The Community Forums


Security Warnings

Discussion in 'Security' started by Webmaster Mitch, Mar 9, 2009.

  1. Webmaster Mitch

    After installing the CSF Firewall, I started getting warning messages emailed to me such as;

    Subject: lfd on merlo.webhosting.com: 218.25.74.220 (CN/China/-) blocked for port scanning
    Time: Thu Mar 5 14:10:24 2009 -0800
    IP: 218.25.74.220 (CN/China/-)
    Hits: 11
    Blocked: temporarily for 3600 seconds
    Sample of block hits:
    Mar 5 14:10:11 merlo kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1b:21:0a:ca:31:00:05:74:94:35:00:08:00 SRC=218.25.74.220 DST=70.38.14.2 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=678 DF PROTO=TCP SPT=18223 DPT=1025 WINDOW=65535 RES=0x00 SYN URGP=0
    Mar 5 14:10:11 merlo kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1b:21:0a:ca:31:00:05:74 etc........

    I don't understand because I have my cPanel Host Access Control set to only allow 4 IPs in sshd and deny all others.

    What is it that I am not understanding, and am I leaving open a big ol' security hole?
     
  2. ChrisRHS

    Hi there, as the email states, this user was blocked for port scanning, not failed sshd attempts.
     
  3. Webmaster Mitch

    Should I block the IP

    ChrisRHS,

    Thank you for your response. Should I be doing anything about this, or am I already protected by the firewall?
     
  4. ChrisRHS

    Server security is a huge topic. The firewall is definitely a help though. :)
     
  5. mtindor

    No, you're doing fine. That email is nothing to "worry" about - but you do always want to pay attention to those emails. In this case it's just a tidbit of useful information.

    Basically somebody remotely scanned for available open/active ports on your server. There is no reason for anybody to do this really. Sometimes people do it out of curiosity, but most of the time you see it happening it is probably an infected machine somewhere trying to connect to your machine to look for exploitable services / sites.

    So it is a good thing that the firewall is firewalling the IP after it determines that port scanning activity is coming from it. That will keep that particular [potential/likely] evildoer from trying to investigate any further.

    If your firewall wasn't blocking IPs that port scan, then you might expect one or more of the following to occur after a portscan:
    1. nothing
    2. attempt to brute force password guess FTP/POP3/etc logins
    3. attempt to run an exploit against a particular service/site once the remote party / trojan process determines there is something worth pursuing.

    Mike
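As an added example (not code from the thread or from CSF/lfd itself): a small detector that parses the kernel "Firewall: *TCP_IN Blocked*" lines quoted in the first post and applies the same kind of rule lfd uses, counting blocked hits per source inside a sliding window and raising a temporary block once the limit is exceeded. The thresholds (10 hits in 300 seconds, 3600-second block) are assumed to mirror the quoted email, not read from csf.conf, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds mirroring the lfd report in the thread ("Hits: 11", "3600 seconds");
# they are not read from csf.conf.
PS_LIMIT, PS_INTERVAL, BLOCK_SECONDS = 10, 300, 3600
# Matches the kernel "Firewall: *TCP_IN Blocked*" lines that lfd samples in its email.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Firewall: "
    r"\*TCP_IN Blocked\*.* SRC=(?P<src>[\d.]+) .* DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2009):
    """Return (timestamp, source ip, destination port), or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def detect_port_scans(log_text):
    """Flag sources whose blocked hits exceed PS_LIMIT inside a sliding PS_INTERVAL window."""
    hits_by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            hits_by_src[src].append((ts, dpt))
    blocks = {}
    for src, hits in hits_by_src.items():
        window = []
        for ts, dpt in sorted(hits):
            window.append((ts, dpt))
            # keep only hits within PS_INTERVAL of the newest one
            window = [h for h in window if (ts - h[0]).total_seconds() <= PS_INTERVAL]
            if len(window) > PS_LIMIT:   # the (PS_LIMIT+1)th hit trips the block
                blocks[src] = {"hits": len(window), "ports": sorted({p for _, p in window}),
                               "until": ts + timedelta(seconds=BLOCK_SECONDS)}
                break   # lfd blocks the source at this point; stop counting
    return blocks

def _line(sec, src, dpt):
    # One constructed log line in the format quoted in the thread (not real traffic).
    return (f"Mar 5 14:10:{sec:02d} merlo kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
            f"SRC={src} DST=70.38.14.2 LEN=48 PROTO=TCP SPT={18200 + sec} DPT={dpt} SYN URGP=0")

# Constructed sample: eleven hits from the address in the email, plus two from an
# RFC 5737 documentation-range address that should stay under the limit.
SCAN_PORTS = [1025, 135, 139, 445, 3389, 21, 22, 23, 25, 110, 143]
SAMPLE_LOG = "\n".join([_line(i, "218.25.74.220", p) for i, p in enumerate(SCAN_PORTS)]
                       + [_line(20, "192.0.2.10", 8080), _line(40, "192.0.2.10", 8443)])
```

Running `detect_port_scans(SAMPLE_LOG)` reports the scanning address with 11 hits and a block expiring one hour after the eleventh hit, while the two-hit source is left alone.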
     