The Community Forums

Interact with an entire community of cPanel & WHM users!

Blocking a single IP

Discussion in 'General Discussion' started by linuxman, Jan 8, 2005.

  1. linuxman

    linuxman Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    We have someone constantly trying to break into our server, the IP is all over our logs. Is there any way I can permanently keep this IP from connecting or even attempting to connect? They are actually trying to SSH in and other means of access, literally 100s of times per day, almost like they think it is their server and forgot the passwords. Thanks
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you're running on Linux (!), I'd suggest installing APF (with anti-dos enabled and configured) and BFD if you can:
    http://www.rfxnetworks.com/proj.php

    Alternatively, you can block the IP address by adding it into iptables (replace 11.22.33.44 with the IP address in question):

    iptables -I INPUT -p tcp -s 11.22.33.44 -j DROP
     
  3. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Sounds like you're just getting scanned by the lame ssh worm, like everyone else. You'll find blocking this one IP won't make the problem go away, as you'll soon start getting hit by someone else. As long as you don't have any of the accounts it's trying with really lame passwords (I don't actually know what the set of passwords are it tries) then you can just ignore it. It's only if you're finding it attempting to bruteforce one single account that it should concern you (the worm tries about 30-50 account names at last check, each 5-10 times).

    If it really bothers you just send an abuse email to the abuse address for the netblock the IP belongs to.
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider

    That is a very poor answer and should be ignored by all. The proper way to deal with this type of thing is as chirpy and others have said many times on the forum. Use APF with BFD.
     
  5. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    IF you've got accounts weak enough to get broken into by the SSH worm, you've got bigger problems to worry about. Password policies and auditing are the proper solution.
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    I will agree with that, but using BFD to block the offending IPs is also a proper security approach. Unfortunately there are a lot of people using/running hosting servers who do not understand policies and auditing; you also have to remember that the hoster has no control over what a user changes their password to, which is even worse if that user has been granted SSH access.
     
  7. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Sure, but certain BFD configurations (too insensitive, too long between checks) won't stop them getting into the weak account and setting themselves up with another way to get into the system before they're found out - and in the case of the worm, where the uploading of the exploit is completely automated and then started, firewalling off the host that put the worm there won't immediately solve the problem (you'll need to clean up the SSH worm too). A lot can happen between BFD scans. :)
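The points made in this thread - chirpy's iptables DROP rule, philb's distinction between a worm that tries many account names a few times each and a real brute force against one account, and philb's warning about how much can happen between BFD checks - can be tried out on a log without touching a live firewall. The script below is an added example and is not code from the thread, from cPanel, or from the APF/BFD project. It works over constructed sshd log lines (the IP addresses, user names and timestamps are made up; 11.22.33.44 is the placeholder from chirpy's post), assumes the year 2005 for syslog timestamps that carry no year, and uses a threshold of ten failures against a single account, chosen here to match philb's "5-10 times per name" figure, to separate a scan from a targeted attack. It only prints the iptables rules as text for review.

```python
# Added example, not code from the thread: triage of failed SSH logins per
# source address, and chirpy's iptables DROP rule emitted as text for review.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); none of these are real.
SCAN_LINES = [
    "Jan  8 03:12:01 host sshd[2101]: Failed password for invalid user test from 11.22.33.44 port 40211 ssh2",
    "Jan  8 03:12:04 host sshd[2103]: Failed password for invalid user guest from 11.22.33.44 port 40213 ssh2",
    "Jan  8 03:12:07 host sshd[2105]: Failed password for invalid user admin from 11.22.33.44 port 40215 ssh2",
    "Jan  8 03:12:10 host sshd[2107]: Failed password for root from 11.22.33.44 port 40217 ssh2",
    "Jan  8 03:12:13 host sshd[2109]: Failed password for invalid user oracle from 11.22.33.44 port 40219 ssh2",
]
# Twelve guesses against one account inside a minute, also constructed.
BRUTE_LINES = [
    f"Jan  8 03:40:{i:02d} host sshd[{2200 + i}]: Failed password for bob from 55.66.77.88 port {51000 + i} ssh2"
    for i in range(12)
]
OK_LINE = "Jan  8 03:41:00 host sshd[2230]: Accepted password for alice from 99.88.77.66 port 60000 ssh2"
SAMPLE_LOG = "\n".join(SCAN_LINES + BRUTE_LINES + [OK_LINE])

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
LOG_YEAR = 2005  # syslog lines carry no year; assumed for the sample


def parse_failures(text):
    """Return (timestamp, user, ip) for every 'Failed password' line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            out.append((ts, m["user"], m["ip"]))
    return out


def summarize(failures):
    """Per source IP: total attempts, attempts per user name, first and last time."""
    stats = {}
    for ts, user, ip in failures:
        s = stats.setdefault(ip, {"attempts": 0, "per_user": defaultdict(int), "first": ts, "last": ts})
        s["attempts"] += 1
        s["per_user"][user] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def classify(s, single_account_threshold=10):
    """philb's rule of thumb: many names with a few tries each is a scan,
    many tries at one name is a targeted brute force."""
    if max(s["per_user"].values()) >= single_account_threshold:
        return "single-account brute force"
    return "broad scan"


def attempts_before_check(failures, ip, check_seconds=300):
    """Guesses from `ip` that land before a periodic log check running
    `check_seconds` after its first failure, i.e. before a BFD-style
    scanner could react to it (assumed interval, not BFD's default)."""
    times = sorted(ts for ts, _, a in failures if a == ip)
    if not times:
        return 0
    deadline = times[0] + timedelta(seconds=check_seconds)
    return sum(1 for t in times if t < deadline)


def block_rules(stats, min_attempts=5):
    """iptables DROP rules in the form chirpy gave, for sources at or above
    min_attempts. Returned as strings; nothing is applied to the firewall."""
    return [
        f"iptables -I INPUT -p tcp -s {ip} -j DROP"
        for ip, s in sorted(stats.items())
        if s["attempts"] >= min_attempts
    ]


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    stats = summarize(fails)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['attempts']} failures, {len(s['per_user'])} user names, {classify(s)}")
        print(f"  guesses landing before a 5-minute check: {attempts_before_check(fails, ip)}")
    for rule in block_rules(stats):
        print(rule)
```

Run against a real /var/log/secure or auth.log, the output shows why both sides of the thread have a point: the scanning source earns a DROP rule, but the twelve-guess run against one account completes long before a five-minute check fires, which is philb's argument that a strong password policy has to come first and the firewall rule second.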
     
  8. linuxman

    linuxman Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for all the answers. After really looking at the attempts, it appears they can try regardless of what you do.
     