The Community Forums


Rise in attempted hacking attempts?

Discussion in 'Security' started by agentblack, Feb 22, 2010.

  1. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    I am just wondering if other cPanel admins have noticed a major spike in hacking attempts on their systems? In the past two days I have been swamped with blocking international IP addresses from the network, including a government-based IP address.

    I will gladly share the IPs with anyone who's interested. It appears they are trying to brute-force their way in via password. It appears to be via SSH, which is disabled for all IPs except one (mine).

    Do other cPanel admins or cPanel staff have any thoughts or ideas on how to further lock down the servers?

    Thanks!

    AB
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hacking attempts are a part of the landscape in my opinion. Out of date or poorly secured servers and website scripts are good targets and might get more activity at times of course. Do you have modsecurity installed? This part of your security can be a big help in closing some openings for a hacker to poke at.

    Have you moved SSH to another port?
     
  3. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    I have not installed modsecurity due to some mixed reviews I have heard about the software. I've heard it's good, but at the same time I've heard it can be an admin nightmare if you get locked out.

    Moved my SSH to port 22, but I should probably move it yet again since activity is picking up again.
     
  4. shads

    shads Registered

    Joined:
    Jan 6, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Yes, I know what you mean; even I was thinking it was quite strange, the number of attacks and login attempts being made all of a sudden. Most of mine seem to come from the Netherlands now.
     
  5. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    Yes, that is where a lot of mine are coming from as well, but I am getting a lot from China, India, and the Philippines. Had a government agency in the Philippines attempt as well.
     
  6. shads

    shads Registered

    Joined:
    Jan 6, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Not to mention the increase in port scanning.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You might want to read a few more reviews. ;)
     
  8. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    Granted, it was very early 2009 when I last looked into the product, so maybe things have changed, I don't know. We will have to see.
     
  9. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Using port 22 is like giving an invitation to hacking problems.
    Change this to a non-standard port, and install CSF.

    If you are doing shared hosting, where users use a lot of open-source software like Joomla and WordPress, install mod_security and use any free ruleset before it's too late.

    I don't think one could live without mod_security in this wild hacker world.
     
  10. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    OK, now I'm just not so sure of my ability to install it properly, LOL. I will look into them on Thursday. Thanks for the advice.
     
  11. cactuscarl

    cactuscarl Member

    Joined:
    Aug 21, 2009
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I'm certainly getting my share of hacking attempts, come to find out.

    Is there a simple yum install for mod_security? Where can I read about it? Also, how does one change the SSH port?

    Thanks!
     
  12. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    You can change the SSH port by editing
    /etc/ssh/sshd_config
    Once you uncomment and change the port from 22, make sure you remember the new port, or else you'll be locked out of the server.

    It would be better if you search and read through this forum before you try it out.
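    A safer way to carry out the port change above, as an added example that is not from this post or from cPanel: sshd accepts several Port directives and listens on all of them, so the script adds the new port while keeping 22 active, and you remove the old line only after a login on the new port succeeds. The config path, the port number and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): add a second SSH listening port while
# keeping the existing one, so a typo in sshd_config cannot lock you out.
# Port directives must precede any ListenAddress or Match lines, so the new
# lines are prepended rather than appended.

# Usage: add_ssh_port /etc/ssh/sshd_config 2222
add_ssh_port() {
    cfg="$1"
    port="$2"
    # Accept only a plain port number in the valid TCP range.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    # Nothing to do if an uncommented Port line for it already exists.
    if grep -Eq "^[[:space:]]*Port[[:space:]]+$port([[:space:]]|$)" "$cfg"; then
        return 0
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    {
        # If every Port line is commented out, sshd is on the default 22; once
        # any Port is set that default disappears, so make 22 explicit first.
        grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || printf 'Port 22\n'
        printf 'Port %s\n' "$port"
        cat "$cfg"
    } > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# List the active (uncommented) Port directives, for verification.
active_ssh_ports() {
    grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}'
}

# Run sshd's own syntax check before restarting; do this on a live host.
check_sshd_config() {
    sshd -t -f "$1"
}
```

    After `check_sshd_config` passes and you have logged in on the new port, delete the `Port 22` line and restart sshd; the `.bak.*` copy restores the previous file if anything goes wrong.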
     
  13. CDDHosting

    CDDHosting Member

    Joined:
    Feb 18, 2010
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    Port 22 is way too low; always choose something really high. Above 50,000 will be good.
     
  14. stugster

    stugster Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Edinburgh, UK
    cPanel Access Level:
    Root Administrator
    We use ConfigServer (ConfigServer Services) and we've noticed a massive spike in port scans in the past week or so.
     
  15. cpanelinfoseeker

    cpanelinfoseeker Well-Known Member

    Joined:
    Oct 25, 2002
    Messages:
    323
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    NE Illinois
    cPanel Access Level:
    Root Administrator
    You are not the only one! Mine have been way higher than normal on one server, the other one is still "normal".

    Ron
     
  16. rackaid

    rackaid Active Member

    Joined:
    Jan 18, 2003
    Messages:
    42
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Jacksonville, FL
    cPanel Access Level:
    DataCenter Provider
    We monitor a few hundred servers and have noticed a spike in SSH failures due to brute-force attacks. In late January, I wrote a blog post about rising SSH attacks. This trend was also spotted by DShield.

    When we dug into this, we found that it was basically bot-driven SSH attacks that pose a relatively minor threat. Only if you have poor password security would this lead to a compromise. However, the service interruptions on some systems led us to tweak SSH settings and deploy rate limiting via iptables.

    Using iptables, you can rate-limit SSH access. I found this very effective in combating this issue, and it requires much less maintenance than block lists.

    Block lists are relatively ineffective. I've seen reports stating that even using large block lists typically blocks less than 20% of attacks.

    Also, you can use the same rate-limiting rules to protect WHM/cPanel logins as well.

    I had one client whose WHM was under constant attack, and it was getting blocked due to cpHulk. We used the SSH rate-limiting rules on the WHM ports and the problem was solved.

    Check out cPanel's firewall reference page for what ports the system needs open. Close anything you don't need.
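    The rate limiting this post describes, as an added example that is not rackaid's or cPanel's code: iptables' `recent` match counts new connections per source address and drops the excess, and the same rule set is generated for SSH and for the WHM ports. Assumptions: SSH on 22 (substitute the port in your sshd_config), WHM on 2086/2087, and `ADMIN_IP` as a placeholder for the address that must never be throttled.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limiting of new TCP
# connections with the iptables "recent" match, for SSH and the WHM ports.
# The rules are printed for review; they are only applied with --apply.
# They must be evaluated before the chain's final ACCEPT for each port, so
# place them in whatever pre-rules hook your firewall provides.

ADMIN_IP="${ADMIN_IP:-198.51.100.10}"   # placeholder (TEST-NET-2); replace

# Emit the rules for one port: admin bypass first, then record each new
# connection per source, then drop a source that exceeds $hits new
# connections within $secs seconds.
ratelimit_rules() {
    port="$1"; hits="${2:-4}"; secs="${3:-60}"
    name="rl_$port"   # a separate recent-list per protected port
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -s $ADMIN_IP -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name $name
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds $secs --hitcount $hits --name $name -j DROP
EOF
}

# Rules for every port the post mentions: SSH, WHM (2086) and WHM over TLS (2087).
all_rules() {
    for p in 22 2086 2087; do
        ratelimit_rules "$p" 4 60
    done
}

# Number of rules generated, as a sanity check before applying them.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    all_rules | sh      # needs root; review the printed rules first
else
    all_rules
fi
```

    A source that is dropped stays blocked only while it keeps connecting, since `--update` refreshes its timestamp on every attempt; a legitimate user who waits 60 seconds gets back in without any block-list maintenance.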
     
  17. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    Thanks for the info. I've done a little more digging into the two previous software pieces that were mentioned, and I think I would like to deploy them, but I'm still not 100% sure if I can do it on my own without hosing something.

    I understand I need to install them via SSH, but is it pretty much a blind/automated setup from there? Would I just access them from the cPanel/WHM interface? How do you roll it back if something doesn't work correctly?
     
  18. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    The easy way to install ModSec is via EasyApache in WHM: you select the option and EasyApache installs ModSec.

    It comes with a few rules to start with, but they are not good. I suggest that you install the GotRoot or ASL free rules; they are much better.

    You will need to configure modsec2.conf and modsec2.user.conf, located at /usr/local/apache/conf/, and remember to restart Apache in order for the modsec rules to work.
     