Rise in attempted hacking attempts?

agentblack

Well-Known Member
Mar 28, 2008
59
0
56
Indiana
I am just wondering if other Cpanel admins have noticed a major spike in hacking attempts to their systems? In the past two days I have been swamped with blocking international IP addresses from the network, including a government based IP address.

I will gladly share the IPs with anyone who's interested. It appears they are trying to brute force their way in via password. Appears to be via SSH, which is disabled for all IPs except one (mine).

Other Cpanel admins or Cpanel staff have any thoughts or ideas to further lock down the servers?

Thanks!

AB
 

Infopro

Well-Known Member
May 20, 2003
17,076
523
613
Pennsylvania
cPanel Access Level
Root Administrator
I am just wondering if other Cpanel admins have noticed a major spike in hacking attempts to their systems?
Hacking attempts are a part of the landscape in my opinion. Out of date or poorly secured servers and website scripts are good targets and might get more activity at times of course. Do you have modsecurity installed? This part of your security can be a big help in closing some openings for a hacker to poke at.

It appears they are trying to brute force their way in via password. Appears to be via SSH which is disabled for all IP's except one (mine).
Have you moved SSH to another port?
 

agentblack

Well-Known Member
Mar 28, 2008
59
0
56
Indiana
Hacking attempts are a part of the landscape in my opinion. Out of date or poorly secured servers and website scripts are good targets and might get more activity at times of course. Do you have modsecurity installed? This part of your security can be a big help in closing some openings for a hacker to poke at.



Have you moved SSH to another port?
I have not installed modsecurity due to some mixed reviews I have heard about the software. I've heard it's good, but at the same time I've heard it can be an admin nightmare if you get locked out.

Moved my ssh to port 22, but I should probably move it yet again since activity is picking up again.
 

shads

Registered
Jan 6, 2010
3
0
51
I am just wondering if other Cpanel admins have noticed a major spike in hacking attempts to their systems? In the past two days I have been swamped with blocking international IP addresses from the network, including a government based IP address.

I will gladly share the IPs with anyone who's interested. It appears they are trying to brute force their way in via password. Appears to be via SSH, which is disabled for all IPs except one (mine).

Other Cpanel admins or Cpanel staff have any thoughts or ideas to further lock down the servers?

Thanks!

AB
Yes I know what you mean, even I was thinking it was quite strange in the number of attacks and login attempts being made all of a sudden. Most of mine seem to come from the Netherlands now.
 

agentblack

Well-Known Member
Mar 28, 2008
59
0
56
Indiana
Yes I know what you mean, even I was thinking it was quite strange in the number of attacks and login attempts being made all of a sudden.Most of mine seem to come from the Netherlands now.
Yes that is where a lot of mine are coming from as well, but I am getting a lot from China, India, and the Philippines. Had a government agency in the Philippines attempt as well.
 

Infopro

Well-Known Member
May 20, 2003
17,076
523
613
Pennsylvania
cPanel Access Level
Root Administrator
I have not installed modsecurity due to some mixed reviews I have heard about the software. I've heard it's good, but at the same time I've heard it can be an admin nightmare if you get locked out.

Moved my ssh to port 22, but I should probably move it yet again since activity is picking up again.
You might want to read a few more reviews. ;)
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
I have not installed modsecurity due to some mixed reviews I have heard about the software. I've heard it's good, but at the same time I've heard it can be an admin nightmare if you get locked out.

Moved my ssh to port 22, but I should probably move it yet again since activity is picking up again.
Using port 22 is like giving an invitation to hacking problems.
Change this to a non-standard port, and install CSF.

If you are doing shared hosting, where users use a lot of open source like Joomla and WordPress, install mod-security and use any free ruleset before it's too late.

I don't think one could live without mod-sec in this wild hacker world.
 

agentblack

Well-Known Member
Mar 28, 2008
59
0
56
Indiana
Using port 22 is like giving an invitation to hacking problems.
Change this to a non-standard port, and install CSF.

If you are doing shared hosting, where users use a lot of open source like Joomla and WordPress, install mod-security and use any free ruleset before it's too late.

I don't think one could live without mod-sec in this wild hacker world.
OK, now I'm just not so sure of my abilities to install it properly, LOL. I will look into them on Thursday. Thanks for the advice.
 

cactuscarl

Member
Aug 21, 2009
6
0
51
I'm certainly getting my share of hacking attempts come to find out :mad:

Is there a simple yum install for mod-sec? Where can I read about it? Also, how does one change ssh port?

Thanks!
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
You can change the SSH port by editing
/etc/ssh/sshd_config
Once you uncomment and change the port from 22, make sure you remember the new port, or else you'll be locked out of the server.

It would be better if you search and read through this forum before you try it out.
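As an added example (not the poster's, and not cPanel tooling) of the edit described above, done in a way that can be rehearsed on a scratch copy first: the functions below take the config path and the port as parameters, keep a backup, and write the new Port directive at the top of the file, because sshd rejects a Port directive that appears after a Match block. The file layout is the usual OpenSSH sshd_config; everything else here is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OpenSSH-style sshd_config;
# the file path and port are parameters so the functions can be tried on a
# scratch copy before touching /etc/ssh/sshd_config.

# get_ssh_port CONFIG
# Prints the effective listening port: the last active "Port" line, or 22
# (OpenSSH's default) when none is set.
get_ssh_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# set_ssh_port CONFIG NEWPORT
# Validates NEWPORT, keeps a timestamped backup of CONFIG, drops every
# existing "Port" line (active or commented out) and writes a single
# "Port NEWPORT" as the first line. Putting it first matters: a Port
# directive placed after a "Match" block is rejected by sshd.
set_ssh_port() {
    cfg="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_ssh_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_ssh_port: port out of range" >&2
        return 1
    fi
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    {
        printf 'Port %s\n' "$port"
        grep -Ev '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || true
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Demonstration on a scratch file (constructed input, not a real server config).
demo=$(mktemp)
printf '#Port 22\nAddressFamily any\nMatch User backup\n    X11Forwarding no\n' > "$demo"
echo "before: port $(get_ssh_port "$demo")"
set_ssh_port "$demo" 2222
echo "after:  port $(get_ssh_port "$demo")"
rm -f "$demo" "$demo".bak.*
```

On the real host, run `set_ssh_port /etc/ssh/sshd_config <newport>`, then `sshd -t` to syntax-check, open the new port in the firewall before restarting sshd, and keep the current session open while you confirm a fresh connection on the new port works; the `.bak.*` copy is the rollback if it does not.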
 

CDDHosting

Member
Feb 18, 2010
15
1
53
I have not installed modsecurity due to some mixed reviews I have heard about the software. I've heard it's good, but at the same time I've heard it can be an admin nightmare if you get locked out.

Moved my ssh to port 22, but I should probably move it yet again since activity is picking up again.
Port 22 is way too low. Always choose something really high. Above 50,000 will be good.
 

rackaid

Well-Known Member
Jan 18, 2003
89
28
168
Jacksonville, FL
cPanel Access Level
DataCenter Provider
We monitor a few hundred servers and have noticed a spike in SSH failures due to brute-force attacks. Late January, I wrote a blog post about rising SSH attacks. This trend was also spotted by Dshields.

When we dug into this, we found that it was basically bot-driven ssh attacks that pose a relatively minor threat. Only if you have poor password security would this lead to a compromise. However, the service interruptions on some systems led us to tweak SSH settings and deploy rate limiting via iptables.


Using iptables, you can rate limit SSH accesses. I found this very effective in combating this issue, and it requires much less maintenance than block lists.

Block lists are relatively ineffective. I've seen reports stating that even using large block lists typically blocks less than 20% of attacks.

Also, you can use the same rate limiting rules to protect WHM/Cpanel Logins as well.

I had one client whose WHM was under constant attack and it was getting blocked due to cpHulk. We used the SSH rate limiting rules on the WHM ports and the problem was solved.

Check out Cpanel's firewall reference page for what ports the system needs open. Close anything you don't need.
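An added example of the iptables rate limiting described in this post, not the poster's own rules: the function prints the commands for a per-source limit on one TCP port using the `recent` match, and the same function serves SSH and the WHM ports (2086/2087). The chain names, the 60 s / 4 hits defaults and the trusted address 203.0.113.5 are choices made for this example, not cPanel defaults.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands for a
# per-source rate limit on one TCP port using the "recent" match; nothing is
# applied unless the output is piped to a root shell. Chain names, the trusted
# address and the thresholds are parameters chosen here, not cPanel defaults.

# ratelimit_rules PORT NAME [SECONDS] [HITCOUNT] [TRUSTED_IP]
# Emits rules that send new connections to PORT through a dedicated chain
# NAME. Each new connection is recorded per source address; a source that
# opens HITCOUNT or more new connections within SECONDS is dropped. Because
# --update refreshes the source's timestamp on every hit, a bot that keeps
# hammering stays blocked until it pauses for SECONDS. TRUSTED_IP (e.g. the
# admin's own address) bypasses the limit.
ratelimit_rules() {
    port="$1"; name="$2"; secs="${3:-60}"; hits="${4:-4}"; trusted="${5:-}"
    case "$port" in
        ''|*[!0-9]*) echo "ratelimit_rules: port must be numeric" >&2; return 1 ;;
    esac
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "ratelimit_rules: bad chain name" >&2; return 1 ;;
    esac
    # create the chain, or flush it if it already exists, so re-running is safe
    echo "iptables -N $name 2>/dev/null || iptables -F $name"
    if [ -n "$trusted" ]; then
        echo "iptables -A $name -s $trusted -j RETURN"
    fi
    echo "iptables -A $name -m recent --name $name --set"
    echo "iptables -A $name -m recent --name $name --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A $name -j RETURN"
    # insert at the top of INPUT so it runs before any blanket ACCEPT for the port
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $name"
}

# Stand-alone run: show the rule sets for SSH and the WHM SSL port (2087).
ratelimit_rules 22 SSH 60 4 203.0.113.5
echo
ratelimit_rules 2087 WHM 60 8
```

To apply, run `ratelimit_rules 22 SSH 60 4 <your-ip> | sh` as root; `iptables -L SSH -n -v` shows the drop counters and `/proc/net/xt_recent/SSH` lists the sources currently being tracked. Two caveats: the kernel's `xt_recent` module caps `--hitcount` at its `ip_pkt_list_tot` setting (20 by default), and if CSF (mentioned earlier in this thread) manages the firewall it rebuilds the tables on restart, so hand-added rules belong in its `/etc/csf/csfpost.sh` hook rather than in an ad-hoc shell session.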
 

agentblack

Well-Known Member
Mar 28, 2008
59
0
56
Indiana
We monitor a few hundred servers and have noticed a spike in SSH failures due to brute-force attacks. Late January, I wrote a blog post about rising SSH attacks. This trend was also spotted by Dshields.

When we dug into this, we found that it was basically bot-driven ssh attacks that pose a relatively minor threat. Only if you have poor password security would this lead to a compromise. However, the service interruptions on some systems led us to tweak SSH settings and deploy rate limiting via iptables.


Using iptables, you can rate limit SSH accesses. I found this very effective in combating this issue, and it requires much less maintenance than block lists.

Block lists are relatively ineffective. I've seen reports stating that even using large block lists typically blocks less than 20% of attacks.

Also, you can use the same rate limiting rules to protect WHM/Cpanel Logins as well.

I had one client whose WHM was under constant attack and it was getting blocked due to cpHulk. We used the SSH rate limiting rules on the WHM ports and the problem was solved.

Check out Cpanel's firewall reference page for what ports the system needs open. Close anything you don't need.
Thanks for the info. I've done a little more digging into the two previous software pieces that were mentioned, and I think I would like to deploy them, but I'm still not 100% sure if I can do it on my own without hosing something.

I understand I need to install them via SSH, but is it pretty much a blind/automated setup from there? I would just access them from the cPanel/WHM interface? How do you roll it back if something doesn't work correctly?
 

Secmas

Well-Known Member
Feb 18, 2005
387
21
168
Thanks for the info. I've done a little more digging into the two previous software pieces that were mentioned, and I think I would like to deploy them, but I'm still not 100% sure if I can do it on my own without hosing something.

I understand I need to install them via SSH, but is it pretty much a blind/automated setup from there? I would just access them from the cPanel/WHM interface? How do you roll it back if something doesn't work correctly?
The easy way to install ModSec is via EasyApache in WHM, you select the option and EasyApache installs ModSec.

It comes with a few rules to start with, but they are not good. I suggest that you install GotRoot or ASL free rules, they are much better.

You will need to configure modsec2.conf and modsec2.user.conf, located at /usr/local/apache/conf/; remember to restart Apache in order for the modsec rules to work.
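An added example (not the poster's, and not cPanel's or EasyApache's own tooling) of rolling the ruleset out in stages, which is what answers the earlier worries about lockouts and rollback: write modsec2.user.conf with the engine in DetectionOnly first so matches are only logged, switch to On once the logs show no false positives, and syntax-check Apache before every restart. The config directory, engine mode and ruleset directory are parameters so the whole flow can be rehearsed in a scratch directory; the apachectl path is assumed for a cPanel build.

```shell
#!/bin/sh
# Added example, not from the thread or cPanel's own tooling. Stages a
# ModSecurity ruleset roll-out on a cPanel/EasyApache layout: the config
# directory, engine mode and ruleset directory are parameters so it can be
# exercised on a scratch directory. The apachectl path is an assumption.
APACHECTL="${APACHECTL:-/usr/local/apache/bin/apachectl}"

# modsec_user_conf CONFDIR MODE RULESDIR
# Backs up CONFDIR/modsec2.user.conf as .bak (if it exists) and writes a new
# one. MODE is "DetectionOnly" (log matches, block nothing: the safe first
# step with an unfamiliar ruleset) or "On" (enforce). Rules are pulled in
# from RULESDIR via Include.
modsec_user_conf() {
    dir="$1"; mode="$2"; rules="$3"
    case "$mode" in
        DetectionOnly|On) ;;
        *) echo "modsec_user_conf: mode must be DetectionOnly or On" >&2; return 1 ;;
    esac
    f="$dir/modsec2.user.conf"
    if [ -f "$f" ]; then
        cp "$f" "$f.bak"
    fi
    cat > "$f" <<EOF
# written by modsec_user_conf on $(date)
SecRuleEngine $mode
# third-party ruleset directory (e.g. the free GotRoot/ASL rules)
Include $rules/*.conf
EOF
}

# modsec_mode CONFDIR: print the engine mode currently written
modsec_mode() {
    awk '$1 == "SecRuleEngine" { print $2 }' "$1/modsec2.user.conf"
}

# modsec_rollback CONFDIR: restore the previous modsec2.user.conf, if any
modsec_rollback() {
    f="$1/modsec2.user.conf"
    if [ -f "$f.bak" ]; then
        mv "$f.bak" "$f"
    else
        echo "modsec_rollback: no backup found" >&2
        return 1
    fi
}

# modsec_reload: syntax-check the full Apache config and only then restart,
# so a broken rule file never takes the web server down
modsec_reload() {
    if "$APACHECTL" -t; then
        "$APACHECTL" graceful
    else
        echo "modsec_reload: config test failed, Apache not restarted" >&2
        return 1
    fi
}

# Stand-alone demonstration in a scratch directory (constructed, not a live server).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
printf 'SecRuleEngine Off\n' > "$demo_dir/modsec2.user.conf"
modsec_user_conf "$demo_dir" DetectionOnly "$demo_dir/rules"
echo "staged mode: $(modsec_mode "$demo_dir")"
modsec_user_conf "$demo_dir" On "$demo_dir/rules"
echo "enforcing mode: $(modsec_mode "$demo_dir")"
modsec_rollback "$demo_dir"
echo "after rollback: $(modsec_mode "$demo_dir")"
rm -rf "$demo_dir"
```

On the real host the sequence is `modsec_user_conf /usr/local/apache/conf DetectionOnly /path/to/rules && modsec_reload`, a period of watching the audit log for rules that fire on legitimate traffic, then the same call with `On`; if a rule breaks a site, `modsec_rollback /usr/local/apache/conf && modsec_reload` puts the previous file back. Only modsec2.user.conf is touched here; modsec2.conf, the other file named in this post, holds the base engine settings that EasyApache writes.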
 