  #1  
10-10-2008, 01:24 AM
xwing
Newbie
 
Join Date: Oct 2008
Location: malaysia
Posts: 6
how to prevent user using brute force on it account

I had this problem that a user of mine is using the account on my Linux VPS to do brute forcing login/pass exploit. Is there any way to prevent this?

  #2  
10-10-2008, 02:34 AM
ServerSurgeon Martin
Newbie
 
Join Date: Jul 2008
Posts: 18
Hi,

You can use something like Logwatch and configure it to send emails to your mailbox. This will send emails with information on who tried brute-force or dictionary attacks and from where, and based on this you can take measures (block the account, deny connections from the IP that was doing this).

__________________
Server Surgeon Martin
http://www.serversurgeon.com
Linux, BSD and Windows Administration Services
Toll Free US 877-378-7436 International +1-213-291-9191

  #3  
10-10-2008, 09:43 AM
xwing
Newbie
 
Join Date: Oct 2008
Location: malaysia
Posts: 6

aight sweeet

  #4  
10-10-2008, 10:08 AM
eth1
Web Hosting Guru
 
Join Date: May 2008
Posts: 340
You can also install firewall software such as CSF (www.configserver.com), which along with LFD (Login Failure Daemon) will block the IP address of the offending computer trying to brute force on services such as POP3, SSH, IMAP etc.

Quote:
To complement the ConfigServer Firewall (csf), we have developed a Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly. Other similar products run every x minutes via cron and as such often miss break-in attempts until after they've finished, our daemon eliminates such long waits and makes it much more effective at performing its task.
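
The kind of log scan the quoted lfd description refers to, shown as an added example that is not csf/lfd code: it counts failed SSH logins per source inside a sliding time window. The OpenSSH "Failed password" line format, the function names and the sample lines (constructed, documentation address ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not csf/lfd code: report sources whose failed SSH logins
# reach LIMIT within a sliding WINDOW (seconds). Reads syslog lines on stdin.
failed_login_offenders() {
    awk -v limit="${1:-5}" -v window="${2:-300}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
        for (i = 1; i <= 12; i++) yday[mon[i]] = cum[i]   # non-leap year
    }
    # The user name is supplied by the client and may itself contain
    # " from <ip>", so the address is taken by position from the END of the line.
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        split($3, t, ":")
        now = (yday[$1] + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = $(NF-3)
        stamp[ip, ++tail[ip]] = now
        # slide the window: forget failures older than the window length
        while (now - stamp[ip, head[ip] + 1] > window) head[ip]++
        inwin = tail[ip] - head[ip]
        if (inwin > worst[ip]) worst[ip] = inwin
        if (inwin >= limit && !(ip in seen)) { seen[ip] = 1; order[++k] = ip }
    }
    # one line per offender: address and its largest in-window failure count
    END { for (i = 1; i <= k; i++) print order[i], worst[order[i]] }
    '
}

# Constructed sample log; line 4 carries a spoofed " from 192.0.2.9" user name.
sample_log() {
cat <<'EOF'
Oct 10 01:24:01 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51101 ssh2
Oct 10 01:24:03 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51102 ssh2
Oct 10 01:24:04 vps sshd[2204]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Oct 10 01:24:06 vps sshd[2206]: Failed password for invalid user a from 192.0.2.9 port 1 ssh2 from 203.0.113.7 port 51103 ssh2
Oct 10 01:24:08 vps sshd[2208]: Failed password for root from 203.0.113.7 port 51104 ssh2
Oct 10 01:24:09 vps sshd[2209]: Failed password for root from 203.0.113.7 port 51105 ssh2
Oct 10 01:24:10 vps sshd[2210]: Accepted password for bob from 198.51.100.21 port 40100 ssh2
Oct 10 01:40:00 vps sshd[2301]: Failed password for alice from 198.51.100.20 port 40002 ssh2
EOF
}

# Prints: 203.0.113.7 5
sample_log | failed_login_offenders 5 300
```

On a live system the function reads the authentication log on stdin, for example `failed_login_offenders 5 300 < /var/log/secure`; the log path varies by distribution.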

  #5  
10-10-2008, 10:10 AM
activelobby4u
Your support partner
 
Join Date: Apr 2005
Location: Queen of Arabian Sea
Posts: 1,885
apf/bfd is still one of the widely used methods apart from csf/lfd

__________________
Sandy @ SupportLobby
sales@supportlobby.com
http://supportlobby.com [Your 24/7 Extended Support Team]
Now offering exclusive windows support !!

  #6  
10-10-2008, 10:27 AM
WeWatch
WHT Addict
 
Join Date: Oct 2008
Location: Chicago, IL
Posts: 110
Do you know for sure it's one of your users?

Could it be someone else using your VPS?

Have you seen the logs?

  #7  
10-10-2008, 10:51 AM
psp7492
WHT Addict
 
Join Date: Dec 2007
Posts: 156
If you have already identified the user, why don't you ban the user?

__________________
Webhosting to-check.in
You manage content, we manage the rest!

  #8  
10-10-2008, 11:58 AM
xwing
Newbie
 
Join Date: Oct 2008
Location: malaysia
Posts: 6
The user has been banned and he admitted that it's just to test the program lol. I just want to avoid this kind of matter happening again with other users.

  #9  
10-10-2008, 12:10 PM
Sh3khar
Newbie
 
Join Date: Sep 2008
Posts: 17
Quote:
Originally Posted by xwing
I had this problem that a user of mine is using the account on my Linux VPS to do brute forcing login/pass exploit. Is there any way to prevent this?
I doubt any user on your VPS would be running such scripts. Such scripts are mostly uploaded under /tmp, /var/tmp, /dev/shm etc.

You can check all the ongoing processes running on your server using the command

ps auxf

If the brute force is still going on, you will see the list of IPs the script is connecting to. Get the PID of that process from the 2nd column and search the files the process is accessing using the command

lsof -p PID

Once you figure out the scripts, change the script permissions and kill the processes. Figuring out how the files were uploaded and securing your server accordingly is the next part.

Oops, I was posting at the same time that you figured out the client and posted your comments. However, the above commands will definitely help you to catch the user next time.

Regards.


Last edited by Sh3khar; 10-10-2008 at 12:13 PM. Reason: saw the client already figured out the user and posted his comments
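
The ps/lsof check from the post above can be run across all processes by reading /proc directly. This is an added example, not code from the thread: the PROC_ROOT argument is a hypothetical parameter for pointing the function at a test tree, and the deleted-binary check goes beyond what the post describes.

```shell
#!/bin/sh
# Added example: flag processes started from world-writable staging
# directories, reading /proc instead of eyeballing ps output.

# in_staging PATH: succeeds when PATH is inside /tmp, /var/tmp or /dev/shm
in_staging() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    esac
    return 1
}

# suspicious_procs [PROC_ROOT]: prints "PID UID REASON PATH" per flagged process.
# PROC_ROOT is a hypothetical parameter (default /proc) for use with a test tree.
suspicious_procs() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        # kernel threads have no exe link; other users' links need root to read
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        cwd="$(readlink "$dir/cwd" 2>/dev/null)" || cwd=""
        uid="$(awk '/^Uid:/ { print $2 }' "$dir/status" 2>/dev/null)" || uid=""
        pid="${dir##*/}"
        case "$exe" in
            *" (deleted)")
                # binary unlinked after start; also seen after package
                # upgrades, so treat it as a lead rather than a verdict
                echo "$pid ${uid:-?} deleted-exe ${exe% (deleted)}"
                continue ;;
        esac
        if in_staging "$exe"; then
            echo "$pid ${uid:-?} exe-in-staging $exe"
        elif in_staging "$cwd/"; then
            echo "$pid ${uid:-?} cwd-in-staging $cwd"
        fi
    done
    return 0
}

# Live run; follow up on any hit with: lsof -p PID
suspicious_procs "${1:-/proc}"
```

Run it as root so every process's exe and cwd links are readable; interpreted scripts show up through the cwd check because their exe is the interpreter.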