Thousands of failed root attempts - how to block?

drhamad

Member
Aug 19, 2005
22
0
151
Some IP in Korea has attempted root access thousands of times (210.126.121.198)... how do I block this IP? Especially nice if I can send the IP a msg when it tries to connect.
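Before reaching for a tool it is worth seeing how many sources are really involved and what "block" will look like in iptables. The script below is an added example for this thread, not code from any poster or from APF/BFD: it tallies "Failed password for root" lines per source address from sshd log lines (on RHEL 3 these live in /var/log/secure) and prints, without applying them, the iptables rules that would block every address above a threshold. The log lines are constructed samples in the OpenSSH 3.x format, reusing the 210.126.121.198 address from the post plus documentation-range addresses. One caveat on the "send the IP a msg" wish: nothing in iptables can deliver a message to the attacker; the closest is a REJECT with --reject-with tcp-reset, which answers each connection attempt with a TCP reset instead of silently dropping it.

```shell
#!/bin/sh
# Added example (not from the thread): count failed root logins per source IP from
# sshd log lines on stdin, and print the iptables rules that would block the worst
# offenders. Nothing is applied; review the output, then pipe it to sh if you agree.

# Constructed sample in /var/log/secure format (OpenSSH 3.x on RHEL 3). The Korean
# address is the one from the original post; the others are documentation ranges.
SAMPLE_LOG='Dec 11 03:14:07 host sshd[2931]: Failed password for root from 210.126.121.198 port 41234 ssh2
Dec 11 03:14:09 host sshd[2933]: Failed password for root from 210.126.121.198 port 41240 ssh2
Dec 11 03:14:11 host sshd[2935]: Failed password for root from 210.126.121.198 port 41251 ssh2
Dec 11 03:15:02 host sshd[2940]: Failed password for illegal user admin from 192.0.2.77 port 5544 ssh2
Dec 11 03:16:30 host sshd[2950]: Failed password for root from 198.51.100.9 port 2200 ssh2
Dec 11 03:17:00 host sshd[2960]: Accepted publickey for root from 203.0.113.5 port 51000 ssh2'

# count_failed_root: stdin = log lines; stdout = "<count> <ip>", most failures first.
# Only root failures are counted; "illegal user" guesses are a separate problem.
count_failed_root() {
    grep 'sshd\[[0-9]*\]: Failed password for root from ' \
    | sed 's/.*Failed password for root from \([0-9.]*\) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# block_rules THRESHOLD: stdin = count_failed_root output; stdout = one iptables
# command per IP with at least THRESHOLD failures. -I puts the rule at the top of
# INPUT so it wins over any later ACCEPT for port 22.
block_rules() {
    threshold=$1
    awk -v t="$threshold" '$1 >= t {
        # DROP is silent. To answer each attempt with a TCP reset instead, use
        # "-j REJECT --reject-with tcp-reset"; that is as close to a "message"
        # as the firewall can get.
        print "iptables -I INPUT -s " $2 " -p tcp --dport 22 -j DROP"
    }'
}

# Real data, once you trust the output (run as root):
#   count_failed_root < /var/log/secure | block_rules 10 | sh
printf '%s\n' "$SAMPLE_LOG" | count_failed_root | block_rules 2
```

With the sample above only the Korean address crosses the threshold of 2, so exactly one rule is printed; 198.51.100.9 has a single failure and is left alone, which is the point of thresholding rather than blocking every address that ever fails once.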
 

Rafaelfpviana

Well-Known Member
Mar 12, 2004
141
0
166
Brazil
Even better, check this out:

http://forums.theplanet.com/viewtopic.php?t=15178

A few of you may remember a few months back I started to learn Shell and Bash and made a script to automatically do some basic security things. Well lately, I have been putting some more time into it and here's what I came up with so far, although I usually add/edit a little something every once in a while to make it better (like all developers :) ).

Updated: December 11, 2005
Current Version: 1.3.6

Anyway, here's what it does:
-Install RKHunter
-Install RKHunter Cronjob which emails a user-set email address nightly
-Install/update APF
-Import old APF rules in an upgrade
-Add SM/TP monitoring IPs (view information on these in Orbit)
-Install/update BFD
-Install CHKROOTKIT
-Install CHKROOTKIT Cronjob which emails a user-set email address nightly
-Disable Telnet
-Force SSH Protocol 2
-Secure /tmp
-Secure /var/tmp
-Secure /dev/shm
-Install/update Zend Optimizer
-Install/update eAccelerator
-MySQL 4.0 and 4.1 Configuration Optimization (cPanel only)
-Upgrade MySQL to 4.1 (cPanel only)
-Tweak WHM Settings for security and stability
-Configure RNDC if not already done (cPanel only)
-Change SSH port (also configure APF as necessary)
-Add wheel user and disable direct root login over SSH
-Optimize MySQL tables
-Install/update Libsafe
-Install/update ImageMagick (from latest source)
-Uninstall LAuS
-Harden sysctl.conf
-Install Chirpy's Free Exim Dictionary Attack ACL
And more!


You can also run it with the --updatesoftware option and it will automatically upgrade RKHunter, APF, and BFD to the latest version.

The downloaded tarballs of RKHunter, BFD, APF, and CHKROOTKIT are from my own repository, however they are unchanged from the original sites. You can confirm this with the MD5s if you wish.

RKHunter, APF, BFD, CHKROOTKIT, and other tarballs are checked for MD5 mismatches before extracting to ensure the downloads are not corrupted.

Better OS/binary checks are performed before any installing. If a necessary binary isn't present, it will stop before making any changes.

Backups of changed files are kept in /usr/local/els/bakfiles and all source files are worked with in /usr/local/els/src to keep things more organized.

This script works best with Red Hat Enterprise Linux version 3 (Taroon Update 4 and 5) and with cPanel 10.x installed.

Please let me know if you have any problems with this script, or any additions you would like to see. I'm also not the best at coding so if you know how to code and you see a problem with it, please let me know.

You can download and execute this script by copying the following command:
Code:
wget --output-document=installer.sh http://nsonetworks.com/request.php?1; chmod +x installer.sh; sh installer.sh


The installer script will automatically download and check the md5sum of the tarball (which is only another 2 scripts), as well as make the /usr/local/els directory and subdirectories.
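The one-liner above fetches the installer over plain HTTP and hands it straight to sh; the installer then MD5-checks the tarballs it downloads, but nothing checks the installer itself. As an added example (not from the post or from the ELS script), the shell below separates the two steps: download to a temporary file, compare its digest against a value obtained out of band, and execute only on a match. It uses MD5 because that is what the post publishes. MD5 still catches a corrupted or truncated download, but a mirror that can alter the file can also alter a checksum served next to it, and MD5 has no collision resistance, so where possible compare against a signature or a SHA-256 published on a different channel. The expected value in the demo is the MD5 of a constructed file, not of the real installer; `run_verified` is shown but not run here since it needs the network.

```shell
#!/bin/sh
# Added example (not from the post or the ELS project): verify a downloaded
# script against a known digest before executing it, instead of "wget; sh".

# file_md5 FILE: hex MD5 of FILE, using whichever tool the box has.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: exit 0 only when the digest matches exactly.
verify_md5() {
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "$2" ]
}

# run_verified URL EXPECTED_MD5: download to a temp file, check, then execute.
# EXPECTED_MD5 must come from somewhere other than the download server itself.
run_verified() {
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    if verify_md5 "$tmp" "$2"; then
        sh "$tmp"; rc=$?
    else
        echo "run_verified: checksum mismatch for $1, not executing" >&2
        rc=2
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed file: "hello\n" has a well-known MD5.
demo() {
    t=$(mktemp)
    printf 'hello\n' > "$t"
    if verify_md5 "$t" b1946ac92492d2347c6235b4d2611184; then
        echo "digest ok, would execute"
    else
        echo "digest mismatch, refusing"
    fi
    rm -f "$t"
}
demo
```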
 

randomuser

Well-Known Member
Jun 25, 2005
147
0
166
An alternate option would be to put sshd on a different port. vi /etc/ssh/sshd_config, change the port near the top, /etc/rc.d/init.d ssh restart and never deal with your logs filling up with garbage from brute force attempts again.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
That's what I'd recommend too - change SSH to a different port. Do also install APF+BFD for good protection, but most script kiddies pass you by if they don't find SSH on port 22 and don't bother scanning up for a different port - helps save on iptables entries too.
 

JimboJ40

Active Member
Jul 10, 2005
30
0
156
I want to do this but would like to check which parts of apf do I add my chosen new port?

IG_TCP_CPORTS ?

EG_TCP_CPORTS ?

TOS_16 ?

or all of the above?

don't wanna lock myself out.... :eek:
Thanks
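A worked example for the two posts above, the port change and the question about which APF variables need the new port. It is added here and is not code from the thread, from APF or from OpenSSH. In APF's conf.apf, IG_TCP_CPORTS is the inbound (ingress) TCP allow list and is the only one of the three that needs the SSH port; EG_TCP_CPORTS is the outbound list and is consulted only when egress filtering is enabled, and TOS_16 merely sets Type-of-Service bits on traffic for the listed ports. The two helpers operate on whatever file path they are given, so the demo rehearses on constructed copies in a temporary directory; point them at the real files only with a second SSH session kept open, and run `sshd -t` before restarting.

```shell
#!/bin/sh
# Added example (not from the thread, APF or OpenSSH): move sshd off port 22 and
# open the new port in APF. Both helpers work on the path they are given, so
# rehearse on copies (as demo does) before /etc/ssh/sshd_config and
# /etc/apf/conf.apf.

# set_sshd_port FILE PORT: keep FILE.bak, then leave exactly one "Port PORT"
# line, replacing the first Port line whether or not it is commented out.
set_sshd_port() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "set_sshd_port: bad port '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "set_sshd_port: port out of range" >&2; return 1; }
    cp "$cfg" "$cfg.bak" || return 1
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*Port[[:space:]]' "$cfg.bak"; then
        awk -v p="$port" '
            /^[[:space:]]*#?[[:space:]]*Port[[:space:]]/ {
                if (!done) { print "Port " p; done = 1 }
                next
            }
            { print }
        ' "$cfg.bak" > "$cfg"
    else
        { echo "Port $port"; cat "$cfg.bak"; } > "$cfg"
    fi
}

# apf_add_port FILE PORT: append PORT to IG_TCP_CPORTS in conf.apf if missing.
# Port 22 is deliberately left in the list; remove it only after a login on the
# new port has been confirmed from a second session.
apf_add_port() {
    cfg=$1; port=$2
    cur=$(sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' "$cfg" | head -n 1)
    case ",$cur," in
        *",$port,"*) return 0 ;;      # already open, nothing to do
    esac
    new=${cur:+$cur,}$port
    sed "s/^IG_TCP_CPORTS=\".*\"/IG_TCP_CPORTS=\"$new\"/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Rehearsal against constructed copies of the two files.
demo() {
    d=$(mktemp -d)
    printf '#Port 22\nProtocol 2\nPermitRootLogin yes\n' > "$d/sshd_config"
    printf 'IG_TCP_CPORTS="21,22,25,53,80,110,143,443"\nEG_TCP_CPORTS="21,25,80,443"\n' > "$d/conf.apf"
    set_sshd_port "$d/sshd_config" 2222
    apf_add_port "$d/conf.apf" 2222
    cat "$d/sshd_config" "$d/conf.apf"
    rm -rf "$d"
}
demo
# On the live box, with another SSH session still open:
#   sshd -t -f /etc/ssh/sshd_config && apf -r && /etc/rc.d/init.d/sshd restart
```

The order matters: open the new port in APF first, restart sshd, connect on the new port from a second terminal, and only then take 22 out of IG_TCP_CPORTS. Doing it in the other order is how people lock themselves out.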
 

jdstallings

Well-Known Member
Jul 27, 2003
60
1
158
USA
cPanel Access Level
Root Administrator
chirpy said:
That's what I'd recommend too - change SSH to a different port. Do also install APF+BFD for good protection, but most script kiddies pass you by if they don't find SSH on port 22 and don't bother scanning up for a different port - helps save on iptables entries too.
Chirpy is not going to toot his own horn, but he has a GREAT FIREWALL that you can get from his site. I know this is an OLD post, but for others reading it, go to his site at configserver and see CSF! He has gone over the edge in options and continues to make it better daily. We would also suggest his services.
 

jay1228

Member
Apr 15, 2005
18
0
151
I had the same issue, changing SSH port solved the issue. I also added lot of security features described in the list above.
 

Shinichi Kato

Well-Known Member
Mar 7, 2005
73
0
156
Saitama-ken,japan
cPanel Access Level
Root Administrator
From APNIC

from APNIC IP list

ex. KR IP address uKR.txt (attached file)
ex. CN IP address uCN.txt (attached file)
ex. HK IP address uHK.txt (attached file)
ex. TW IP address uTW.txt (attached file)
 


MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
jdstallings said:
Chirpy is not going to toot his own horn, but he has a GREAT FIREWALL that you can get from his site. I know this is an OLD post, but for others reading it, go to his site at configserver and see CSF! He has gone over the edge in options and continues to make it better daily. We would also suggest his services.
I second this :)

I can configure CSF in a way that I never could with APF.
 

Bennylovster

Member
Aug 17, 2006
11
0
151
The best thing to do is change the port from 22 to something else and also use SSH keys. Do this and your SSH will never get hacked or have failed logins. Also, once you have logged in and understand how to use SSH keys, disable password authentication.

I hope this helps
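To check the advice above against a real file, here is an added example (not from the poster or from OpenSSH): a POSIX sh audit that reads the effective value of each relevant sshd_config keyword and reports anything still in the weak state. Two things the checker encodes that catch people out: sshd uses the first uncommented value of a keyword, so appending "PasswordAuthentication no" to the end of a file that already says "yes" changes nothing; and "PasswordAuthentication no" on its own does not stop password guessing while ChallengeResponseAuthentication (keyboard-interactive through PAM) is still on. The defaults assumed when a keyword is absent are those of the OpenSSH 3.x era this thread is about (PermitRootLogin yes, Protocol 2,1); newer releases changed several of them, so adjust the table for your version.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit an sshd_config for
# the settings the post recommends. Usage: audit_sshd_config /etc/ssh/sshd_config
#
# Key setup the post refers to, for reference:
#   ssh-keygen -t rsa                            # on the workstation
#   cat id_rsa.pub >> ~/.ssh/authorized_keys     # on the server, as the wheel user
#   chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
# Only after a key login works in a SECOND session, set PasswordAuthentication no.

# sshd_get FILE KEYWORD: the effective value, i.e. the FIRST uncommented
# occurrence (sshd ignores later duplicates); keyword match is case-insensitive.
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == k { print $2; exit }
    ' "$1"
}

# check FILE KEYWORD WANT DEFAULT: print a finding when the effective value (or
# DEFAULT, when the keyword is absent) differs from WANT.
check() {
    v=$(sshd_get "$1" "$2")
    v=${v:-$4}
    [ "$v" = "$3" ] || echo "$2 is '$v', want '$3'"
}

# audit_sshd_config FILE: print findings; return 0 only when there are none.
# DEFAULT column assumes OpenSSH 3.x (RHEL 3 era); newer releases differ.
audit_sshd_config() {
    findings=$(
        check "$1" Protocol 2 "2,1"
        check "$1" PermitRootLogin no yes
        check "$1" PasswordAuthentication no yes
        check "$1" ChallengeResponseAuthentication no yes   # PAM can still take passwords here
        check "$1" PubkeyAuthentication yes yes
        check "$1" PermitEmptyPasswords no no
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on two constructed files. In "weak" the trailing "no" is ignored because
# the earlier "yes" wins, exactly the mistake the audit is meant to expose.
demo() {
    d=$(mktemp -d)
    printf 'Protocol 2,1\n#PermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/weak"
    printf 'Protocol 2\nPort 2222\nPermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\nPermitEmptyPasswords no\n' > "$d/hardened"
    for f in weak hardened; do
        echo "== $f"
        audit_sshd_config "$d/$f" && echo "no findings"
    done
    rm -rf "$d"
}
demo
```

Against the constructed "weak" file the audit reports four findings (Protocol, PermitRootLogin by default, PasswordAuthentication because the first value is yes, and ChallengeResponseAuthentication by default); the "hardened" file reports none.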
 

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
The best thing to do is change the port from 22 to something else and also use SSH keys. Do this and your SSH will never get hacked or have failed logins. Also, once you have logged in and understand how to use SSH keys, disable password authentication.

I hope this helps
I've changed the SSH port and just doing that helped tremendously. My next step will be to set up the keys, that's a great suggestion.
 

CompufixHosting

Active Member
Nov 28, 2005
30
0
156
I was having the same issue when I first brought my server online. I just removed port 22 (SSH) from the open ports list in CSF. Then I placed my IP in the allowed hosts list. So the only people that can SSH into the server are the people with their IP in the allowed hosts list.
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
That's actually a great, simple solution. Make sure you also allow your data centre to login though, and make sure you have a backup plan to gain access if you get blocked by CSF (unlikely since you're in the allow list).

To make it even more unlikely that you'd get blocked by csf accidentally, it's worth turning on the cool new csf RELAYHOSTS feature - just set it to 1 in the config file. It then won't block IPs belonging to authenticated users - i.e. your legitimate users. I take credit for suggesting the way this works to Chirpy but couldn't believe he'd added it in under 24 hours! By the way, this is an important enhancement as it saves support time - you won't get valid users getting blocked.