The Community Forums

Interact with an entire community of cPanel & WHM users!

Anyone getting a lot of brute force attacks against their server?

Discussion in 'General Discussion' started by Vatoloco, Jan 9, 2005.

  1. Vatoloco

    Vatoloco Well-Known Member

    Joined:
    Jun 21, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Almost every day I'll have something like what is below in my log files. It's never coming from the same IP, but the types of names it tries to log in with are always similar.

    I'm thinking maybe it's a trojan that these machines are infected with? Just wondering if anyone else is experiencing it or if someone is coming after me specifically.


    Failed logins from these:
    account/password from 67.18.220.130: 1 Time(s)
    adam/password from 67.18.220.130: 1 Time(s)
    adm/password from 67.18.220.130: 2 Time(s)
    alan/password from 67.18.220.130: 1 Time(s)
    apache/password from 67.18.220.130: 1 Time(s)
    backup/password from 67.18.220.130: 1 Time(s)
    cip51/password from 67.18.220.130: 1 Time(s)
    cip52/password from 67.18.220.130: 1 Time(s)
    cosmin/password from 67.18.220.130: 1 Time(s)
    cyrus/password from 67.18.220.130: 1 Time(s)
    data/password from 67.18.220.130: 1 Time(s)
    frank/password from 67.18.220.130: 1 Time(s)
    george/password from 67.18.220.130: 1 Time(s)
    henry/password from 67.18.220.130: 1 Time(s)
    horde/password from 67.18.220.130: 1 Time(s)
    iceuser/password from 67.18.220.130: 1 Time(s)
    irc/password from 67.18.220.130: 2 Time(s)
    jane/password from 67.18.220.130: 1 Time(s)
    john/password from 67.18.220.130: 1 Time(s)
    master/password from 67.18.220.130: 1 Time(s)
    matt/password from 67.18.220.130: 1 Time(s)
    mysql/password from 67.18.220.130: 1 Time(s)
    nobody/password from 67.18.220.130: 1 Time(s)
    noc/password from 67.18.220.130: 1 Time(s)
    operator/password from 67.18.220.130: 1 Time(s)
    oracle/password from 67.18.220.130: 1 Time(s)
    pamela/password from 67.18.220.130: 1 Time(s)
    patrick/password from 67.18.220.130: 2 Time(s)
    rolo/password from 67.18.220.130: 1 Time(s)
    root/password from 67.18.220.130: 59 Time(s)
    server/password from 67.18.220.130: 1 Time(s)
    sybase/password from 67.18.220.130: 1 Time(s)
    test/password from 67.18.220.130: 5 Time(s)
    user/password from 67.18.220.130: 3 Time(s)
    web/password from 67.18.220.130: 2 Time(s)
    webmaster/password from 67.18.220.130: 1 Time(s)
    www-data/password from 67.18.220.130: 1 Time(s)
    www/password from 67.18.220.130: 1 Time(s)
    wwwrun/password from 67.18.220.130: 1 Time(s)
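A quick way to triage a report like the one above, as an added example that is not part of Vatoloco's post: the awk summary below groups the "Failed logins from these:" lines by source address and counts how many different account names each source tried, plus the total attempts. One source cycling through dozens of names (with root getting most of the tries, as in the report above) is the pattern the later replies describe as a dictionary worm; one name tried twice is more likely a person mistyping a password. The sample lines are constructed with documentation-range IPs, and the five-name threshold is an assumption for the example, not a standard.

```shell
#!/bin/sh
# Added example, not from the thread: summarise logwatch-style
# "Failed logins from these:" lines per source address, so a dictionary
# scan (many account names from one IP) stands out from a mistyped password.
#
# Line format, as in the post above:   USER/password from IP: N Time(s)

# Constructed sample input using documentation-range addresses.
sample_failed_logins() {
    cat <<'EOF'
Failed logins from these:
    account/password from 192.0.2.10: 1 Time(s)
    adm/password from 192.0.2.10: 2 Time(s)
    root/password from 192.0.2.10: 59 Time(s)
    test/password from 192.0.2.10: 5 Time(s)
    www-data/password from 192.0.2.10: 1 Time(s)
    alice/password from 198.51.100.7: 2 Time(s)
EOF
}

# Reads the report on stdin and prints, per source IP, sorted:
#   IP  distinct_users  total_attempts  verdict
# The five-name threshold is an assumption for this example, not a standard.
summarize_failed_logins() {
    awk '
        # only lines shaped like "user/password from 1.2.3.4: N Time(s)"
        /^[[:space:]]*[^[:space:]]+\/password from [0-9.]+: [0-9]+ Time\(s\)/ {
            split($1, up, "/"); user = up[1]
            ip = $3; sub(/:$/, "", ip)
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
            total[ip] += $4
        }
        END {
            for (ip in users) {
                verdict = (users[ip] >= 5) ? "dictionary-scan" : "isolated"
                printf "%s %d %d %s\n", ip, users[ip], total[ip], verdict
            }
        }
    ' | sort
}

# Run on the constructed sample; on a real server pipe the logwatch mail
# (or the same summary from /var/log/secure) in instead.
sample_failed_logins | summarize_failed_logins
```

The verdict column is only a sorting aid: the source that tried five different names in the sample is flagged, the single-name source is not, and both still merit the firewall rules the replies below recommend.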
     
  2. jdonoso

    jdonoso Well-Known Member

    Joined:
    Nov 15, 2004
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    The Third Rock from The Sun!
    Hi,

    This is not a sign that your server is infected, but probably theirs. It can also be a hacker doing brute force attacks in order to gain access to your box. I would recommend that you install APF (http://www.rfxnetworks.com/apf.php) in conjunction with BSD (http://www.rfxnetworks.com/bsd.php) to protect yourself against them.

    Do a search in this forum, since there are several threads regarding this subject.

    Best regards,
     
  3. Webbie05

    Webbie05 Member

    Joined:
    Dec 16, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hey there, I was getting a lot of those, so all I did was change my SSH port to something else, and since then I've had no problems, although all they need to do is a port scan to find that new port, mind you.
     
  4. nerdzoll

    nerdzoll Well-Known Member

    Joined:
    Oct 4, 2004
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    just another thought

    Hey, one thing that I have done that stopped every single one of those attacks is to set aside 2 or 3 IPs that you will never use for anything else.
    Assign one to SSH (even on the standard port 22) and only run ssh on that IP. I have not had a single brute force on ssh since I did it...
    Oh, and if you desire, every so often you can rotate the IP of SSH.

    Works wonders
     
  5. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    It's just a worm that spreads via weak accounts over ssh - pretty much anyone running anything connected to the net will get hit by this at least every once in a while. I see two to three unique sources a day.
     
  6. Alexandre Duran

    Alexandre Duran Well-Known Member

    Joined:
    May 6, 2003
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - BRAZIL
  7. brentp

    brentp Well-Known Member

    Joined:
    Mar 11, 2004
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ayr, North Queensland, Australia
    I used to get around 15 emails from APF per day from bruteforce attacks on the old box.

    Regards,
    Brent
     
  8. Vatoloco

    Vatoloco Well-Known Member

    Joined:
    Jun 21, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for all the suggestions. I set up an IP just for SSH and changed the port and, so far, no more entries like that in the logs! :)
     
  9. ntwaddel

    ntwaddel Well-Known Member

    Joined:
    Nov 3, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Templeton, CA
    I've been getting tons! :p
     
  10. fusioncroc

    fusioncroc Well-Known Member

    Joined:
    Sep 28, 2004
    Messages:
    261
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    U.K.
    I used to get 4-5 emails a day for 2 days before I changed the port and IP.
     
  11. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Changing the port will be more than enough on its own; there's no need to use an IP just for SSH.
     
  12. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    I think he meant that he set up ssh to listen on only one IP, instead of sshd listening on all the IPs on the server (which is the default). That makes sense if you're going to be the one using it... then you really only need it listening on the one IP that you'll use. And, while I expect you know this - I wanted to clarify your wording - it doesn't 'use' an IP, in the sense that he can't use the IP for anything else.
     
  13. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Well sure, if you want to. Changing the port would still suffice, as <0.1% of the bruteforces people will see at the moment are actually done by a human who checked what port it was on first.

    Nono, I'm quite aware of that - I was responding to:

    ;)
     
  14. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    It's just part of reducing the number of ports open on your IPs... simplicity helps keep things easy for monitoring and understanding too.

    But IMHO, it's best to simply deny all access to ssh to anyone except myself, using hosts.deny/hosts.allow in conjunction with my firewall. Not for everybody of course, but if done right, practically 0.0% of anyone, bruteforce or otherwise, will be able to connect to the port to try anything.
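The three measures proposed in this thread (a non-default port, sshd bound to one dedicated IP as nerdzoll and dezignguy describe, and hosts.allow/hosts.deny as in the post above) can be checked rather than just applied. The script below is an added example, not anything posted in the thread: it audits an sshd_config fragment for those settings and models the hosts.allow/hosts.deny decision for the simple "sshd: ALL" deny plus one permitted address. Every address, the port 2222 and the sample config text are constructed for the example, and the wrappers model handles exact IPs and the ALL wildcard only.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the measures
# discussed here (non-default port, one ListenAddress, no root login) and
# model the hosts.allow/hosts.deny decision for sshd. Every address, the
# port number and the config text below are constructed for the example.

# Constructed sshd_config fragment that applies the thread's advice.
hardened_sshd_config() {
    cat <<'EOF'
# Listen on one dedicated address only, not on every IP the box has
ListenAddress 192.0.2.50
# Off port 22, so a worm that only probes the default port never connects
Port 2222
# The report at the top of the thread shows "root" tried 59 times
PermitRootLogin no
EOF
}

# Constructed stock-looking fragment: default port, all IPs, root allowed.
weak_sshd_config() {
    cat <<'EOF'
PermitRootLogin yes
EOF
}

# Effective value of a keyword: sshd uses the FIRST occurrence, so do we.
sshd_option() {   # $1 = keyword, config text on stdin
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Prints one FINDING line per weak setting; returns 1 if any, else 0.
audit_sshd_config() {   # config text on stdin
    cfg=$(cat); rc=0
    port=$(printf '%s\n' "$cfg" | sshd_option Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FINDING: sshd on default port 22 (Port unset or 22)"; rc=1
    fi
    if [ -z "$(printf '%s\n' "$cfg" | sshd_option ListenAddress)" ]; then
        echo "FINDING: no ListenAddress, sshd listens on every IP"; rc=1
    fi
    root=$(printf '%s\n' "$cfg" | sshd_option PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}', not 'no'"; rc=1
    fi
    return $rc
}

# TCP wrappers as the post above describes: deny sshd to everyone, then
# allow the admin's own address. Constructed contents of the two files.
HOSTS_ALLOW='sshd: 203.0.113.4'
HOSTS_DENY='sshd: ALL'

# $1 = file contents, $2 = daemon, $3 = client IP. Returns 0 on a match.
# Handles "daemon: host host ..." with exact IPs and ALL only; real tcpd
# also understands networks, hostnames and EXCEPT, which are left out here.
_wrappers_match() {
    printf '%s\n' "$1" | awk -v d="$2" -v c="$3" '
        /^[[:space:]]*(#|$)/ { next }
        {
            split($0, f, ":")
            gsub(/[[:space:]]/, "", f[1])
            if (f[1] != d && f[1] != "ALL") next
            n = split(f[2], h, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (h[i] == c || h[i] == "ALL") { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# tcpd order: a hosts.allow match wins, then hosts.deny denies, else allow.
wrappers_decision() {   # $1 = daemon, $2 = client IP; echoes allow|deny
    if _wrappers_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif _wrappers_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Demonstration on the constructed inputs
hardened_sshd_config | audit_sshd_config && echo "hardened config: no findings"
weak_sshd_config | audit_sshd_config || echo "weak config: fix the findings above"
echo "admin: $(wrappers_decision sshd 203.0.113.4)  stranger: $(wrappers_decision sshd 198.51.100.7)"
```

On a real box the audit runs as `audit_sshd_config < /etc/ssh/sshd_config`, followed by `sshd -t` before any restart, since a typo in sshd_config locks you out more reliably than any worm. Two caveats belong with the thread's advice: OpenSSH dropped libwrap (hosts.allow/hosts.deny) support in 6.7, so on a current system the same per-address restriction goes in the firewall or in a `Match Address` block in sshd_config; and, as Webbie05 notes, moving the port only removes the worm's noise, it is not access control.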
     