
Help. INTRUDERS!

Discussion in 'General Discussion' started by audigy, Jan 31, 2005.

  1. audigy

    audigy Member

    Hey, hopefully someone here can help me.


    How do I stop this?

    sshd:
    Invalid Users:
    Unknown Account: 10 Time(s)
    Authentication Failures:
    root (lcg00131.grid.sinica.edu.tw ): 555 Time(s)
    unknown (lcg00131.grid.sinica.edu.tw ): 9 Time(s)
    unknown (211.234.112.140 ): 1 Time(s)


    I have not tried to login to the server ALL day with SSH and ALL of the user accounts do not have SSH enabled so this is obviously a hacker trying to get in.
     
  2. nerdzoll

    nerdzoll Well-Known Member

    A couple of things

    Firstly, I would install APF and BFD (www.rfxnetworks.com); this will give you a good firewall and brute force attack stopper.
    Also, I would run SSH on a non-standard port (and also preferably on an IP with no web addresses attached).
    Finally, I would disallow the root user from logging into SSH directly and create a new user that can be added to the "wheel" group of users that can su - into root.

    If you do a search on these forums you can get the details of how to do most of that... but at a minimum APF and BFD are a good start.

    EDIT: see http://forums.cpanel.net/showthread.php?t=14443&highlight=secure+server
     
    #2 nerdzoll, Jan 31, 2005
    Last edited: Jan 31, 2005
  3. audigy

    audigy Member

    Thanks. The root user can't log in to SSH directly; I have added a "regular" user to the wheel group, but it was just starting to get me worried. I will try the firewalls and see if that slows it down any.

    Again Thanks
     
  4. Finley Ave

    Finley Ave Active Member

    This was probably an automated attack from an infected box. BFD is overrated for this kind of attack. The infected box will just try dumb passwords and move on to another victim. As soon as you block that box from making dumb attempts on you, some other box will come around the next day. Your best defense against this kind of attack is non standard ssh port and to have passwords better than something like 'test'. If your password is "4dGwR22Y", a brute force attack is going to take a little more than 555 attempts.
     
  5. Norman

    Norman Well-Known Member

    This actually happens A LOT.

    It's probes and attacks from script kiddies trying to break in. Most of the time they start on an IP block and work their way through.

    If you haven't installed apf/bfd I would do so.

    If you need help, let us know; we can always help, but there is a lot of info on these boards on how to install it.

    There is one server I admin that gets BFD (Brute Force Detection) emails 4 - 5 times a day..
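The per-user/per-host failure summary in the first post, and the threshold-based blocking that BFD feeds to APF, come down to counting `Failed password` lines in the sshd log by source. The script below is an added example, not code from this thread or from the rfxnetworks tools; the log lines are constructed, and the threshold of 4 is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample sshd/syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 31 03:12:01 host sshd[2101]: Failed password for root from 10.0.0.5 port 41022 ssh2
Jan 31 03:12:03 host sshd[2103]: Failed password for root from 10.0.0.5 port 41030 ssh2
Jan 31 03:12:05 host sshd[2105]: Failed password for invalid user admin from 10.0.0.5 port 41041 ssh2
Jan 31 03:12:09 host sshd[2107]: Failed password for root from 10.0.0.5 port 41052 ssh2
Jan 31 03:15:44 host sshd[2150]: Failed password for invalid user test from 192.0.2.9 port 5522 ssh2
Jan 31 03:16:00 host sshd[2160]: Accepted publickey for deploy from 198.51.100.7 port 50100 ssh2
"""

# "invalid user" marks a name that does not exist; the summary calls those "unknown".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def summarize_failures(log_text):
    """Return (per (user, source) counts, per-source totals) for failed password logins."""
    per_user_src = Counter()
    per_src = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are not failures
        user = "unknown" if m.group("invalid") else m.group("user")
        per_user_src[(user, m.group("src"))] += 1
        per_src[m.group("src")] += 1
    return per_user_src, per_src


def sources_to_block(per_src, threshold):
    """Sources whose failure count reached the threshold; a BFD-style tool hands these to the firewall."""
    return sorted(src for src, n in per_src.items() if n >= threshold)


def format_summary(per_user_src):
    """Render lines in the 'user (source): N Time(s)' style of the logwatch report above."""
    return [f"{user} ({src}): {n} Time(s)" for (user, src), n in sorted(per_user_src.items())]


if __name__ == "__main__":
    by_user_src, by_src = summarize_failures(SAMPLE_LOG)
    print("\n".join(format_summary(by_user_src)))
    print("block:", sources_to_block(by_src, threshold=4))  # assumed threshold
```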
     