The Community Forums


Brute Force Attacks

Discussion in 'General Discussion' started by RJH Hosting, Jun 30, 2005.

  1. RJH Hosting

    RJH Hosting Registered

    Joined:
    Jun 29, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Regina, Saskatchewan, Canada
    I searched through the board to try and find someone with a similar problem, but was unable to find anything on quite the scale I am experiencing it.

    I am receiving approximately 1200 Brute Force Attack Messages every day - :eek: - yes, Twelve Hundred. 98% of them are targeting EXIM, with the other 2% targeting SSH - I believe....I honestly do not read each and every single one.

    I have about 20 accounts on a single VPS. Each EXIM attack shows that they are trying to use false usernames from a single domain name.

    I used to be on a VPS on which BFD software was not installed, so I am not sure if this is a new problem or one that I just never saw before.

    My VPS provider tells me there is nothing to worry about. But, from looking at past posts here, it looks like people are getting around 4 or 5 messages a day, or 20 a week, or numbers like that - nothing like my 1200 daily!

    Any recommendations or suggestions?
     
  2. azimpact

    azimpact Member

    Joined:
    May 27, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I get a few here and there.

    I'll check the IP number and if it's US based, I fire off an email I set up to the abuse contact for that IP. Any of the foreign-based IPs are a waste of time, so I just delete the warning.

    I know people have reported mixed results doing this, but I've had a few email me back telling me the system the IP was on had been compromised and they were addressing it.

    I've also set my BFD to run every 5 minutes so that when they try an attack, they don't get very many tries at it before their IP is banned. Also, I set the limit to only 2 screwups before it gets banned. (You have to be extra careful when logging in so you don't ban yourself.)

    I don't have a lot of accounts on this VPS so I can afford the overhead to run it every 5 minutes.

    I'll actually go a few days and won't get any at all!

    As long as you have a solid password and you set up your BFD to ban the offending IPs, I wouldn't worry about it. There is not a lot you can do other than install some of the other security features listed on this board.
     
  3. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,192
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    Root Administrator
    is bfd installed on your server ?
     
  4. RJH Hosting

    RJH Hosting Registered

    Joined:
    Jun 29, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Regina, Saskatchewan, Canada
    My password is a random combination of letters and numbers that is over 20 characters long - so pretty solid. :) I know...I am anal - oh well. :rolleyes:

    It does ban the IPs as you said, and I had to clean that file out the other day as it had over 10,000 entries and was taking way too long to process.

    yep.....
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  6. RJH Hosting

    RJH Hosting Registered

    Joined:
    Jun 29, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Regina, Saskatchewan, Canada
    Here is a copy of exactly what I get. I counted today from noon yesterday and I received exactly 1000 of these messages in the last 24 hours.

    I replaced my IP address and my client's domain name, of course, within the output.

    ----------------------------------- START -----------------------------------

    The remote system 221.155.10.197 was found to have exceeded acceptable login failures on MY.DOMAIN.NAME. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.

    The following are event logs for exceeded login failures from 221.155.10.197 on service exim (all time stamps are GMT -0600):
    ----
    - Executed actions:
    /etc/apf/apf -d 221.155.10.197 {bfd.exim}

    - Log events from /var/log/exim_mainlog:
    2005-06-30 20:33:55 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <rodriquez@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:55 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <romero@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:57 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <rose@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:58 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <rowe@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:58 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <ruiz@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:59 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <ryan@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:01 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <salazar@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:02 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <santiago@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:03 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <santos@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:03 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <schmidt@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:04 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <schneider@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:06 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <schultz@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:06 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <sharp@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:10 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <shaw@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:11 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <shelton@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:14 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <silva@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:14 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <simpson@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:15 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <sims@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:16 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <slipcoat7@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:17 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <sliper3824@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:18 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <slipgirl16@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:20 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slk98@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:20 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slmitchelljr@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:21 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slogic@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:22 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slong_ooi@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:23 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slovacek@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:23 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slp921@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:25 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slsi@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:26 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slt1022@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:27 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <sluggy4@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:28 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slumpff84@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:29 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <sluttish7@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:30 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slvrty4@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:31 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slwaln@CLIENTSDOMAIN.NAME>: no such address here
    ----

    - Thank you;
    root@MY.DOMAIN.NAME

    ----------------------------------- END -----------------------------------

    There has got to be something I can do to decrease the amount of work my server is doing to block each attempt and to send me an e-mail after every 20 or so attempts.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's exactly what the ACL I listed would help block.
     
  8. smachol

    smachol Well-Known Member

    Joined:
    Oct 19, 2001
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    If you don't mind my asking, what's BFD and how do you install and use it?
     
  9. cbwass

    cbwass Well-Known Member

    Joined:
    Mar 29, 2002
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    BFD should be used in conjunction with APF firewall.
    http://www.rfxnetworks.com/proj.php

    Install BFD (Brute Force Detection)

    To install BFD, SSH into server and login as root.

    At command prompt type: cd /root/

    At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

    At command prompt type: tar -xvzf bfd-current.tar.gz

    At command prompt type: cd bfd-0.4 (change 0.4 for the current edition)

    At command prompt type: ./install.sh


    After BFD has been installed, you need to edit the configuration file.

    At command prompt type: pico /usr/local/bfd/conf.bfd


    Under Enable brute force hack attempt alerts:

    Find

    ALERT_USR="0"

    and change it to

    ALERT_USR="1"


    Find

    EMAIL_USR="root"

    and change it to

    EMAIL_USR="your@email.com"


    Save the changes then exit.


    To start BFD

    At command prompt type: /usr/local/sbin/bfd -s
    ---------------------------------------------------------------
    in the future anytime you install apf / bfd you should type

    apf -a YOURIP

    ------------------------------------------------------------------
    BFD 0.6 [bfd@r-fx.org]

    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


    1) Introduction:
    BFD is a modular shell script for parsing applicable logs and checking for
    authentication failures. There is not much complexity or detail to BFD yet and
    likewise it is very straight-forward in its installation, configuration and
    usage. The reason behind BFD is very simple; the fact there is little to no
    authentication and brute force auditing programs in the linux community that
    work in conjunction with a firewall or real-time facility to place bans.

    2) Installation:
    There is an included 'install.sh' script that installs all files to
    '/usr/local/bfd/' and places an 8-minute cronjob in '/etc/cron.d/bfd'. The setup
    is really as simple as that.

    3) Configuration:
    The configuration file for BFD is located at '/usr/local/bfd/conf.bfd'; it is
    very straightforward and the comments themselves explain what each option
    is for. Of the options, you should ideally configure the ALERT_USR toggle to
    enable or disable user email alerts and likewise in conjunction configure the
    EMAIL_USR var with the email addresses you would like to receive alerts at.

    An ignore file is present at '/usr/local/bfd/ignore.hosts'; this is a line-
    separated file in which to place hosts that you would like to be ignored for
    authentication failures. An internal function will attempt to fetch all
    local IPs bound on the installed system and therein internally ignore
    events appearing to be from such addresses.

    ----------------------------------------------------------------
     
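The alert in post 6 above is one email per attacking host, each counting every rejected RCPT, and the README in post 9 describes the ignore.hosts list that keeps trusted addresses from being banned. The following is an added example (not code from the thread, from BFD, or from cPanel) of that detection logic as a log parser: it counts "no such address here" RCPT rejections per remote IP over sample exim_mainlog lines, honours an ignore.hosts-style list, and reports a host once when it crosses a threshold rather than once per attempt. The log lines, IPs, sender addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the exim_mainlog format shown in post 6
# (hostnames, IPs and sender addresses are placeholders, not real data).
SAMPLE_LOG = """\
2005-06-30 20:33:55 H=(MY.IP.ADD.RESS) [198.51.100.7] F=<xiz48fo@example.net> rejected RCPT <rodriquez@CLIENTSDOMAIN.NAME>: no such address here
2005-06-30 20:33:55 H=(MY.IP.ADD.RESS) [198.51.100.7] F=<xiz48fo@example.net> rejected RCPT <romero@CLIENTSDOMAIN.NAME>: no such address here
2005-06-30 20:33:57 H=(MY.IP.ADD.RESS) [198.51.100.7] F=<xiz48fo@example.net> rejected RCPT <rose@CLIENTSDOMAIN.NAME>: no such address here
2005-06-30 20:34:01 H=(MY.IP.ADD.RESS) [198.51.100.7] F=<kemgpd4un@example.org> rejected RCPT <salazar@CLIENTSDOMAIN.NAME>: no such address here
2005-06-30 20:34:05 H=(mail.client.example) [203.0.113.9] F=<user@client.example> rejected RCPT <typo@CLIENTSDOMAIN.NAME>: no such address here
2005-06-30 20:34:09 H=(mail.client.example) [203.0.113.9] F=<user@client.example> rejected RCPT <typo2@CLIENTSDOMAIN.NAME>: no such address here
2005-06-30 20:34:12 H=(mail.client.example) [203.0.113.9] F=<user@client.example> rejected RCPT <typo3@CLIENTSDOMAIN.NAME>: no such address here
"""

# Constructed ignore.hosts contents: one address per line, '#' comments allowed.
# A hosted client's relay (the case in post 17) is listed so its typos never get it banned.
SAMPLE_IGNORE = """\
# client office mail relay
203.0.113.9
127.0.0.1
"""

# Timestamp, the remote IP in square brackets, and the rejected recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[\d.]+)\] "
    r".*?rejected RCPT <(?P<rcpt>[^>]+)>: no such address here$"
)


def load_ignore(text):
    """Parse an ignore.hosts-style list: one address per line, blank lines and '#' comments skipped."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")}


def count_rejects(log_text, ignore):
    """Count 'no such address here' RCPT rejections per remote IP, skipping ignored hosts."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("ip") in ignore:
            continue  # unrelated log line, or a host we have chosen to trust
        counts[m.group("ip")] += 1
    return dict(counts)


def hosts_to_report(log_text, ignore_text, threshold=3):
    """Return {ip: count} for hosts at or above the threshold: one report per host, not per attempt."""
    ignore = load_ignore(ignore_text)
    return {ip: n for ip, n in count_rejects(log_text, ignore).items() if n >= threshold}
```

With the ignore list applied only the dictionary-attack source is reported; with an empty list the client's relay would be reported too, which is the false positive Zaf describes in post 17.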
  10. smachol

    smachol Well-Known Member

    Joined:
    Oct 19, 2001
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    Thanks cbwass! :)
     
  11. heyjohnboy

    heyjohnboy Well-Known Member

    Joined:
    Oct 7, 2003
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Valencia, CA
    BFD vulnerability?

    BFD has been working great for us until this weekend, when someone made hundreds of attempts to access one of our boxes, but yet BFD DID NOT deny them. The only thing we can see that is different from all the other attacks is that this person (I use the term loosely) seems to have used a different port with each attempt. Does anyone know if this is a vulnerability of BFD? Are there any suggestions regarding how to strengthen this possible weakness?

    I've included a link to a short excerpt from a rather lengthy break-in attempt so you can see how the ports are changed each time.

    attempt log
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Which version of BFD are you running (Just type bfd to find out). Any version prior to v0.8 was quite buggy and could easily have missed such an attempt. If you're already using v0.8 then it certainly ought to have worked.
     
  13. heyjohnboy

    heyjohnboy Well-Known Member

    Joined:
    Oct 7, 2003
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Valencia, CA
    Well, thanks for pointing out the obvious Chirpy. We were not running .8 (but we are NOW). :)

    BTW, we had a problem when we tried to install the dictionary attack ACL. Have you installed it successfully, and if so, did you encounter any issues along the way that might guide us when we try again?
     
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I've installed the ACL several hundred times by now ;) The main thing is to follow the instructions on the web page very carefully. One of the main mistakes people make is to not put blank lines where they are required and specified in the instructions. If you still cannot get it to work, feel free to PM me.
     
  15. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    Joined:
    Nov 18, 2002
    Messages:
    450
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    All over!
    Is it ok to install this on a server running APF & BFD, or will they conflict with each other? Thanks for the help!

     
  16. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You certainly can do, yes. There's no cross-over between the two; just be sure to remove /usr/local/bfd/rules/exim if it exists, as it's a poor method of blocking dictionary attacks.
     
  17. Zaf

    Zaf Well-Known Member

    Joined:
    Aug 22, 2005
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    I experienced a similar situation as posted by 'RJH Hosting', but the number of mails was less than 100 in my case. The IP addresses of my clients were being banned too. I had to literally have a cron job running to unban their IPs every 15 mins.
    I did exactly what chirpy mentioned above and was always wondering whether I was right until I saw this post of chirpy's. Thanks chirpy for the post, I'm so relaxed now knowing that I was right in disabling bfd from banning those IPs. Well, I still have a cron to clear the exim_deny file (yes, I am using chirpy's dictionary attack ACLs) very regularly. At the same time, I'm working with the clients to get their entire network of computers checked for spyware and viruses.
     