New on LowEndTalk? Please Register and read our Community Rules.
Chalipa Member

Hey everyone,

I get hundreds of attacks like the one below on my VPS from different IPs. Is there any way I can stop this?

--

Brute Force attempt against “[email protected]**********.com”.
A device at the “37.79.248.139” IP address has made a large number of invalid login attempts against the account “[email protected]**********.com”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.

Service: pure-ftpd
Local IP Address: ..*.
Local Port: 21
Remote IP Address: 37.79.248.139
Authentication Database: ftp
Username: [email protected]**********.com
Number of authentication failures: 5

Maximum number allowed: 5

When I wake up I get 200+ emails like this. Am I under attack? Any way I can stop these?

Comments

  • Looks like you are already blocking them.

  • Is there any way CSF can block these?

  • Bruce Member

    Use iptables to block geo-IP from certain countries?

  • They don't come from a specific country like Russia or China; most of them are from European countries, and US IPs too.

  • Bruce Member

    Stop using FTP?
    Stop allowing password authentication?

    Need more info about what you're needing to do. If you need passwords and FTP, then you don't have much choice. You could just block all traffic, except for a whitelist.

    Thanked by 1: KwiceroLTD
  • The generic answer is fail2ban. I don't use FTP, but it definitely works wonders for dictionary attacks on email and constant scans for WordPress/PHP vulnerabilities.

  • sdglhm Member

    impossiblystupid said: The generic answer is fail2ban.

    +1 and also change the default port to something else.

  • 4n0nx Member

    If the password is long enough, it does not really matter. No need for fail2ban then. Changing port is just security through obscurity, yet it may help you figure out if someone is targeting you specifically.

  • sdglhm Member

    4n0nx said: Changing port is just security through obscurity

    And prevents most of the scanners ;)

  • @sdglhm said:
    +1 and also change the default port to something else.

    Depending on your goals. Not changing the ports is like running a honeypot (so long as the service is essentially secure). You can then collect as much data as possible and act against the abusive subnets before they come along and attack one of the new vulnerabilities you didn't know about and can't hide behind a non-standard port. Every attempt to get to my root account via ssh is just that much smaller an attack vector I have to worry about in general. Why would I want to stop that?

  • 4n0nx Member

    sdglhm said: And prevents most of the scanners ;)

    Which are not successful anyway, since you use a strong password and not merely security through obscurity.

  • elgs Member

    Ever tried fail2ban?

  • fail2ban is installed.

  • shutdown -h now will 100% save you from any attack. :p
    As already written: don't use FTP, use SCP instead. Disable root login, set a secure password or disable password authentication.

    Thanked by 1: netomx
  • komputerking Member, Host Rep

    Are you sure that your fail2ban is configured correctly and is enabled? You need to enable SSH and FTP protection with it. You can also run commands to see the IPs that are connecting to your server, and manually block them using iptables.

    A combination of fail2ban, iptables and also potentially changing your setup to only allow connections on that port in iptables may be necessary.

    Also, is it just more of an annoyance, or are they actually logging into your server?

  • mikho Member, Host Rep

    The messages look like those that cPanel sends when it is blocking access because of failed logins.

    Is this the case?

    Thanked by 1: linuxthefish
  • You don't need password auth for SSH on a cPanel server if it's causing you issues; use keys, or set the password through WHM.

  • Prevention is better than cure... change your default port(s) and you will save yourself half the scan attacks.

  • @mikho yes, it's a server with cPanel.

    [email protected] [~]# service fail2ban status
    fail2ban-server (pid 1353) is running...
    Status
    |- Number of jail: 1
    `- Jail list: ssh-iptables
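    The status above shows a single jail (ssh-iptables), so the pure-ftpd notices are coming from cPanel's own failed-login blocking rather than from fail2ban. Before adding an FTP jail, it helps to know who is actually knocking: the following script is an added example (mine, not code from the thread or from cPanel) that parses notices in the same layout as the one quoted in the original post and aggregates them per remote IP and per /24, so repeat offenders and whole abusive subnets stand out and can be added to a CSF or iptables deny list. The field names it reads ("Service:", "Remote IP Address:", "Username:", "Number of authentication failures:") are the ones visible in the quoted notice; the sample notices and their IPs are constructed from RFC 5737 documentation ranges.

```python
"""Summarise cPanel-style brute-force notices (added example, not from the thread).

Assumption (mine): the notices have been saved as plain text, one after
another, separated by blank lines, in the layout the original poster quoted.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: four notices in the thread's layout. The IPs are from
# RFC 5737 documentation ranges, not real sources.
SAMPLE_NOTICES = """\
Brute Force attempt against "user@example.com".
Service: pure-ftpd
Remote IP Address: 203.0.113.17
Username: user@example.com
Number of authentication failures: 5
Maximum number allowed: 5

Brute Force attempt against "admin@example.com".
Service: pure-ftpd
Remote IP Address: 203.0.113.42
Username: admin@example.com
Number of authentication failures: 5
Maximum number allowed: 5

Brute Force attempt against "root".
Service: sshd
Remote IP Address: 198.51.100.9
Username: root
Number of authentication failures: 5
Maximum number allowed: 5

Brute Force attempt against "user@example.com".
Service: pure-ftpd
Remote IP Address: 203.0.113.17
Username: user@example.com
Number of authentication failures: 5
Maximum number allowed: 5
"""

# One "Key: value" line per field we care about; other lines are ignored.
FIELD_RE = re.compile(
    r"^(Service|Remote IP Address|Username|Number of authentication failures):\s*(.+?)\s*$",
    re.M,
)


def parse_notices(text):
    """Split blank-line separated notices and extract the fields above.
    Notices without a valid remote IP or failure count are skipped."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(chunk))
        try:
            ip = ipaddress.ip_address(fields["Remote IP Address"])
            failures = int(fields["Number of authentication failures"])
        except (KeyError, ValueError):
            continue
        records.append({"service": fields.get("Service", "?"), "ip": ip,
                        "user": fields.get("Username", "?"), "failures": failures})
    return records


def summarise(records, v4_prefix=24, v6_prefix=64):
    """Aggregate per source IP and per network so abusive subnets show up."""
    per_ip = defaultdict(lambda: {"notices": 0, "failures": 0, "users": set(), "services": set()})
    per_net = defaultdict(int)
    for r in records:
        entry = per_ip[str(r["ip"])]
        entry["notices"] += 1
        entry["failures"] += r["failures"]
        entry["users"].add(r["user"])
        entry["services"].add(r["service"])
        prefix = v4_prefix if r["ip"].version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        per_net[str(net)] += r["failures"]
    return per_ip, per_net


def block_candidates(per_ip, min_notices=2):
    """IPs that came back after cPanel's temporary block expired; these are
    the ones worth a permanent deny entry rather than another email."""
    return sorted(ip for ip, e in per_ip.items() if e["notices"] >= min_notices)


if __name__ == "__main__":
    per_ip, per_net = summarise(parse_notices(SAMPLE_NOTICES))
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["failures"]):
        print(f"{ip:16} notices={e['notices']} failures={e['failures']} "
              f"services={sorted(e['services'])} users={sorted(e['users'])}")
    print("per network:", dict(per_net))
    print("block candidates:", block_candidates(per_ip))
```

    To use it on real mail, concatenate the notice bodies into one file (or pipe them in) and call parse_notices on the text; the threshold in block_candidates is the number of separate notices, since each notice already represents cPanel's maximum of 5 failures.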

  • wych Member

    You could always raise the bantime, or just turn off the mail notifications...

  • CSF + mod_security will do just fine.

  • @4n0nx said:
    Which are not successful anyway. Since you use a strong password and not merely security through obscurity.

    I hate this response.

    Seems like people think it's either default port and strong password, or different port and password1.

    There's nothing wrong with having a different port AND a strong password.

  • 4n0nx Member

    hostnoob said: There's nothing wrong with having a different port AND a strong password.

    I hate this response.

    There is no reason to choose a different port, ever. The bots will not get through either way, and if someone really wants to brute-force your password, they'll do it on any port.

  • wych Member
    edited July 2015

    4n0nx said: There is no reason to choose a different port, ever

    So why did the software designers/developers allow and build that option in the config?

  • hostnoob Member
    edited July 2015

    @4n0nx said:
    There is no reason to choose a different port, ever. The bots will not get through either way, and if someone really wants to brute-force your password, they'll do it on any port.

    But it helps cut out the number of failed login errors, and this way, if someone IS attacking you on the random port you selected, you know there's a good chance you're being targeted rather than being hit by a random bot scanning every server.

    Also, when an exploit is discovered for a piece of software, and someone automatically scans servers for it, they're not going to check every port of every machine; they'll just check the port that the software listens on by default, unless someone is targeting you specifically, in which case it doesn't make a difference. But give me a good reason NOT to change to a different port?

    And not that "privileged ports" rubbish, since that requires someone to have access to the machine, at which point you're probably fucked already.

    Thanked by 2: Maounique, netomx
  • 4n0nx Member

    hostnoob said: But when an exploit is discovered for a piece of software, and someone automatically scans servers for it, they're not going to check every port of every machine; they'll just check the port that the software listens on by default, unless someone is targeting you specifically, in which case it doesn't make a difference. But give me a good reason NOT to change to a different port?

    Well then I suggest you change your HTTP port and others :D lol

  • hostnoob said: But it helps cut out the number of failed login errors, and this way, if someone IS attacking you on the random port you selected, you know there's a good chance you're being targeted rather than being hit by a random bot scanning every server.

    True, automated scans do not scan all the ports to see if a certain service listens on non-standard ones.
    If someone insists on a non-standard port, you know you have an enemy.

    Thanked by 2: netomx, hostnoob
  • @Maounique said:

    Yup, I watched a good video on masscan the other day, actually.
