Hundreds of failed root access attempts each day

Shood (Well-Known Member, joined Aug 12, 2015; cPanel Access Level: Root Administrator)
Hello,
There are a lot of attempts to access root/user accounts on my server from around the world each day!
Every few minutes I receive an email from my server saying that there has been an authentication failure accessing the server's root or a user account:
===========
lfd on [myServer]: blocked [IP] (Country), with details like this format:
IP:xxx (Country)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
===========
I'm wondering why they do this!
My server is one of millions of servers around the world; I'm not Google or Microsoft, so I am hardly great prey for bad guys to hack! What great benefit could they achieve by hacking my root or an account I host?

However, I think my server is well protected because I'm using this strategy:
1- Complex root password changed frequently.
2- I don't use a predictable user name when I create a new account; for example, if I want to host a new domain "MyDomain.com" I set a user name like DomMyN.
3- Firewall is on, SSL installed and cPanel is always updated to the latest version.

Am I really as protected as I think? If not, what do you advise me to do in addition?
Thank you.
 

24x7server (Well-Known Member, joined Apr 17, 2013; cPanel Access Level: Root Administrator)

Shood (Well-Known Member, joined Aug 12, 2015; cPanel Access Level: Root Administrator)
Hello 24x7server, thank you for your reply.
Yes, I checked it and there are no unauthorized IPs; I found only a range of 8 allowed IPs, which belong to cPanel support.
 

keat63 (Well-Known Member, joined Nov 20, 2014; cPanel Access Level: Root Administrator)
Regarding why they do this, I thought exactly the same when I first got my server.
Within hours of it coming online it was being bombarded.
I guess if they get in, they have a free server to send out thousands of spam emails.
Think of it like this, if they scam an unsuspecting person out of a few thousand, and all they needed to do was hack your server, you'll understand why they do it.

Consider closing port 22 and moving SSH to a different port.

Consider installing CSF firewall.

Also, if you know that you will be the only SSH user and you have a static IP, input your IP in 'Host Access Control' against SSH, and deny SSH to everyone else (ALL).

However, make sure you have a backdoor, so to speak: make sure that you have your office IP, your home IP etc. in there, so that if one changes, you still have a route in.

Maybe consider adding the tech support IP from your server provider.

Install ModSecurity.
 

Shood (Well-Known Member, joined Aug 12, 2015; cPanel Access Level: Root Administrator)
Thank you for the helpful reply.
Yes, you're right; I wasn't aware of why they do that, it's a logical reason.
I will add my tech support IP now, great idea.
 

cPanelLauren (Product Owner, Staff member, joined Nov 14, 2017)

rpvw (Well-Known Member, joined Jul 18, 2013; cPanel Access Level: Root Administrator)
Hi @Shood

Here are some notes and recommendations you might like to consider:

You are much more interested in anyone successfully achieving an SSH (root) login than with all the failed attempts, and you probably don't want to be adding thousands of failed SSHD IPs to your csf.deny file as it will quickly become unmanageable.

  1. In ConfigServer Security & Firewall > Login Failure Blocking and Alerts > LF_SSHD=1 and LF_SSHD_Perm=(whatever temporary time you want as long as it is NOT 0 - I find a temp block for 10 mins is quite sufficient) and also set LF_SSH_EMAIL_ALERT=On
  2. Use the Temp to Perm/Netblock Settings to ban them permanently only if they are persistent in trying to brute force your SSHD.
  3. Make sure that the CSF/LFD email alerts are sent to an email address that you can set up a rule based on the subject line/content.
  4. Set up a rule to drop (delete/send to /dev/null or Trash folder - whatever you can) based on FAILED SSHD login attempts. The rule should be carefully crafted to allow delivery of any successful SSHD login attempts. (After testing this, you might want to add your IP if it is static to the csf.allow file to prevent an email being sent every time you use SSHD).
  5. If you connect from a static IP, consider using Host Access Control to limit access to your WHM and SSHD - I recommend you add (allow) the cPanel support IPs, and any data centre support IPs, and a failover for yourself if you can.
  6. You might also want to enable cPHulk Brute Force Protection, but ensure your administrative IP is on the whitelist (and a failover just in case) so you don't get yourself blocked and locked out.
Hope this helps.
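The failure-counting logic behind the LFD alert quoted in the first post (5 sshd failures within a 3600-second interval), combined with the allow-list and the emphasis on successful logins that rpvw recommends, as an added Python illustration that is not part of the thread or of CSF/LFD itself. The sample log lines, the 203.0.113.0/24 admin range and the sshd message regexes are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds copied from the LFD alert quoted in the thread:
# 5 sshd failures inside a 3600-second interval trigger a block.
FAIL_THRESHOLD, INTERVAL_SECONDS = 5, 3600
# Hypothetical admin range standing in for csf.allow: never counted, never blocked.
ALLOW_LIST = [ip_network("203.0.113.0/24")]
BASE = datetime(2024, 1, 1, 10, 0, 0)  # start time of the constructed sample

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")

def _allowed(ip):
    return any(ip_address(ip) in net for net in ALLOW_LIST)

def analyse(lines):
    """Return (blocked, successes): blocked maps IP -> failure count at the moment
    the sliding window crossed the threshold; successes lists (user, ip) logins."""
    window = defaultdict(deque)  # ip -> timestamps of failures within the last interval
    blocked, successes = {}, []
    for line in sorted(lines):   # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(TS_RE.match(line).group(1))
        if m := ACCEPTED_RE.search(line):
            successes.append((m.group(1), m.group(2)))  # the events worth reading
            continue
        m = FAILED_RE.search(line)
        if not m or m.group(2) in blocked or _allowed(m.group(2)):
            continue
        q = window[m.group(2)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > INTERVAL_SECONDS:  # expire failures older than the interval
            q.popleft()
        if len(q) >= FAIL_THRESHOLD:
            blocked[m.group(2)] = len(q)
    return blocked, successes

def _line(offset_s, text):  # constructed syslog-style sshd line at BASE + offset seconds
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} myServer sshd[1234]: {text}"

# Constructed sample: a burst from .7, a slow drip from .9 (5 failures, never 5 in one
# hour), noise from the admin range, and one genuine login that must not be dropped.
SAMPLE_LOG = (
    [_line(i * 60, "Failed password for root from 198.51.100.7 port 4000 ssh2") for i in range(5)]
    + [_line(i * 1200, "Failed password for invalid user admin from 192.0.2.9 port 4100 ssh2") for i in range(5)]
    + [_line(i * 60, "Failed password for root from 203.0.113.5 port 4200 ssh2") for i in range(6)]
    + [_line(1800, "Accepted publickey for admin from 203.0.113.5 port 4300 ssh2")]
)
```

Only the burst host crosses the threshold; the drip host spreads its five failures over more than an hour and the admin range is skipped entirely, while the one successful login is still reported.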
 

Shood (Well-Known Member, joined Aug 12, 2015; cPanel Access Level: Root Administrator)
So helpful, thank you @rpvw.
 

cPanelLauren (Product Owner, Staff member, joined Nov 14, 2017)
Hi @Shood

Rather than give you a list of unused ports, which could literally be thousands, it's easiest to show you how to find the ports that are in use:

Code:
netstat -tunlep | grep LISTEN | awk '{print $4}'
You also wouldn't want to use anything in the range 32768-65535.

Thanks!
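An added example, not from the thread, that parses the address column printed by the netstat pipeline above and rejects a candidate SSH port that is already listening or that falls in the 32768-65535 range; the sample netstat output is constructed.

```python
# Ephemeral (client-side) port range the reply says to stay out of.
EPHEMERAL = range(32768, 65536)

def listening_ports(netstat_column):
    """Parse the 'Local Address' column printed by
    netstat -tunlep | grep LISTEN | awk '{print $4}' into a set of ports.
    Handles IPv4 (0.0.0.0:22) and IPv6 (:::80, ::1:783) forms alike."""
    ports = set()
    for addr in netstat_column.splitlines():
        addr = addr.strip()
        if not addr:
            continue
        _host, _, port = addr.rpartition(":")  # the last colon separates the port
        if port.isdigit():
            ports.add(int(port))
    return ports

def check_port(candidate, used):
    """Return None if candidate is usable for SSH, else the reason it is not."""
    if not 1 <= candidate <= 65535:
        return "not a valid port"
    if candidate in used:
        return "already in use"
    if candidate in EPHEMERAL:
        return "inside ephemeral range 32768-65535"
    return None

# Constructed sample of what the netstat pipeline prints on a small cPanel host.
SAMPLE_NETSTAT = """\
0.0.0.0:22
127.0.0.1:3306
0.0.0.0:2087
:::80
:::443
::1:783
"""
```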
 