Over 20.000 Bruteforce Login attempts in one night?

[Frankenstone]

Hey Guys,

last night was very hard - we got over 20.000 login attempts and over 6.000 IPs got time banned automatically. Were send over 300 Abuse mails to known hosting companys like OVH, DigitalOcean and more.

Is their any way for more automatically? Are this normal stats? Any ideas how to stop this much Bruteforce? Their just 3 systems (2 dns servers and 1 shared server) fresh installed and setup and so much bruteforce dont seems normal.

Is their a way to combine our own blocklist with public lists?

Thank u in advice.

Greetings

 

[GOT]

That does seem excessive. How you deal with it depends largely on what specifically they are brute forcing. Is it a system service like ssh or ftp or is it a website login like wp-login?

 

[Frankenstone]

Hey,

our servers handling fine and dont rly have problems with loadtimes or network (Dont ask me why, their just 3 little VPS xD). I think this last night was a any coordinated operation - I could not imagine what else it should have been - in the last 13 hours we became 104 reports from (after i banned the most subnets where the attempts came from) CPHulk about login attempts. Does this seems more normaly?

CPHulk say its coming from sshd -> we actually use the default port (I wanted to change last night, but was disturbed by the attack.).

Actually we're just build up the systems and no customer except us is online with any website or product.

Is their a way to configure CPHulk like an IP-adress can be blocked 3 times with time ban - on the 4th ban its a permanent with messaging us, and not on every time ban?

Thank you in advance.

//Edit
Found after connecting to SSH (login message) - in just 10 hours over 15.000 failed logins....that cant be normal! Their fu**ing absolute fresh servers with blocking the most countrys....But nice, that no successfull login - thats the only good thing.

Last failed login: Sun Jan 13 16:12:10 CET 2019 from xx.xxx.xx.x on ssh:notty
There were 15449 failed login attempts since the last successful login.
Last login: Sat Jan 12 02:13:43 2019 from xx.xx.xx.xx

Greetings

 

[GOT]

I would either change eh ssh port or close it entirely in the firewall. SSH bot attacks are extraordinarily common.

You can use CSF to enable permanent bans.

 

[Frankenstone]

I would either change eh ssh port or close it entirely in the firewall.

Jep, we want to change SSH Port - but.....

You can use CSF to enable permanent bans.

...did I read that right that CSF will done SSH Port change on installation, if its on default?

Thank for the Tip with CSF - i will read me in and setup. Tomorrow i will report if its helped us out of this bot attacks.

 

[Frankenstone]

Silent like the night should be. I think i overlooked csf in Documentation until u showed me *embarrassing*

After initial setup with security check -> all OK and we gonna get nothing. Thank u for more good nights :P

 

[cPanelMichael]

Hello @Frankenstone,

I'm glad to see you were able to sort through the issue. Going forward, the following resource is useful if you want to make the SSH service more secure:

Tutorial - Interested in increasing the security of your server? Read this. (sshd hardening)

Thank you.