Should I be concerned? Numerous brute force attacks

[DaNewGuy]

Hi!

Weirdness afoot here! Hoping somebody can help!

FIRST THE SITUATION
I've had a VPS for a few weeks now (Linux/Apache). I had an issue a couple days ago that resulted in my not being able to see the domains I host from my office network (but could at home).

My host reports that she had configured dns incorrectly, pointing both dns (ns1/ns2) at the same ip. I don't know why that would cause the prob, but she says she fixed it.

In the course of trying to figure out what happened, I thought my IP was being blocked, so I checked the cpHulk Attack log and there was nothing there (my ip was not black listed and there were no reported attacks). This was yesterday or the day before. No more than 48 hours ago.

Meanwhile, for the last week I had been telling her I could not SSH in and she said everything was fine, problem was on my end. So yesterday I used Terminal to ssh into one of my domains. It failed. Then I attempted to ssh into the root, it failed.

I repeated my complaint and sent a copy of the entire event. She waived her wand, today I have access.

NOW THE PROBLEM!
Today I tried to log into MYSERVERIP/whm and received the following message:

Brute Force Protection
This account is currently locked out because a brute force attempt was detected. Please wait a few minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.

After 20 minutes I was able to log in. I went directly to check the cpHulk log and there have been numerous attempts in the last 24 hours or so. I traced the IPs to China, Brazil, etc, one to Portland, Oregan. Fun stuff.

While I was in my WHM looking around, wondering about security, I suddenly found myself locked out yet again from a Brute Force attack!!! Grrrrr!



Anyway, I have the following questions:

1. I now think the reason I could not ssh in was that she had specified a port and did not tell me. Rather than tell me the correct port, she simply moved it back to the generic port (22 I think?). Could that explain why I am suddenly getting so many Brute Attacks?
   
2. The message from cpHulk (in quote above) suggests I should change my username. That was the first thing I tried to do weeks ago when the vps went up. I tried again today, but could not! Can someone tell me how to change my root user name?
   
3. Lastly, should I be concerned about suddenly seeing so many attacks? Or is that just business as usual for anybody who has a server?

Any help would be appreciated!

[Spiral]

My first advice to you is to disable CpHulk .....

CpHulk is a nice idea in concept but from it's earliest beginnings, it has never worked very well and has a lot of major quirks and complications.

The same job as CpHulk can be done much more effectively from better 3rd party applications such as ConfigServer.Net's CSF / LFD Firewall.

Anyway, I have the following questions:

1. I now think the reason I could not ssh in was that she had specified a port and did not tell me. Rather than tell me the correct port, she simply moved it back to the generic port (22 I think?). Could that explain why I am suddenly getting so many Brute Attacks?

SSH has no bearing on CpHulk as that is for Cpanel / WHM specifically.

However, having SSH on port 22 will get you a lot of login attempts to the SSH server since you may as well have a neon sign up at that port that says "Here is my SSH -- please come try your luck"

I would change ports for SSH, disable direct root logins, use only protocol 2 connections, and if possible for your situation use certificate based logins or at the very least extremely long and totally random mixed character passwords. It also wouldn't hurt to limit access to
the actual SSH port you use to only specific IPs or CIDR ranges.

2. The message from cpHulk (in quote above) suggests I should change my username. That was the first thing I tried to do weeks ago when the vps went up. I tried again today, but could not! Can someone tell me how to change my root user name?

Again, disable CpHulk --- I strongly recommend people not use that one.

Regarding "root" login for WHM --- can't really get around that.

You could setup a reseller but the main "root" would still login to WHM.

For SSH though, you can edit /etc/ssh/sshd_config and set your "PermitRootLogins" to "no" and then grant wheel access to any
non-root user you have that has shell access and that will allow you
to login as that username first and then "su" to the root account once
you have logged in first using your non-root user.

3. Lastly, should I be concerned about suddenly seeing so many attacks? Or is that just business as usual for anybody who has a server?

This is a loaded question ---

Are things like this common? Absolutely --- very much so!

Should you be concerned? Again, Absolutely -- yes you should!

However with all that said, you should also bear in mind that random brute force attempts are going to be entirely ineffective and useless going up against a properly configured and security hardened server.

[DaNewGuy]

Wow! Good stuff! Lots of good recommendations.

Much of it is way above my head. I can barely manage a half dozen commands in ssh and this VPS bizness is brand new to me.

I wish I could just pay somebody $250 to set me up in a nice secure little environment once and for all, then I wouldn't sweat. I've googled for server security configuration consultants, but it is extraordinarily difficult to go from my knowledge base (and financial position!) to figuring out what to do.

My current hosting situation is supposed to be "managed". As far as I can tell, my host appears to know just enough to barely stay ahead of me.

+++
Spiral, I really appreciate your help.... is there anyway I can beg just a bit more? I am in a real pickle!

I put a post here:
How do I recover from this?

Perhaps you know the answer?

If you don't have time to look, thanks for the help in this thread!

[Spiral]

Much of it is way above my head. I can barely manage a half dozen commands in ssh and this VPS bizness is brand new to me.

Well that is something that is easy enough to remedy.

(IE: Help you get more up to speed on Linux and security and such)

I wish I could just pay somebody $250 to set me up in a nice secure little environment once and for all, then I wouldn't sweat.

Ok, done!

Seriously though ...

I could have you setup with your own server full updated with CentOS 5.5 64bit (released yesterday) and all components up to the minute, fully configured, optimized, and security hardened to the extreme in literally just a couple of minutes -- less time than it takes to write this post!

I've googled for server security configuration consultants, but it is extraordinarily difficult to go from my knowledge base (and financial position!) to figuring out what to do.

Congratulations, you are speaking to one.

My current hosting situation is supposed to be "managed". As far as I can tell, my host appears to know just enough to barely stay ahead of me.

This does not surprise me in the slightest

Spiral, I really appreciate your help.... is there anyway I can beg just a bit more? I am in a real pickle!

I put a post here:
How do I recover from this?

Perhaps you know the answer?

If you don't have time to look, thanks for the help in this thread!

I will go look at your post now and I will do what I can to help you ----

I have also sent you all my contact information by private message.