  1. #1
    Member
    Join Date
    Dec 2005
    Posts
    51

    How to stop these login attempts

    Hello,

    I recently configured and started to use LogWatcher on my server that runs Webhost Manager and cPanel. The following information was sent to me from LogWatch:

    Code:
     --------------------- SSHD Begin ------------------------ 
    
     
     Didn't receive an ident from these IPs:
        210.103.124.7: 5 Time(s)
        213.180.161.100 (cust.static.213-180-161-100.cybernet.ch): 5 Time(s)
        84.19.176.196 (ns.km21707-05.keymachine.de): 5 Time(s)
     
     Failed logins from:
        58.241.118.116: 15 times
           root/password: 15 times
        210.103.124.7: 105 times
           root/password: 81 times
           ftp/password: 8 times
           mysql/password: 3 times
           mail/password: 2 times
           news/password: 2 times
           adm/password: 1 time
           bin/password: 1 time
           games/password: 1 time
           lp/password: 1 time
           mailman/password: 1 time
           nobody/password: 1 time
           operator/password: 1 time
           rpm/password: 1 time
           sshd/password: 1 time
        213.180.161.100 (cust.static.213-180-161-100.cybernet.ch): 5 times
           root/password: 5 times
     
     Illegal users from:
        58.241.118.116: 30 times
           admin/password: 10 times
           test/password: 10 times
           guest/password: 5 times
           user/password: 5 times
        84.19.176.196 (ns.km21707-05.keymachine.de): 18 times
           test/password: 18 times
        210.103.124.7: 257 times
           admin/password: 14 times
           test/password: 10 times
           liviu/password: 9 times
           user/password: 8 times
           master/password: 7 times
           network/password: 7 times
           pgsql/password: 7 times
           password/password: 5 times
           fluffy/password: 4 times
           guest/password: 4 times
           sanda/password: 4 times
           username/password: 4 times
           webmaster/password: 4 times
           info/password: 3 times
           michael/password: 3 times
           shell/password: 3 times
           Zmeu/password: 2 times
           admins/password: 2 times
           apache/password: 2 times
           cmd/password: 2 times
           library/password: 2 times
           linux/password: 2 times
           mike/password: 2 times
           oracle/password: 2 times
           richard/password: 2 times
           unix/password: 2 times
           webadmin/password: 2 times
           word/password: 2 times
           wwwrun/password: 2 times
           Aaliyah/password: 1 time
           Aaron/password: 1 time
           Aba/password: 1 time
           Abel/password: 1 time
           Access/password: 1 time
           Exit/password: 1 time
           Ionut/password: 1 time
           Jewel/password: 1 time
           adam/password: 1 time
           add/password: 1 time
           address/password: 1 time
           adrian/password: 1 time
           alan/password: 1 time
           alex/password: 1 time
           alin/password: 1 time
           alina/password: 1 time
           alinus/password: 1 time
           amanda/password: 1 time
           andrei/password: 1 time
           angel/password: 1 time
           aron/password: 1 time
           at/password: 1 time
           backup/password: 1 time
           bash/password: 1 time
           bnc/password: 1 time
           bran/password: 1 time
           brett/password: 1 time
           cafe/password: 1 time
           cap/password: 1 time
           cgi/password: 1 time
           ch/password: 1 time
           char/password: 1 time
           com/password: 1 time
           commando/password: 1 time
           copy/password: 1 time
           danny/password: 1 time
           data/password: 1 time
           david/password: 1 time
           denied/password: 1 time
           dulap/password: 1 time
           edit/password: 1 time
           flopy/password: 1 time
           george/password: 1 time
           get/password: 1 time
           hacker/password: 1 time
           haxor/password: 1 time
           help/password: 1 time
           hk/password: 1 time
           http/password: 1 time
           httpd/password: 1 time
           hy/password: 1 time
           id/password: 1 time
           ident/password: 1 time
           if/password: 1 time
           internet/password: 1 time
           irc/password: 1 time
           ircop/password: 1 time
           is/password: 1 time
           it/password: 1 time
           john/password: 1 time
           kathi/password: 1 time
           kayten/password: 1 time
           kernel/password: 1 time
           ldap/password: 1 time
           max/password: 1 time
           mcedit/password: 1 time
           michi/password: 1 time
           mikael/password: 1 time
           name/password: 1 time
           net/password: 1 time
           nick/password: 1 time
           nickname/password: 1 time
           nicole/password: 1 time
           not/password: 1 time
           ok/password: 1 time
           open/password: 1 time
           oper/password: 1 time
           org/password: 1 time
           party/password: 1 time
           paul/password: 1 time
           pe/password: 1 time
           pico/password: 1 time
           pl/password: 1 time
           play/password: 1 time
           postfix/password: 1 time
           postmaster/password: 1 time
           print/password: 1 time
           printul/password: 1 time
           psybnc/password: 1 time
           radu/password: 1 time
           resin/password: 1 time
           rex/password: 1 time
           robert/password: 1 time
           rumeno/password: 1 time
           sabin/password: 1 time
           sales/password: 1 time
           samba/password: 1 time
           sara/password: 1 time
           search/password: 1 time
           sef/password: 1 time
           send/password: 1 time
           sex/password: 1 time
           sgi/password: 1 time
           sh/password: 1 time
           sharon/password: 1 time
           shop/password: 1 time
           smecher/password: 1 time
           squid/password: 1 time
           ssh/password: 1 time
           stan/password: 1 time
           station/password: 1 time
           stef/password: 1 time
           stephen/password: 1 time
           steven/password: 1 time
           sunny/password: 1 time
           sunsun/password: 1 time
           susan/password: 1 time
           suva/password: 1 time
           technicom/password: 1 time
           telnet/password: 1 time
           tgz/password: 1 time
           to/password: 1 time
           trib/password: 1 time
           uk/password: 1 time
           undernet/password: 1 time
           unseen/password: 1 time
           us/password: 1 time
           users/password: 1 time
           web/password: 1 time
           webpop/password: 1 time
           work/password: 1 time
           www-data/password: 1 time
           www/password: 1 time
           yahoo/password: 1 time
           za/password: 1 time
    How can I stop these attempts? There are two accounts on my machine, root and an account that runs my website, each of which has a very strong password of at least 30+ alphanumeric and "special" characters, so I firmly believe the passwords will not be cracked any time soon.

    Thanks

  2. #2
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    A common method is to use an iptables-based firewall to manage who can or can't access a given server coupled with a compatible 'failed login' checker that will then block IPs that use brute force methods.

    APF+BFD is a popular choice and configserver.com's CSF+LFD is a new and viable option.
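
The kind of check a failed-login checker performs before handing an address to the firewall, as an added example that is not part of the original thread and not the code of BFD or LFD. The log lines are constructed samples using documentation addresses, and the threshold, time window, year and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog sshd format (documentation IPs).
SAMPLE_LOG = """\
Jun 17 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40110 ssh2
Jun 17 10:00:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 17 10:00:05 host sshd[2103]: Failed password for illegal user test from 203.0.113.7 port 40115 ssh2
Jun 17 10:00:06 host sshd[2104]: Accepted password for webuser from 192.0.2.10 port 51000 ssh2
Jun 17 10:00:08 host sshd[2105]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jun 17 10:02:00 host sshd[2106]: Failed password for root from 198.51.100.23 port 33001 ssh2
Jun 17 10:30:00 host sshd[2107]: Failed password for root from 198.51.100.23 port 33002 ssh2
Jun 17 11:10:00 host sshd[2108]: Failed password for guest from 198.51.100.23 port 33003 ssh2
"""

# Greedy username plus end anchor: the address is read from the tail that sshd
# writes, never from text inside the client-supplied username.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(.*) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d?)?$")

def find_offenders(log_text, max_failures=4, window=timedelta(minutes=5), year=2006):
    """Return {ip: usernames tried} for IPs with max_failures failures inside window.

    Assumes lines are in chronological order; syslog omits the year, so it is passed in.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username that address tried
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        stamp, user, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        users[ip].add(user)
        while when - q[0] > window:   # drop failures that have aged out
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip] = sorted(users[ip])
    return offenders

def block_rules(offenders):
    """Render (not execute) one iptables DROP rule per offending source address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(offenders)]
```

The slow source at 198.51.100.23 never reaches the threshold inside one window, which is why such checkers are usually paired with a longer-term counter or a restrictive firewall policy.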

  3. #3
    Member
    Join Date
    Jul 2005
    Location
    Sticky On Internet
    Posts
    555

    Hi,
    That seems to be some kind of attack on your SSH port. You may change the SSH port to a higher value than the default "port 22"; this will put you on a bit safer side, as default ports are always prone to such login attempts.

    Have a look at the discussion given below; it has all the info you would need.
    http://forums.cpanel.net/showthread....nging+ssh+port

    see ya,
    mohit
    Learn at least A word Daily

    7+1 Dedicated Boxes with cPanel...

  4. #4
    Member
    Join Date
    Dec 2005
    Posts
    51

    Where is some documentation about APF+BFD?

  5. #5
    Member
    Join Date
    Jan 2005
    Posts
    1,880
    Last edited by webignition; 06-17-2006 at 10:36 AM.

  6. #6
    Member
    Join Date
    Jul 2005
    Posts
    23

    Hey guys, this has helped me with the same problem. Chirpy's firewall is awesome!
    http://www.configserver.com/blog/
