-
04-26-2008, 12:35 PM #1 - Junior Guru Wannabe
Join Date: Jan 2008 | Posts: 42
Constant SSH login tries from numerous IP's (bots)
Hey guys,
I have a dedicated RHEL server with cPanel and my server load spikes about +0.4 (out of 2.0) for about 30 mins every 4-6 hours or so. My regular server load is 0.01, because there is barely any traffic on the server yet, but by looking at my top processes in WHM, I can see that the processes that are spiking the Server Load when it is high are something like:
sshd: [priv] root
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
sshd: [priv] games
sshd: [priv] news
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
...something along these lines. And a lot of times there are 10-20 of these sshd processes at one time.
My server is managed and my dedicated server engineer said it was probably a bot trying passwords. He took one of the IP's, said it was from Taiwan, and blocked that IP in iptables.
However, this is still happening constantly with different IP's. Is there a way to prevent this from happening? I'm the only person (and my host) who should be able to login to my server using SSH... however, I don't have a static IP and I work from multiple locations, so only allowing certain IP's won't work for me.
First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.
Thanks for any help and guidance.
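The sshd processes listed in the post are the symptom; the evidence of what is actually happening sits in the auth log (/var/log/secure on RHEL). As an added example, not from the thread or from any of the tools it mentions, the following shell helper tallies "Failed password" entries per source IP and flags any IP over a threshold, which is the same pattern a login-failure daemon such as lfd matches on. The log lines embedded in the script are constructed samples using documentation IP ranges; on a real box you would feed it the actual log file instead.

```shell
#!/bin/sh
# Added example: summarise failed sshd logins per source IP from
# /var/log/secure-style lines. SAMPLE_LOG is constructed, not real data.

SAMPLE_LOG='Apr 26 12:31:02 host sshd[2201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Apr 26 12:31:04 host sshd[2203]: Failed password for root from 203.0.113.10 port 40130 ssh2
Apr 26 12:31:05 host sshd[2205]: Failed password for invalid user games from 203.0.113.10 port 40140 ssh2
Apr 26 12:31:07 host sshd[2207]: Failed password for invalid user news from 198.51.100.7 port 51000 ssh2
Apr 26 12:31:09 host sshd[2209]: Accepted publickey for admin from 192.0.2.5 port 52000 ssh2
Apr 26 12:31:11 host sshd[2211]: Failed password for root from 198.51.100.7 port 51010 ssh2'

# failed_logins_by_ip: read log lines on stdin, print "count ip" lines,
# highest count first. Successful logins ("Accepted ...") are ignored.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# offenders_over THRESHOLD: print only IPs with at least THRESHOLD failures,
# the kind of cut-off a blocking daemon applies before adding a firewall rule.
offenders_over() {
    threshold="$1"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Usage on a real host: failed_logins_by_ip < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | offenders_over 3
```

Run against the live log this gives a quick read on whether the load spikes line up with a burst from a handful of addresses, and the per-IP counts are what you would compare against the threshold you later set in lfd.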
-
04-26-2008, 12:49 PM #2 - WHT Addict
Join Date: Apr 2008 | Posts: 141
Brute Force attack on your server. Install CSF with LFD on your server to get a quick control.
-
04-26-2008, 01:12 PM #3 - Web Hosting Master
Join Date: Mar 2003 | Location: Canada | Posts: 9,072
Yes it's normal to get scanned, and for a brute force attack on SSHD to cause a slight increase in the server load. The easiest way to "remedy" this would be to change the port of SSHD from the default 22 to something else, but make sure it's open in your firewall... another option would be to install CSF/LFD as suggested to block most of the brute force attempts.
If you want to get real paranoid, you can leave SSHD on the same port but come up with a very restrictive firewall rule set that ONLY allows designated IP's to connect to port 22. This takes a bit of practice and it's easy to lock yourself out, so it's not always ideal unless you know what you're doing.
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
04-26-2008, 01:25 PM #4 - Junior Guru Wannabe
Join Date: Jan 2008 | Posts: 42
Hey guys... thanks for the informative response! Now that I know this is Brute Force Attacks... I definitely do want to stop it so I can get control of the situation.
Both of you recommended CSF/LFD, and after looking it up... it looks really nice and the LFD part sounds like it will stop my problem. Problem is, I am in no way capable of installing this by myself with my knowledge.
So let me ask, is this something that my managed host would be able to install and configure quickly? They can take care of most simple tasks, but I wasn't sure if installing CSF/LFD was considered a "Big Job" that fully-managed hosts would say no to.
Also, if it was installed, would I need a professional to then configure it properly for my server? Or would it work just fine with the standard install? I don't need bells and whistles, just the basic security measures would be fine.
Thanks so much for your help and advice.
-
04-26-2008, 01:33 PM #5 - Web Hosting Master
Join Date: Mar 2002 | Location: UK | Posts: 1,265
Try here: Configserver. It's free, easy to install and, in addition to the firewall, has:
To complement the ConfigServer Firewall (csf), we have developed a Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.
-
04-26-2008, 02:36 PM #6 - Junior Guru
Join Date: Jun 2007 | Location: UK | Posts: 219
You may want to consider:
- Moving SSH to a random high port - if they can't find it they can't attempt logins
- Disable password logins (make sure you generate a working keypair first!) - that'll stop brute force attacks
- Use something like DenyHosts which will help you automatically block IPs that use brute force attacks (be sure to RTFM first - if you don't follow the instructions you can block yourself)
I think the server saw what was required of it and just committed suicide instead.
-
04-26-2008, 07:55 PM #7
CSF and LFD will stop that dead in its tracks if your log programs are set up properly (which they should be by default).
It'll take a few attempts, but CSF and LFD will catch 'em.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
04-27-2008, 12:00 AM #8 - Web Hosting Master
Join Date: Mar 2003 | Location: United States | Posts: 3,683
Installing CSF + LFD is not too difficult, if you are able to connect to SSH (and you should be capable of at least doing that if you have a server) then it's literally a copy & paste affair.
Here's the install:
http://www.configserver.com/free/csf/install.txt
Just run each line below, basically:
====================
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
====================
Once that is done, everything is rather easily maintained in your WHM.
Once you get that done, change the port as well. It's a simple matter of editing the SSH config file and making sure the port is clear in your firewall.
If you need any specific help, just shout.
Any managed host should really install this (or their equivalent) without issue.
Denver Hunter | Webmaster | Library of Biz - Side Hustles, Small Business & Professional Growth
-
05-31-2008, 08:41 AM #9 - Junior Guru Wannabe
Join Date: Aug 2007 | Posts: 43
I followed all instructions from above and this is what I have.
The port details above are for information only, csf hasn't been auto-configured.
Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall
But anyway, can I then configure the remainder of this via WHM, right? Or do I need to edit the files directly in /etc/csf/?
Last edited by The.Watcher; 05-31-2008 at 08:51 AM.
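Posts #6 and #8 describe the sshd_config edits (move the port, disable password logins once a keypair works) and post #9 shows csf asking for the new port to be added to TCP_IN. As an added example, not from the thread and not ConfigServer's own code, here are idempotent shell helpers that make both edits safely: an existing or commented-out directive is replaced rather than duplicated, and a port already in TCP_IN is not added twice. It goes slightly beyond the thread by also setting PermitRootLogin, since every bot in post #1 was hammering the root account. The sshd_config and csf.conf contents in the demo are constructed samples written to a temporary directory; the temp paths are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent edits to sshd_config and csf.conf.
# Uses a temp-file-and-rename instead of sed -i so it is POSIX portable.

# set_sshd_option FILE KEY VALUE
# Replace an active "KEY ..." or commented "#KEY ..." line in place, or append
# "KEY VALUE" if the directive is absent. Re-running gives the same file.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmpf="$file.tmp.$$"
    if grep -q "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmpf" \
            && mv "$tmpf" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the effective (uncommented) value, if any.
get_sshd_option() {
    awk -v k="$2" '$1 == k {print $2}' "$1"
}

# get_csf_tcp_in FILE: print the comma-separated TCP_IN list from csf.conf.
get_csf_tcp_in() {
    sed -n 's/^TCP_IN *= *"\(.*\)"/\1/p' "$1"
}

# add_csf_port FILE PORT: append PORT to TCP_IN unless it is already listed.
add_csf_port() {
    file="$1"; port="$2"
    current=$(get_csf_tcp_in "$file")
    case ",$current," in
        *",$port,"*) return 0 ;;   # already open, nothing to do
    esac
    tmpf="$file.tmp.$$"
    sed "s/^TCP_IN *= *\".*\"/TCP_IN = \"$current,$port\"/" "$file" > "$tmpf" \
        && mv "$tmpf" "$file"
}

# demo: apply the thread's edits to constructed copies of both files and
# print the results. Constructed sample content, not a real server's config.
demo() {
    tmp=$(mktemp -d)
    printf '#Port 22\n#PasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp/sshd_config"
    printf 'TESTING = "1"\nTCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,2087"\n' > "$tmp/csf.conf"

    set_sshd_option "$tmp/sshd_config" Port 2222
    set_sshd_option "$tmp/sshd_config" PasswordAuthentication no  # only after a keypair login works
    set_sshd_option "$tmp/sshd_config" PermitRootLogin no
    add_csf_port "$tmp/csf.conf" 2222
    add_csf_port "$tmp/csf.conf" 2222   # second call is a no-op

    cat "$tmp/sshd_config" "$tmp/csf.conf"
    rm -rf "$tmp"
}

demo
# On a real host: point the helpers at /etc/ssh/sshd_config and /etc/csf/csf.conf,
# run 'sshd -t' to validate the syntax, reload csf with 'csf -r' and restart sshd,
# and keep the current session open until a fresh login on the new port succeeds.
```

The order matters: open the new port in csf first, restart sshd second, and flip PasswordAuthentication to "no" only after a key-based login has been confirmed from a second session, otherwise you end up in the locked-out situation post #6 warns about.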