  1. #1

    Constant Brute Force Attacks

    Yesterday afternoon I started to receive notification e-mails from my server's firewall's Brute Force Detector to say that the server was being attacked. It blocked the IPs in question; however, every few minutes another attack would occur using a different IP address. The attacks appeared to be trying to log in as root as well as a number of other strange usernames. The firewall would block one IP, and then another would replace it.

    It has now been almost 24 hours, and this is still happening - sometimes several attacks a minute. This morning I had over 1000 brute force detection warning emails in my inbox. The attacks are still going on as I write this.

    My server seems to be coping ok despite this, albeit with a slightly higher server load than normal - but it's rather worrying all the same.

    Should I report this to the server provider? Is there anything I can do, or that they can do for that matter? The IPs are different every time and from different ranges; do I just have to wait it out until whoever it is gives up and stops?

  2. #2
    I get it like that every few weeks; it depends on what mood I'm in whether I decide to send it to abuse.

  3. #3
    Report this to your server provider.
    Probably another server in their data center is hacked,
    and it is being used for attacks on other servers from the local network.

  4. #4
    Change the SSH port; you will avoid most attacks.

  5. #5
    Hello,

    OK, I do not know what type of firewall you are using, so what I am about to suggest might not work for you.

    What I do when creating firewalls is to stop anyone from being able to connect directly to my firewalls, e.g. the first couple of rules allow SSH connections from home, work and perhaps another location. Then I drop all other connections to the external interface of the firewall.

    That way an external connection cannot even get up a login prompt, but I can still log in from fixed remote locations. Job done.

    This does kind of assume you have additional public IP address space pointing at your firewall to enable you to host stuff behind your firewall? If that is true, after the drop you can allow to the rest of your address space as you see fit, with a nice any-any drop to clean up the connections as the final rule.

    Hope this helps.

    Mat.

  6. #6
    Change the SSH port; you will avoid most attacks.
    OK, I've tried that, but it doesn't seem to have had any effect.

    OK, I do not know what type of firewall you are using, so what I am about to suggest might not work for you.
    I'm using APF. I'm not sure how to do what you're describing there; I've not much experience using the firewall, to be honest.

  7. #7
    Originally posted by Dal
    OK, I've tried that, but it doesn't seem to have had any effect.

    I'm using APF. I'm not sure how to do what you're describing there; I've not much experience using the firewall, to be honest.
    This is strange; it doesn't look like a usual attack.

    Add your IPs in the file /etc/apf/allow_hosts.rules

    In the file /etc/apf/conf.apf look for IG_TCP_CPORTS and remove your SSH port.

    Restart APF (apf -r).
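    The APF change in the post above, scripted as an added example (not the poster's own code). It assumes the /etc/apf paths named in the post, SSH on port 22, and two placeholder trusted addresses; it goes slightly beyond the post by skipping duplicate entries and handling the port wherever it sits in the IG_TCP_CPORTS list.

```shell
#!/bin/sh
# Added example: lock SSH down to trusted addresses with APF.
# Assumptions (not from the thread): standard /etc/apf paths, SSH on
# port 22, and constructed RFC 5737 placeholder addresses below.
set -eu

SSH_PORT=22                                  # assumed; use your real port
TRUSTED="203.0.113.10 198.51.100.25"         # constructed placeholders

# Append each trusted address to allow_hosts.rules unless it is already
# present, so repeated runs do not duplicate entries.
apf_allow_hosts() {
    rules=$1; shift
    touch "$rules"
    for ip in "$@"; do
        grep -qxF "$ip" "$rules" || echo "$ip" >> "$rules"
    done
}

# Remove one port from the comma-separated IG_TCP_CPORTS list in conf.apf,
# whether it is first, in the middle, last, or the only entry. Writes to a
# temporary copy and renames it into place so a failed edit leaves the
# original untouched.
apf_remove_cport() {
    conf=$1; port=$2
    sed -e "/^IG_TCP_CPORTS=/{s/,$port,/,/g;s/=\"$port,/=\"/;s/,$port\"/\"/;s/=\"$port\"/=\"\"/;}" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Only touch the live config when explicitly asked ("apply") as root;
# otherwise the functions are defined for review or testing on a copy.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    cp /etc/apf/conf.apf /etc/apf/conf.apf.bak   # backup to restore from
    apf_allow_hosts /etc/apf/allow_hosts.rules $TRUSTED
    apf_remove_cport /etc/apf/conf.apf "$SSH_PORT"
    apf -r                                        # reload APF, as in the post
fi
```

    Verify with a copy of conf.apf first; once the SSH port is gone from IG_TCP_CPORTS, only addresses in allow_hosts.rules reach a login prompt, which is exactly the behaviour reported in the next post.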

  8. #8
    Sorry, my mistake, it has had an effect. Although the attacks are still going on, the attacker is no longer getting to the shell to make any more password attempts.

    At least that'll make sure they never succeed, even if they do seem to be continuing regardless.
