

Brute Force Attacks?




Posted by GarrisonHost-John, 12-27-2010, 01:53 AM
On our cPanel server, we keep receiving brute force attacks. I even got locked out of my own root account for 5 minutes due to someone trying to brute force in. I am not concerned about them getting in as our passwords are unique per server and very long (30+ characters, generated). However, this does pose an issue if this will lock clients out in the future. Attached is an image of the cPHulk screen. Mind you, the list only shows today. I was wondering what actions I should take.

Posted by AdmoNet, 12-27-2010, 01:57 AM
I would use a tool like CSF + LFD to auto-ban IPs attempting to log in more than x times in y minutes. Check out some of the server management teams; they offer server hardening, which usually includes this basic configuration.
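
The "more than x times in y minutes" rule from the post above, run over sample sshd log lines. This is an added example, not part of the thread and not CSF/LFD's own code; the log lines are constructed, and the function name, the `year` parameter (syslog timestamps carry no year) and the allowlist are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
SAMPLE_LOG = """\
Dec 27 01:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 27 01:40:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Dec 27 01:40:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 40114 ssh2
Dec 27 01:40:08 host sshd[2104]: Failed password for root from 203.0.113.7 port 40115 ssh2
Dec 27 01:41:00 host sshd[2105]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Dec 27 01:45:00 host sshd[2106]: Failed password for bob from 198.51.100.9 port 52000 ssh2
Dec 27 01:52:00 host sshd[2107]: Failed password for bob from 198.51.100.9 port 52001 ssh2
Dec 27 01:59:00 host sshd[2108]: Failed password for bob from 198.51.100.9 port 52002 ssh2
Dec 27 02:06:00 host sshd[2109]: Failed password for bob from 198.51.100.9 port 52003 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def offenders(log_text, max_attempts=5, window=timedelta(minutes=5),
              year=2010, allow=()):
    """Return {ip: time of the failure that exceeded max_attempts within window}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other daemons are ignored
        stamp, ip = m.groups()
        if ip in allow or ip in banned:
            continue              # allowlisted clients are never locked out
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures that have aged out
            q.popleft()
        if len(q) > max_attempts:
            banned[ip] = ts
    return banned
```

With `max_attempts=3`, the rapid guesser is flagged on its fourth failure, while the client that fails once every seven minutes never is, because each older failure has left the window by the time the next arrives.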

Posted by Syslint, 12-27-2010, 02:10 AM
Also it will be good to change ssh port to a non standard port.

Posted by gpl24, 12-27-2010, 04:58 AM
I also just moved servers. I got rid of a lot of BF attacks by installing CSF Firewall and setting the CC_DENY to a specific country 2-letter ISO because I was under attack. It will not prevent repeat-offenders as they will just change their proxy, but it will certainly slow them down.

Posted by kevinnivek, 12-27-2010, 09:36 AM
You're always going to see brute force attempts no matter where you are. It's a good idea to read those guides suggested here and employ the use of an automated IP banning system for brute force attempts.

Posted by IDediServer Kevin, 12-27-2010, 05:06 PM
BFD from R-fx Networks is a simple script that will allow you to whitelist IPs etc. If keeping track of customer IPs for whitelisting is too problematic then I would simply change the port to reduce the number of attacks/blocks. Don't forget that iptables doesn't scale well beyond 90k-120k+ or so entries (CPU usage), something to think about for the long term...

Posted by BuzyBee-Kevin, 12-30-2010, 04:40 AM
If you change the SSH port for WHM "cpanel" and have the server listen only on one IP, your brute force attacks will go away, and block port scanning with CSF firewall. After I did this I have not had one brute force attack on any of our servers. "Knock on wood, right?"

To change your SSH port, do this. At command prompt type:

pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

Code:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change #Port 22 to look like Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number))
Uncomment and change #Protocol 2, 1 to look like Protocol 2
Uncomment and change #ListenAddress 0.0.0.0 to look like ListenAddress 123.123.123.15 (use one of your own IP addresses that has been assigned to your server)

Add a warning to your intruders, use this:

Set an SSH Legal Message

To set an SSH legal message, SSH into server and log in as root. At command prompt type:

pico /etc/motd

Enter your message, save and exit. Note: I use the following message...

Code:
ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.

Now every time someone logs in as root, they will see this message... go ahead and try it. Well, I hope this helps you out.

Posted by DxSEO, 12-30-2010, 06:10 AM
I would advise you to change ssh port to a non standard port; it might help you to get some security.

Posted by InoxHost, 12-30-2010, 11:37 AM
Well, if you have granted access to particular persons, I would recommend using ssh keys. It completely prevents anyone from gaining access to your server. We use ssh keys on all of our servers.

Posted by tobaria, 12-30-2010, 02:30 PM
TOTALLY AGREE

Posted by petteyg359, 12-30-2010, 02:53 PM
Change your SSH port. Lots of automated attacks happen on port 22. Just changing that port will eliminate the vast majority of attempts. Get CSF. It has a nice cPanel interface you can use. Try 65535. 49151 is the current highest available for registration. If you use something under 49151, there's a very small chance you'll pick a port that some other service expects to use.

Posted by Atlas Global, 01-01-2011, 04:49 PM
Most of the attacks are fully automated… a network of hacked personal computers and servers that form a ‘BotNet’. They just randomly probe IPs to see what they can find.

Posted by ayhanarda, 01-04-2011, 08:22 AM
Change ssh port and install csf later everything will be good

Posted by Neosurge, 01-04-2011, 08:34 AM
CSF will help you automatically block these attacks.

Posted by austin72, 01-25-2011, 07:48 AM
I totally agree with the above reply.

Posted by CH-Shaun, 01-25-2011, 08:00 AM
You could also whitelist yourself based on your ISP's IP range or a static IP in hosts.allow to access SSH on a shared hosting environment. Then you would blacklist all other IPs via a wildcard in hosts.deny.

Posted by mfwl, 02-18-2011, 05:49 AM
You should go to security centre and disable password access to ssh and enable the secure key method just in case they find the root password
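
A check for the sshd_config changes suggested across this thread (non-default port, a single listen address, Protocol 2, password logins off). This is an added example, not part of any post; the function names and finding codes are made up for illustration, and the two sample configs are constructed from the values quoted above. It reads only the global section and checks Protocol only when it is set explicitly, since the default differs between OpenSSH releases.

```python
# Constructed samples: the stock section quoted in the thread, and the
# thread's changes plus key-only logins (port and address are the thread's).
STOCK = "#Port 22\n#Protocol 2,1\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n"
HARDENED = ("Port 5678\nProtocol 2\nListenAddress 123.123.123.15\n"
            "PasswordAuthentication no\n")

# sshd's built-in values when a keyword is absent or commented out.
DEFAULTS = {"port": ["22"], "listenaddress": ["0.0.0.0", "::"],
            "passwordauthentication": ["yes"]}
REPEATABLE = {"port", "listenaddress"}  # every occurrence counts

def effective(config_text):
    """Global settings as sshd reads them: first value wins, except REPEATABLE."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope here
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in REPEATABLE:
            seen.setdefault(key, []).append(value)
        else:
            seen.setdefault(key, [value])
    return {**DEFAULTS, **seen}

def _host(addr):
    """Strip an optional port from 'host:port' or '[v6]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def audit(config_text):
    """Return finding codes for the settings the thread recommends changing."""
    cfg, findings = effective(config_text), []
    if "22" in cfg["port"]:
        findings.append("port-22")
    if any(_host(a) in ("0.0.0.0", "::") for a in cfg["listenaddress"]):
        findings.append("listen-all")
    if cfg["passwordauthentication"][0].lower() != "no":
        findings.append("password-auth")
    if "1" in [v.strip() for v in cfg.get("protocol", [""])[0].split(",")]:
        findings.append("protocol-1")
    return findings
```

Because the first value wins, a `PasswordAuthentication yes` line that appears above a later `no` leaves password logins enabled, which is why the check reads the file in order instead of searching for the last match.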


