Thread: Hackers trying to access my VPS
-
08-25-2011, 12:48 PM #1Junior Guru Wannabe
- Join Date
- Jul 2011
- Posts
- 38
Hackers trying to access my VPS
Is your VPS being hacked every day? Do you have csf/lfd installed? Did you disable direct root login and use a wheel user to su to root? If not, you need to do it right away. When I first got my VPS, all I cared about was uploading and testing my website and forgot all about security.
One day I was researching csf/lfd and decided to use it. I changed the alert email to send me an email for any successful SSH login or if someone tries to connect via SSH. As soon as I had this set up, I have been getting tons of notifications like the ones below. Some days, my server would BAN 40 to 50 IPs from China, India, Indonesia, Thailand, Korea, and even the US. They are trying to access my root. I doubt they got in because my server shows no sign of irregular activity.
Just to be safe, what is the best way to check my VPS to make sure they didn't get in? Any suggestion on how to stop them permanently? Are these hackers using some type of script to utilize someone's IP to hack into your server? I doubt these IPs belong to the hacker. Should I worry about them?
Time: Thu Aug 25 06:25:15 2011 -0400
IP: 61.19.85.154 (TH/Thailand/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
Aug 25 06:25:10 vps sshd[19948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.85.154 user=root
Aug 25 06:25:10 vps sshd[19951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.85.154 user=root
Aug 25 06:25:10 vps sshd[19954]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.19.85.154 user=root
Aug 25 06:25:12 vps sshd[19948]: Failed password for root from 61.19.85.154 port 48276 ssh2
Aug 25 06:25:12 vps sshd[19951]: Failed password for root from 61.19.85.154 port 36550 ssh2
Time: Thu Aug 25 00:11:38 2011 -0400
IP: 202.137.7.6 (ID/Indonesia/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
Aug 25 00:11:31 vps sshd[20196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.137.7.6 user=root
Aug 25 00:11:31 vps sshd[20145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.137.7.6 user=root
Aug 25 00:11:32 vps sshd[20176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.137.7.6 user=root
Aug 25 00:11:33 vps sshd[20196]: Failed password for root from 202.137.7.6 port 48580 ssh2
Aug 25 00:11:33 vps sshd[20145]: Failed password for root from 202.137.7.6 port 36298 ssh2
-
08-25-2011, 12:58 PM #2WHT Addict
- Join Date
- Jul 2011
- Location
- Sweden
- Posts
- 104
Check out this:
http://www.webhostingtalk.com/showthread.php?t=468168
-
08-25-2011, 01:04 PM #3Web Hosting Master
- Join Date
- Jun 2003
- Location
- California
- Posts
- 2,786
Move your SSH port from port 22 to a non-standard port and you will significantly reduce these reports. And your server will be more secure.
First choose a port that does not appear in the list of TCP_IN and TCP_OUT in your CSF config file. For instance, you can use something like port 2471.
Step two: add that port to the TCP_IN and TCP_OUT listing in your CSF config file. If you don't do this, you could be locked out.
Step three: stop and restart CSF.
Step four: change the port for SSH ... the instructions will change based on which OS you are using, but for CentOS, you do this:
An effective method is to run ssh on a non-standard port. Any unused port will do, although one above 1024 is preferable. Many people choose 2222 as an alternative port (as it's easy to remember), just as 8080 is often known as the alternative HTTP port. For this very reason, it's probably not the best choice, as any hacker scanning port 22 will likely also be scanning port 2222 just for good measure. It's better to pick some random high port that's not used for any known services. To make the change, add a line like this to your /etc/ssh/sshd_config file:
# Run ssh on a non-standard port (change 2345 to the port you chose;
# sshd_config does not accept a trailing comment on the Port line):
Port 2345
and restart the sshd service. Don't forget to then make any necessary changes to port forwarding in your router and any applicable firewall rules.
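The four steps above, as an added example that is not part of the post: shell functions that apply them to the config files, written so they can be tried on copies first. They assume a stock csf.conf layout (TCP_IN = "20,21,22,...") at /etc/csf/csf.conf and the CentOS sshd_config at /etc/ssh/sshd_config, neither of which the post spells out.

```shell
#!/bin/sh
# Added example (not from the thread): steps one, two and four of the post
# above, applied to whichever files you pass in. Assumed paths and format:
#   /etc/csf/csf.conf      with lines  TCP_IN = "20,21,22,..."  and TCP_OUT
#   /etc/ssh/sshd_config   with a  Port  directive (commented out by default)

# port_in_list PORT "a,b,c" -- true if PORT is one of the comma-separated items
port_in_list() {
  printf '%s\n' "$2" | tr ',' '\n' | grep -qx "$1"
}

# csf_port_listed FILE PORT -- step one: true if PORT already appears in
# TCP_IN or TCP_OUT, i.e. it is NOT a good choice for the new SSH port
csf_port_listed() {
  for var in TCP_IN TCP_OUT; do
    list=$(sed -n "s/^$var = \"\(.*\)\"/\1/p" "$1")
    port_in_list "$2" "$list" && return 0
  done
  return 1
}

# csf_add_port FILE PORT -- step two: append PORT to both TCP_IN and TCP_OUT
# (no change if it is already listed, so running it twice is harmless)
csf_add_port() {
  csf_port_listed "$1" "$2" && return 0
  sed -i "s/^\(TCP_IN = \"[^\"]*\)\"/\1,$2\"/; s/^\(TCP_OUT = \"[^\"]*\)\"/\1,$2\"/" "$1"
}

# sshd_set_port FILE PORT -- step four: rewrite any existing Port line,
# commented or not ("#Port 22" in a stock file), or append one if none exists.
# The trailing .* also drops an inline comment, which sshd would reject.
sshd_set_port() {
  if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$1"; then
    sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1"
  else
    printf 'Port %s\n' "$2" >> "$1"
  fi
}

# sshd_port FILE -- the port sshd will listen on (22 when no Port line is set)
sshd_port() {
  p=$(awk '$1 == "Port" { print $2; exit }' "$1")
  echo "${p:-22}"
}

# On the real host, after checking the result on copies of both files:
#   csf_port_listed /etc/csf/csf.conf 2471 && echo "already listed, pick another"
#   csf_add_port /etc/csf/csf.conf 2471 && csf -r            # step three
#   sshd_set_port /etc/ssh/sshd_config 2471 && service sshd restart
```

Keep the existing SSH session open while you restart sshd and connect on the new port from a second terminal; if the CSF step was missed, that first session is what lets you fix it.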
-
08-25-2011, 01:08 PM #4WHT Addict
- Join Date
- Mar 2011
- Location
- florida
- Posts
- 158
install Fail2ban
set ban limit to
bantime = 1000000 (in seconds, which is 277 hrs)
in jail.conf
maxretry = 3 (or 2)
in jail.conf
-
08-25-2011, 01:10 PM #5Web Hosting Master
- Join Date
- Apr 2007
- Posts
- 3,531
Simply moving SSH to another port will stop 99% of these; if you still get them, look at installing a brute force detection script.
-
08-25-2011, 01:55 PM #6Web Hosting Guru
- Join Date
- Oct 2008
- Location
- J
- Posts
- 299
disable IPv4 login to your vps and use IPv6 only.
- do it yourself.
-
08-25-2011, 02:37 PM #7Junior Guru Wannabe
- Join Date
- Jul 2011
- Posts
- 38
How do I find out if a hacker already has access to my root?
-
08-25-2011, 02:47 PM #8Web Hosting Master
- Join Date
- Jul 2008
- Location
- Eta Carinae
- Posts
- 2,672
-
08-25-2011, 04:19 PM #9Web Hosting Evangelist
- Join Date
- Dec 2007
- Posts
- 471
If you're unsure whether you have been breached, 1) immediately change all your passwords, 2) shut down SSH, 3) install Tripwire or AIDE or another IDS as a go-forward detection, 4) via your VPS console go through your logs (syslog, messages, auth, etc., depending on your Linux distribution) to find any unintended root or sudo-capable user logins.
Then, once you've secured the system and are confident in your IDS, re-enable SSH.
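Step 4 of the post above (going through the logs for root or sudo-capable logins you did not make), as an added example that is not part of the thread. It assumes CentOS-style /var/log/secure lines (Debian/Ubuntu: /var/log/auth.log): sshd "Accepted ..." records, pam_unix su session records and sudo records. The sample lines are constructed; apart from the failed-login line taken from the first post, the addresses are RFC 5737 documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not from the thread): pull successful logins and root
# escalations out of an auth log so they can be compared with what you did.
# Assumed record formats (CentOS /var/log/secure); field numbers for awk:
#   Aug 25 07:23:10 vps sshd[20301]: Accepted publickey for alice from 203.0.113.5 port 50322 ssh2
#   $1  $2 $3       $4  $5           $6       $7        $8  $9    $10  $11

# ssh_logins LOG -- every successful sshd login as "USER IP METHOD"
ssh_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11, $7 }' "$1"
}

# root_ssh_logins LOG -- direct root logins over SSH as "IP METHOD".
# Any output means root login is still enabled; the thread's advice is to
# disable it and su/sudo from a wheel user instead.
root_ssh_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / && $9 == "root" { print $11, $7 }' "$1"
}

# unexpected_logins LOG "IP IP ..." -- successful logins from any address not
# in the space-separated list of your own addresses, as "USER IP METHOD"
unexpected_logins() {
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /sshd\[[0-9]+\]: Accepted / && !($11 in ok) { print $9, $11, $7 }' "$1"
}

# root_escalations LOG -- who became root after logging in, via su or sudo,
# as "su USER" / "sudo USER"; compare against the people you expect
root_escalations() {
  awk '
    / su(-l)?(\[[0-9]+\])?: pam_unix\(su(-l)?:session\): session opened for user root by / {
      who = $NF; sub(/\(.*/, "", who); print "su", who }
    / sudo(\[[0-9]+\])?: / && / USER=root / { print "sudo", $6 }' "$1"
}

# sample_log -- constructed log lines standing in for /var/log/secure
sample_log() {
  cat <<'EOF'
Aug 25 07:23:10 vps sshd[20301]: Accepted publickey for alice from 203.0.113.5 port 50322 ssh2
Aug 25 07:24:01 vps su: pam_unix(su-l:session): session opened for user root by alice(uid=1000)
Aug 25 07:25:02 vps sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Aug 25 06:25:12 vps sshd[19948]: Failed password for root from 61.19.85.154 port 48276 ssh2
Aug 26 03:12:44 vps sshd[21000]: Accepted password for root from 198.51.100.77 port 40123 ssh2
EOF
}

# Demo on the constructed sample; on a real host pass /var/log/secure and
# your own addresses in the allow list instead.
log=$(mktemp); sample_log > "$log"
echo "== successful ssh logins";   ssh_logins "$log"
echo "== direct root logins";      root_ssh_logins "$log"
echo "== logins not from my IPs";  unexpected_logins "$log" "203.0.113.5"
echo "== su/sudo to root";         root_escalations "$log"
rm -f "$log"
```

Failed attempts like the ones in the first post are deliberately ignored here; the line to worry about is the single "Accepted password for root" from an address that is not yours. Run it from the VPS console as the post suggests, since an intruder with root could have trimmed the log that sshd is writing to.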
-
08-25-2011, 08:47 PM #10Temporarily Suspended
- Join Date
- Aug 2011
- Posts
- 20
If you are paranoid, back up your data (and from now on, keep regular backups) and reload your operating system.
-
08-25-2011, 09:27 PM #11Web Hosting Master
- Join Date
- Apr 2011
- Location
- Las Vegas, NV
- Posts
- 1,643
-
08-25-2011, 09:53 PM #12WHT Addict
- Join Date
- Mar 2011
- Location
- florida
- Posts
- 158
install Rkhunter
-
08-25-2011, 10:00 PM #13Aspiring Evangelist
- Join Date
- Apr 2010
- Location
- North Carolina
- Posts
- 442
Disable password login, use SSH keys, change the SSH port (possibly restrict it to only your IP or a VPN), make sure everything is up to date and nothing unneeded is running, keep the console logged out (if you can, like on Xen, KVM, VMware, etc.) and keep your home system/network secure. Doing all that will greatly reduce the risk of getting hacked. As always, back up your important data to multiple locations.
-
08-25-2011, 10:01 PM #14Web Hosting Master
- Join Date
- Jan 2003
- Location
- SLC
- Posts
- 2,278
How do I find out if a hacker already has access to my root?
-
08-25-2011, 10:24 PM #15Newbie
- Join Date
- Aug 2011
- Posts
- 24
You are right to be concerned about hacking attempts, but after you've taken appropriate precautions I doubt that there is any reason to be alarmed. The reality today is that any internet connected computer is a target for hacking. Whether the hackers will be successful or not depends partly on how securely you've set up your system, what vulnerabilities you expose, the perceived value of hacking your site and the determination and skills of the hackers.
From what I've seen, the vast majority of "attacks" are just scripts/bots searching for easy targets. Most are just looking for default software configurations, user accounts and passwords. My recommendations for keeping a secure system without driving yourself crazy are:
1. Change the port used for SSH. This step alone will eliminate essentially all of your exposure to scripted attacks.
2. Disable root logins via SSH. This step makes the attacker guess or find out your user ID as well as your password in order to gain access to your system.
That is probably all the "protection" most systems need. (You are not running a money transfer portal are you?) Use the monitoring you have, not to monitor attacks, but to monitor successful logins. If your ID has logged in, and it is not you -- that is a BIG problem! Change your password immediately (if you can do that) and restore everything you can from your most recent backup.
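A check for the two recommendations in this post (non-standard port, no root login over SSH) plus the key-only login suggested in post #13, as an added example that is not part of the thread. It reads an sshd_config and reports which of the three is still at the weak setting. Assumption: an absent keyword is treated as the older OpenSSH default (Port 22, PermitRootLogin yes, PasswordAuthentication yes); newer releases default PermitRootLogin to prohibit-password, so an absent line is deliberately reported as the weaker case. Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): report weak sshd_config settings.
# Assumed defaults when a keyword is absent or commented out: Port 22,
# PermitRootLogin yes, PasswordAuthentication yes (older OpenSSH behaviour).

# sshd_effective FILE KEY DEFAULT -- value of the first uncommented KEY line
# (keywords are case-insensitive and the first occurrence wins), else DEFAULT
sshd_effective() {
  v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  echo "${v:-$3}"
}

# sshd_findings FILE -- one line per weak setting; no output means all three
# recommendations are in place
sshd_findings() {
  f="$1"
  [ "$(sshd_effective "$f" Port 22)" = "22" ] &&
    echo "Port 22: still the default; move SSH to a non-standard port"
  case "$(sshd_effective "$f" PermitRootLogin yes)" in
    no|without-password|prohibit-password) ;;
    *) echo "PermitRootLogin: root can log in with a password; set it to no" ;;
  esac
  [ "$(sshd_effective "$f" PasswordAuthentication yes)" = "yes" ] &&
    echo "PasswordAuthentication yes: use SSH keys and set it to no"
  return 0
}

# Constructed sample files (not from any real host): a stock-looking config
# with everything commented out, and a hardened one.
weak=$(mktemp); hard=$(mktemp)
printf '#Port 22\n#PermitRootLogin yes\n#PasswordAuthentication yes\nProtocol 2\n' > "$weak"
printf 'Port 2471\nPermitRootLogin no\nPasswordAuthentication no\nProtocol 2\n' > "$hard"
echo "== stock config";    sshd_findings "$weak"
echo "== hardened config"; sshd_findings "$hard"
# On a real host:  sshd_findings /etc/ssh/sshd_config
rm -f "$weak" "$hard"
```

Before setting PasswordAuthentication to no, confirm a key login works from a second session; once both PermitRootLogin and PasswordAuthentication are off, the "Failed password for root" lines in the first post can no longer succeed no matter how many are tried.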
-
08-26-2011, 09:48 AM #16Web Hosting Master
- Join Date
- Jun 2003
- Location
- California
- Posts
- 2,786
CSF also has a setting to notify you when there is a successful login:
Time: Thu Aug 25 07:23:17 2011 -0600
IP: xx.xxx.xxx.xxx (US/United States/cpe-xx-xxx-xxx-xxx.socal.res.rr.com)
Account: root
Method: password authentication