Hundreds of failed root access each day

[Shood]

Hello,
There are a lot of trying access to root/user from around the world each day to my server!
Each few minutes I receive an email from my server system that there is an authentication failure to access the root of server or a user account
===========
lfd on [myServer]: blocked [IP] (Country), with details like this format:
IP:xxx (Country)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
===========
I'm wondering why they did this!
My server is one of the millions of servers around the world, I'm not Google or Microsoft to be a great prey for bad guys to hack! What this great benefit could achieved for those if they hack my root or an account I host?

However I think my server is well protected because I'm using this strategy:
1- Complex root password changed frequently.
2- I don't set an expected user name for the account name when I create a new one, for example: if I want to host a new domain "MyDomain.com" I set user name like: DomMyN
3- Firewall is on, SSL installed and cPanel is always updated to the latest version.

Am I really protected as I think? if not, what do you advice me to do more?
Thank you.

 

[24x7server]

Hi,

The best way is to protect your server using host access control feature provided by the cPanel in the WHM. You can use it to restrict the SSh to limited IPs, so the risk of getting SSH accessed will go down to zero.. More information in the below link:
Host Access Control - Version 68 Documentation - cPanel Documentation

 

[Shood]

Hello 24x7server, Thank you for your reply.
Yes I checked it and there's no unauthorized IPs, I found only a range of 8 IPs allowed, belongs to cPanel support.

 

[keat63]

Regarding why they do this, i thought exactly the same when I first got my server.
Within hours of it coming online it was being bombarded.
I guess if they get in, they have a free server to send out thousands of spam emails.
Think of it like this, if they scam an unsuspecting person out of a few thousand, and all they needed to do was hack your server, you'll understand why they do it.

Consider closing port 22 and moving it.

Consider installing CSF firewall.

Also, if you know that you will be the only SSH user and you have a static IP, input your IP in 'Host Access Control' against SSH.

and deny SSH to everyone else (All).

However, make sure you have a backdoor so to speak, make sure that you have your office IP, your home IP etc, then if one changes, you still have a route in.

Maybe consider adding the tech support IP from your server provider.

Install ModSecurity.

 

[Shood]

Thank you for the help reply,
Yes you're right,I wasn't aware about what they do that, it's a logical reason.
I will add my tech support IP now, great idea.

 

[cPanelLauren]

Hello @Shood

You may also want to take a look at the following documentation we have:
Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation

As well as run the Security Advisor in cPanel at WHM>>Security Center>>Security Advisor.

Thanks!

 

[rpvw]

Hi @Shood

Here are some notes and recommendations you might like to consider:

You are much more interested in anyone successfully achieving an SSH (root) login than with all the failed attempts, and you probably don't want to be adding thousands of failed SSHD IPs to your csf.deny file as it will quickly become unmanageable.

1. In ConfigServer Security & Firewall > Login Failure Blocking and Alerts > LF_SSHD=1 and LF_SSHD_Perm=(whatever temporary time you want as long as it is NOT 0 - I find a temp block for 10 mins is quite sufficient) and also set LF_SSH_EMAIL_ALERT=On
2. Use the Temp to Perm/Netblock Settings to ban them permanently only if they are persistent in trying to brute force your SSHD.
   
3. Make sure that the CSF/LFD email alerts are sent to an email address that you can set up a rule based on the subject line/content.
4. Set up a rule to drop (delete/send to /dev/null or Trash folder - whatever you can) based on FAILED SSHD login attempts. The rule should be carefully crafted to allow delivery of any successful SSHD login attempts. (After testing this, you might want to add your IP if it is static to the csf.allow file to prevent an email being sent every time you use SSHD).
5. If you connect from a static IP, consider using Host Access Control to limit access to your WHM and SSHD - I recommend you add (allow) the cPanel support IPs, and any data centre support IPs, and a fallover for yourself if you can.
   
6. You might also want to enable cPHulk Brute Force Protection, but ensure your administrative IP is on the whitelist (and a fallover just in case) so you don't get yourself blocked and locked out.

Hope this helps.

 

[Shood]

Hello @Shood

You may also want to take a look at the following documentation we have:
Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation

As well as run the Security Advisor in cPanel at WHM>>Security Center>>Security Advisor.

Thanks!

Thank you so much Lauren, amazing tips
How to get a list of unused ports? I will move SSH access to a different port

 

[Shood]

Hi @Shood

Here are some notes and recommendations you might like to consider:

You are much more interested in anyone successfully achieving an SSH (root) login than with all the failed attempts, and you probably don't want to be adding thousands of failed SSHD IPs to your csf.deny file as it will quickly become unmanageable.

1. In ConfigServer Security & Firewall > Login Failure Blocking and Alerts > LF_SSHD=1 and LF_SSHD_Perm=(whatever temporary time you want as long as it is NOT 0 - I find a temp block for 10 mins is quite sufficient) and also set LF_SSH_EMAIL_ALERT=On
2. Use the Temp to Perm/Netblock Settings to ban them permanently only if they are persistent in trying to brute force your SSHD.
   
3. Make sure that the CSF/LFD email alerts are sent to an email address that you can set up a rule based on the subject line/content.
4. Set up a rule to drop (delete/send to /dev/null or Trash folder - whatever you can) based on FAILED SSHD login attempts. The rule should be carefully crafted to allow delivery of any successful SSHD login attempts. (After testing this, you might want to add your IP if it is static to the csf.allow file to prevent an email being sent every time you use SSHD).
5. If you connect from a static IP, consider using Host Access Control to limit access to your WHM and SSHD - I recommend you add (allow) the cPanel support IPs, and any data centre support IPs, and a fallover for yourself if you can.
   
6. You might also want to enable cPHulk Brute Force Protection, but ensure your administrative IP is on the whitelist (and a fallover just in case) so you don't get yourself blocked and locked out.

Hope this helps.

So helpful, Thank you @rpvw

 

[cPanelLauren]

Hi @Shood

Rather than give you a list of ports that are unused which could be literally thousands it's easiest to show you how to find used ports:

netstat -tunlep | grep LISTEN | awk '{print $4}'

You also wouldn't want to use anything in the range of 32768 - 65535

Thanks!

 

[keat63]

I may be incorrect, but I was under the impression that the new port should be below 1024 ??

 

[cPanelLauren]

Hi @keat63

It doesn't have to be, but those are root privileged ports.