iptables, audit.log & Brute force detection

Discussion in 'Security' started by JeffPaetkau, Nov 13, 2014.

  1. JeffPaetkau

    JeffPaetkau Member

    Hi,

    On my server I have iptables set up so ssh (on port 22) only allows connections from a limited set of IPs (tested such that when I comment out my IP I can't connect). However, I notice in audit.log thousands of messages like:

    type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'

    and in the messages log hundreds of:

    Nov 13 08:30:02 host PAM-hulk[22289]: Brute force detection active: 580 LOGIN DENIED -- TOO MANY FAILURES -- IP TEMP BANNED

    also aureport reports:

    Number of logins: 6
    Number of failed logins: 6835
    Number of authentications: 12
    Number of failed authentications: 41589

    Does anyone have any ideas on why these invalid attempts are not being blocked by iptables?

    Thanks for any insight.

    Jeff Paetkau
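
As an added example (not part of the original posts), one way to check the observation in the first post is to tally failed `USER_AUTH` records per daemon and source address and keep only sources outside the SSH allowlist. The record layout follows the audit.log line quoted above; the sample records, the allowlist networks and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in the USER_AUTH layout quoted in the post.
# Addresses are documentation ranges, not values from the thread.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1415905373.817:1): user pid=101 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905374.102:2): user pid=102 uid=0 auid=0 ses=2 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905380.310:3): user pid=103 uid=0 auid=0 ses=3 msg='op=PAM:authentication acct="jeff" exe="/usr/sbin/sshd" hostname=198.51.100.20 addr=198.51.100.20 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905385.900:4): user pid=104 uid=0 auid=0 ses=4 msg='op=PAM:authentication acct="jeff" exe="/usr/sbin/sshd" hostname=198.51.100.20 addr=198.51.100.20 terminal=ssh res=success'
type=USER_AUTH msg=audit(1415905390.000:5): user pid=105 uid=0 auid=0 ses=5 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
"""

# Assumption: the networks the iptables rules are meant to admit to SSH.
ALLOWED_NETWORKS = ["198.51.100.0/24"]

RECORD = re.compile(r"^type=(\S+) msg=audit\([^)]*\):.*?msg='(.*)'\s*$")
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit record, or None if malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in PAIR.findall(m.group(2))}
    fields["type"] = m.group(1)
    return fields


def unexpected_failures(log_text, allowed_networks):
    """Count failed USER_AUTH records per (exe, addr) from outside the allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "USER_AUTH" or rec.get("res") != "failed":
            continue
        try:
            src = ipaddress.ip_address(rec.get("addr", ""))
        except ValueError:
            continue  # addr=? on local logins: no remote source to compare
        if not any(src in net for net in allowed):
            hits[(rec.get("exe"), str(src))] += 1
    return hits


if __name__ == "__main__":
    for (exe, addr), n in unexpected_failures(SAMPLE_AUDIT_LOG, ALLOWED_NETWORKS).most_common():
        print(f"{n:6d}  {exe}  {addr}")
```

A non-empty result means those sources reached the listed daemon's authentication stage, which narrows the question to how that traffic got past the filter for that daemon.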
     
  2. 24x7server

    24x7server Well-Known Member

  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Change port number to something else. You should find the docs useful I think:
    How to Secure SSH - cPanel Documentation
     
  4. JeffPaetkau

    JeffPaetkau Member

    Hi,

    Thanks. Those are both good suggestions. However, they don't really answer my question, which is: why am I seeing these messages at all if iptables is blocking port 22?

    Jeff
     