The Community Forums


lfd sshd bruteforce

Discussion in 'Security' started by knight_dedy, Mar 27, 2015.

  1. knight_dedy

    knight_dedy Member

    Dear all,
    I get so many attack notifications from cPanel. How can I defend sshd or other services against brute-force attacks? Although I have changed my sshd port, there are still attacks on sshd. How can I prevent them?


    Code:
    Time:  Fri Mar 27 10:36:26 2015 +0700
    IP:  80.82.70.167 (NL/Netherlands/-)
    Failures: 5 (smtpauth)
    Interval: 3600 seconds
    Blocked:  Permanent Block
    
    Log entries:
    
    2015-03-27 09:44:21 dovecot_login authenticator failed for (User)
    [80.82.70.167]:35016: 535 Incorrect authentication data
    (set_id=test@enrichstardevelopment.com)
    2015-03-27 09:44:28 dovecot_login authenticator failed for (User)
    [80.82.70.167]:35016: 535 Incorrect authentication data
    (set_id=test@enrichstardevelopment.com)
    2015-03-27 09:44:39 dovecot_login authenticator failed for (User)
    [80.82.70.167]:35016: 535 Incorrect authentication data
    (set_id=test@enrichstardevelopment.com)
    2015-03-27 10:36:15 dovecot_login authenticator failed for (User)
    [80.82.70.167]:33963: 535 Incorrect authentication data
    (set_id=info@enrichstardevelopment.com)
    2015-03-27 10:36:22 dovecot_login authenticator failed for (User)
    [80.82.70.167]:33963: 535 Incorrect authentication data
    (set_id=info@enrichstardevelopment.com)
     
  2. triantech

    triantech Well-Known Member

    Hey,

    Changing the SSH port to a custom one should reduce the number of brute-force attacks which you get. The one which you posted above is aimed at your mail server. There are always these sorts of attacks, and the good thing is that your LFD/CSF is blocking them (as you can see from the above logs). The IP which attempts to give 5 login credentials in a row within a time frame of 3600 seconds is blocked permanently.

    Just make sure you don't have accounts such as test@domain.com with weak passwords. Make sure your passwords are strong and complex enough. These sorts of attacks happen every time.
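
    The threshold rule described in the post above (5 failures from one IP within 3600 seconds), as an added example that is not part of the original thread and is not LFD's own code: a sliding-window counter over Exim failed-login lines. The log lines, IPs and accounts in it are constructed sample data, and `find_offenders` is a hypothetical helper name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Exim failed SMTP AUTH line, unwrapped onto one line (shape as in the notification).
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ authenticator failed for .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)

def find_offenders(lines, threshold=5, interval=3600):
    """Map each IP with `threshold` failures inside `interval` s to (time reached, accounts)."""
    recent = defaultdict(deque)    # ip -> failure times still inside the window
    accounts = defaultdict(set)    # ip -> every set_id seen from that ip
    reached = {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue               # not a failed-auth line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        accounts[ip].add(m["user"])
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > interval:
            window.popleft()       # expire failures older than the interval
        if len(window) >= threshold:
            reached.setdefault(ip, ts)
    return {ip: (ts, sorted(accounts[ip])) for ip, ts in reached.items()}

# Constructed sample data: documentation IP ranges and example.com accounts.
_FMT = ("2015-03-27 {} dovecot_login authenticator failed for (User) "
        "[{}]:35016: 535 Incorrect authentication data (set_id={})")
SAMPLE = [_FMT.format(*row) for row in [
    ("08:00:00", "198.51.100.9", "admin@example.com"),  # failures 30 min apart:
    ("08:30:00", "198.51.100.9", "admin@example.com"),  # at most 3 fall inside
    ("09:00:00", "198.51.100.9", "admin@example.com"),  # any 3600 s window
    ("09:30:00", "198.51.100.9", "admin@example.com"),
    ("09:44:21", "203.0.113.7", "test@example.com"),
    ("09:44:28", "203.0.113.7", "test@example.com"),
    ("09:44:39", "203.0.113.7", "test@example.com"),
    ("10:00:00", "198.51.100.9", "admin@example.com"),
    ("10:36:15", "203.0.113.7", "info@example.com"),
    ("10:36:22", "203.0.113.7", "info@example.com"),
]] + ["2015-03-27 10:40:00 SMTP connection from [203.0.113.7]:40000 closed by QUIT"]

if __name__ == "__main__":
    for ip, (when, users) in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}; accounts tried: {users}")
```

    The second source in the sample also fails five times, but its failures expire from the window before the count reaches the threshold, so only the first is reported.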
     
  3. 24x7ss

    24x7ss Well-Known Member

    Yes, the logs show that the attack is on your mail server. Set a complicated password for that account or, if that email account is present on the server, disable it temporarily.
     
  4. knight_dedy

    knight_dedy Member

    Are there other steps to defend SMTP auth and IMAP, besides making strong passwords for email?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The best options available to you are to use strong passwords, install a third-party firewall management tool such as CSF/LFD, and to enable cPHulk brute force protection.

    Thank you.
     