
Large failed logins, +200 different IPs per hour

Posted by endin, 11-03-2010, 07:45 AM
Hello. Large failed logins, +200 different IPs per hour. Can anybody help me? I've been having attacks from about 24h ago until now, with more than +200 different IPs per hour. Thanks.

Posted by StealthyHosting, 11-03-2010, 07:46 AM
Login attempts on what? Did you look up the IPs and see if they are public proxies? Sounds like a basic proxy brute force.

Posted by endin, 11-03-2010, 07:55 AM
On SSH. Example, one of more than 1000 IPs: 190.68.117.18 165.228.197.253

Posted by tsj5j, 11-03-2010, 07:57 AM
Whitelist your IP and firewall off other IPs from SSH. Or try knockd if you have a dynamic IP. http://www.ducea.com/2006/07/05/how-...inux-firewall/

Posted by StealthyHosting, 11-03-2010, 08:00 AM
Quick Google of both those IPs shows other people complaining about SSH dictionary attacks with them. Make sure your password is secure, whitelist your IPs, block all others on the SSH port, and change your SSH port if it is the default.

Posted by 24x7group, 11-03-2010, 08:30 AM
Indeed, install a firewall or edit the /etc/hosts.deny and /etc/hosts.allow files to only allow SSH from your own IP and people who need to enter it. Nothing as bad as getting your server hammered by these idiots.

Posted by thehosterdude, 11-03-2010, 09:52 AM
Like everyone else says, edit your SSH config to run on a different port (this in itself will likely take care of your issue), disable root login and enable Brute Force detection in WHM. May I recommend ConfigServer Firewall, if you are running a cPanel server anyway. It integrates nicely with WHM and has a user-friendly interface where you can set up and configure your firewall.

Posted by GGWH-James, 11-03-2010, 09:59 AM
Unless I missed it, I am surprised that nobody has mentioned to disable password authentication and start using keys instead.

Posted by kimper, 11-03-2010, 10:03 AM
You're right. I'll also advise installing the CSF firewall. It is very useful and will help you to secure and monitor your server and applications (not only SSH).

Posted by tsj5j, 11-03-2010, 10:11 AM
I personally find that using keys severely limits my ability to administrate servers in remote locations (e.g. when the server's down while you're somewhere without your key), so I tend to avoid it.

Posted by Daniel_G, 11-03-2010, 03:06 PM
Use fail2ban, it'll automatically ban an IP address for a length of time after so many failed attempts (you configure how many failed attempts and how long the ban will last). You could also change the port that SSH is listening on. Or, you could do nothing. So long as all the accounts on the server are using secure passwords that a brute force attack couldn't get, or you're using public key authentication only, you've nothing to worry about. True, but what I do is carry this kind of thing around on a USB pen encrypted with TrueCrypt and a very complex password.

Posted by File1eu, 11-04-2010, 05:23 AM
1. Install denyhosts. After 5 failed attempts an IP is blacklisted for a particular amount of time.
2. Optional: change the SSH port
3. Profit

Posted by net, 11-04-2010, 05:25 AM
Moved > Hosting Security and Technology.
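
Added example, not part of the original thread: a small log check for the situation described above, where failures arrive from hundreds of different IPs per hour. It counts failed SSH logins per source per hour and shows how many sources stay under a per-IP limit of 5 (the figure from the denyhosts post). The log lines, addresses (RFC 5737 documentation ranges), hostname and thresholds are constructed assumptions, and the counting is a simplification, not how fail2ban or denyhosts work internally.

```python
import re
from collections import defaultdict

def _line(minute, user, ip):  # builds one constructed sshd log line
    return (f"Nov  3 07:{minute:02d}:00 host sshd[2101]: "
            f"Failed password for {user} from {ip} port 40022 ssh2")

# Constructed sample: one noisy source, four quiet ones, one successful login.
SAMPLE_LOG = "\n".join(
    [_line(i, "root", "192.0.2.10") for i in range(6)]
    + [_line(10 + i, "invalid user admin", f"198.51.100.{i}") for i in range(1, 5)]
    + ["Nov  3 07:30:00 host sshd[2101]: Accepted publickey for ops "
       "from 203.0.113.7 port 50000 ssh2"]
)

# The tail is anchored with $ and the user field is greedy, so the address is
# always taken from the end of the line, never from text in the user name.
FAILED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)

def failures_by_hour(log_text):
    """Return {(month, day, hour): {ip: failed_attempts}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            buckets[(m["mon"], int(m["day"]), int(m["hour"]))][m["ip"]] += 1
    return {hour: dict(ips) for hour, ips in buckets.items()}

def summarize(log_text, per_ip_limit=5, distinct_ip_alert=3):
    """Per hour: distinct sources, sources a per-IP limit would catch,
    sources that stay under it, and a flag for a distributed pattern."""
    report = {}
    for hour, ips in failures_by_hour(log_text).items():
        banned = sorted(ip for ip, n in ips.items() if n >= per_ip_limit)
        report[hour] = {
            "distinct_ips": len(ips),
            "total_failures": sum(ips.values()),
            "would_ban": banned,
            "under_limit": len(ips) - len(banned),
            "distributed": len(ips) >= distinct_ip_alert,
        }
    return report

if __name__ == "__main__":
    for hour, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(hour, stats)
```

On a real server, pass the contents of the sshd auth log to `summarize()` and raise `distinct_ip_alert` to a value that suits normal traffic; a high `under_limit` count means per-IP banning alone will not stop the attempts, which is where the whitelisting and key-only suggestions in the thread apply.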


