The Community Forums


Is someone trying to hack my VPS?

Discussion in 'Security' started by cactuscarl, Feb 24, 2010.

  1. cactuscarl

    cactuscarl Member

    Joined:
    Aug 21, 2009
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    This comes from the /var/log/secure file and there's a LOT of it:

    Feb 21 16:43:00 vps sshd[28022]: Did not receive identification string from 69.42.213.18
    Feb 21 17:33:04 vps sshd[10065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:06 vps sshd[10065]: Failed password for root from 69.42.213.18 port 41824 ssh2
    Feb 22 01:33:06 vps sshd[10066]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:07 vps sshd[10072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:09 vps sshd[10072]: Failed password for root from 69.42.213.18 port 41937 ssh2
    Feb 22 01:33:09 vps sshd[10073]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:09 vps sshd[10075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:11 vps sshd[10075]: Failed password for root from 69.42.213.18 port 42034 ssh2
    Feb 22 01:33:11 vps sshd[10076]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:11 vps sshd[10077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:13 vps sshd[10077]: Failed password for root from 69.42.213.18 port 42122 ssh2
    Feb 22 01:33:13 vps sshd[10078]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:14 vps sshd[10079]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:16 vps sshd[10079]: Failed password for root from 69.42.213.18 port 42230 ssh2
    Feb 22 01:33:16 vps sshd[10080]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:17 vps sshd[10082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:19 vps sshd[10082]: Failed password for root from 69.42.213.18 port 42349 ssh2
    Feb 22 01:33:19 vps sshd[10083]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:20 vps sshd[10088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:21 vps sshd[10088]: Failed password for root from 69.42.213.18 port 42471 ssh2
    Feb 22 01:33:21 vps sshd[10089]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:22 vps sshd[10090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:24 vps sshd[10090]: Failed password for root from 69.42.213.18 port 42565 ssh2
    Feb 22 01:33:24 vps sshd[10091]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:25 vps sshd[10092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:27 vps sshd[10092]: Failed password for root from 69.42.213.18 port 42679 ssh2
    Feb 22 01:33:27 vps sshd[10093]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:27 vps sshd[10094]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:29 vps sshd[10094]: Failed password for root from 69.42.213.18 port 48248 ssh2
    Feb 22 01:33:29 vps sshd[10095]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:30 vps sshd[10103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:32 vps sshd[10103]: Failed password for root from 69.42.213.18 port 48344 ssh2
    Feb 22 01:33:32 vps sshd[10104]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:32 vps sshd[10105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:34 vps sshd[10105]: Failed password for root from 69.42.213.18 port 48439 ssh2
    Feb 22 01:33:34 vps sshd[10106]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:34 vps sshd[10107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:36 vps sshd[10107]: Failed password for root from 69.42.213.18 port 48537 ssh2
    Feb 22 01:33:36 vps sshd[10108]: Received disconnect from 69.42.213.18: 11: Bye Bye
    Feb 21 17:33:36 vps sshd[10109]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=69.42.213.18 user=root
    Feb 21 17:33:39 vps sshd[10109]: Failed password for root from 69.42.213.18 port 48638 ssh2
    Feb 22 01:33:39 vps sshd[10110]: Received disconnect from 69.42.213.18: 11: Bye Bye


    It looks as though someone or something is trying all kinds of ports to log into my server or something. I'm also getting all kinds of errors related to "cannot allocate memory", and now my WordPress blogs are failing with similar errors and now just a simple "Internal Server Error".

    Can anyone lend a brother a hand? :eek:
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Yes, looks like someone is trying to brute force your SSH ...

    This is very common and I would not be too alarmed by that alone, but I would read through your logs just to make sure that none of those attempts were successful.

    If you don't already have a long random and sufficiently strong password or cert setup then I would certainly go ahead and do that.

    Moving your SSH port (See /etc/ssh/sshd_config) to a new port can help curb such attacks but you will probably want to supplement that by disabling direct root logins as well.

    I would also limit your SSH to "Protocol 2" only and fixed to a specific IP.

    After you move SSH to another port, you can either block access to the original port in your firewall or do what I do sometimes and set up portsentry to operate as a "hacker trap" on the original port.

    Hope that helps you out. If you don't understand any part of what I just said or need more help, feel free to hunt me down.
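The check Spiral recommends, reading back through /var/log/secure for any attempt that actually succeeded, as an added example that is not part of the original thread. It parses sshd lines in the format quoted in the first post over a constructed sample (the 198.51.100.9 source and the accepted logins are made up for the demonstration); the threshold of 5 failures is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the /var/log/secure format quoted above (not the poster's full log).
# "port NNNNN" in these lines is the client's source port, not a port being tried on the server.
SAMPLE_LOG = """\
Feb 21 17:33:06 vps sshd[10065]: Failed password for root from 69.42.213.18 port 41824 ssh2
Feb 21 17:33:09 vps sshd[10072]: Failed password for root from 69.42.213.18 port 41937 ssh2
Feb 21 17:33:11 vps sshd[10075]: Failed password for root from 69.42.213.18 port 42034 ssh2
Feb 21 17:33:13 vps sshd[10077]: Failed password for root from 69.42.213.18 port 42122 ssh2
Feb 21 17:33:16 vps sshd[10079]: Failed password for invalid user admin from 69.42.213.18 port 42230 ssh2
Feb 21 17:40:02 vps sshd[10150]: Failed password for carl from 198.51.100.9 port 50222 ssh2
Feb 21 17:45:31 vps sshd[10201]: Accepted password for root from 69.42.213.18 port 43010 ssh2
Feb 21 18:02:11 vps sshd[10350]: Accepted publickey for carl from 198.51.100.9 port 50300 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IPV4)
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from " + IPV4)


def analyze_secure_log(text, threshold=5):
    """Count sshd failures per source IP and flag accepted logins from guessing sources."""
    failures, targeted, accepted = Counter(), defaultdict(set), []
    for line in text.splitlines():
        if m := FAILED.search(line):
            user, ip = m.groups()
            failures[ip] += 1
            targeted[ip].add(user)
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            accepted.append({"method": method, "user": user, "ip": ip})
    # A source with at least `threshold` failures is treated as a brute-force attempt.
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    # Highest-priority finding: an accepted login from a source that was guessing passwords.
    suspicious = [a for a in accepted if a["ip"] in brute_force]
    return {
        "failures": dict(failures),
        "targeted_users": {ip: sorted(u) for ip, u in targeted.items()},
        "brute_force": brute_force,
        "accepted": accepted,
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    report = analyze_secure_log(SAMPLE_LOG)
    for ip, n in report["brute_force"].items():
        print(f"brute force from {ip}: {n} failures against {report['targeted_users'][ip]}")
    for a in report["suspicious_logins"]:
        print(f"ALERT: accepted {a['method']} login as {a['user']} from {a['ip']}")
```

On a real server, feed it the whole file (`analyze_secure_log(open("/var/log/secure").read())`) and treat any entry in `suspicious_logins` as an incident, not a log-noise problem.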
     
  3. CDDHosting

    CDDHosting Member

    Joined:
    Feb 18, 2010
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    Yeah it does look like someone has tried to brute force you.

    If you have not already done so, change your SSH port.
     
  4. tomdchi

    tomdchi Well-Known Member

    Joined:
    Feb 24, 2008
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    cPanel Access Level:
    DataCenter Provider
    1. Disable SSH password auth, under Security settings on the left side in WHM.
    2. Get the CSF firewall (configserver.com).
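The sshd_config changes recommended across Spiral's and tomdchi's posts (new port, no direct root login, protocol 2 only, one user from a fixed IP, keys instead of passwords), as an added audit script that is not part of the thread. Both config fragments are constructed; the port 2222, user `carl` and address 203.0.113.5 are placeholders, and the keywords are standard OpenSSH ones.

```python
# Constructed sshd_config fragments (not from the thread). WEAK mirrors the settings the thread
# warns about; HARDENED applies its advice. The port, user name and IP are placeholders.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers carl@203.0.113.5
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a keyword, so do we."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return the thread's recommendations that this config does not yet apply."""
    s = parse_sshd_config(text)
    findings = []
    # Absent keywords are treated as the historical defaults (port 22, root and passwords allowed).
    if s.get("port", "22") == "22":
        findings.append("Port: still 22; move SSH to an unused port and firewall the old one")
    if s.get("permitrootlogin", "yes").lower() not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin: direct root login allowed; set it to no")
    if "1" in [p.strip() for p in s.get("protocol", "2").split(",")]:
        findings.append("Protocol: SSH protocol 1 enabled; set Protocol 2")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication: passwords accepted; use keys and set it to no")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("AllowUsers: no user/source restriction; e.g. AllowUsers you@your.static.ip")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["all recommendations applied"])
```

Run it against `/etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while you test the new port and key login so a mistake cannot lock you out.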
     