Preventing annoying/lame hack attempts

[santrix]

Hi,

Every now and then I get a logwatch full of failed logins attempts, eg.

LOGIN FAILED, user=admin, ip=[::ffff:213.92.11.165]: 39 Time(s)

This time the list was about 300 usernames long, and consisted of about 2200 failed logins in total.

Isn't this something that cpHulk should have blocked after the first set of failures? I'm a bit confused, as cpHulk seems to be a bit hit and miss.

I also run APF firewall, but i expect getting this idiot's IP into the deny rules list other than vi'ing it in manually is going to involved all kinds of ninja level scripting.

Any ideas? Thanks.

 

[verdon]

You should try the ConfigServer firewall from here
ConfigServer Security & Firewall

 

[santrix]

OK, I give in... this isn't the first time someone has sai try CSF...

Although I'm reasonably comfortable tooling around my servers, doing routine admin and maintenance, checking logs etc, I'm not a linux ninja by any means...

Installing APF, although uneventful and straightforward did raise the old blood pressure a bit, and I was somewhat relieved to find it all worked after the install. Unfortunately I don't now have a spare box to install CSF on, and both of mine are production machines with a few dozen users on each.

Obviously I don't need to bugger thing up by trying to switch firewall applications.

Has anyone else out there removed APF on a stock Cpanel install, and installed CSF in it's place? Any pointers/pitfalls? Is CSF as well suported/bug free as APF appears to be?

 

[cPanelDavidG]

Hi,

Every now and then I get a logwatch full of failed logins attempts, eg.

LOGIN FAILED, user=admin, ip=[::ffff:213.92.11.165]: 39 Time(s)

This time the list was about 300 usernames long, and consisted of about 2200 failed logins in total.

Isn't this something that cpHulk should have blocked after the first set of failures? I'm a bit confused, as cpHulk seems to be a bit hit and miss.

I also run APF firewall, but i expect getting this idiot's IP into the deny rules list other than vi'ing it in manually is going to involved all kinds of ninja level scripting.

Any ideas? Thanks.

At this time cpHulk only works on services that use TCPWrappers. At this time, not all services cPanel/WHM relies upon use TCPWrappers.

 

[dalem]

I would assume this is your SSH port

LOGIN FAILED, user=admin, ip=[::ffff:213.92.11.165]: 39 Time(s)

Change your SSH port to a unused port

 

[santrix]

I already did... it's not on 22! That was one of the first things I do to any new box. I guess they are persistent little buggers.

 

[dalem]

then what are they trying to brute?
install BFD with apf

 

[Spiral]

I already did... it's not on 22! That was one of the first things I do to any new box. I guess they are persistent little buggers.

I can take care of this for you beyond your wildest dreams!

However, in the meantime ...

Cpanel servers have "portsentry" but it is not configured correctly
and is rendered basically useless by default. If setup correctly,
it becomes a very powerful tool for blocking port scans trying
to locate where you moved your SSH service and can react
much more rapidly than LFD or other services for that.

CSF / LFD is a "must have" for keeping up with primary activity and
I would have that installed, configured correctly, and running along side
other measures in place such as portsentry, rootkit scanners, & log monitors.

Obviously as already previously discussed in this thread,
SSH should not be on the default port 22, should be protocol 2,
and preferably not direct root access. In some cases, users
cannot use certificates for login but if you are able to do that,
I recommend shutting down password authentication as that
will complete eliminate any brute force type possibilities although
a sufficiently long, random, and non-dictionary password will
suffice for most instances too.

The biggest thing to be concerned about is not that anyone is "trying"
to break in to your server but rather "are they successful"?

If your defenses are setup correctly, any hacking attempts on your
server should be able to be put down to a rest almost instantaneously.