The Community Forums


Preventing annoying/lame hack attempts

Discussion in 'Security' started by santrix, Aug 31, 2009.

  1. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    Hi,

    Every now and then I get a logwatch full of failed logins attempts, eg.

    LOGIN FAILED, user=admin, ip=[::ffff:213.92.11.165]: 39 Time(s)

    This time the list was about 300 usernames long, and consisted of about 2200 failed logins in total.

    Isn't this something that cpHulk should have blocked after the first set of failures? I'm a bit confused, as cpHulk seems to be a bit hit and miss.

    I also run the APF firewall, but I expect getting this idiot's IP into the deny rules list, other than vi'ing it in manually, is going to involve all kinds of ninja-level scripting.

    Any ideas? Thanks.
     
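The "get this IP into the deny list without vi'ing it in" step, as an added example that is not from the thread, from cPanel or from the APF project. It assumes (my assumptions, not stated on the page) that the input is the aggregated line shape logwatch printed above, that the bracketed address may carry the IPv4-mapped "::ffff:" prefix that APF's deny list does not want, and that `apf -d <host> <comment>` is the APF command for adding a deny entry. The sample lines are constructed, not real log data.

```shell
#!/bin/sh
# Added example, not from the thread: turn the failed-login summary lines
# quoted above into APF deny commands, so the offending IP goes into the
# deny list without editing it by hand.
#
# Assumptions (mine, not stated on the page):
#  - input lines have the shape logwatch printed above:
#      LOGIN FAILED, user=<name>, ip=[<addr>]: <n> Time(s)
#    (cPanel's raw login_log is laid out differently; adapt the parser there);
#  - the address may be IPv4-mapped IPv6 ("::ffff:1.2.3.4"); APF wants the
#    plain IPv4 form, so the prefix is stripped;
#  - "apf -d <host> <comment>" is the APF CLI for adding a deny entry.

# Constructed sample input, not real log data.
SAMPLE_LOG='LOGIN FAILED, user=admin, ip=[::ffff:213.92.11.165]: 39 Time(s)
LOGIN FAILED, user=root, ip=[::ffff:213.92.11.165]: 61 Time(s)
LOGIN FAILED, user=test, ip=[::ffff:213.92.11.165]: 12 Time(s)
LOGIN FAILED, user=jsmith, ip=[10.0.0.7]: 2 Time(s)
LOGIN FAILED, user=guest, ip=[::ffff:203.0.113.9]: 5 Time(s)'

# failed_logins_per_ip: read summary lines on stdin, print "<total> <ip>" per
# source address, summing the Time(s) count over every username tried from it
# (the thread's 300 usernames from one host collapse to one line), busiest first.
failed_logins_per_ip() {
    awk '$1 == "LOGIN" && $2 == "FAILED," && $NF == "Time(s)" {
            ip = $4                       # "ip=[::ffff:213.92.11.165]:"
            sub(/^ip=\[/, "", ip)         # drop the "ip=[" prefix
            sub(/\]:$/, "", ip)           # drop the "]:" suffix
            sub(/^::ffff:/, "", ip)       # IPv4-mapped IPv6 -> plain IPv4
            total[ip] += $(NF - 1)        # the count just before "Time(s)"
        }
        END { for (ip in total) print total[ip], ip }' |
    sort -rn
}

# apf_deny_commands THRESHOLD: print one "apf -d" command for each address
# whose summed failures reach THRESHOLD. It prints instead of executing, so
# you can review the list (and skip your own office IP) before piping it to sh.
apf_deny_commands() {
    failed_logins_per_ip |
    awk -v t="$1" '$1 >= t { printf "apf -d %s \"%d failed cPanel logins\"\n", $2, $1 }'
}

# Demo on the constructed sample: only 213.92.11.165 (112 failures) clears 20.
printf '%s\n' "$SAMPLE_LOG" | apf_deny_commands 20
```

Feed it the logwatch mail body (or a saved copy) and pick a threshold high enough that one mistyped password from a customer does not get them banned; the summing across usernames is what makes a 300-username sweep from one host stand out from scattered typos. Review the printed commands, then `... | apf_deny_commands 20 | sh` to apply them.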
  2. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
  3. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    OK, I give in... this isn't the first time someone has said try CSF...

    Although I'm reasonably comfortable tooling around my servers, doing routine admin and maintenance, checking logs etc, I'm not a linux ninja by any means...

    Installing APF, although uneventful and straightforward did raise the old blood pressure a bit, and I was somewhat relieved to find it all worked after the install. Unfortunately I don't now have a spare box to install CSF on, and both of mine are production machines with a few dozen users on each.

    Obviously I don't need to bugger things up by trying to switch firewall applications.

    Has anyone else out there removed APF on a stock cPanel install and installed CSF in its place? Any pointers/pitfalls? Is CSF as well supported/bug free as APF appears to be?
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    At this time cpHulk only works on services that use TCPWrappers. At this time, not all services cPanel/WHM relies upon use TCPWrappers.
     
  5. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    I would assume this is your SSH port
    Change your SSH port to a unused port
     
  6. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    I already did... it's not on 22! :) That's one of the first things I do to any new box. I guess they are persistent little buggers.
     
  7. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Then what are they trying to brute?
    Install BFD with APF.
     
  8. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I can take care of this for you beyond your wildest dreams! ;)

    However, in the meantime ...

    Cpanel servers have "portsentry" but it is not configured correctly
    and is rendered basically useless by default. If setup correctly,
    it becomes a very powerful tool for blocking port scans trying
    to locate where you moved your SSH service and can react
    much more rapidly than LFD or other services for that.

    CSF / LFD is a "must have" for keeping up with primary activity and
    I would have that installed, configured correctly, and running along side
    other measures in place such as portsentry, rootkit scanners, & log monitors.

    Obviously as already previously discussed in this thread,
    SSH should not be on the default port 22, should be protocol 2,
    and preferably not direct root access. In some cases, users
    cannot use certificates for login but if you are able to do that,
    I recommend shutting down password authentication as that
    will completely eliminate any brute force type possibilities, although
    a sufficiently long, random, and non-dictionary password will
    suffice for most instances too.

    The biggest thing to be concerned about is not that anyone is "trying"
    to break in to your server but rather "are they successful"?

    If your defenses are set up correctly, any hacking attempts on your
    server should be able to be put to rest almost instantaneously.
     
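The SSH settings Spiral lists (off port 22, protocol 2, no direct root login, password authentication off) are easy to believe you have applied and hard to confirm by eye, because sshd honours only the first uncommented occurrence of a keyword. Below is an added example, not from the thread or from OpenSSH, that audits an sshd_config for those settings and reports what sshd will actually use. It assumes (my assumptions) OpenSSH keyword names in "Keyword value" form, no Match blocks, and an OpenSSH of that era where "Protocol" still chooses between 1 and 2; the two sample configs are constructed. It also checks ChallengeResponseAuthentication, which the post does not mention: with PAM in play, leaving it on keeps a password prompt alive even after PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the SSH
# settings Spiral lists (not on port 22, protocol 2, no direct root login,
# password authentication off). It reports what sshd will actually use, which
# is the first uncommented occurrence of each keyword; later duplicates are
# ignored by sshd, so a "PasswordAuthentication no" added at the bottom of a
# file that already says "yes" higher up changes nothing.
#
# Assumptions (mine): OpenSSH keyword names in "Keyword value" form, no Match
# blocks (a value inside a Match block would be misread as global here), and
# the era's OpenSSH where "Protocol" still selects between 1 and 2.

# sshd_effective KEYWORD FILE: print the effective value, or "<default>" when
# the file never sets it (sshd then uses its compiled-in default, which for
# PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication
# is "yes").
sshd_effective() {
    val=$(awk -v key="$1" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$2")
    printf '%s\n' "${val:-<default>}"
}

# audit_sshd_config FILE: print one line per weak setting; exit status 0 only
# when every check passes.
audit_sshd_config() {
    f="$1"
    rc=0
    v=$(sshd_effective Port "$f")
    case "$v" in
        22|"<default>") echo "Port: sshd still listens on 22 ($v)"; rc=1 ;;
    esac
    v=$(sshd_effective Protocol "$f")
    case "$v" in
        2) ;;
        *) echo "Protocol: not pinned to 2 ($v)"; rc=1 ;;
    esac
    v=$(sshd_effective PermitRootLogin "$f")
    case "$v" in
        no) ;;
        *) echo "PermitRootLogin: direct root login possible ($v)"; rc=1 ;;
    esac
    v=$(sshd_effective PasswordAuthentication "$f")
    case "$v" in
        no) ;;
        *) echo "PasswordAuthentication: passwords accepted ($v)"; rc=1 ;;
    esac
    # Often missed: with PAM, keyboard-interactive auth still prompts for the
    # password unless this is off too, so the brute force is not actually gone.
    v=$(sshd_effective ChallengeResponseAuthentication "$f")
    case "$v" in
        no) ;;
        *) echo "ChallengeResponseAuthentication: password prompt via PAM still possible ($v)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample configs (not from any real server).
WEAK_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes'

HARDENED_CONFIG='Port 2200
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes'

# Usage on a live box: audit_sshd_config /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` after every change and before restarting sshd; the weak sample above produces five findings (the commented-out PasswordAuthentication line counts as unset), the hardened one none. Keep a second session open while you turn password authentication off, so a key that was not actually installed does not lock you out.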