  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    77

    How often do you get BFD attacks?

    After recently doing a bunch to secure my server (thanks to you guys in the forums for all the great info I have read) I've had BFD running in the background to take care of Brute Force stuff and notify me. I had NO idea how often people try to break into my box and shut down APF.

    How often do you get a BFD warning in email saying it banned someone and they tried to run /etc/apf/apf -d as their script?

    Luckily I have only 1 SSH access login on my box and it's non-standard (so no dictionary attack will figure it out most likely) and the password is numbers, letters (capital and lowercase) and special characters so I feel it's the best I can do security wise on the password.

    I received 15 today... and average 4-10 a day. I'm sure those of you who have larger servers w/ a larger client base probably receive it a LOT more.

    How often do you get a BFD attempt?

  2. #2
    Member rs-freddo
    Join Date
    May 2003
    Location
    Australia
    Posts
    836
    cPanel/Enkompass Access Level

    Root Administrator


    BFD runs the apf script, not the wannabe hackers.

    I've had about 20 today, normally I get 20 a week.
    Michael

  3. #3
    Super Moderator chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Often it seems to depend who had the IP address range before you as to how many brute force hits you get. I have some servers that rarely get any and some that get 50+ a day. But, at least now it's doing its thing.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #4
    Member
    Join Date
    Aug 2004
    Posts
    77


    Yeah each time I get that I get a lil more faith in how I setup APF and other security programs.

    I don't know why though the past 48hrs seems to be 'super attempt' season on my server. I know it's either the same people spoofing IPs, or my IP has been posted as a 'try to shut down the server' board or something cause it's the same stupid dictionary list (if I have to see DARKMAN one more time!!!) but still it's sorta annoying...lol.

    Oooh while I was typing I got another one! lol.

    It's all good though. I listened to what you guys had to say here about securing my server and I'm not worried about someone gaining SSH cause root login is off and only 1 user (myself) has SSH access and the login is damn near impossible to just 'guess'.

  5. #5
    Member rs-freddo
    Join Date
    May 2003
    Location
    Australia
    Posts
    836
    cPanel/Enkompass Access Level

    Root Administrator


    Mostly they are just automated attacks from infected machines. Recognise the user "test" or "patrick", occasionally I even get the user "root".

    I removed all IPs from the deny file when rebooting the server a couple of days ago. Again today I've had over 20 attacks - which again is unusual. Maybe there's another successful Windows virus out there again... There were 5 serious Windows vulnerabilities a couple of weeks ago.
    Michael

  6. #6
    Member
    Join Date
    May 2004
    Posts
    114


    I hope you changed the SSH port. I used to have loads of kiddies trying to gain access to my box, so I changed the SSH port, put all the necessary ports to be open and outgoing and bang, never again did I have a problem, just some FTP login failures trying to gain access.
    ------------------------
    Greeeting from me
    How are you doing ?
    Keep it real
    ------------------------

  7. #7
    Member
    Join Date
    Aug 2004
    Posts
    77


    I haven't changed my SSH port... yet. It's on my 'list of things to do' but I'm getting married in less than 48hrs (lol) so my 'webserver updates' are on hold til I get back cause I wanna be able to thoroughly test things before I say 'okay' and leave it alone for 4 days while I'm gone.

  8. #8
    Member
    Join Date
    May 2003
    Posts
    120

    Congratulations!

    Quote Originally Posted by digitard
    I haven't changed my SSH port... yet. It's on my 'list of things to do' but I'm getting married in less than 48hrs (lol) so my 'webserver updates' are on hold til I get back cause I wanna be able to thoroughly test things before I say 'okay' and leave it alone for 4 days while I'm gone.
    Congratulations! Marriage is a good institution and I have been married for 11 years now and each year is better than the previous.

    <blush>Sorry for the off-topic reply.</blush>

    Brian

  9. #9
    Member verdon
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792


    Quote Originally Posted by brianc
    Congratulations! Marriage is a good institution and I have been married for 11 years now and each year is better than the previous.

    <blush>Sorry for the off-topic reply.</blush>

    Brian
    He's right... 21 for me... not always easy, but worth it in the long run... Good Luck

  10. #10
    Member
    Join Date
    Mar 2004
    Posts
    710


    I received 18,000 in one morning. I changed to ssh port. Something is definitely out there.
    Lloyd F Tennison

  11. #11
    Member
    Join Date
    Apr 2005
    Posts
    154


    I'm new to the dedicated server arena after being a reseller for a long time. I've had the new server for about 3 weeks and I got my first BF attack this morning.

    I don't allow shell/telnet access on my server (except for root). How would I go about changing the SSH port? Should I be using something else other than root for extra security? Any recommendations? (I'm new to CPanel and using a server with Red Hat Linux OS installed)

    Thanks,
    BX

    P.S. Congrats Brian.

  12. #12
    Member
    Join Date
    May 2003
    Posts
    120


    Hi BraveX:

    You can modify your SSH port number via this file: /etc/ssh/sshd_config

    Here is a good security tutorial:

    http://forums.cpanel.net/showthread....threadid=14444

    Have a great weekend.
    Brian

  13. #13
    Member
    Join Date
    Apr 2005
    Posts
    154


    Thanks, Brian!

  14. #14
    Member
    Join Date
    Sep 2003
    Posts
    234


    Why not just deny access from all IPs with the exception of a few?

  15. #15
    Member
    Join Date
    Mar 2004
    Posts
    710


    Be careful doing that - most ISP's (for people that work from home) use dynamic IP's and you could get locked out...
    Lloyd F Tennison
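
An added example, not part of the thread and not BFD's own code: the kind of check a brute-force detector runs over sshd log lines, counting failed password attempts per source address and listing the addresses that cross a threshold, with an allowlist so an admin who mistypes a password is not locked out. The log lines, addresses (documentation ranges), the `admin1` user and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format; the addresses are from
# documentation ranges and "test", "patrick", "root" echo the thread.
SAMPLE_LOG = """\
Apr 16 06:01:02 host sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Apr 16 06:01:04 host sshd[2103]: Failed password for invalid user patrick from 203.0.113.7 port 40130 ssh2
Apr 16 06:01:07 host sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Apr 16 06:01:09 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40155 ssh2
Apr 16 06:03:30 host sshd[2120]: Failed password for admin1 from 198.51.100.23 port 51514 ssh2
Apr 16 06:03:34 host sshd[2121]: Failed password for admin1 from 198.51.100.23 port 51516 ssh2
Apr 16 06:03:38 host sshd[2122]: Failed password for admin1 from 198.51.100.23 port 51518 ssh2
Apr 16 06:03:41 host sshd[2123]: Accepted password for admin1 from 198.51.100.23 port 51520 ssh2
"""

# Matches failures for both existing accounts and "invalid user" attempts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def failed_logins(log_text):
    """Return {ip: [usernames tried]} for every failed sshd password attempt."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)

def ips_to_ban(log_text, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, skipping allowlisted addresses."""
    return sorted(
        ip for ip, users in failed_logins(log_text).items()
        if len(users) >= threshold and ip not in allowlist
    )

if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    # The admin's own address is allowlisted (assumed), so only the scanner is listed.
    for ip in ips_to_ban(SAMPLE_LOG, allowlist={"198.51.100.23"}):
        print(f"{ip}: {len(counts[ip])} failures, users: {sorted(set(counts[ip]))}")
```

Without the allowlist, the admin's three mistyped passwords would put their own address on the ban list as well, which is the lock-out risk raised in the last reply.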
