The Community Forums

Interact with an entire community of cPanel & WHM users!

Hacks bypassing BFD.

Discussion in 'General Discussion' started by SuperBaby, Jan 9, 2005.

  1. SuperBaby

    SuperBaby Well-Known Member

    Joined:
    Nov 27, 2003
    Messages:
    331
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Thailand
    cPanel Access Level:
    Website Owner
    I installed BFD and almost every day I receive an email notification that BFD has banned certain IPs that tried to hack into my server. But I still get this from LogWatch:

    sshd:
    Authentication Failures:
    root (ftp.kkc.ac.th ): 63 Time(s)
    unknown (ftp.kkc.ac.th ): 139 Time(s)
    Invalid Users:
    Unknown Account: 139 Time(s)

    Why didn't BFD ban this user?
     
  2. fikse

    fikse Well-Known Member

    Joined:
    May 10, 2003
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    Are you sure the cron job is running every few minutes to parse the logs and ban users?
     
  3. SuperBaby

    SuperBaby Well-Known Member

    Joined:
    Nov 27, 2003
    Messages:
    331
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Thailand
    cPanel Access Level:
    Website Owner
    Yes. Every 10 minutes. It is working. That is why I am getting email notifications that it has banned certain IPs (a few such emails every day).
     
  4. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    If the attempted logins are coming in at, say, 10 or 20 attempted logins per minute, the attacking server can potentially get in a hundred or two login attempts before the BFD cron runs and blocks them.

    I simply use hosts.deny/hosts.allow and APF to deny access to the SSH port itself to anyone but me (by IP). Even if I have to leave a /24 open in hosts.allow when I'm on a dynamic dialup IP, it essentially keeps any of these hosts from even attempting to log in.
     
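The two points in the reply above, the window a cron-driven scanner leaves open and the effect of a TCP-wrappers allow-list, worked through as an added illustration. This is example code written for this page, not BFD, APF or cPanel code. Everything in it is constructed: the attacker address 10.0.0.77, the admin's /24 203.0.113.0, the 10-minute cron with a 5-failure threshold, and the sshd log lines the script generates for itself. The hosts.allow/hosts.deny matcher implements only the subset of the client syntax used here (ALL, an exact address, and a trailing-dot network prefix).

```python
import re
from datetime import datetime, timedelta

# syslog timestamps carry no year; this example assumes 2005, the thread's date.
YEAR = 2005
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def make_attack_log(src, start, attempts, gap_seconds):
    """Constructed sshd lines: one failed login every gap_seconds from src.
    Not captured from a real server."""
    lines = []
    for i in range(attempts):
        t = start + timedelta(seconds=i * gap_seconds)
        user, tag = ("root", "") if i % 2 == 0 else ("admin", "illegal user ")
        lines.append(
            f"{t:%b} {t.day:2d} {t:%H:%M:%S} host sshd[{2000 + i}]: "
            f"Failed password for {tag}{user} from {src} port {40000 + i} ssh2"
        )
    return lines


def parse_failures(lines):
    """Return [(timestamp, user, source_ip)] for every failed-password line."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events


def cron_ban(events, src, interval_minutes, threshold, first_run):
    """Model a scanner that cron starts every interval_minutes (first at
    first_run) and that bans src once the log shows >= threshold failures.
    Returns (ban_time, attempts_logged_before_ban); (None, n) if never banned."""
    times = sorted(t for t, _, s in events if s == src)
    if len(times) < threshold:
        return None, len(times)
    crossed = times[threshold - 1]      # threshold is reached here ...
    run = first_run
    while run < crossed:                # ... but nothing looks until the next tick
        run += timedelta(minutes=interval_minutes)
    return run, sum(1 for t in times if t < run)


def _client_matches(pattern, ip):
    """Subset of the hosts.allow client syntax: ALL, an exact address, or a
    dotted prefix such as '203.0.113.' for that whole /24."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _rules_match(rules, daemon, ip):
    for line in rules:
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue
        daemons, clients = fields[0].strip(), fields[1].strip()
        if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        if any(_client_matches(c.strip(), ip) for c in clients.split(",")):
            return True
    return False


def tcpwrap_allows(ip, hosts_allow, hosts_deny, daemon="sshd"):
    """TCP wrappers order: a hosts.allow match wins, then a hosts.deny match
    refuses, and a client matching neither file is allowed."""
    if _rules_match(hosts_allow, daemon, ip):
        return True
    if _rules_match(hosts_deny, daemon, ip):
        return False
    return True


def demo():
    attacker, start = "10.0.0.77", datetime(YEAR, 1, 9, 3, 0, 0)
    threshold = 5
    # 200 failures, one every 3 seconds: a 10-minute burst at 20/minute
    events = parse_failures(make_attack_log(attacker, start, 200, 3))
    ban_at, seen = cron_ban(events, attacker, interval_minutes=10,
                            threshold=threshold, first_run=datetime(YEAR, 1, 9, 3, 5, 0))
    hosts_allow = ["sshd: 203.0.113.   # the admin's /24, the only place logins come from"]
    hosts_deny = ["sshd: ALL"]
    return {
        "attempts_logged": len(events),
        "cron_ban_at": ban_at.strftime("%H:%M:%S"),
        "attempts_before_cron_ban": seen,
        "attempts_before_immediate_ban": threshold,   # a per-event trigger stops at the threshold
        "attacker_reaches_sshd": tcpwrap_allows(attacker, hosts_allow, hosts_deny),
        "admin_reaches_sshd": tcpwrap_allows("203.0.113.9", hosts_allow, hosts_deny),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these numbers the attacker crosses the 5-failure threshold 12 seconds into the burst, but the ban lands at the 03:05 cron tick, by which time 100 attempts have already been logged; that is exactly the LogWatch picture in the first post. With `sshd: ALL` in hosts.deny and only the admin's /24 in hosts.allow, the attacker's connection is refused before sshd ever authenticates, so there is nothing for BFD to count in the first place.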
