The Community Forums

Interact with an entire community of cPanel & WHM users!

Thousands of failed root attempts - how to block?

Discussion in 'General Discussion' started by drhamad, Jan 23, 2006.

  1. drhamad

    drhamad Member

    Joined:
    Aug 19, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Some IP in Korea has attempted root access thousands of times (210.126.121.198)... how do I block this IP? Especially nice if I can send the IP a msg when it tries to connect.
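To see which hosts are actually behind "thousands of failed root attempts" before blocking anything, here is an added example (not part of the original post or of any cPanel tool) that counts failed sshd logins per source IP from syslog-style lines as written to /var/log/secure on a CentOS/cPanel box and turns the worst offenders into iptables DROP rules. The log lines are constructed for the example; the threshold, the function names and the rule shape are my choices.

```shell
#!/bin/sh
# Added example: rank brute-force sources in sshd log lines and emit block rules.
# Assumes the "Failed password for ... from IP port N ssh2" line format of OpenSSH.

# Constructed sample log lines (not taken from anyone's real server).
SAMPLE_LOG='Jan 23 03:14:07 srv sshd[2817]: Failed password for root from 210.126.121.198 port 41822 ssh2
Jan 23 03:14:09 srv sshd[2819]: Failed password for root from 210.126.121.198 port 41830 ssh2
Jan 23 03:14:11 srv sshd[2821]: Failed password for root from 210.126.121.198 port 41835 ssh2
Jan 23 03:14:12 srv sshd[2823]: Failed password for invalid user admin from 210.126.121.198 port 41840 ssh2
Jan 23 03:20:00 srv sshd[2900]: Failed password for bob from 192.0.2.10 port 50010 ssh2
Jan 23 03:21:00 srv sshd[2905]: Accepted publickey for bob from 192.0.2.10 port 50011 ssh2'

# Count failed password attempts per source IP, busiest first ("count ip").
failed_login_counts() {        # reads log lines on stdin
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs with at least $1 failures: the same idea BFD applies with its own log parsers.
brute_force_ips() {            # $1 = threshold; reads log lines on stdin
  failed_login_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# One DROP rule per offender. Pipe into sh to apply, or hand the IPs to
# "apf -d IP comment" / "csf -d IP comment" so the block survives a firewall reload.
deny_rules() {                 # reads IPs on stdin
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
  done
}

# Offenders in the constructed sample at threshold 3.
sample_offenders() { printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 3; }

# On a live server:  brute_force_ips 20 < /var/log/secure | deny_rules | sh
```

DROP discards the packets silently; `-j REJECT` would at least answer the scanner, but there is no useful way to "send the IP a message", and a per-IP rule only helps until the next scanner shows up from a different address.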
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
  3. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil
    Even better, check this out:

    http://forums.theplanet.com/viewtopic.php?t=15178

     
  4. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,472
    Likes Received:
    200
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Be very careful with that rich gannon script. I've used it on a test rig and it does work, but as I recall it made a mess of a few files. I wouldn't try it out on a production server if you just want to peek. ;)
     
  6. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    16
    An alternate option would be to put sshd on a different port. vi /etc/ssh/sshd_config, change the port near the top, /etc/rc.d/init.d/sshd restart, and never deal with your logs filling up with garbage from brute force attempts again.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's what I'd recommend too - change SSH to a different port. Do also install APF+BFD for good protection, but most script kiddies pass you by if they don't find SSH on port 22 and don't bother scanning up for a different port - helps save on iptables entries too.
     
  8. JimboJ40

    JimboJ40 Active Member

    Joined:
    Jul 10, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    I want to do this but would like to check which parts of apf do I add my chosen new port?

    IG_TCP_CPORTS ?

    EG_TCP_CPORTS ?

    TOS_16 ?

    or all of the above?

    don't wanna lock myself out .... :eek:
    Thanks
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The most important is to add it to IG_TCP_CPORTS and then restart APF.
     
  10. jdstallings

    jdstallings Well-Known Member

    Joined:
    Jul 27, 2003
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Chirpy is not going to toot his own horn, but he has a GREAT FIREWALL that you can get from his site. I know this is an OLD post, but for others reading it, go to his site at configserver and see CSF! He has gone over the edge in options and continues to make it better daily. We would also suggest his services.
     
  11. jay1228

    jay1228 Member

    Joined:
    Apr 15, 2005
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    I had the same issue, changing SSH port solved the issue. I also added lot of security features described in the list above.
     
  12. Shinichi Kato

    Shinichi Kato Well-Known Member

    Joined:
    Mar 7, 2005
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Saitama-ken,japan
    From APNIC

    from APNIC IP list

    e.g. KR IP addresses: uKR.txt (attached)
    e.g. CN IP addresses: uCN.txt (attached)
    e.g. HK IP addresses: uHK.txt (attached)
    e.g. TW IP addresses: uTW.txt (attached)
     

    Attached Files:

    • uKR.txt
      File size:
      3.9 KB
      Views:
      66
    • uCN.txt
      File size:
      6.1 KB
      Views:
      38
    • uHK.txt
      File size:
      5.2 KB
      Views:
      33
    • uTW.txt
      File size:
      2.7 KB
      Views:
      38
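The attachments above are not reproduced here, so as an added example (not the poster's files or script) this converts records in the APNIC "delegated" file format, which is the assumed source of such per-country lists, into CIDR blocks you can paste into /etc/apf/deny_hosts.rules or /etc/csf/csf.deny. A delegation is given as a start address plus an address count, and the count is not always a single power of two, so each record is split into the fewest aligned CIDR blocks. The sample records are constructed; the country filter and output format are my choices.

```shell
#!/bin/sh
# Added example: APNIC delegated records -> CIDR deny entries for one country.
# Assumed record format: registry|cc|type|start|value|date|status
# where, for ipv4 records, value is the number of addresses in the block.

# Constructed sample (format only; header and ipv6 lines are ignored by the filter).
SAMPLE_APNIC='2|apnic|20060123|3|19830613|20060122|+1000
apnic|KR|ipv4|1.11.0.0|65536|20100315|allocated
apnic|KR|ipv4|210.126.0.0|3072|19960729|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|KR|ipv6|2001:220::|32|19990820|allocated'

# Print the CIDR blocks for country code $1, reading records on stdin.
apnic_to_cidr() {
  awk -F'|' -v cc="$1" '
    $2 == cc && $3 == "ipv4" {
      split($4, o, ".")
      start = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
      count = $5 + 0
      while (count > 0) {
        # largest power of two that fits the remaining count and is aligned to start
        p = 1; bits = 32
        while (p * 2 <= count && start % (p * 2) == 0) { p *= 2; bits-- }
        printf "%d.%d.%d.%d/%d\n",
               int(start / 16777216) % 256, int(start / 65536) % 256,
               int(start / 256) % 256, start % 256, bits
        start += p; count -= p
      }
    }'
}

# Same, formatted as csf.deny / deny_hosts.rules lines with a comment.
deny_lines() {                 # $1 = country code; reads records on stdin
  apnic_to_cidr "$1" | while read -r net; do
    printf '%s # %s range from APNIC\n' "$net" "$1"
  done
}

# On a live server, with the delegated file downloaded from APNIC:
#   deny_lines KR < delegated-apnic-latest >> /etc/csf/csf.deny && csf -r
```

Blocking whole countries also blocks any legitimate customer there and does nothing about the next scanner from anywhere else, so treat it as a log-noise reduction rather than protection; key-only SSH on a non-default port is what actually closes the door.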
  13. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    I second this :)

    I can configure CSF in a way that I never could with APF.
     
  14. Bennylovster

    Bennylovster Member

    Joined:
    Aug 17, 2006
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    The best thing to do is change the port from 22 to something else and also use SSH keys. Do this and your SSH will never get hacked or have failed logins. Also, once you have logged in and understand how to use SSH keys, disable password authentication.

    I hope this helps
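The two pieces of advice in this thread about sshd itself, moving it off port 22 (randomuser's post) and going key-only with password authentication disabled (the post above), both come down to editing /etc/ssh/sshd_config and restarting sshd without locking yourself out. Here is an added example (my own, not from any poster or from cPanel) that makes those edits idempotently on a config file, inserts the directives at the top so they take precedence over any Match block, and checks the result. The sample config is constructed; the function names are mine; `without-password` is the classic spelling of the root setting that newer OpenSSH also accepts as `prohibit-password`.

```shell
#!/bin/sh
# Added example: move sshd to a new port and make it key-only, safely.
# Assumes OpenSSH directive syntax: "Keyword value", "#Keyword value" for defaults,
# and that sshd uses the first value it reads for a keyword (so Match blocks,
# which apply only to what follows them, must come after our top-level settings).

# Replace any top-level copy of a keyword (commented or not) with a fresh line at
# the top of the file. Indented lines inside Match blocks are left untouched.
set_sshd_option() {  # $1 config file, $2 keyword, $3 value
  f=$1 key=$2 val=$3
  {
    printf '%s %s\n' "$key" "$val"
    grep -Ev "^#?${key}([[:space:]]|$)" "$f" || true
  } > "$f.tmp" && mv "$f.tmp" "$f"
}

harden_sshd_config() {  # $1 config file, $2 new port
  set_sshd_option "$1" PermitRootLogin without-password   # root by key only
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" ChallengeResponseAuthentication no # also a password path
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" Port "$2"
}

# First effective value of a keyword, i.e. what sshd will use.
effective_option() {  # $1 config file, $2 keyword
  awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

# Syntax-check, then restart. Run this only on the real server, from a session
# you keep open until a second login on the new port (with the key) succeeds,
# and only after the firewall already allows the new port.
apply_sshd_config() {  # $1 config file
  sshd -t -f "$1" && /etc/rc.d/init.d/sshd restart
}

# Constructed sample config for trying the functions out on a scratch file.
sample_sshd_config() {  # $1 = path to write
  cat > "$1" <<'EOF'
# constructed sample, not a real server's sshd_config
#Port 22
Protocol 2
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage on a copy:  f=$(mktemp); sample_sshd_config "$f"; harden_sshd_config "$f" 2222; cat "$f"
```

Install your public key in root's ~/.ssh/authorized_keys (for example with ssh-copy-id) and confirm a key login works before `PasswordAuthentication no` goes live; once it does, the failed-password floods stop mattering even if the port is found.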
     
  15. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    I've changed the SSH port and just doing that helped tremendously. My next step will be to set up the keys, that's a great suggestion.
     
  16. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil

    What IP list is this? What do you use it for? Where did you get it?
     
  17. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    You obviously missed the link (under "APNIC") - that's where he got it from!
     
  18. CompufixHosting

    CompufixHosting Active Member

    Joined:
    Nov 28, 2005
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    I was having the same issue when I first brought my server online. I just removed port 22 (SSH) from the open ports list in CSF. Then I placed my ip in the allowed hosts lists. So the only people that can ssh into the server are the people with their ip in the allowed hosts list.
     
    #18 CompufixHosting, Dec 6, 2006
    Last edited: Dec 8, 2006
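JimboJ40's question about which APF list takes the new SSH port (IG_TCP_CPORTS, per chirpy's reply) and the CSF approach above (drop 22 from the open ports, allow-list your own IP) are the same edit on two config files: add or remove a port in a quoted comma-separated list. Here is an added example (my own, not from ConfigServer, R-fx Networks or any poster) that does that edit idempotently, on /etc/apf/conf.apf's `IG_TCP_CPORTS="..."` and on /etc/csf/csf.conf's `TCP_IN = "..."`, and appends an allow entry to csf.allow. The function names and the sample config lines are mine.

```shell
#!/bin/sh
# Added example: add/remove a port in a KEY="a,b,c" list (APF conf.apf style,
# CSF "KEY = "a,b,c"" style) and allow-list an IP in csf.allow.

# Rewrite the list for $2 in file $1: $3 is add|del, $4 the port. Adding an
# already-present port is a no-op, so the function is safe to re-run.
conf_list_edit() {  # $1 file, $2 key, $3 add|del, $4 port
  awk -v k="$2" -v op="$3" -v p="$4" '
    BEGIN { re = "^" k "[ \t]*=[ \t]*\"" }
    match($0, re) {
      head = substr($0, 1, RLENGTH)             # KEY="  or  KEY = "
      list = substr($0, RLENGTH + 1); sub(/".*$/, "", list)
      n = split(list, a, ","); out = ""
      for (i = 1; i <= n; i++)
        if (a[i] != "" && a[i] != p) out = out (out == "" ? "" : ",") a[i]
      if (op == "add") out = out (out == "" ? "" : ",") p
      $0 = head out "\""
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the current list for key $2 in file $1 (for checking the result).
conf_list_get() {
  awk -v k="$2" 'BEGIN { re = "^" k "[ \t]*=[ \t]*\"" }
    match($0, re) { list = substr($0, RLENGTH + 1); sub(/".*$/, "", list); print list }' "$1"
}

# APF: open the new SSH port for incoming TCP (the list chirpy points at).
# Afterwards on the real server: apf -r
apf_open_port() {  # $1 conf.apf path, $2 port
  conf_list_edit "$1" IG_TCP_CPORTS add "$2"
}

# CSF: close 22 to the world and allow one IP through everything instead.
# Afterwards on the real server: csf -r
csf_lock_ssh_to_allowlist() {  # $1 csf.conf path, $2 csf.allow path, $3 admin IP
  printf '%s # admin workstation, may reach SSH\n' "$3" >> "$2"
  conf_list_edit "$1" TCP_IN del 22
}

# Usage on real files (keep a session open and test from the allowed IP first):
#   apf_open_port /etc/apf/conf.apf 2222 && apf -r
#   csf_lock_ssh_to_allowlist /etc/csf/csf.conf /etc/csf/csf.allow 192.0.2.10 && csf -r
```

The allow entry is written before the port is removed, and both edits are plain file changes until `apf -r` / `csf -r` reloads the rules, so you can inspect the result first. As brianoz notes below, add your data centre's addresses to the allow list as well, and remember that an allow list by IP locks out anyone whose address changes, including you from a different connection.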
  19. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    That's actually a great, simple solution. Make sure you also allow your data centre to login though, and make sure you have a backup plan to gain access if you get blocked by CSF (unlikely since you're in the allow list).

    To make it even more unlikely that you'd get blocked by csf accidentally, it's worth turning on the cool new csf RELAYHOSTS feature - just set it to 1 in the config file. It then won't block IPs belonging to authenticated users - i.e. your legitimate users. I take credit for suggesting the way this works to Chirpy but couldn't believe he'd added it in under 24 hours! By the way, this is an important enhancement as it saves support time - you won't get valid users getting blocked.
     