The Community Forums


Configure cPHulk, LogWatch showing thousands of login attempts!

Discussion in 'Security' started by louish, Oct 31, 2008.

  1. louish

    louish Member

    Joined:
    Feb 2, 2006
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    I have my cPHulk "maximum failures from IP" set to 5. If that's the case, how come almost every day, when I get my LogWatch email, it shows THOUSANDS of login attempts?


    sshd:
    Authentication Failures:
    unknown (79.171.21.6): 2286 Time(s)
    unknown (189-19-242-3.dsl.telesp.net.br): 193 Time(s)
    root (189-19-242-3.dsl.telesp.net.br): 160 Time(s)
    unknown (63.81.37.52): 124 Time(s)
    root (79.171.21.6): 41 Time(s)
    root (63.81.37.52): 15 Time(s)

    -- SNIP --

    Received disconnect:
    11: Bye Bye
    ::ffff:189.19.242.3 : 357 Time(s)
    ::ffff:213.217.58.139 : 10 Time(s)
    ::ffff:63.81.37.52 : 168 Time(s)
    ::ffff:79.171.21.6 : 2434 Time(s)
    ::ffff:88.40.238.138 : 8 Time(s)



    The email is very long, showing thousands of different login attempts.

    This happens on all my servers (about 6). Is there a way to actually block someone's IP automatically so they can't even attempt to log in?
     
  2. SB-Nick

    SB-Nick Well-Known Member

    Joined:
    Aug 26, 2008
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello,

    It might be that the cPHulk daemon is not working properly.
    Are you sure cPHulk says "Enabled" at the top?
    Otherwise you can try installing BFD (Brute Force Detection) or disable root login in the /etc/ssh/sshd.conf config file.
    This will reduce the brute force attempts a lot.
     
  3. louish

    louish Member

    Joined:
    Feb 2, 2006
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    I have root SSH login disabled on all my servers. Whatever script kitty is doing this tries many usernames, not just root. Attached to this message is a sample log file from the other day.

    I only have ssh enabled on a couple accounts, which is good, but as you can see from this log below, they're trying to hack in through more services than just ssh. They try pop too.

    Also, one of my settings in the cPHulk is "Maximum Failures Per IP", which is set to 5, but then in the list of failed logins below my settings, I can clearly see more than 5 attempts per IP all on the same day, within a few minutes.

    You can see from this snippet below that they are attempting many different usernames from the same IP. It seems my "5" failure setting only applies to the POP3 logins, but not SSH. Isn't there a way to completely block someone's IP if they fail too many times, on any service?

    Am I the only one having these issues? Every cPanel/WHM server I have has the same problem. Each server is a completely different domain, not related at all. Usually a few months after having the server up and running, it starts to get many login attempts.


    --------------------- pam_unix Begin ------------------------

    sshd:
    Authentication Failures:
    root (194.72.73.247): 128 Time(s)
    unknown (220.164.144.180): 125 Time(s)
    unknown (194.72.73.247): 76 Time(s)
    root (220.164.144.180): 15 Time(s)
    adm (220.164.144.180): 1 Time(s)
    alex (220.164.144.180): 1 Time(s)
    apache (220.164.144.180): 1 Time(s)
    bin (220.164.144.180): 1 Time(s)
    daemon (220.164.144.180): 1 Time(s)
    ftp (220.164.144.180): 1 Time(s)
    games (220.164.144.180): 1 Time(s)
    gopher (220.164.144.180): 1 Time(s)
    halt (220.164.144.180): 1 Time(s)
     

    Attached Files:
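An added example (not from this thread or from cPanel) that reads a LogWatch pam_unix section in the layout quoted above and totals failures per source address across every username and service. That per-source view is what shows a host blowing past a per-IP limit of 5 even when each username line reads only "1 Time(s)". The report text is constructed, with documentation address ranges rather than the thread's real hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the LogWatch pam_unix layout quoted in this thread
# (addresses are RFC 5737 documentation ranges, not the thread's real hosts).
SAMPLE = """\
--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (203.0.113.10): 128 Time(s)
unknown (203.0.113.10): 76 Time(s)
unknown (198.51.100.7): 125 Time(s)
adm (198.51.100.7): 1 Time(s)
alex (198.51.100.7): 1 Time(s)
apache (198.51.100.7): 1 Time(s)
root (192.0.2.44): 3 Time(s)

pop3:
Authentication Failures:
bob (192.0.2.44): 4 Time(s)
"""

# "user (host): N Time(s)" entries and the "service:" headers above them.
ENTRY = re.compile(r"^\s*(?P<user>\S+) \((?P<host>[^)]+)\): (?P<n>\d+) Time\(s\)$")
SERVICE = re.compile(r"^\s*(?P<svc>\S+):$")


def summarize(report, max_failures=5):
    """Aggregate failures per source host across all usernames and services;
    return {host: {"attempts", "users", "services"}} for hosts over max_failures."""
    totals = defaultdict(lambda: {"attempts": 0, "users": set(), "services": set()})
    service = None
    for line in report.splitlines():
        m = SERVICE.match(line)
        if m:
            service = m.group("svc")   # e.g. "sshd:" or "pop3:"
            continue
        m = ENTRY.match(line)
        if m is None or service is None:
            continue
        rec = totals[m.group("host")]
        rec["attempts"] += int(m.group("n"))
        rec["users"].add(m.group("user"))
        rec["services"].add(service)
    # Only sources that exceeded the per-IP limit (cPHulk's "5" in the thread).
    return {h: r for h, r in totals.items() if r["attempts"] > max_failures}
```

Running summarize(SAMPLE) flags all three sources: the one hitting only root/unknown, the one spraying usernames at one attempt each, and the one whose sshd and pop3 failures only cross the limit when added together.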

  4. louish

    louish Member

    Joined:
    Feb 2, 2006
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    I just set up my hosts.allow file to restrict all sshd access from ALL except my own set of personal IPs.

    We'll see if this helps with my daily massive amounts of LogWatch failed attempts.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I don't use cPHulk, I use CSF. http://www.configserver.com/cp/csf.html Also SSH is moved to another port. 5 failed logins and they're auto-blocked, permanently.
     
  6. louish

    louish Member

    Joined:
    Feb 2, 2006
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    Maybe someone can help me out.

    I locked down SSHD by using the example in the cPHulk pages:

    Daemon   Access List                  Action   Comment
    sshd     192.168.0.0/255.255.255.0    allow    Allow local SSH access
    sshd     198.66.254.254               allow    Allow SSH from my specific IP
    sshd     ALL                          deny     Deny access from all other IPs


    But then I have some clients complaining that they can't connect to FTP. When they sent me a screenshot of them trying to connect, I noticed that the screenshot included text like:

    State Change: SSH_STATE_UNINITIALIZED->SSH_STATE_CONNECTING
    State Change: SSH_STATE_CONNECTING->SSH_STATE_EXPECT_IDENTIFIER
    connected
    RECV: TCP/IP close
    State Change: SSH_STATE_EXPECT_IDENTIFIER->SSH_STATE_CLOSED
    Control connection could not be established


    We use proftpd, so I'm confused at why the log appears to be using some type of SSH. It's blocking his access now.

    Any suggestions?
     
  7. nxweb

    nxweb Active Member

    Joined:
    Oct 29, 2008
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    By only allowing your IPs you blocked the clients' ability to authenticate. The best solution is just to move SSH to a new port, disable password login, and force the use of SSH keys.
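To see why the sshd allow-list hit an FTP customer, here is an added model (not cPanel's or tcp_wrappers' own code) of how the three rules from the post above are evaluated: one ordered list, first match wins, and a daemon with no matching rule is left open. The SSH_STATE lines in the customer's screenshot are an SFTP client, which connects through sshd rather than proftpd; the client address 203.0.113.5 is a constructed example.

```python
import ipaddress

# The Host Access Control rules from the post, as (daemon, client pattern, action).
RULES = [
    ("sshd", "192.168.0.0/255.255.255.0", "allow"),  # local network
    ("sshd", "198.66.254.254", "allow"),             # the admin's own address
    ("sshd", "ALL", "deny"),                         # everyone else
]


def pattern_matches(pattern, client_ip):
    """Match one tcp_wrappers-style client pattern: ALL, a single address,
    or net/mask (ipaddress accepts the dotted-mask form used in the post)."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def decide(daemon, client_ip, rules=RULES):
    """First matching rule wins. With no rule matching, tcp_wrappers lets the
    connection through, so daemons without rules (proftpd here) are unaffected."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon in (daemon, "ALL") and pattern_matches(pattern, client_ip):
            return action
    return "allow"


def client_verdicts(client_ip):
    """What a customer at client_ip gets for plain FTP versus SFTP. SFTP rides on
    sshd, so the final sshd deny rule rejects it while proftpd stays reachable."""
    return {"ftp (proftpd)": decide("proftpd", client_ip),
            "sftp (sshd)": decide("sshd", client_ip)}
```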
     