How do I stop these?
Hello,
I have a VPS running CentOS with DirectAdmin. I have fail2ban and CSF as well.
There are hundreds of ssh login attempts made to my VPS, such as this:
lfd on la1.*******.com: blocked 58.240.54.136 (CN/China/-)
Time: Wed May 20 12:06:43 2020 +0200
IP: 58.240.54.136 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
May 20 11:35:03 base sshd[30851]: Invalid user fz from 58.240.54.136 port 34650
May 20 11:35:05 base sshd[30851]: Failed password for invalid user fz from 58.240.54.136 port 34650 ssh2
May 20 11:56:01 base sshd[3426]: Invalid user tpe from 58.240.54.136 port 43911
May 20 11:56:03 base sshd[3426]: Failed password for invalid user tpe from 58.240.54.136 port 43911 ssh2
May 20 12:06:40 base sshd[6236]: Invalid user xsl from 58.240.54.136 port 48542
Attempts are mostly from China. I have changed the SSH port to something else, but still they keep trying on random ports. I don't want to ignore these messages, since it's important to know about and find out these.
Thanks in advance.
Comments
Block all of China's IPs.
fail2ban, iptables, limit port 22 access to your IP only.
Just close SSH to a VPN IP or your own office IP.
Well, either:
I have CSF installed and it can only have 100 IPs in the ban list, I think (or am I wrong?), and fail2ban is running as well, but still hundreds of attempts are made.
What happens if your IP changes...
Dash to LET and ask for help of course.
SSH with Google Authenticator verification after login.
Change your SSH port.
Yes.
Yes.
That's not going to help reports of login attempts.
This will.
You're not really improving security but you radically cut down the amount of noise and LFD emails.
If it's a personal or office VPN, you are in control of your IP addresses. The other option is to reinstall the server, but before that you can open a topic on LET and get some drama going so we can enjoy our popcorn 🍿😂
Setup your home IP with a dynamic DNS service (e.g., afraid.org) and write a script that queries and changes the firewall rules.
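An added example of the approach in the comment above; it is not code from the thread, from afraid.org or from CSF. The script resolves a dynamic-DNS name and maintains a single tagged line in /etc/csf/csf.allow that permits the SSH port only from that address, reloading CSF only when the address actually changed. The hostname, the port 50022, the admin setup and the cron schedule are assumptions; it also assumes the SSH port has been taken out of TCP_IN in csf.conf, since otherwise the allow line restricts nothing.

```shell
#!/bin/sh
# Added example, not from the thread or from CSF: keep one csf.allow line that
# restricts the SSH port to whatever a dynamic-DNS name currently resolves to.
# Run from cron every few minutes. Values marked "assumption" are placeholders.

DDNS_HOST="${DDNS_HOST:-home.example.org}"        # assumption: your afraid.org name
SSH_PORT="${SSH_PORT:-50022}"                      # assumption: your custom SSH port
ALLOW_FILE="${ALLOW_FILE:-/etc/csf/csf.allow}"
RELOAD_CMD="${RELOAD_CMD:-csf -r}"                 # csf -r reloads the ruleset
TAG="ddns-ssh-allow"   # marker comment so the script only ever touches its own line

# Resolve the DDNS name to a single IPv4 address; prints nothing on failure.
resolve_ip() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print the IP in our tagged csf.allow line, or nothing if the line is absent.
current_ip() {
    [ -f "$1" ] || return 0
    sed -n "/# ${TAG}\$/ s/.*s=\([0-9.]*\).*/\1/p" "$1" | head -n 1
}

# Rewrite (or append) the tagged line so it allows $1 on the SSH port in file $2.
# Returns 0 when the file changed, 1 when the address was already current.
update_allow() {
    new_ip="$1"; file="$2"
    old_ip="$(current_ip "$file")"
    [ "$old_ip" = "$new_ip" ] && return 1
    # csf.allow advanced syntax: proto|direction|d=dport|s=source  # comment
    line="tcp|in|d=${SSH_PORT}|s=${new_ip} # ${TAG}"
    if [ -n "$old_ip" ]; then
        sed -i "/# ${TAG}\$/ s/.*/${line}/" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
    return 0
}

main() {
    new_ip="$(resolve_ip "$DDNS_HOST")"
    if [ -z "$new_ip" ]; then
        # Fail closed: a failed lookup must never remove the existing allow line.
        echo "cannot resolve $DDNS_HOST, leaving $ALLOW_FILE untouched" >&2
        exit 1
    fi
    if update_allow "$new_ip" "$ALLOW_FILE"; then
        echo "SSH allow rule now $new_ip on port $SSH_PORT, reloading CSF"
        $RELOAD_CMD
    fi
}

# Only act when invoked as "ddns-allow.sh run", so the functions can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

The script deliberately does nothing when the lookup fails, because the failure mode to avoid is removing the only rule that lets you in. It also answers the "what happens if your IP changes" objection only partly: if the DDNS client at home has not updated yet, you are still locked out until it does, so keep the provider console (or a second, static source address) as a fallback before removing the port from TCP_IN.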
Try these options
1. Change the port and disable SSH password login; use only keys.
2. Or disable SSH login and just use the console.
I want to offer a different perspective: It's not, and you should. If you're comfortable with your security, really doesn't matter who tries to get in. Ignore the noise, focus on anything getting through. Maybe alerts for successful root logins, for example. Disable the email alerts for the rest.
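The "ignore the noise, alert on what gets through" approach above, as an added example that is not part of the original post: a few shell functions that pull successful logins out of sshd's log (/var/log/secure on CentOS), raise an alert for any root login or any login from an address other than the expected admin source, and reduce the failures to a per-IP count suitable for one daily summary instead of one LFD mail per block. The sample log is constructed for the example (the first three lines are the OP's own, the rest are made up), and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: filter sshd logs for what actually matters
# (who got in, from where, how) instead of mailing every blocked brute-forcer.
# Input is /var/log/secure on CentOS; the sample below is constructed (the first
# three lines are the OP's own log lines, the rest are made up for the example).

# One line per successful login: "<user> <ip> <method>".
successful_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" { print $9, $11, $7 }' "$1"
}

# Alerts worth sending: any root login, and any login from an address other
# than the expected admin source passed as $2. Everything else is routine.
alerts() {
    successful_logins "$1" | awk -v ok="$2" '
        $1 == "root" { print "ALERT root login from " $2 " via " $3; next }
        $2 != ok     { print "ALERT " $1 " login from unexpected IP " $2 }
    '
}

# Failed attempts per source IP, most active first, for a daily summary.
failures_by_ip() {
    awk '$5 ~ /^sshd\[/ && $6 == "Failed" {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
May 20 11:35:03 base sshd[30851]: Invalid user fz from 58.240.54.136 port 34650
May 20 11:35:05 base sshd[30851]: Failed password for invalid user fz from 58.240.54.136 port 34650 ssh2
May 20 11:56:03 base sshd[3426]: Failed password for invalid user tpe from 58.240.54.136 port 43911 ssh2
May 20 12:01:10 base sshd[5100]: Failed password for root from 198.51.100.23 port 40001 ssh2
May 20 12:07:01 base sshd[6300]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2
May 20 12:09:44 base sshd[6411]: Accepted password for root from 198.51.100.23 port 40100 ssh2
May 20 12:15:02 base sshd[6520]: Accepted publickey for admin from 192.0.2.77 port 60010 ssh2
EOF

echo "== alerts (expected admin source 203.0.113.5) =="
alerts "$SAMPLE" 203.0.113.5
echo "== failures by IP =="
failures_by_ip "$SAMPLE"
```

On the sample this prints two alerts (a password login as root from the same address that had been failing minutes earlier, and an admin login from an unexpected address) and two summary lines; the four failure lines that would each have produced an LFD mail contribute nothing but a count. Wire `alerts` into cron with mail on non-empty output and you keep exactly the signal the comment above describes.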
Things like this are why I hesitated to install CSF on customer VPS back at HostGator. Inevitably they'd either lock themselves out, freak out from learning that brute force attempts happen all day, or both.
This. It's easy with csf.
Best thing I've noticed to help a lot is to change the ssh port #
Disable password login and use ssh keys. That will cut it right down...
Never thought about that, simple and efficient. Clever!
Console generally comes with VPS server only.
OP said he has a VPS. Then he can do option 1 if he doesn't have a console.
What? I don't quite know what this means, but this sounds like you're doing it wrong. Don't use port 2222, either.
I have already changed the SSH port from 22 to something custom (not 2222), but still they keep trying to log in using random ports.
Thank you all for your suggestions
Forbid root from logging in directly, allow ordinary users to log in, and use su root.
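Putting this together with option 1 from the numbered list above (custom port, keys only), here is an added example of the matching /etc/ssh/sshd_config settings; it is not from the thread or from DirectAdmin's documentation. The port 50022 and the user name admin are placeholders for your own. On CentOS 7 the shipped OpenSSH has no Include directive, so these lines go into the main file, and comments must be on their own lines because sshd rejects trailing comments.

```sshd_config
# Added example. Each setting is preceded by the default it replaces.

# default: 22. A high port cuts the log noise; scanners still find it, so
# this is about volume of LFD mail, not security.
Port 50022

# CentOS 7 ships with root password login allowed. Root is the first name
# every bot tries; log in as an unprivileged user and su or sudo from there.
PermitRootLogin no

# default: no restriction. Only this account may even attempt a login.
AllowUsers admin

# defaults: yes / yes / yes. With both password paths off, a guessed password
# cannot succeed; ChallengeResponseAuthentication must also be off or PAM
# still prompts for one.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# defaults: 6 tries, 120 s grace. Tighter limits mean each bot connection
# burns fewer attempts before sshd drops it.
MaxAuthTries 3
LoginGraceTime 20
```

Order of operations matters, because this is where people lock themselves out: first put your public key in ~admin/.ssh/authorized_keys and confirm a key login works, add the new port to TCP_IN in /etc/csf/csf.conf and reload CSF, run sshd -t to check the syntax, then systemctl restart sshd while keeping your existing session open and testing a fresh login from a second terminal. If the new login fails, the old session is still there to undo the change; the provider console is the last resort.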
Have you tried port 1234? No one ever guesses that port.
On a serious note, you could just use a random number generator to pick a port if you're worried that you're not picking a "random enough" port.
The problem here is you're running too few SSH services on your VPS so its port number will be easily detected. Try this.
When your VPS seems to have 4000 SSH services running, the chance of hackers hitting the real one will be much smaller.
Did you follow option 3 on this link: https://help.directadmin.com/item.php?id=527 ?
or you can directly go to the guide :
https://forum.directadmin.com/threads/how-to-block-ips-with-brute-force-monitor-in-directadmin-using-csf.44839/#post-229244
https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm
you also can configure CSF from directadmin gui if you want to allow some port ( example for FTP usage https://forum.directadmin.com/threads/ftp-over-tls.50759/#post-262589 etc ).
I got the same brute-force message, and this step helped me...
How many?
Yes, I have already implemented that.