Over 20.000 Bruteforce Login attempts in one night?

Frankenstone

Member
Jan 10, 2019
18
0
1
Germany
cPanel Access Level
Root Administrator
Hey Guys,

Last night was very hard - we got over 20.000 login attempts and over 6.000 IPs got time-banned automatically. We sent over 300 abuse mails to known hosting companies like OVH, DigitalOcean and more.

Is there any way to automate this more? Are these normal stats? Any ideas how to stop this much brute force? They're just 3 systems (2 DNS servers and 1 shared server), freshly installed and set up, and so much brute force doesn't seem normal.

Is there a way to combine our own blocklist with public lists?

Thank you in advance.

Greetings
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,772
326
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
That does seem excessive. How you deal with it depends largely on what specifically they are brute forcing. Is it a system service like ssh or ftp or is it a website login like wp-login?
 

Frankenstone

Hey,

Our servers are handling it fine and don't really have problems with load times or network (don't ask me why, they're just 3 little VPS xD). I think last night was some coordinated operation - I could not imagine what else it could have been. In the last 13 hours we got 104 reports from cPHulk about login attempts (after I banned most of the subnets where the attempts came from). Does this seem more normal?

cPHulk says it's coming from sshd -> we actually use the default port (I wanted to change it last night, but was disturbed by the attack).

Actually we're just building up the systems and no customer except us is online with any website or product.

Is there a way to configure cPHulk so that an IP address can be blocked 3 times with a time ban, and on the 4th ban it's permanent with a message to us, and not on every time ban?

Thank you in advance.

//Edit
Found this after connecting to SSH (login message) - in just 10 hours over 15.000 failed logins... that can't be normal! They're fu**ing absolutely fresh servers with most countries blocked... But nice that there was no successful login - that's the only good thing.

Code:
Last failed login: Sun Jan 13 16:12:10 CET 2019 from xx.xxx.xx.x on ssh:notty
There were 15449 failed login attempts since the last successful login.
Last login: Sat Jan 12 02:13:43 2019 from xx.xx.xx.xx
Greetings
 

GOT

I would either change the ssh port or close it entirely in the firewall. SSH bot attacks are extraordinarily common.

You can use CSF to enable permanent bans.
 
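The escalation asked about above (three time bans, then a permanent ban on the fourth with a single notification), modelled in Python over constructed sshd log lines. This is an added example, not part of the thread and not cPHulk's or CSF's own code; the failure threshold, window and ban length are assumed values, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; not cPHulk or CSF defaults.
MAX_FAILURES, WINDOW = 5, timedelta(minutes=5)   # failures in window -> ban
TEMP_BAN, TEMP_BANS_BEFORE_PERM = timedelta(hours=1), 3
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port \d+")

def process(lines, year=2019):
    """Return (events, alerts): each ban decision, and the IPs to report once."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    temp_bans = defaultdict(int)   # ip -> temporary bans issued so far
    banned_until = {}              # ip -> expiry time, None = permanent
    events, alerts = [], []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and (banned_until[ip] is None or ts < banned_until[ip]):
            continue               # still blocked; the firewall would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # forget failures older than the window
            q.popleft()
        if len(q) < MAX_FAILURES:
            continue
        q.clear()
        if temp_bans[ip] >= TEMP_BANS_BEFORE_PERM:
            banned_until[ip] = None            # 4th ban: permanent, one alert
            events.append((ip, "permanent"))
            alerts.append(ip)
        else:
            temp_bans[ip] += 1
            banned_until[ip] = ts + TEMP_BAN   # silent time ban
            events.append((ip, "temporary"))
    return events, alerts

def sample_log():
    """Constructed input: 203.0.113.7 sends four bursts two hours apart; 198.51.100.9 fails once."""
    fmt = "{:%b %d %H:%M:%S} host sshd[4242]: Failed password for root from {} port 40022 ssh2"
    start = datetime(2019, 1, 13)
    bursts = [fmt.format(start + timedelta(hours=2 * b, seconds=10 * i + 1), "203.0.113.7")
              for b in range(4) for i in range(MAX_FAILURES)]
    return [fmt.format(start, "198.51.100.9")] + bursts
```

Calling `process(sample_log())` yields three temporary bans and one permanent ban for the returning address, with only the permanent ban producing an alert.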

Frankenstone

> I would either change the ssh port or close it entirely in the firewall.

Yep, we want to change the SSH port - but.....

> You can use CSF to enable permanent bans.

...did I read that right, that CSF will change the SSH port on installation if it's on the default?

Thanks for the tip with CSF - I will read up on it and set it up. Tomorrow I will report whether it helped us out of these bot attacks.
 

Frankenstone

Silent like the night should be. I think I overlooked CSF in the documentation until you showed me *embarrassing*

After initial setup with security check -> all OK and we're gonna get nothing. Thank you for more good nights :P
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463