  1. #1

    Logwatch for my host... What to do with it?

    So I've been getting this log watch from my server emailed to me on a daily basis. It gives me a list of all the authentication failures via SSH and other protocols. Should I be actively concerned that there are specific IP addresses consistently trying to access my SSH account? Likewise, for any type of failed login. Should I actively block their IP address from accessing the server at all?

    I've also noticed in the Connections group, there's a lot of connections -- is this normal?

    Just want to make sure I'm making an active effort to prevent my server from being brought down. I mean, I have 2000+ SSHd authentication failures... seems really high.

  2. #2
    Join Date
    Feb 2003
    North Hollywood, CA
    That's 'normal'.

    You should set up a brute force detection system, and it sounds like a good idea to set up a firewall to block the SSH port to certain user/IPs.

    On this forum or Google, look for APF and BFD, which work well, and a side of OSSEC.

  3. #3
    Join Date
    Sep 2000
    Alberta, Canada
    I've seen attempts in the tens of thousands and yes, they are normal. Just people running scripts to see if an easy-to-crack Server login is being used.

    You should prevent direct 'root' login, and using another port will cut down on login attempts as well.

    The site seems to be a blank page. Although one of your Clients could be using it to monitor the Server, a site with no Web pages is not one I would prefer to be trying to access my Server.

  4. #4
    Join Date
    Sep 2002
    Top Secret
    You should really look into something like csf to automatically handle these types of things for you. This will automagically block individuals who try over X number of times without a password to log in.
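
The idea behind the threshold-based blocking recommended in the replies above, as an added example that is not part of the thread and not the code of BFD, csf or any other tool: count failed SSH passwords per source IP inside a sliding time window and flag the IPs that reach a limit. The log lines are constructed, and the threshold, window length and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (not real logs).
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 04:12:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 04:12:06 host sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 04:12:09 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40155 ssh2
Mar  3 04:12:11 host sshd[2109]: Failed password for root from 203.0.113.7 port 40160 ssh2
Mar  3 04:30:00 host sshd[2200]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 04:30:20 host sshd[2201]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
Mar  3 09:00:00 host sshd[2300]: Failed password for root from 192.0.2.55 port 33000 ssh2
Mar  3 11:00:00 host sshd[2301]: Failed password for root from 192.0.2.55 port 33001 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) per failed-password line; syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def offenders(text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for IPs that reach max_failures inside the window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    totals = defaultdict(int)     # ip -> all failures seen in the log
    flagged = set()
    for ts, _user, ip in parse_failures(text):
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, candidate for a firewall block")
```

The user who mistyped a password once and the IP with two failures hours apart stay under the limit, which is why a windowed threshold is safer than blocking every address that appears in the Logwatch report.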
