How to stop these login attempts

Discussion in 'General Discussion' started by moFBush, Jun 17, 2006.

  1. moFBush

    moFBush Well-Known Member

    Hello,

    I recently configured and started to use LogWatcher on my server that runs Webhost Manager and cPanel. The following information was sent to me from LogWatch:

    Code:
     --------------------- SSHD Begin ------------------------ 
    
     
     Didn't receive an ident from these IPs:
        210.103.124.7: 5 Time(s)
        213.180.161.100 (cust.static.213-180-161-100.cybernet.ch): 5 Time(s)
        84.19.176.196 (ns.km21707-05.keymachine.de): 5 Time(s)
     
     Failed logins from:
        58.241.118.116: 15 times
           root/password: 15 times
        210.103.124.7: 105 times
           root/password: 81 times
           ftp/password: 8 times
           mysql/password: 3 times
           mail/password: 2 times
           news/password: 2 times
           adm/password: 1 time
           bin/password: 1 time
           games/password: 1 time
           lp/password: 1 time
           mailman/password: 1 time
           nobody/password: 1 time
           operator/password: 1 time
           rpm/password: 1 time
           sshd/password: 1 time
        213.180.161.100 (cust.static.213-180-161-100.cybernet.ch): 5 times
           root/password: 5 times
     
     Illegal users from:
        58.241.118.116: 30 times
           admin/password: 10 times
           test/password: 10 times
           guest/password: 5 times
           user/password: 5 times
        84.19.176.196 (ns.km21707-05.keymachine.de): 18 times
           test/password: 18 times
        210.103.124.7: 257 times
           admin/password: 14 times
           test/password: 10 times
           liviu/password: 9 times
           user/password: 8 times
           master/password: 7 times
           network/password: 7 times
           pgsql/password: 7 times
           password/password: 5 times
           fluffy/password: 4 times
           guest/password: 4 times
           sanda/password: 4 times
           username/password: 4 times
           webmaster/password: 4 times
           info/password: 3 times
           michael/password: 3 times
           shell/password: 3 times
           Zmeu/password: 2 times
           admins/password: 2 times
           apache/password: 2 times
           cmd/password: 2 times
           library/password: 2 times
           linux/password: 2 times
           mike/password: 2 times
           oracle/password: 2 times
           richard/password: 2 times
           unix/password: 2 times
           webadmin/password: 2 times
           word/password: 2 times
           wwwrun/password: 2 times
           Aaliyah/password: 1 time
           Aaron/password: 1 time
           Aba/password: 1 time
           Abel/password: 1 time
           Access/password: 1 time
           Exit/password: 1 time
           Ionut/password: 1 time
           Jewel/password: 1 time
           adam/password: 1 time
           add/password: 1 time
           address/password: 1 time
           adrian/password: 1 time
           alan/password: 1 time
           alex/password: 1 time
           alin/password: 1 time
           alina/password: 1 time
           alinus/password: 1 time
           amanda/password: 1 time
           andrei/password: 1 time
           angel/password: 1 time
           aron/password: 1 time
           at/password: 1 time
           backup/password: 1 time
           bash/password: 1 time
           bnc/password: 1 time
           bran/password: 1 time
           brett/password: 1 time
           cafe/password: 1 time
           cap/password: 1 time
           cgi/password: 1 time
           ch/password: 1 time
           char/password: 1 time
           com/password: 1 time
           commando/password: 1 time
           copy/password: 1 time
           danny/password: 1 time
           data/password: 1 time
           david/password: 1 time
           denied/password: 1 time
           dulap/password: 1 time
           edit/password: 1 time
           flopy/password: 1 time
           george/password: 1 time
           get/password: 1 time
           hacker/password: 1 time
           haxor/password: 1 time
           help/password: 1 time
           hk/password: 1 time
           http/password: 1 time
           httpd/password: 1 time
           hy/password: 1 time
           id/password: 1 time
           ident/password: 1 time
           if/password: 1 time
           internet/password: 1 time
           irc/password: 1 time
           ircop/password: 1 time
           is/password: 1 time
           it/password: 1 time
           john/password: 1 time
           kathi/password: 1 time
           kayten/password: 1 time
           kernel/password: 1 time
           ldap/password: 1 time
           max/password: 1 time
           mcedit/password: 1 time
           michi/password: 1 time
           mikael/password: 1 time
           name/password: 1 time
           net/password: 1 time
           nick/password: 1 time
           nickname/password: 1 time
           nicole/password: 1 time
           not/password: 1 time
           ok/password: 1 time
           open/password: 1 time
           oper/password: 1 time
           org/password: 1 time
           party/password: 1 time
           paul/password: 1 time
           pe/password: 1 time
           pico/password: 1 time
           pl/password: 1 time
           play/password: 1 time
           postfix/password: 1 time
           postmaster/password: 1 time
           print/password: 1 time
           printul/password: 1 time
           psybnc/password: 1 time
           radu/password: 1 time
           resin/password: 1 time
           rex/password: 1 time
           robert/password: 1 time
           rumeno/password: 1 time
           sabin/password: 1 time
           sales/password: 1 time
           samba/password: 1 time
           sara/password: 1 time
           search/password: 1 time
           sef/password: 1 time
           send/password: 1 time
           sex/password: 1 time
           sgi/password: 1 time
           sh/password: 1 time
           sharon/password: 1 time
           shop/password: 1 time
           smecher/password: 1 time
           squid/password: 1 time
           ssh/password: 1 time
           stan/password: 1 time
           station/password: 1 time
           stef/password: 1 time
           stephen/password: 1 time
           steven/password: 1 time
           sunny/password: 1 time
           sunsun/password: 1 time
           susan/password: 1 time
           suva/password: 1 time
           technicom/password: 1 time
           telnet/password: 1 time
           tgz/password: 1 time
           to/password: 1 time
           trib/password: 1 time
           uk/password: 1 time
           undernet/password: 1 time
           unseen/password: 1 time
           us/password: 1 time
           users/password: 1 time
           web/password: 1 time
           webpop/password: 1 time
           work/password: 1 time
           www-data/password: 1 time
           www/password: 1 time
           yahoo/password: 1 time
           za/password: 1 time
     
    How can I stop these attempts? There are two accounts on my machine, root and an account that runs my website, each of which has a very strong password of at least 30+ alphanumeric and "special" characters, so I firmly believe the passwords will not be cracked any time soon.

    Thanks
     
  2. webignition

    webignition Well-Known Member

    A common method is to use an iptables-based firewall to manage who can or can't access a given server coupled with a compatible 'failed login' checker that will then block IPs that use brute force methods.

    APF+BFD is a popular choice and configserver.com's CSF+LFD is a new and viable option.
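
The kind of check a 'failed login' checker performs, as an added example (not code from APF, BFD, CSF or LFD, and not from any poster in this thread): count failed sshd password attempts per source address in a sliding window and produce an iptables DROP rule for each address over the limit. The log line format, the threshold, the window, the assumed year and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is chosen by the client, so match it greedily and take the
# address from the fixed tail that sshd itself writes at the end of the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?.* "
    r"from (?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?$"
)

# Constructed sample (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = "\n".join(
    [f"Jun 17 04:12:{s:02d} host sshd[2101]: Failed password for root "
     f"from 203.0.113.7 port 40112 ssh2" for s in range(0, 60, 10)]  # 6 in a minute
    + [f"Jun 17 0{h}:00:00 host sshd[2102]: Failed password for illegal user test "
       f"from ::ffff:198.51.100.23 port 5022 ssh2" for h in range(1, 7)]  # 1 per hour
    + ["Jun 17 04:13:00 host sshd[2103]: Accepted password for root from 192.0.2.10 port 50000 ssh2",
       "Jun 17 04:13:05 host sshd[2104]: Did not receive identification string from 203.0.113.7"]
)

def find_offenders(log_text, threshold=5, window=timedelta(minutes=5),
                   allowlist=frozenset(), year=2006):
    """Map each address with >= threshold failures inside `window` to the time
    it crossed the limit. Lines are assumed to be in chronological order;
    syslog timestamps carry no year, so `year` is supplied by the caller."""
    recent = defaultdict(deque)   # address -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or m.group("ip") in allowlist:   # never block trusted admin hosts
            continue
        ip = m.group("ip")
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:               # forget attempts that aged out
            q.popleft()
        if len(q) >= threshold:
            offenders.setdefault(ip, when)
    return offenders

def drop_rules(offenders):
    """Rules are returned as text only; the address was validated by FAILED."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE_LOG))))
```

The slow source (one attempt per hour) stays under the default window, which is why such checkers are usually tuned together with a longer-term counter.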
     
  3. mohit

    mohit Well-Known Member


    Hi,
    That seems to be some kind of attack on your SSH port. You may change the SSH port to a higher value than the default "port 22"; this will put you on a bit safer side, as default ports are always prone to such login attempts.

    Have a look at the discussion below; it has all the info you would need.
    http://forums.cpanel.net/showthread.php?t=40374&highlight=changing+ssh+port

    see ya,
    mohit
     
  4. moFBush

    moFBush Well-Known Member

    Where is some documentation about APF+BFD?
     
  5. webignition

    webignition Well-Known Member

  6. morfargekko

    morfargekko Member
