Constant SSH login tries from numerous IP's (bots)

Junior Guru Wannabe
Join Date: Jan 2008
Posts: 42

Hey guys,

I have a dedicated RHEL server with cPanel, and my server load spikes by about +0.4 (out of 2.0) for about 30 mins every 4-6 hours or so. My regular server load is 0.01, because there is barely any traffic on the server yet, but by looking at my top processes in WHM, I can see that the processes that are spiking the server load when it is high are something like:

sshd: [priv] root
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
sshd: [priv] games
sshd: [priv] news
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]

...something along these lines. And a lot of times there are 10-20 of these sshd processes at one time.

My server is managed and my dedicated server engineer said it was probably a bot trying passwords. He took one of the IP's, said it was from Taiwan, and blocked that IP in iptables.

However, this is still happening constantly with different IP's. Is there a way to prevent this from happening? I'm the only person (and my host) who should be able to login to my server using SSH... however, I don't have a static IP and I work from multiple locations, so only allowing certain IP's won't work for me.

First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.

Thanks for any help and guidance.

WHT Addict
Join Date: Apr 2008
Posts: 141
Brute force attack on your server. Install CSF with LFD on your server to get quick control.

Security Ninja
Join Date: Mar 2003
Location: Canada
Posts: 8,826
Originally Posted by apacheMan:
First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.
Yes it's normal to get scanned, and for a brute force attack on SSHD to cause a slight increase in the server load. The easiest way to "remedy" this would be to change the port of SSHD from the default 22 to something else, but make sure it's open in your firewall... another option would be to install CSF/LFD as suggested to block most of the brute force attempts.

If you want to get real paranoid, you can leave SSHD on the same port but come up with a very restrictive firewall rule set that ONLY allows designated IP's to connect to port 22. This takes a bit of practice and it's easy to lock yourself out, so it's not always ideal unless you know what you're doing.

Patrick William | RACK911 Labs | Software Security Auditing

Junior Guru Wannabe
Join Date: Jan 2008
Posts: 42
Hey guys... thanks for the informative response! Now that I know this is Brute Force Attacks... I definitely do want to stop it so I can get control of the situation.

Both of you recommended CSF/LFD, and after looking it up... it looks really nice and the LFD part sounds like it will stop my problem. Problem is, I am in no way capable of installing this by myself with my knowledge.

So let me ask, is this something that my managed host would be able to install and configure quickly? They can take care of most simple tasks, but I wasn't sure if installing CSF/LFD was considered a "Big Job" that fully-managed hosts would say no to.

Also, if it was installed, would I need a professional to then configure it properly for my server? Or would it work just fine with the standard install? I don't need bells and whistles, just the basic security measures would be fine.

Thanks so much for your help and advice.

Web Hosting Master
Join Date: Mar 2002
Location: UK
Posts: 1,262
Try here: Configserver it's free, easy to install and in addition to the firewall has:-
To complement the ConfigServer Firewall (csf), we have developed a Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.


Junior Guru
Join Date: Jun 2007
Location: UK
Posts: 219
You may want to consider:
  • Moving SSH to a random high port - if they can't find it they can't attempt logins
  • Disable password logins (make sure you generate a working keypair first!) - that'll stop brute force attacks
  • Use something like DenyHosts which will help you automatically block IPs that use brute force attacks (be sure to RTFM first - if you don't follow the instructions you can block yourself)

I think the server saw what was required of it and just committed suicide instead.
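
An added example, not part of any post in this thread, for the "disable password logins" suggestion above: a small audit of an sshd_config that applies sshd's first-value-wins rule, so a hardening line appended below an existing one is reported as ineffective. The sample config is constructed, and the check reads a single file without following Include lines.

```python
# OpenSSH built-in defaults for the keywords that decide whether a password works.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
}
# ChallengeResponseAuthentication is the older keyword for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sshd_config: the hardening lines were appended below existing ones.
WEAK_CONFIG = """\
PasswordAuthentication yes
UsePAM yes
# hardening added later
PasswordAuthentication no
ChallengeResponseAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Global values for the tracked keywords: first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                    # conditional blocks are out of scope here
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}

def audit(text):
    """Return findings that leave password guessing possible or risk a lockout."""
    s, findings = effective_settings(text), []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is still enabled")
    if s["kbdinteractiveauthentication"] != "no" and s["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM can still ask for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key logins will not work")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)))
```

`sshd -T` prints the configuration the daemon actually resolves; check it, and confirm a key login works in a second session, before closing the session you are in.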

Just me
Join Date: Sep 2002
Location: Among the corn
Posts: 10,591
CSF and LFD will stop that dead in its tracks if your log programs are set up properly (which they should be by default).
It'll take a few attempts, but CSF and LFD will catch 'em.

Retired Moderator
Join Date: Mar 2003
Location: United States
Posts: 3,675
Installing CSF + LFD is not too difficult, if you are able to connect to SSH (and you should be capable of at least doing that if you have a server) then it's literally a copy & paste affair.

Here's the install:

Just run each line below, basically:
rm -fv csf.tgz
tar -xzf csf.tgz
cd csf

Once that is done, everything is rather easily maintained in your WHM.

Once you get that done, change the port as well. It's a simple matter of editing the SSH config file and making sure the port is clear in your firewall.

If you need any specific help, just shout.

Any managed host should really install this (or their equivalent) without issue.

Junior Guru Wannabe
Join Date: Aug 2007
Posts: 37
I followed all instructions from above and this is what I have.

The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall
I see some UDP ports on here that I'm at a loss as to what service is using them (like 32768, 32772, 32773). It is a cPanel server, so maybe the people who have experience with these might have a better clue.

But anyway, can I then configure the remainder of this via WHM? Or do I need to edit the files directly in /etc/csf/?

Last edited by The.Watcher; 05-31-2008 at 08:51 AM.
