Hundreds of failed root access each day

Hi,

The best way is to protect your server using host access control feature provided by the cPanel in the WHM. You can use it to restrict the SSh to limited IPs, so the risk of getting SSH accessed will go down to zero.. More information in the below link:
Host Access Control - Version 68 Documentation - cPanel Documentation

 

Regarding why they do this, i thought exactly the same when I first got my server.
Within hours of it coming online it was being bombarded.
I guess if they get in, they have a free server to send out thousands of spam emails.
Think of it like this, if they scam an unsuspecting person out of a few thousand, and all they needed to do was hack your server, you'll understand why they do it.

Consider closing port 22 and moving it.

Consider installing CSF firewall.

Also, if you know that you will be the only SSH user and you have a static IP, input your IP in 'Host Access Control' against SSH.

and deny SSH to everyone else (All).

However, make sure you have a backdoor so to speak, make sure that you have your office IP, your home IP etc, then if one changes, you still have a route in.

Maybe consider adding the tech support IP from your server provider.

Install ModSecurity.

 

Hi @Shood

Here are some notes and recommendations you might like to consider:

You are much more interested in anyone successfully achieving an SSH (root) login than with all the failed attempts, and you probably don't want to be adding thousands of failed SSHD IPs to your csf.deny file as it will quickly become unmanageable.

1. In ConfigServer Security & Firewall > Login Failure Blocking and Alerts > LF_SSHD=1 and LF_SSHD_Perm=(whatever temporary time you want as long as it is NOT 0 - I find a temp block for 10 mins is quite sufficient) and also set LF_SSH_EMAIL_ALERT=On
2. Use the Temp to Perm/Netblock Settings to ban them permanently only if they are persistent in trying to brute force your SSHD.
   
3. Make sure that the CSF/LFD email alerts are sent to an email address that you can set up a rule based on the subject line/content.
4. Set up a rule to drop (delete/send to /dev/null or Trash folder - whatever you can) based on FAILED SSHD login attempts. The rule should be carefully crafted to allow delivery of any successful SSHD login attempts. (After testing this, you might want to add your IP if it is static to the csf.allow file to prevent an email being sent every time you use SSHD).
5. If you connect from a static IP, consider using Host Access Control to limit access to your WHM and SSHD - I recommend you add (allow) the cPanel support IPs, and any data centre support IPs, and a fallover for yourself if you can.
   
6. You might also want to enable cPHulk Brute Force Protection, but ensure your administrative IP is on the whitelist (and a fallover just in case) so you don't get yourself blocked and locked out.

Hope this helps.

 

I may be incorrect, but I was under the impression that the new port should be below 1024 ??