The Community Forums


Serious Problem - My SSH is trying to be hacked

Discussion in 'General Discussion' started by Chew, Aug 5, 2004.

  1. Chew

    Chew Well-Known Member

    Joined:
    Dec 31, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Maryland
    Serious Problem - My SSH is being hacked

    I've been noticing in the last couple of weeks that my SSH server is being hammered by numerous IPs trying to get passwords for root, and even trying accounts that don't exist like admin, guest, test, etc.

    Is there a way to prevent logins to ssh from all other IP's except a given range I designate?

    I'm on DSL; however, as you know, it's static to a point. However, I know what my DSL company's IP range is, and would like to restrict logins to just that range.

    Or is there an easier way than just blocking the IPs? Because that's what I've been doing.

    Thanks in advance,
    Chew
     
    #1 Chew, Aug 5, 2004
    Last edited: Aug 5, 2004
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's a very common attack at the moment. You should be able to restrict access to SSH through /etc/hosts.deny and hosts.allow:
    man hosts.deny

    Or, if you have APF, you could simply only allow access to port 22 from your IP address or range using /etc/apf/allow_hosts.rules and deny_hosts.rules.
     
  3. Chew

    Chew Well-Known Member

    Joined:
    Dec 31, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Maryland
    Ahh, I didn't think about using APF for restrictions.

    Thanks again Chirpy!
    Chew
     
  4. Chew

    Chew Well-Known Member

    Joined:
    Dec 31, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Maryland
    One other thing.

    Say my IP is 64.155.58.12
    I want to always allow 64.55.x.x to connect.

    Would I enter the following?
    tcp:in:d=22:s=64.155.0.0/16 ?

    What's the correct format for the entry?

    Thanks,
    Chew
     
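The two allow-list formats mentioned in chirpy's reply and in the question above, as an added example (this is not code from the thread, from APF or from TCP Wrappers). It takes the 64.155.0.0/16 network from the post, validates it before emitting anything, and prints both the APF allow_hosts.rules line in the proto:flow:d=port:s=source form and the equivalent hosts.allow/hosts.deny pair in the net/mask pattern form of hosts_access(5). The function names and the optional port argument are this example's own; it goes a step beyond the thread by also computing the netmask for any prefix length, not just /16.

```shell
#!/bin/sh
# Added example, not code from the thread, APF or TCP Wrappers: generate the
# allow-list entries that restrict SSH to one source network in both formats
# discussed in the thread.  The network 64.155.0.0/16 is taken from Chew's
# post; the port argument and the helper names are this example's own.

# valid_cidr NET/LEN: succeed only for a dotted quad with octets 0-255 and a
# prefix length 0-32.  A typo here would otherwise load a rule that matches
# nothing (locking the admin out) or far more than intended.
valid_cidr() {
    ip=${1%/*}
    len=${1#*/}
    [ "$ip" != "$1" ] || return 1              # no "/" present
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=0
    oldifs=$IFS
    IFS=.
    for o in $ip; do
        case "$o" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# apf_allow_rule NET/LEN [PORT]: one line for /etc/apf/allow_hosts.rules in
# APF's proto:flow:d=destination-port:s=source form (port defaults to 22).
apf_allow_rule() {
    valid_cidr "$1" || return 1
    printf 'tcp:in:d=%s:s=%s\n' "${2:-22}" "$1"
}

# cidr_to_mask LEN: dotted netmask for a prefix length, e.g. 16 -> 255.255.0.0.
cidr_to_mask() {
    if [ "$1" -eq 0 ]; then
        m=0
    else
        m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                            $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# tcpwrappers_rules NET/LEN: the matching hosts.allow and hosts.deny lines in
# the net/mask pattern form documented in hosts_access(5).  hosts.allow is
# consulted first, so the allow line wins for the listed network and the
# "sshd: ALL" deny line refuses everyone else.
tcpwrappers_rules() {
    valid_cidr "$1" || return 1
    net=${1%/*}
    len=${1#*/}
    printf 'hosts.allow: sshd: %s/%s\n' "$net" "$(cidr_to_mask "$len")"
    printf 'hosts.deny:  sshd: ALL\n'
}

# Stand-alone run with the network from the thread.
apf_allow_rule 64.155.0.0/16
tcpwrappers_rules 64.155.0.0/16
```

Two practical points when applying the output: put the allow entry in place (and reload the firewall) before adding the deny side, and keep your current SSH session open while testing from a second one so a mistake does not lock you out. The hosts.allow/hosts.deny route only works where sshd is built with libwrap; OpenSSH removed TCP Wrappers support in 6.7, so on a current system the firewall rule is the one that counts.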
  5. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    Don't forget...

    If you have APF installed, you should install Brute Force Protection (BFD) from the same vendor. This script will automatically update/deny the IPs of the kiddies running the hack attempts.
     
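What a brute-force detector like the BFD mentioned above actually does, as an added example (not code from the thread or from BFD): count failed SSH logins per source address in the sshd log and turn every source at or over a threshold into a deny_hosts.rules entry. The log lines are constructed for the demo and use documentation address ranges; on a real server the input is /var/log/secure or /var/log/auth.log, and the threshold is whatever you configure.

```shell
#!/bin/sh
# Added example, not code from the thread or from BFD: the core of a
# brute-force detector, shown on constructed sshd log lines.  It counts
# failed logins per source address and turns every address at or over a
# threshold into a /etc/apf/deny_hosts.rules entry.  On a real server the
# input would be /var/log/secure (or auth.log); the addresses below are
# documentation ranges, not real attackers.

# Constructed sample: one source hammering root and non-existent accounts,
# one single failure from elsewhere, and a legitimate user who mistyped once.
SAMPLE_LOG='Aug  5 10:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 40312 ssh2
Aug  5 10:01:04 host sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40320 ssh2
Aug  5 10:01:05 host sshd[2105]: Failed password for invalid user guest from 192.0.2.10 port 40331 ssh2
Aug  5 10:01:06 host sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 40340 ssh2
Aug  5 10:01:07 host sshd[2109]: Failed password for root from 192.0.2.10 port 40352 ssh2
Aug  5 10:02:11 host sshd[2130]: Failed password for root from 198.51.100.7 port 51002 ssh2
Aug  5 10:02:15 host sshd[2132]: Accepted password for chew from 203.0.113.5 port 50122 ssh2
Aug  5 10:03:40 host sshd[2140]: Failed password for chew from 203.0.113.5 port 50130 ssh2'

# count_failures: read log text on stdin and print "count address" for every
# source with at least one failed login, highest count first.  The word
# after "from" is the address, whichever user name (valid or invalid) was tried.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# deny_rules [THRESHOLD]: APF deny lines for sources with at least THRESHOLD
# (default 5) failures.  A single typo from a legitimate user stays below it.
deny_rules() {
    count_failures | awk -v t="${1:-5}" '$1 >= t { printf "tcp:in:d=22:s=%s\n", $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_rules 5
```

The output lines are in the same format as /etc/apf/deny_hosts.rules, so a cron job can append them and restart APF. Whatever tool you use for this, put your own address range in allow_hosts.rules first: an allow entry is matched before a deny entry, so a mistyped password from your desk cannot ban you.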
  6. deanstev

    deanstev Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    0
    I have the exact same problem - happening loads over the last few weeks - I don't have APF, just a plain old miniserver at Memset. What can I do to stop it?

    Any ideas gratefully received.


    Regards,
    Dean
    :)
     
  7. sjackson909

    sjackson909 Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus, OH
    If you can't use firewall rules to block out connections, you can block on username also. Add this line to your sshd_config.

    AllowUsers user1 user2

    Only add users you want to connect.

    Thanks
    -Seth
     
  8. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    How do you do this in APF? What is the syntax? Does it only restrict the root user or all users?
     
  9. sjackson909

    sjackson909 Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus, OH
    You don't filter on user name in APF, just on bits. Edit your sshd_config to filter based on username.

    Thanks
    -Seth
     
  10. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    I was getting hit for about 2 weeks and then I simply changed the SSH port and closed 22 with APF and all went quiet.
     
  11. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    How do you close a port with APF?
     
  12. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    What do you mean by "just on bits"?
     
  13. SonServers

    SonServers Well-Known Member

    Joined:
    Oct 24, 2001
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    Let's say you allow "user1" but not root. If you login as "user1" will SSH still allow you to SU to root (assuming "user1" is in the wheel group)?
     
  14. sjackson909

    sjackson909 Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus, OH
    Yep, SSH is just the transport to get you to the shell. AbeFroman, I know not one thing about APF. I use ipfw on FreeBSD. No Linux for me. :)

    Thanks
    -Seth
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    TBH, I find it simpler to move SSH to a different port (just modify /etc/ssh/sshd_config and restart sshd). It won't stop port range scanners, but it will bounce the skiddie scripts like the one currently doing the rounds.
     
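The two sshd_config changes recommended in this thread, the AllowUsers list from sjackson909's post and the port move from chirpy's, applied together as an added example (not code from the thread or from OpenSSH). The helper edits a config file in place without leaving a second copy of a directive behind, which matters because sshd honours the first occurrence of each directive; the sample config, the port number and the user names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: apply an
# AllowUsers list and a non-default Port to an sshd_config file without
# duplicating directives, then show the result.  The sample config, port
# number and user names below are constructed for the demo.

# set_sshd_option FILE KEY VALUE: replace the first line that sets KEY (also
# when it is commented out, e.g. "#Port 22"), drop any further copies, or
# append "KEY VALUE" if the file has none.  sshd honours the first
# occurrence of a directive, so leaving a second one behind is a trap.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(key) "[ \t]"; done = 0 }
        tolower($0) ~ pat {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: value of the first uncommented KEY line, or
# nothing if the option is unset.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
    }' "$1"
}

# harden_sshd_config FILE PORT USER...: move sshd to PORT and allow logins
# only for the listed users.  AllowUsers is a space-separated list; sshd
# rejects any user not on it whatever password is offered (leave root off to
# block direct root logins), while "su" from an allowed account still works,
# as the thread notes.  An empty user list is refused rather than written.
harden_sshd_config() {
    file=$1
    port=$2
    shift 2
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || return 1
    [ $# -ge 1 ] || return 1
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" AllowUsers "$*"
}

# Stand-alone demo on a temporary file, so nothing on the host is touched.
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' 'X11Forwarding yes' 'LogLevel INFO' > "$demo_cfg"
harden_sshd_config "$demo_cfg" 2222 chew ops
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Before restarting sshd on the real /etc/ssh/sshd_config, run `sshd -t` to syntax-check the file, make sure the firewall already allows the new port (an APF allow rule with d= set to the new port), and keep the current session open until a fresh login on the new port succeeds. As chirpy says, the port move only sheds the scripts that try port 22 blindly; the AllowUsers list is what still holds once a scanner finds the new port.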
  16. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    0
    What's your IP and what did you change the port to?
     
  17. sjackson909

    sjackson909 Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus, OH
    It wouldn't hurt to add an extra layer of security. :)
     