Constant SSH login tries from numerous IP's (bots)

  #1  
Old 04-26-2008, 12:35 PM
apacheMan apacheMan is offline
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 42

Hey guys,

I have a dedicated RHEL server with cPanel and my server loads spikes about +0.4 (out of 2.0) for about 30 mins every 4-6 hours or so. My regular server load is 0.01, because there is barely any traffic on the server yet, but by looking at my top processes in WHM, I can see that the processes that are spiking the Server Load when it is high, is something like:

sshd: [priv] root
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
sshd: [priv] games
sshd: [priv] news
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]

...something along these lines. And a lot of times there are 10-20 of these sshd processes at one time.

My server is managed and my dedicated server engineer said it was probably a bot trying passwords. He took one of the IP's, said it was from Taiwan, and blocked that IP in iptables.

However, this is still happening constantly with different IP's. Is there a way to prevent this from happening? I'm the only person (and my host) who should be able to login to my server using SSH... however, I don't have a static IP and I work from multiple locations, so only allowing certain IP's won't work for me.

First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.

Thanks for any help and guidance.



  #2  
Old 04-26-2008, 12:49 PM
cloud911 cloud911 is offline
WHT Addict
 
Join Date: Apr 2008
Posts: 141
Brute Force attack on your server. Install CSF with LFD on your server to get a quick control.

  #3  
Old 04-26-2008, 01:12 PM
Patrick Patrick is offline
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,733
Quote:
Originally Posted by apacheMan View Post
First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.
Yes it's normal to get scanned, and for a brute force attack on SSHD to cause a slight increase in the server load. The easiest way to "remedy" this would be to change the port of SSHD from the default 22 to something else, but make sure it's open in your firewall... another option would be to install CSF/LFD as suggested to block most of the brute force attempts.

If you want to get real paranoid, you can leave SSHD on the same port but come up with a very restrictive firewall rule set that ONLY allows designated IP's to connect to port 22. This takes a bit of practice and it's easy to lock yourself out, so it's not always ideal unless you know what you're doing.

__________________
Patrick William | RACK911 Labs | Software Security Auditing
250+ Vulnerabilities Found - Get a Quote @ http://www.RACK911Labs.com

www.HostingSecList.com - Security notices for the hosting community.

  #4  
Old 04-26-2008, 01:25 PM
apacheMan apacheMan is offline
Junior Guru Wannabe
 
Join Date: Jan 2008
Posts: 42
Hey guys... thanks for the informative response! Now that I know this is Brute Force Attacks... I definitely do want to stop it so I can get control of the situation.

Both of you recommended CSF/LFD, and after looking it up... it looks really nice and the LFD part sounds like it will stop my problem. Problem is, I am in no way capable of installing this by myself with my knowledge.

So let me ask, is this something that my managed host would be able to install and configure quickly? They can take care of most simple tasks, but I wasn't sure if installing CSF/LFD was considered a "Big Job" that fully-managed hosts would say no to.

Also, if it was installed, would I need a professional to then configure it properly for my server? Or would it work just fine with the standard install? I don't need bells and whistles, just the basic security measures would be fine.

Thanks so much for your help and advice.

  #5  
Old 04-26-2008, 01:33 PM
grandad grandad is offline
Web Hosting Master
 
Join Date: Mar 2002
Location: UK
Posts: 1,262
Try here: Configserver it's free, easy to install and in addition to the firewall has:-
Quote:
To complement the ConfigServer Firewall (csf), we have developed a Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.

__________________
Help with Back Pain
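For readers who want to see what the lfd description above is actually looking for, here is an added example (not from the thread and not ConfigServer's code) that scans auth-log lines in the RHEL /var/log/secure format, counts "Failed password" attempts per source IP and reports the IPs at or above a threshold. The log lines, host name, user names and IPs are constructed for the demo; on a real server you would feed it `tail -n 5000 /var/log/secure` instead, and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP, the pattern
# a login-failure daemon such as lfd keys on. Nothing here is from the thread
# or from ConfigServer; log lines below are constructed sample data.

# Constructed sample of /var/log/secure (not from any real server).
SAMPLE_LOG=$(cat <<'EOF'
Apr 26 12:31:02 host sshd[2311]: Failed password for root from 198.51.100.7 port 41022 ssh2
Apr 26 12:31:04 host sshd[2313]: Failed password for root from 198.51.100.7 port 41030 ssh2
Apr 26 12:31:06 host sshd[2315]: Failed password for invalid user games from 198.51.100.7 port 41041 ssh2
Apr 26 12:31:08 host sshd[2317]: Failed password for invalid user news from 198.51.100.7 port 41055 ssh2
Apr 26 12:31:10 host sshd[2319]: Failed password for root from 198.51.100.7 port 41060 ssh2
Apr 26 12:31:12 host sshd[2321]: Failed password for root from 198.51.100.7 port 41071 ssh2
Apr 26 12:40:00 host sshd[2400]: Failed password for admin from 203.0.113.9 port 50012 ssh2
Apr 26 12:45:00 host sshd[2450]: Accepted publickey for apacheman from 192.0.2.44 port 51234 ssh2
EOF
)

# failed_counts: read log text on stdin, print "count ip" for every source IP
# that produced a "Failed password" line, busiest IP first. Successful logins
# ("Accepted ...") are ignored.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the IP is the token after "from"; user names may contain spaces
            # ("invalid user games"), so locate "from" instead of using a fixed field
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print only the IPs with THRESHOLD or more failures,
# i.e. the ones a daemon like lfd would block (threshold is an assumption).
offenders() {
    failed_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample; on a live box use:
#   tail -n 5000 /var/log/secure | offenders 5
printf '%s\n' "$SAMPLE_LOG" | failed_counts
printf '%s\n' "$SAMPLE_LOG" | offenders 5
```

The single IP that hammered root, games and news in ten seconds shows up as the offender; the lone failure from the second IP does not, which is the same "continually fail within a short period" distinction lfd makes before blocking.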

  #6  
Old 04-26-2008, 02:36 PM
HoundOfTheSmith HoundOfTheSmith is offline
Junior Guru
 
Join Date: Jun 2007
Location: UK
Posts: 219
You may want to consider:
  • Moving SSH to a random high port - if they can't find it they can't attempt logins
  • Disable password logins (make sure you generate a working keypair first!) - that'll stop brute force attacks
  • Use something like DenyHosts which will help you automatically block IPs that use brute force attacks (be sure to RTFM first - if you don't follow the instructions you can block yourself)

__________________
I think the server saw what was required of it and just committed suicide instead.

  #7  
Old 04-26-2008, 07:55 PM
twhiting9275 twhiting9275 is offline
Just me
 
Join Date: Sep 2002
Location: Among the corn
Posts: 10,473
CSF and LFD will stop that dead in its tracks if your log programs are setup properly (which they should be by default).
It'll take a few attempts, but CSF and LFD will catch 'em.

  #8  
Old 04-27-2008, 12:00 AM
CrazyTech CrazyTech is offline
Retired Moderator
 
Join Date: Mar 2003
Location: United States
Posts: 3,675
Installing CSF + LFD is not too difficult, if you are able to connect to SSH (and you should be capable of at least doing that if you have a server) then it's literally a copy & paste affair.

Here's the install:
http://www.configserver.com/free/csf/install.txt

Just run each line below, basically:
====================
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
====================

Once that is done, everything is rather easily maintained in your WHM.

Once you get that done, change the port as well. It's a simple matter of editing the SSH config file and making sure the port is clear in your firewall.

If you need any specific help, just shout.

Any managed host should really install this (or their equivalent) without issue.

  #9  
Old 05-31-2008, 08:41 AM
vip2 vip2 is offline
Junior Guru Wannabe
 
Join Date: Aug 2007
Posts: 37
I followed all instructions from above and this is what I have.

Quote:
The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall
I see some UDP ports on here that I'm at a loss as to what service is using them. Like (32768,32772,32773) It is a CPANEL server so maybe the people that have the experience with these might have a better clue.

But anyway can I then configure the remainder of this via WHM right? Or do I need to edit the files directly in /etc/csf/?


Last edited by The.Watcher; 05-31-2008 at 08:51 AM.
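Posts #6 and #8 both say to move sshd off port 22 and #6 adds disabling password logins, while the csf install notice quoted in #9 says the new port has to be in TCP_IN or the firewall will cut you off. The added example below (not from the thread and not ConfigServer's code) does those edits against temporary copies of sshd_config and csf.conf so you can see exactly what changes; the port 2222, the file contents and the `.bak` naming are assumptions. On a real box the files are /etc/ssh/sshd_config and /etc/csf/csf.conf, you run `sshd -t` and `csf -r` afterwards, and you only set PasswordAuthentication to no once a key login has been confirmed from a second session, as #6 warns.

```shell
#!/bin/sh
# Added example: apply the thread's sshd hardening (new port, no password or
# root login) and add the new port to csf's TCP_IN. Works on COPIES so it can
# run anywhere; nothing here is ConfigServer's or the thread's own code.

NEW_PORT=2222   # assumption: any free high port works; pick your own

# Constructed minimal sshd_config (real file: /etc/ssh/sshd_config).
SSHD_CFG=$(mktemp)
cat > "$SSHD_CFG" <<'EOF'
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed csf.conf fragment (real file: /etc/csf/csf.conf).
CSF_CFG=$(mktemp)
cat > "$CSF_CFG" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
EOF

# harden_sshd FILE PORT: set Port, disable password auth and root login.
# Handles both commented ("#Port 22") and active lines; keeps FILE.bak.
# Only run this after a key-based login has been verified, or you lock yourself out.
harden_sshd() {
    f=$1; p=$2
    cp "$f" "$f.bak"
    sed -e "s/^#\{0,1\}Port .*/Port $p/" \
        -e 's/^#\{0,1\}PasswordAuthentication .*/PasswordAuthentication no/' \
        -e 's/^#\{0,1\}PermitRootLogin .*/PermitRootLogin no/' "$f.bak" > "$f"
}

# csf_allow_port FILE PORT: append PORT to the TCP_IN list unless it is
# already there (idempotent), keeping FILE.bak. Run `csf -r` after editing.
csf_allow_port() {
    f=$1; p=$2
    current=$(sed -n 's/^TCP_IN = "\(.*\)"/\1/p' "$f")
    case ",$current," in
        *",$p,"*) return 0 ;;   # already allowed, nothing to do
    esac
    cp "$f" "$f.bak"
    sed "s/^TCP_IN = \".*\"/TCP_IN = \"$current,$p\"/" "$f.bak" > "$f"
}

# get_opt FILE KEY: print the value of KEY from an sshd_config-style file,
# handy for checking the result before restarting sshd.
get_opt() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }

harden_sshd "$SSHD_CFG" "$NEW_PORT"
csf_allow_port "$CSF_CFG" "$NEW_PORT"

echo "sshd Port:                 $(get_opt "$SSHD_CFG" Port)"
echo "sshd PasswordAuthentication: $(get_opt "$SSHD_CFG" PasswordAuthentication)"
echo "sshd PermitRootLogin:      $(get_opt "$SSHD_CFG" PermitRootLogin)"
grep '^TCP_IN' "$CSF_CFG"
```

Order matters in practice: add the port to TCP_IN and reload csf first, then change sshd's port and restart sshd while the old session stays open, and confirm a fresh connection on the new port before closing it. Port 22 can be removed from TCP_IN once the move is confirmed.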