Urgent !!!!! Server Under Attack

**jotay** · 04-04-2006 08:03 PM

Hi, One of my webpage has been haked ........

How i can deny access to one or more IP to my server ?

this is a log:

The remote system 193.202.89.64 was found to have exceeded acceptable login failures on your server; there was 204 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

THIS IS OTHER LOG !!! :

Security Violations
=-=-=-=-=-=-=-=-=-=
Apr 4 16:58:15 matrix1 sshd(pam_unix)[23289]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.103.134 user=root
Apr 4 16:58:15 matrix1 sshd(pam_unix)[23288]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.103.134 user=root
Apr 4 16:58:15 matrix1 sshd(pam_unix)[23290]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.103.134 user=root
Apr 4 16:58:15 matrix1 sshd(pam_unix)[23286]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.103.134 user=root
Apr 4 16:58:15 matrix1 sshd(pam_unix)[23285]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.103.134 user=root
Apr 4 16:58:17 matrix1 kernel: audit(1144184297.923:7722084): user pid=23288 uid=0 auid=0 msg='PAM authentication: user=root exe="/usr/sbin/sshd" (hostname=217.156.103.134, addr=217.156.103.134, terminal=ssh result=Authentication failure)'
Apr 4 16:58:17 matrix1 kernel: audit(1144184297.924:7722106): user pid=23290 uid=0 auid=0 msg='PAM authentication: user=root exe="/usr/sbin/sshd" (hostname=217.156.103.134, addr=217.156.103.134, terminal=ssh result=Authentication failure)'
Apr 4 16:58:17 matrix1 kernel: audit(1144184297.934:7722166): user pid=23286 uid=0 auid=0 msg='PAM authentication: user=root exe="/usr/sbin/sshd" (hostname=217.156.103.134, addr=217.156.103.134, terminal=ssh result=Authentication failure)'
Apr 4 16:58:17 matrix1 kernel: audit(1144184297.935:7722188): user pid=23285 uid=0 auid=0 msg='PAM authentication: user=root exe="/usr/sbin/sshd" (hostname=217.156.103.134, addr=217.156.103.134, terminal=ssh result=Authentication

THIS IS OTHER LOG:

The remote system 217.156.103.134 was found to have exceeded acceptable login failures on your server; there was 40 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

PLEASE HELP !!!!!!!!!

**Murtaza_t** · 04-04-2006 08:12 PM

run this command :

Code:

]# iptables -A INPUT -s 217.156.103.134 -j DROP

Code:

]# service iptables save

this will parmanently block that IP.

But the best would be install APF anf BFD to deal with these bad guys automatically.

http://forums.cpanel.net/showthread.php?t=30159

**dave9000** · 04-04-2006 08:14 PM

And to add to the above post

change the ssh port from port 22 to a unused port

This in itself will stop almost all of the login attempts

**jotay** · 04-04-2006 09:04 PM

Thanks Murtaza and Dave !!!

LinkBack

Thread Tools

Urgent !!!!! Server Under Attack

Urgent Formmail Attack

server under attack need to stop now

Server under Virus Attack - Please help it's URGENT !!!

Server Attack, every day, help:(

My server under attack