Attempt at Brute Force?
HalfEatenPie
Veteran
Out of curiosity how often do you guys get logs about someone trying to brute force into your server? I find people trying to get into port 22 (obviously changed), WHM root, this and that. It's kinda annoying.
Comments
Strange thing is I get it on pop3 more than anything. I love lfd.
To be really honest I never check the logs on my servers as most run SSH (with key) only
Depends on the IP actually - some get it all the time, others never
I guess. I mean it just keeps you on your toes you know?
Not sure if a company's rep is really related. KnownHost > HostDime > LiquidWeb is our road map of where we've been as we've upgraded over the last year, and we've had brute force attempts consistently throughout all of it. Fewer attempts at SSH though I will say. Of course, it's not the default port like it was back on KnownHost. A little wiser every day
I get emails 3-4 times a day from lfd that some IP has been temporarily blocked due to too many failed attempts to connect to mail server, etc.
I never run ssh on port 22 because lots of skiddies just scan for 22 and go on to the next IP if it doesn't respond.
Change SSH port
nano /etc/ssh/sshd_config (no love for vi) :P
# What ports, IPs and protocols we listen for
Port 1337
/etc/init.d/ssh restart
What? Oh yeah I don't know if I wrote it right but the first thing I did when I get any server is change the SSH port (at minimum) and implement key.
I'm just kinda weirded out that they're already after me. The server's been up about a week now.
On our servers used for shared / reseller hosting, it happens on hourly basis.
How do you guys deal with it? Ignore them or what do you do?
Not that often, any more :P
Used to get hundreds/day on 22 before I installed fail2ban. Mostly Chinese IPs.
All attempts at brute-forcing get blocked and nullrouted by our firewall. A properly configured firewall deals with this without any problem.
Shared servers? Every hour of the day. VPS nodes? Almost never.
I used to get around 2500 IPs banned each day in Fail2Ban due to incorrect SSH login.
Although since I changed my SSH port, it's now 0.
2500?!
Good christ!
Francisco
Most from China and a few from Russia.
That is two a minute
I decided to be polite and assume the best of everyone. Ten failed logins = permanent ban. I just make sure to read every lfd report in case it catches a legitimate client, but a little over a year later, not one client has failed to login 10 times. Interesting to me is the recent increase from US IP addresses. I actually enjoy filing those abuse reports.
For me, maybe it's 10 IPs/day. They're scanning the open port and also trying username combinations.
Usually, I just copy the log, and send it to the ISP >_< But most of them don't care about it, lol.
Famous attempts come from Ubiquity, Leaseweb, Korean, and Russian IPs.
Just wondering what they want to do with just my small blog
So far this week 13213 failed login attempts.
...from 17 different IPs.
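As an added example (not code from any poster in this thread), here is the tally that fail2ban and lfd do under the hood: count sshd "Failed password" lines per source IP, report the "N attempts from M different IPs" totals quoted above, and flag any IP at the ten-failure threshold mentioned earlier in the thread. The log lines, hostname and IPs are constructed.

```python
import re
from collections import Counter

# Matches the sshd "Failed password" line that fail2ban and lfd key on.
# "invalid user " is optional: sshd adds it when the username does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/auth.log lines (not from a real host);
# addresses come from the TEST-NET documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:12 vps sshd[2240]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 03:15:01 vps sshd[2251]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jan 12 03:16:44 vps sshd[2263]: Failed password for root from 198.51.100.9 port 33010 ssh2
Jan 12 03:17:00 vps sshd[2270]: Invalid user oracle from 203.0.113.5 port 51250
"""


def failed_logins_per_ip(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def summarize(log_text):
    """Totals the way the thread quotes them: (failed attempts, distinct IPs)."""
    counts = failed_logins_per_ip(log_text)
    return sum(counts.values()), len(counts)


def ban_candidates(log_text, threshold=10):
    """IPs at or above the failure threshold (the 'ten failed logins' rule)."""
    counts = failed_logins_per_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    total, ips = summarize(SAMPLE_LOG)
    print(f"{total} failed login attempts from {ips} different IPs")
    for ip in ban_candidates(SAMPLE_LOG, threshold=3):
        print(f"would ban {ip}")
```

Point it at a real auth.log by reading the file into `log_text`; a plain "Invalid user" line without a password attempt is deliberately not counted, matching what the regex looks for.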
@ErawanArifNugroho .... botnet duh!
I found that my old Redstation node would be bruteforced rather muchly, then again, I "googled" my broadcast IP and my main node IP, and found a pastebin with all the IPs allocated to my user, just public, sitting there... I got it removed, but it was strange how the ENTIRE block that was allocated to me was on there.
On my Secured Server's node a while back, it was stupid, they were just recycling old IPv4s (as you do..) and they were all blocked on all the blacklists, had to manually go remove a bunch of them, safe to say SS had a lot of abusers, and had a lot of enemies. At least 1000 blocks/day on one block of IPs.
What is a botnet used for?
When we used SecuredServer a year ago, we used to get reports from Spamhaus and etc about spam from our IP blocks even though some of the IPs were inactive...and it turns out some of them were already blacklisted before we even used them!
Pretty common for me in every VPS.
Until I decided to move my ports a long time ago.
Pretty sure securedserver has a pretty iffy history no?
They hosted razor1911 for the longest time and only got rid of them once it turned into a 10+ page thread on WHT.
Francisco
@Francisco Yea, we still decided to go with them back then as they had pretty good prices..but that's a huge mistake! Many network issues + bad IPs = never going back!
I currently have 2 servers with them (the ones with 48 GB) and I love them. So far so good. I have no complaints with them for now.
During the period when we were with them, we had quite a few network issues, and that's ultimately one of the main reasons we left them. But I gotta admit, their support staff are superb, answered my calls and tickets even when it's during the middle of the night. Had to call in when one of our servers went offline without reason, and turns out it was powered off.. :S