by grizzled, 09-13-2011, 11:21 PM
Hey physicist, your block signs seem like racist flags, like here and there, like are you from there? Anyway, you guys mean use SSH keys instead of using a password; that is one step, but please bring along examples of it. Disallowing direct root access is something I thought was achieved in the file sshd_config, so it wasn't that? So you say it's ssh config, ok, gonna see that. But couldn't you instead bring knowledge on how to disable the root user and log in as a user with root access, keeping in mind I don't want to be shut out of the server? I'd rather use this than SSH keys. Thanks for reading.

Posted by quantumphysics, 09-13-2011, 11:22 PM
SSH keys PLUS a password. The key itself has a passphrase.

Posted by grizzled, 09-13-2011, 11:29 PM
Thank you, but I don't want to use SSH key pairs. I want a user with a password that has root capabilities. If anyone knows how to do that, keeping in mind I don't want to be shut out of the server, I'd appreciate it.

Posted by grizzled, 09-14-2011, 12:33 AM
I guess there was a mistake, not saying it was intended, because otherwise I would think you want to blow me away, bear, but:

> To disallow direct root access, you create a keypair and edit the ssh config file to disallow direct root

Posted by brianoz, 09-15-2011, 06:28 AM
Log in as a non-root user and then use sudo to become root. Don't create a second root user; it's not the way to do it.

Posted by ALEXEI_M, 09-15-2011, 07:44 AM
Better to install CSF... You can install CSF as follows.

Installation
============
Installation is quite straightforward:

    rm -fv csf.tgz
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh

Next, test whether you have the required iptables modules:

    perl /etc/csf/csftest.pl

Posted by grizzled, 09-15-2011, 06:17 PM
I've installed CSF and it works. For Perl I installed perl-libwww-perl first, but somehow I get this:

*WARNING* Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this if you have not already done so.

That somehow I don't think affects me, or maybe FTP could be a damaged hole.

brianoz, could you bring some coding example please?

Posted by Nassim, 09-16-2011, 10:44 AM
Install anti-malware and re-analyse your computer.

Posted by jaydul, 09-16-2011, 04:08 PM
I disagree with this statement. I think APF is better, but it's difficult to optimize on a server. CSF is easy to use. Thank you.

Posted by grizzled, 09-17-2011, 11:49 PM
I also think APF is better, but not updated, ol.

I'd hate to say that you faked it like a little girl, well, maybe not like a little girl, bear, but you faked it indeed, since, speaking objectively, the file ssh_config is aimless, or in other words completely impotent in hardening venues: any changes of port or root access that you make in this file won't affect the server at all; they are of no effect at all. But the other link you provided contained related issues. Thanks anyway, just correcting this fact so our lovely audience doesn't get misled.

Posted by foobic, 09-18-2011, 12:26 AM
ssh_config is for the SSH client - which you'd use to connect out from the server using a command like: Indeed it won't affect the server - for that you need to edit sshd_config (and restart sshd).

Posted by bear, 09-18-2011, 07:06 AM
Faked? Little girl? Interesting.

Posted by grizzled, 09-18-2011, 10:20 PM
So in your words I'm offending you, bear, but I said you didn't fake it like a little girl, so no one called you a girl, because I said "maybe not like a little girl". But indeed you faked it, since you brought inaccurate info: simply, ssh_config is numb and of no use for hardening endeavours; any changes here won't affect the server. But if you take it as an offense, that's your thing, not what I said. See it as you wish, dear bear, see it as you wish.

Posted by brianoz, 09-19-2011, 03:41 AM
Grizzled: Changing the ssh port does help with security in a number of ways, perhaps surprising to the novice:

- it reduces the chance an automated password guesser might guess (or find) a password successfully
- it reduces log noise from unsuccessful attempts, which while unsuccessful can mask a real attack through sheer log file volume
- it acts as a further layer of security - they need to know a port number as well as a password
- if an ssh exploit does come out, and is exploited automatically, you'll be a lot safer

Everything that bear has said is right on, as usual; I'd recommend being polite and friendly to bear as he is both a moderator as well as being someone who took the time to try and help you (even if he was wrong, which in this case, in my opinion, he wasn't). Bear's been around for a long time, and he is a man who knoweth of which he speak.
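The hardening the thread converges on (disable direct root login, replace passwords with keys, move the port, all in the server-side sshd_config rather than the client's ssh_config, and do it without locking yourself out) can be scripted and checked before it goes live. The script below is an added example, not the project's or any poster's code: it applies those three directives to a copy of sshd_config and verifies the result. The file path, port number 2222 and the sample config are constructed; the comment at the top spells out the order of operations (sudo user first, keep a session open, `sshd -t`, then restart) that answers grizzled's lock-out worry.

```shell
#!/bin/sh
# Added example (not from this thread or from OpenSSH): apply the sshd
# hardening the thread recommends to a COPY of the server config
# (/etc/ssh/sshd_config, not the client's ssh_config) and verify the result
# before it goes live. Port value, file path and sample config are constructed.
#
# Order of operations that avoids locking yourself out:
#   1. create a non-root user that can sudo (brianoz's advice) and confirm
#      that user can log in over SSH with a key;
#   2. keep that session open while you edit sshd_config;
#   3. run `sshd -t` on the edited file, then restart sshd;
#   4. open a NEW session to confirm the new port and the root/password
#      lockout before closing the old one.

# effective_value FILE KEYWORD
#   Prints the value sshd would use: in sshd_config the FIRST uncommented
#   occurrence of a keyword wins, and keywords are case-insensitive.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE PORT
#   Returns 0 only if the file already carries the hardened settings.
check_sshd_config() {
    [ "$(effective_value "$1" Port)" = "$2" ] || return 1
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] || return 1
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] || return 1
    return 0
}

# harden_sshd_config FILE PORT
#   Removes every existing occurrence (active or commented out, including
#   lines inside Match blocks, so review per-user exceptions afterwards) of
#   the three directives and re-inserts them at the TOP of the file, so they
#   cannot land inside a trailing "Match" block or be overridden by an
#   earlier line. Then re-checks the result.
harden_sshd_config() {
    cfg=$1
    newport=$2
    tmpfile="${cfg}.new"
    {
        echo "Port $newport"
        echo "PermitRootLogin no"
        echo "PasswordAuthentication no"
        grep -Eiv '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|Port)([[:space:]]|$)' "$cfg" || :
    } > "$tmpfile"
    mv "$tmpfile" "$cfg"
    check_sshd_config "$cfg" "$newport"
}

# make_sample_config FILE
#   Writes a constructed file resembling a stock sshd_config with the
#   insecure defaults the thread is worried about.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backupuser
    PasswordAuthentication yes
EOF
}

# Demo against a temporary file; never point this at the live config
# without steps 1 and 2 above in place.
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
if harden_sshd_config "$demo_cfg" 2222; then
    echo "hardened sshd_config:"
    cat "$demo_cfg"
fi
rm -f "$demo_cfg"
```

After copying the hardened file into place, `sshd -t -f /path/to/file` validates the syntax without restarting, and the new port has to be opened in APF or CSF (as DewlanceHosting noted) before the old session is closed.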

Posted by grizzled, 09-19-2011, 03:58 AM
I never said bear is a liar, but info related to changing the port and granting access to root is not in the ssh_config file, and if you think it's the file that does that work, it's because you are ignorant. It's nothing against bear; I'm just making it for objectiveness. Besides, the port thing is outstanding for you; for me it's old and can be scanned in a minute. In my opinion I think bear is a charming man, but here he brought a piece of info that was wrong.

Posted by grizzled, 09-19-2011, 04:00 AM
BY THE WAY, I DON'T NEED ANY MORE DRAMA WITH THIS. I CAN HARDEN MY SERVER BETTER THAN ANYONE IN THE WORLD WITHOUT ANY HELP. PLEASE, MODERATOR, CLOSE THIS.

Posted by grizzled, 09-19-2011, 04:16 AM
If the community keeps attacking me here, it would mean that on WHT only bear can have a mistake. Please, moderator, I don't need more drama; close this once and for all.

Posted by foobic, 09-19-2011, 04:18 AM
Seriously, all this because bear told you and you misinterpreted that as meaning /etc/ssh/ssh_config? Even though he also gave you a handy link to a good tutorial that explicitly names the exact file path? Good luck.
