Results 1 to 9 of 9
  1. #1
    Join Date
    Jan 2008
    Posts
    42

    * Constant SSH login tries from numerous IP's (bots)

    Hey guys,

    I have a dedicated RHEL server with cPanel and my server loads spikes about +0.4 (out of 2.0) for about 30 mins every 4-6 hours or so. My regular server load is 0.01, because there is barely any traffic on the server yet, but by looking at my top processes in WHM, I can see that the processes that are spiking the Server Load when it is high, is something like:

    sshd: [priv] root
    sshd: [priv] root
    sshd: [priv] root
    sshd: [accepted]
    sshd: [priv] games
    sshd: [priv] news
    sshd: [priv] root
    sshd: [priv] root
    sshd: [accepted]

    ...something along these lines. And a lot of times there are 10-20 of these sshd processes at one time.

    My server is managed and my dedicated server engineer said it was probably a bot trying passwords. He took one of the IP's, said it was from Taiwan, and blocked that IP in iptables.

    However, this is still happening constantly with different IP's. Is there a way to prevent this from happening? I'm the only person (and my host) who should be able to login to my server using SSH... however, I don't have a static IP and I work from multiple locations, so only allowing certain IP's won't work for me.

    First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.

    Thanks for any help and guidance.

  2. #2
    Brute Force attack on your server. Install CSF with LFD on your server to get a quick control.

  3. #3
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,834
    Quote Originally Posted by apacheMan View Post
    First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.
    Yes it's normal to get scanned, and for a brute force attack on SSHD to cause a slight increase in the server load. The easiest way to "remedy" this would be to change the port of SSHD from the default 22 to something else, but make sure it's open in your firewall... another option would be to install CSF/LFD as suggested to block most of the brute force attempts.

    If you want to get real paranoid, you can leave SSHD on the same port but come up with a very restrictive firewall rule set that ONLY allows designated IP's to connect to port 22. This takes a bit of practice and it' easy to lock yourself out, so it's not always ideal unless you know what you're doing.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Free Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  4. #4
    Join Date
    Jan 2008
    Posts
    42
    Hey guys... thanks for the informative response! Now that I know this is Brute Force Attacks... I definitely do want to stop it so I can get control of the situation.

    Both of you recommended CSF/LFD, and after looking it up... it looks really nice and the LFD part sounds like it will stop my problem. Problem is, I am in no way capable of installing this by myself with my knowledge.

    So let me ask, is this something that my managed host would be able to install and configure quickly? They can take care of most simple tasks, but I wasn't sure if installing CSF/LFD was considered a "Big Job" that fully-managed hosts would say no to.

    Also, if it was installed, would I need a professional to then configure it properly for my server? Or would it work just fine with the standard install? I don't need bells and whistles, just the basic security measures would be fine.

    Thanks so much for your help and advice.

  5. #5
    Join Date
    Mar 2002
    Location
    UK
    Posts
    1,262
    Try here: Configserver it's free, easy to install and in addition to the firewall has:-
    To complement the ConfigServer Firewall (csf), we have developed a Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.

  6. #6
    Join Date
    Jun 2007
    Location
    UK
    Posts
    219
    You may want to consider:

    • Moving SSH to a random high port - if they can't find it they can't attempt logins
    • Disable password logins (make sure you generate a working keypair first!) - that'll stop brute force attacks
    • Use something like DenyHosts which will help you automatically block IPs that use brute force attacks (be sure to RTFM first - if you don't follow the instructions you can block yourself)
    I think the server saw what was required of it and just committed suicide instead.

  7. #7
    Join Date
    Sep 2002
    Location
    Among the corn
    Posts
    10,622
    CSF and LFD will stop that dead in it's tracks if your log programs are setup properly (which they should be by default).
    It'll take a few attempts, but CSF and LFD will catch 'em.

  8. #8
    Join Date
    Mar 2003
    Location
    United States
    Posts
    3,675
    Installing CSF + LFD is not too difficult, if you are able to connect to SSH (and you should be capable of at least doing that if you have a server) then it's literally a copy & paste affair.

    Here's the install:
    http://www.configserver.com/free/csf/install.txt

    Just run each line below, basically:
    ====================
    rm -fv csf.tgz
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    ====================

    Once that is done, everything is rather easily maintained in your WHM.

    Once you get that done, change the port as well. It's a simple matter of editing the SSH config file and making sure the port is clear in your firewall.

    If you need any specific help, just shout.

    Any managed host should really install this (or their equivalent) without issue.

  9. #9
    Join Date
    Aug 2007
    Posts
    37
    I followed all instructions from above and this is what I have.

    The port details above are for information only, csf hasn't been auto-configured.

    Don't forget to:
    1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
    2. Restart csf and lfd
    3. Set TESTING to 0 once you're happy with the firewall
    I see some UDP ports on here that I'm at lost as what service is using them. Like (32768,32772,32773) It is a CPANEL server so maybe the people that have the experience with these might have a better clue.

    But anyway can I then configure the reminder of this via WHM right? Or do I need to edit the files directly in /etc/csf/?
    Last edited by The.Watcher; 05-31-2008 at 08:51 AM.

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •