How do I stop these?

Chalipa Member

Hello,

I have a VPS running Centos with DirectAdmin. I have fail2ban and CSF as well.

There are hundreds of ssh login attempts made to my VPS, such as this:

lfd on la1.*******.com: blocked 58.240.54.136 (CN/China/-)

Time:     Wed May 20 12:06:43 2020 +0200
IP:       58.240.54.136 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

May 20 11:35:03 base sshd[30851]: Invalid user fz from 58.240.54.136 port 34650
May 20 11:35:05 base sshd[30851]: Failed password for invalid user fz from 58.240.54.136 port 34650 ssh2
May 20 11:56:01 base sshd[3426]: Invalid user tpe from 58.240.54.136 port 43911
May 20 11:56:03 base sshd[3426]: Failed password for invalid user tpe from 58.240.54.136 port 43911 ssh2
May 20 12:06:40 base sshd[6236]: Invalid user xsl from 58.240.54.136 port 48542

Attempts are mostly from CHINA. I have changed the ssh port to something else, but still, they keep trying on random ports. I don't want to ignore these msg's since it's important to know and find out these.

Thanks in advance.

Comments

  • Scott15 Member

    Block all of China's ip's

    Thanked by 1AlwaysSkint
  • Levi Member

    fail2ban, iptables, limit port 22 access to your IP only.

  • BharatB Member, Patron Provider
    edited May 2020

    Just close SSH to a VPN IP or your own office IP.

  • Well, either:

    • you ban ssh logins based on GEO info on their IPs
    • you allow ssh only through a VPN
    • you live with it
  • Chalipa Member

    I have CSF installed and it can only have 100 IPs in the ban list, I think (or I'm wrong?), and fail2ban is running as well, but still 100's of attempts are made.

  • @BharatB said:
    Just close SSH to a VPN IP or your own office IP.

    What happens if your IP changes...

  • deank Member, Troll

    Dash to LET and ask for help of course.

  • ssh with google authenticator verification after login.

  • Change your SSH port.

    Thanked by 1dontknow
  • raindog308 Administrator, Veteran

    Scott15 said: Block all of China's ip's

    Yes.

    BharatB said: Just close SSH to a VPN IP or your own office IP.

    Yes.

    styxtrooper said: ssh with google authenticator verification after login.

    That's not going to help reports of login attempts.

    chihcherng said: Change your SSH port.

    This will.

    You're not really improving security but you radically cut down the amount of noise and LFD emails.

    Thanked by 1Chalipa
  • WebProject Host Rep, Veteran

    @greattomeetyou said:

    @BharatB said:
    Just close SSH to a VPN IP or your own office IP.

    What happens if your IP changes...

    If it’s a personal or office VPN, you are in control of your IP addresses. The other option is to reinstall the server, but before that you can open a topic on LET and get some drama going so we'll be able to enjoy our popcorn 🍿😂

  • raindog308 Administrator, Veteran

    greattomeetyou said: What happens if your IP changes...

    Setup your home IP with a dynamic DNS service (e.g., afraid.org) and write a script that queries and changes the firewall rules.

    Thanked by 1Chalipa
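
A sketch of the script raindog308 describes, added here as an example and not code from the thread: it resolves a dynamic-DNS name and prints (or, with `--apply`, runs) the iptables commands that limit the SSH port to that address. The hostname `home.example.org`, port 2020 and the chain name `SSH_HOME` are assumptions; the chain is assumed to exist already and to be jumped to from INPUT.

```python
"""Cron job: keep an SSH allow rule in sync with a dynamic-DNS hostname."""
import ipaddress
import socket
import subprocess
import sys

HOSTNAME = "home.example.org"  # assumption: your dynamic-DNS name
SSH_PORT = 2020                # assumption: the port sshd listens on
CHAIN = "SSH_HOME"             # assumption: chain already jumped to from INPUT

# Answers in these ranges must never be allow-listed (broken or spoofed DNS).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def resolve_ipv4(hostname):
    """Return the hostname's IPv4 addresses, or [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_source(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BLOCKED)


def build_rules(ips, port=SSH_PORT, chain=CHAIN):
    """Return iptables argv lists that rebuild the chain, or [] to keep it."""
    good = [ip for ip in ips if is_safe_source(ip)]
    if not good:
        return []  # no usable answer: leave the existing rules untouched
    rules = [["iptables", "-F", chain]]
    for ip in good:
        rules.append(["iptables", "-A", chain, "-s", ip, "-p", "tcp",
                      "--dport", str(port), "-j", "ACCEPT"])
    rules.append(["iptables", "-A", chain, "-p", "tcp",
                  "--dport", str(port), "-j", "DROP"])
    return rules


if __name__ == "__main__":
    for argv in build_rules(resolve_ipv4(HOSTNAME)):
        print(" ".join(argv))
        if "--apply" in sys.argv:  # default is a dry run
            subprocess.run(argv, check=True)
```

A failed lookup or an answer in a private, loopback or multicast range produces no commands, so a bad DNS response cannot replace a working rule set.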
  • cazrz Member

    Try these options
    1. Change port and disable ssh password, use only keys.
    2. Or disable ssh login and just use console

  • jar Patron Provider, Top Host, Veteran
    edited May 2020

    Chalipa said: I don't want to ignore these msg's since it's important to know and find out these.

    I want to offer a different perspective: It's not, and you should. If you're comfortable with your security, really doesn't matter who tries to get in. Ignore the noise, focus on anything getting through. Maybe alerts for successful root logins, for example. Disable the email alerts for the rest.

    Things like this are why I hesitated to install CSF on customer VPS back at hostgator. Inevitably they'd either lock themselves out, freak out from learning that brute force attempts happen all day, or both.
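
The alerting jar suggests, as an added example that is not code from the thread or from CSF/LFD: failed attempts are counted but never reported, and only logins that get through raise an alert. The sample lines are constructed in the format of the sshd entries quoted in the first post; the function name and the `watched` parameter are illustrative.

```python
import re

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+")

# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE = """\
May 20 11:35:05 base sshd[30851]: Failed password for invalid user fz from 203.0.113.9 port 34650 ssh2
May 20 11:56:03 base sshd[3426]: Failed password for root from 203.0.113.9 port 43911 ssh2
May 20 12:01:10 base sshd[4100]: Accepted publickey for deploy from 198.51.100.20 port 50122 ssh2
May 20 12:06:40 base sshd[6236]: Accepted password for root from 203.0.113.9 port 48542 ssh2
""".splitlines()


def login_alerts(lines, watched=("root",)):
    """Return alerts for logins that got through; failures alone raise none."""
    failures = {}  # ip -> failed attempts seen so far
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] = failures.get(m["ip"], 0) + 1
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        reasons = []
        if m["user"] in watched:
            reasons.append("watched account")
        if m["method"] == "password":
            reasons.append("password auth")
        if failures.get(m["ip"]):
            reasons.append(f"{failures[m['ip']]} earlier failures from this IP")
        if reasons:  # a key-based login by an unwatched user stays quiet
            alerts.append({"user": m["user"], "ip": m["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in login_alerts(SAMPLE):
        print(alert)
```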

  • MGarbis Member

    @Scott15 said:
    Block all of China's ip's

    This. It's easy with csf.

  • DataIdeas-Josh Member, Patron Provider

    Best thing I've noticed to help a lot is to change the ssh port #

  • Jord Moderator, Host Rep

    Disable password login and use ssh keys. That will cut it right down...

  • pbx Member

    raindog308 said: Setup your home IP with a dynamic DNS service (e.g., afraid.org) and write a script that queries and changes the firewall rules.

    Never thought about that, simple and efficient. Clever! :smile:

  • Saahib Host Rep, Veteran

    @cazrz said:
    Try these options
    1. Change port and disable ssh password, use only keys.
    2. Or disable ssh login and just use console

    Console generally comes with VPS server only.

  • cazrz Member

    @Saahib said:

    @cazrz said:
    Try these options
    1. Change port and disable ssh password, use only keys.
    2. Or disable ssh login and just use console

    Console generally comes with VPS server only.

    OP said he has a vps. Then he can do option 1 if he doesn't have console.

  • @Chalipa said:

    I have changed the ssh port to something else, but still, they keep trying on random ports.

    What? I don't quite know what this means, but this sounds like you're doing it wrong. Don't use port 2222, either.

  • Chalipa Member

    @TimboJones said:

    What? I don't quite know what this means, but this sounds like you're doing it wrong. Don't use port 2222, either.

    I have already changed ssh port from 22 to something custom (not 2222), but still they keep trying to login using random ports.

    Thank you all for your suggestions :smile:

  • Forbid root from logging in directly, enable ordinary users to log in, and use su root.

  • user123 Member

    @Chalipa said:

    @TimboJones said:

    What? I don't quite know what this means, but this sounds like you're doing it wrong. Don't use port 2222, either.

    I have already changed ssh port from 22 to something custom (not 2222), but still they keep trying to login using random ports.

    Thank you all for your suggestions :smile:

    Have you tried port 1234? No one ever guesses that port.

    On a serious note, you could just use a random number generator to pick a port if you're worried that you're not picking a "random enough" port.

  • @Chalipa said:
    I have already changed ssh port from 22 to something custom (not 2222), but still they keep trying to login using random ports.

    The problem here is you're running too few SSH services on your VPS so its port number will be easily detected. Try this.

    1. Run HAProxy as a TCP proxy, listening on lots of TCP ports. Remember to skip your SSH port (assuming it's port 2020) as the following shows:

           frontend fr_tcp
               mode tcp
               bind [your external IP]:1-2019
               bind [your external IP]:2021-4000
               default_backend bk_tcp

    2. Forward external TCP connections to a special SSH service on loopback IP (127.0.0.1):

           backend bk_tcp
               mode tcp
               server www-2 127.0.0.1:9504 maxconn 8

    3. That particular SSH should have a "DenyUsers *" directive so no one could successfully login. Put its log messages to another file so you won't be bothered.

    When your VPS seems to have 4000 SSH services running, the chance of hackers hitting the real one will be much smaller.

  • Did you follow option 3 on this link: https://help.directadmin.com/item.php?id=527 ?

    or you can directly go to the guide :
    https://forum.directadmin.com/threads/how-to-block-ips-with-brute-force-monitor-in-directadmin-using-csf.44839/#post-229244

    https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

    you also can configure CSF from directadmin gui if you want to allow some port ( example for FTP usage https://forum.directadmin.com/threads/ftp-over-tls.50759/#post-262589 etc ).

    I got the same brute-force message, and this step helped me ...

  • @Chalipa said:

    @TimboJones said:

    What? I don't quite know what this means, but this sounds like you're doing it wrong. Don't use port 2222, either.

    I have already changed ssh port from 22 to something custom (not 2222), but still they keep trying to login using random ports.

    Thank you all for your suggestions :smile:

    How many?

  • Chalipa Member

    @hardgamers said:
    Did you follow option 3 on this link: https://help.directadmin.com/item.php?id=527 ?

    or you can directly go to the guide :
    https://forum.directadmin.com/threads/how-to-block-ips-with-brute-force-monitor-in-directadmin-using-csf.44839/#post-229244

    https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

    you also can configure CSF from directadmin gui if you want to allow some port ( example for FTP usage https://forum.directadmin.com/threads/ftp-over-tls.50759/#post-262589 etc ).

    I got the same brute-force message, and this step helped me ...

    Yes, I have already implemented that.
