
Hundreds of failed root access each day

Discussion in 'Security' started by Shood, Jun 17, 2018.

  1. Shood

    Shood Well-Known Member

    Joined:
    Aug 12, 2015
    Messages:
    49
    Likes Received:
    8
    Trophy Points:
    83
    Location:
    Middle East
    cPanel Access Level:
    Root Administrator
    Hello,
    There are a lot of attempts to access root/user accounts on my server from around the world each day!
    Every few minutes I receive an email from my server system saying that there was an authentication failure when accessing the server's root or a user account
    ===========
    lfd on [myServer]: blocked [IP] (Country), with details like this format:
    IP:xxx (Country)
    Failures: 5 (sshd)
    Interval: 3600 seconds
    Blocked: Permanent Block [LF_SSHD]
    ===========
    I'm wondering why they do this!
    My server is one of millions of servers around the world; I'm not Google or Microsoft, so I'm not great prey for bad guys to hack! What great benefit could they achieve if they hack my root or an account I host?

    However, I think my server is well protected because I'm using this strategy:
    1- A complex root password, changed frequently.
    2- I don't set an expected user name for the account name when I create a new one; for example, if I want to host a new domain "MyDomain.com" I set a user name like DomMyN.
    3- The firewall is on, SSL is installed and cPanel is always updated to the latest version.

    Am I really as protected as I think? If not, what do you advise me to do more?
    Thank you.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,861
    Likes Received:
    89
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Shood likes this.
  3. Shood

    Shood Well-Known Member

    Hello 24x7server, Thank you for your reply.
    Yes, I checked it and there are no unauthorized IPs; I found only a range of 8 allowed IPs, which belong to cPanel support.
     
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    998
    Likes Received:
    44
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Regarding why they do this, I thought exactly the same when I first got my server.
    Within hours of it coming online it was being bombarded.
    I guess if they get in, they have a free server to send out thousands of spam emails.
    Think of it like this: if they scam an unsuspecting person out of a few thousand, and all they needed to do was hack your server, you'll understand why they do it.

    Consider closing port 22 and moving it.

    Consider installing CSF firewall.

    Also, if you know that you will be the only SSH user and you have a static IP, input your IP in 'Host Access Control' against SSH, and deny SSH to everyone else (All).

    However, make sure you have a backdoor, so to speak: make sure that you have your office IP, your home IP etc., so that if one changes, you still have a route in.

    Maybe consider adding the tech support IP from your server provider.

    Install ModSecurity.
     
    Shood likes this.
  5. Shood

    Shood Well-Known Member

    Thank you for the helpful reply,
    Yes, you're right, I wasn't aware of why they do that; it's a logical reason.
    I will add my tech support IP now, great idea.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,721
    Likes Received:
    186
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Shood likes this.
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    779
    Likes Received:
    274
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Hi @Shood

    Here are some notes and recommendations you might like to consider:

    You are much more interested in anyone successfully achieving an SSH (root) login than in all the failed attempts, and you probably don't want to be adding thousands of failed SSHD IPs to your csf.deny file, as it will quickly become unmanageable.

    1. In ConfigServer Security & Firewall > Login Failure Blocking and Alerts, set LF_SSHD=1 and LF_SSHD_Perm=(whatever temporary time you want, as long as it is NOT 0; I find a temp block for 10 mins is quite sufficient), and also set LF_SSH_EMAIL_ALERT=On
    2. Use the Temp to Perm/Netblock Settings to ban them permanently only if they are persistent in trying to brute force your SSHD.
    3. Make sure that the CSF/LFD email alerts are sent to an email address that you can set up a rule based on the subject line/content.
    4. Set up a rule to drop (delete/send to /dev/null or Trash folder, whatever you can) emails about FAILED SSHD login attempts. The rule should be carefully crafted to allow delivery of any successful SSHD login attempts. (After testing this, you might want to add your IP, if it is static, to the csf.allow file to prevent an email being sent every time you use SSHD).
    5. If you connect from a static IP, consider using Host Access Control to limit access to your WHM and SSHD. I recommend you add (allow) the cPanel support IPs, any data centre support IPs, and a fallback for yourself if you can.
    6. You might also want to enable cPHulk Brute Force Protection, but ensure your administrative IP is on the whitelist (and a fallback just in case) so you don't get yourself blocked and locked out.
    Hope this helps.
     
    #7 rpvw, Jun 18, 2018
    Last edited: Jun 18, 2018
    Shood and cPanelLauren like this.
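As an added example (not from the thread, and not CSF's or cPanel's code), a small Python triage of lfd alert mail in the format quoted in the first post, implementing rpvw's points 2 to 4: routine failed-SSHD block notices are dropped, a successful-login alert or a block of the administrator's own IP is delivered, and an IP that keeps getting temp-blocked is flagged for a permanent block. The mail text, the admin IP 192.0.2.10 and the repeat threshold are constructed assumptions.

```python
import re
from collections import Counter

# Field patterns for the lfd block alert format quoted in the first post.
SUBJECT_RE = re.compile(r"^lfd on (?P<host>\S+): blocked (?P<ip>[\d.]+) \((?P<cc>[^)]*)\)")
FAILURES_RE = re.compile(r"^Failures:\s*(?P<n>\d+)\s*\((?P<svc>\w+)\)", re.M)
BLOCKED_RE = re.compile(r"^Blocked:\s*(?P<kind>.+?)\s*\[(?P<trigger>[A-Z_]+)\]", re.M)

ADMIN_IPS = {"192.0.2.10"}   # hypothetical static admin IP (would be in csf.allow)
REPEAT_THRESHOLD = 3         # temp blocks of one IP before it is worth a look

def parse_alert(subject: str, body: str) -> dict:
    """Extract host, IP, failures, service and trigger from an lfd block alert."""
    m = SUBJECT_RE.match(subject)
    if not m:
        return {"kind": "other"}          # e.g. a successful SSH login alert
    info = {"kind": "block", **m.groupdict()}
    f = FAILURES_RE.search(body)
    b = BLOCKED_RE.search(body)
    info["failures"] = int(f.group("n")) if f else 0
    info["service"] = f.group("svc") if f else ""
    info["trigger"] = b.group("trigger") if b else ""
    return info

def triage(alerts, seen=None):
    """Return (action, ip) per alert: drop routine sshd block noise, deliver the rest."""
    seen = Counter() if seen is None else seen   # temp-block count per IP
    out = []
    for subject, body in alerts:
        a = parse_alert(subject, body)
        if a["kind"] != "block" or a["trigger"] != "LF_SSHD":
            out.append(("deliver", a.get("ip")))  # successful logins, other triggers
        elif a["ip"] in ADMIN_IPS:
            out.append(("deliver", a["ip"]))      # our own IP got blocked: read it now
        else:
            seen[a["ip"]] += 1
            persistent = seen[a["ip"]] >= REPEAT_THRESHOLD
            out.append(("escalate" if persistent else "drop", a["ip"]))
    return out

# Constructed sample alerts (not real lfd mail); 203.0.113.7 is blocked three times.
BLOCK_BODY = "IP: {ip} (XX)\nFailures: 5 (sshd)\nInterval: 3600 seconds\nBlocked: {kind} [LF_SSHD]\n"
SAMPLE = [("lfd on myServer: blocked 203.0.113.7 (XX)",
           BLOCK_BODY.format(ip="203.0.113.7", kind="Temporary Block"))] * 3 + [
    ("lfd on myServer: blocked 192.0.2.10 (XX)",
     BLOCK_BODY.format(ip="192.0.2.10", kind="Permanent Block")),
    ("lfd on myServer: SSH login alert for user root from 198.51.100.9 (XX)",
     "User: root\nIP: 198.51.100.9 (XX)\nMethod: publickey\n"),
]
```

The same split (block notices filtered, everything else delivered) is what a mail rule keyed on the subject line and the `[LF_SSHD]` tag would do; the counter is only needed if you want the persistent offenders back in your inbox.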
  8. Shood

    Shood Well-Known Member

  9. Shood

    Shood Well-Known Member

    So helpful, Thank you @rpvw
     
  10. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @Shood

    Rather than give you a list of unused ports, which could literally be thousands, it's easiest to show you how to find the used ports:

    ```bash
    netstat -tunlep | grep LISTEN | awk '{print $4}'
    ```
    You also wouldn't want to use anything in the range 32768 - 65535.

    Thanks!
     
    Shood likes this.
  11. keat63

    keat63 Well-Known Member

    I may be incorrect, but I was under the impression that the new port should be below 1024?
     
  12. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @keat63

    It doesn't have to be, but those are root privileged ports.
     
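An added example (not cPanelLauren's or CSF's code) that parses the `netstat -tunlep | grep LISTEN` output from post 10 and classifies a candidate SSH port the way posts 10 to 12 describe: already in use, inside the 32768 - 65535 range to avoid, root-privileged (below 1024) but otherwise usable, or simply free. The netstat sample is constructed.

```python
# Constructed sample of `netstat -tunlep | grep LISTEN` output (not real); columns are
# Proto Recv-Q Send-Q Local-Address Foreign-Address State User Inode PID/Program.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      1001/sshd
tcp        0      0 0.0.0.0:2083            0.0.0.0:*               LISTEN      0          12346      1002/cpsrvd
tcp6       0      0 :::443                  :::*                    LISTEN      0          12347      1003/httpd
"""

EPHEMERAL = range(32768, 65536)   # the range post 10 says to stay out of

def listening_ports(netstat_output: str) -> set:
    """Ports from the Local Address column (what awk '{print $4}' prints) of LISTEN lines."""
    ports = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue
        # Local Address looks like 0.0.0.0:22 or :::443; the port follows the last colon.
        ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports

def assess_port(port: int, netstat_output: str) -> str:
    """Classify a candidate SSH port: invalid, in-use, ephemeral, ok-privileged or ok."""
    if not 1 <= port <= 65535:
        return "invalid"
    if port in listening_ports(netstat_output):
        return "in-use"
    if port in EPHEMERAL:
        return "ephemeral"
    # Below 1024 only root can bind, which sshd does anyway, so it is allowed but noted.
    return "ok-privileged" if port < 1024 else "ok"
```

Whichever port passes, it has to be opened in the firewall (CSF's TCP_IN list) before sshd is moved, or the next login attempt is your own lock-out.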