The Community Forums

Editing BFD "Sensitivity"?

Discussion in 'General Discussion' started by Boriskag, Apr 22, 2006.

  1. Boriskag

    Boriskag Well-Known Member

    Joined:
    Apr 8, 2006
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Hi. I've been using cPanel for about a week and a half and it's a huge leap forward compared to what I used to use (VHCS). I'm not that experienced in Linux, but I can pretty much follow instructions to complete a task.

    Anyways, one of the main reasons why I did all the upgrades was for security reasons. VHCS gets hacked in about 2 seconds by 12 year olds, that's how bad it is. Now using cPanel and Brute Force Detector + APF, I've got around 10 or 12 IPs in the deny_hosts file of hack attempts on SSH and FTP.

    I'm glad that it caught all the hack attempts, but it usually ends up being a huge list of attempts over a prolonged period of time. Just last night, I blocked someone trying to login to FTP using the name "Administrator" 17 times.

    Anyways, before I start rambling on again, lemme get to the point of this post. :rolleyes:

    I searched the forums several times and did an extensive search on Google just to find how to install BFD and APF. What I want to try and do is to set BFD's "detector" to be very sensitive, say 5 wrong passwords in 10 minutes or even 20 minutes. (All the hack attempts I get are usually attempted logins in 1 or 2 minute intervals).

    I also remember reading something about a Dictionary Word Detector (I forgot what it's called). Is that any good?

    And here is the list of IPs I have in my denied list.
    (I checked a few of them, not all, but I think they are all from Turkey.)

     
    #1 Boriskag, Apr 22, 2006
    Last edited: Apr 22, 2006
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Firstly, I suggest you change the SSH port number and/or restrict the IP ranges allowed to access the standard SSH port. This will reduce the volume of attempts getting logged.

    Secondly, if you're running BFD, you want to run the command:

    Code:
    echo /etc/relayhosts >> /usr/local/bfd/exclude.files
    This will cause authenticated IPs (i.e. those who logged into POP successfully) not to get blocked - an awfully nice feature that will prevent real users getting blocked.

    Chirpy has a free install -- see configserver.com - for a dictionary attack blocker, definitely install it. Probably also worth getting his server security service installed, that way you won't have to worry about server security for a while and it'll give you time to learn (that's not free, but the dictionary attack code is). The dictionary attack code is a must have, simply because otherwise an active dictionary attack will absorb about 30%+ of your machine.
     
  3. Boriskag

    Boriskag Well-Known Member

    Joined:
    Apr 8, 2006
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Ok, thanks a lot. I already installed the dictionary attack code while I was waiting for a reply...

    I would still like to set BFD to ban the IP after, say, the first 5 attempts in 20 minutes if that's possible.
     
  4. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  5. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Honestly, don't waste your time by going there. Just change the SSH port. Why? Not only does it take you away from the script kiddies, and reduce the volume of "noise" in your logfile; it also makes it much harder for an automated attack to succeed.

    What I mean by this is, if at some hypothetical future point an SSH compromise emerges, you are then protected as they won't find your SSH on port 22 and will skip by your machine. I think this is just a simple win-win.

    A good system admin keeps things simple - this is a key part of doing things right. Changing the SSH port is a simple, clean solution. Installing and configuring complex monitoring software that may need tuning as time goes on - and which provides less benefit than changing the port number - is going to cost you time, money and effort, and you don't want that!

    To find how to change the port number, Google for "SSH port number change" or similar.
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    ps: denyhosts does look cool! :) If you do that AND change the port number, you'll be laughing!
     
  7. Boriskag

    Boriskag Well-Known Member

    Joined:
    Apr 8, 2006
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    I understand the advantages of changing the port number, but the attacks seem to attack high-numbered ports, e.g.:

    Apr 22 21:04:52 localhost sshd[27331]: Did not receive identification string from ::ffff:80.95.70.171
    Apr 22 21:11:34 localhost sshd[27499]: Failed password for root from ::ffff:80.95.70.171 port 32864 ssh2
    Apr 22 21:11:35 localhost sshd[27501]: Invalid user admin from ::ffff:80.95.70.171
    Apr 22 21:11:38 localhost sshd[27501]: Failed password for invalid user admin from ::ffff:80.95.70.171 port 33213 ssh2
    Apr 22 21:11:39 localhost sshd[27503]: Invalid user test from ::ffff:80.95.70.171
    Apr 22 21:11:42 localhost sshd[27503]: Failed password for invalid user test from ::ffff:80.95.70.171 port 33548 ssh2
    Apr 22 21:11:43 localhost sshd[27505]: Invalid user guest from ::ffff:80.95.70.171
    Apr 22 21:11:45 localhost sshd[27505]: Failed password for invalid user guest from ::ffff:80.95.70.171 port 33891 ssh2

    I don't even think I have those ports open in APF. Maybe an even more secure way of doing this is to simply allow the specific ports through the router port forwarding; that way, ports like 32864 wouldn't even get to the server, period.
     
  8. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Boris, we thinks you are getting confused dude! :)

    The port numbers you see there are the remote ports, on the originating machines, completely irrelevant for our purposes. The attacks are still coming in on port 22. Change your SSH port number to something else (make sure you verify that you'll still be able to access it first, if possible enable both ports initially).

    Note - when you change "your SSH port number" - you're actually changing the incoming port number.
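    The two points above, as an added Python example that is not from the thread and not BFD's own code: it parses sshd "Failed password" lines of the shape Boris quoted, reads the trailing "port NNNNN" as the client's source port (not the port sshd listens on), and flags a source IP once it reaches the "5 failures in 20 minutes" threshold Boris asked for, using a sliding window. The log lines and addresses in it are constructed placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (same shape as the thread's); addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Apr 22 21:11:34 localhost sshd[27499]: Failed password for root from ::ffff:192.0.2.10 port 32864 ssh2
Apr 22 21:11:38 localhost sshd[27501]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 33213 ssh2
Apr 22 21:11:42 localhost sshd[27503]: Failed password for invalid user test from ::ffff:192.0.2.10 port 33548 ssh2
Apr 22 21:11:45 localhost sshd[27505]: Failed password for invalid user guest from ::ffff:192.0.2.10 port 33891 ssh2
Apr 22 21:12:01 localhost sshd[27507]: Failed password for invalid user oracle from ::ffff:192.0.2.10 port 34102 ssh2
Apr 22 21:40:00 localhost sshd[27600]: Failed password for bob from ::ffff:198.51.100.7 port 50123 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+) port (?P<sport>\d+) ssh2$"
)

def parse_failed(line, year=2006):
    """Return (timestamp, user, source_ip, source_port) for a failed-password line, else None.
    Syslog lines carry no year, so one is supplied. 'port NNNNN' is the client's ephemeral
    source port, which is why it looks random and high; sshd itself is still on its listening port."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], int(m["sport"])

def offenders(log_text, max_failures=5, window_minutes=20):
    """Sliding-window counter per source IP. Returns {ip: time_flagged} for every IP that
    reaches max_failures failed logins within any window_minutes span; other lines are ignored."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    window = window_minutes * 60
    for line in log_text.splitlines():
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, _user, ip, _sport = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

It only reports which source IP would trip the threshold; blocking stays with the firewall (APF in this thread).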
     
  9. Boriskag

    Boriskag Well-Known Member

    Joined:
    Apr 8, 2006
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Oh. ok.

    Yes, you're right, I was getting confused. I don't know much about Linux and all that, I just run the server through cPanel. :eek:
     