
lfd on server1.mydomain.com: blocked 198.3.68.101

Discussion in 'Security' started by J.C, Sep 30, 2008.

  1. J.C

    I keep receiving these emails from root@server1.mydomain.com.

    Code:
    Time:     Tue Sep 30 23:56:49 2008 -0400
    IP:       198.3.68.101 (US/United States/-)
    Failures: 5 (sshd)
    Interval: 5 seconds
    Blocked:  Yes
    
    Log entries:
    
    Sep 30 23:56:40 server1 sshd[5508]: Invalid user sarah from 198.3.68.101
    Sep 30 23:56:42 server1 sshd[5508]: Failed password for invalid user sarah from 198.3.68.101 port 50799 ssh2
    Sep 30 23:56:43 server1 sshd[5510]: Invalid user sarah from 198.3.68.101
    Sep 30 23:56:45 server1 sshd[5510]: Failed password for invalid user sarah from 198.3.68.101 port 50959 ssh2
    Sep 30 23:56:46 server1 sshd[5520]: Invalid user sarah from 198.3.68.101

    What's happening? I've received 36 between 21:08 and 00:01.
     
  2. SB-Nick

    Someone with the IP 198.3.68.101 is trying to access your server over SSH using the username sarah.
    It's probably a brute-force hack attempt, or someone is using an invalid password.

     
  3. weetabix

    Well, something isn't what it should be.

    That IP should be blocked by csf, and you should not get more than one mail about it. If the brute force is coming from different IPs you will get one mail per block.

    You need to check that csf/lfd is working as intended.
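
Added example, not part of the thread and not csf/lfd code: one way to check the last reply's point from the logs, by counting block alerts per IP and listing sshd lines logged after lfd reported the block. The function names, the second and third alerts, and all sample log lines except the first are constructed; syslog timestamps are assumed to be in the same local time zone as the alert.

```python
import re
from collections import defaultdict
from datetime import datetime

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALERT_TIME = re.compile(r"^\s*Time:\s+(\w{3} \w{3} +\d+ [\d:]{8} \d{4})", re.M)
ALERT_IP = re.compile(r"^\s*IP:\s+" + IP, re.M)
ALERT_BLOCKED = re.compile(r"^\s*Blocked:\s+Yes", re.M)
SSHD_LINE = re.compile(r"^\s*(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: .* from " + IP)

def parse_alert(body):
    """Return (ip, block_time) for an alert that reports a block, else None.
    The UTC offset is dropped; syslog is assumed to use the same local time."""
    t, ip = ALERT_TIME.search(body), ALERT_IP.search(body)
    if not (t and ip and ALERT_BLOCKED.search(body)):
        return None
    return ip.group(1), datetime.strptime(t.group(1), "%a %b %d %H:%M:%S %Y")

def audit(alerts, log_lines):
    """Per blocked IP: count of block alerts and sshd lines after the first block."""
    first_block = {}
    report = defaultdict(lambda: {"alerts": 0, "after_block": []})
    for body in alerts:
        parsed = parse_alert(body)
        if parsed:
            ip, when = parsed
            report[ip]["alerts"] += 1
            first_block[ip] = min(when, first_block.get(ip, when))
    for line in log_lines:
        m = SSHD_LINE.match(line)
        if m and m.group(2) in first_block:
            blocked_at = first_block[m.group(2)]
            # syslog omits the year, so borrow it from the alert (assumption).
            seen = datetime.strptime(f"{m.group(1)} {blocked_at.year}", "%b %d %H:%M:%S %Y")
            if seen > blocked_at:
                report[m.group(2)]["after_block"].append(line.strip())
    return dict(report)

# First alert and first log line use values from the post above; the rest is constructed.
ALERTS = [
    "Time:     Tue Sep 30 23:56:49 2008 -0400\nIP:       198.3.68.101 (US/United States/-)\nBlocked:  Yes\n",
    "Time:     Tue Sep 30 23:57:20 2008 -0400\nIP:       198.3.68.101 (US/United States/-)\nBlocked:  Yes\n",
    "Time:     Tue Sep 30 23:58:00 2008 -0400\nIP:       203.0.113.7 (-)\nBlocked:  Yes\n",
]
LOG = [
    "Sep 30 23:56:46 server1 sshd[5520]: Invalid user sarah from 198.3.68.101",
    "Sep 30 23:57:12 server1 sshd[5531]: Invalid user sarah from 198.3.68.101",
    "Sep 30 23:57:14 server1 sshd[5531]: Failed password for invalid user sarah from 198.3.68.101 port 51002 ssh2",
    "Sep 30 23:57:55 server1 sshd[5540]: Invalid user test from 203.0.113.7",
]
```

Calling `audit(ALERTS, LOG)` reports two alerts and two post-block sshd lines for 198.3.68.101, the pattern the last reply describes as a block that is not taking effect, and a single clean block for 203.0.113.7.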
     