I get hundreds of attacks like the one below on my VPS from different IPs. Is there any way I can stop this?
Brute Force attempt against “[email protected]**********.com”.
A device at the “22.214.171.124” IP address has made a large number of invalid login attempts against the account “[email protected]**********.com”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.
Local IP Address: ..*.
Local Port: 21
Remote IP Address: 126.96.36.199
Authentication Database: ftp
Username: [email protected]**********.com
Number of authentication failures: 5
Maximum number allowed: 5
When I wake up I get 200+ emails like this. Am I under attack? Any way I can stop these?
Looks like you are already blocking them.
Is there any way CSF can block these?
Use iptables to block by geo-IP from certain countries?
They don't come from a specific country like Russia or China; most of them are from European countries and US IPs too.
Stop using FTP?
Stop allowing password authentication?
Need more info about what you're needing to do. If you need passwords and FTP, then you don't have much choice. You could just block all traffic except for a whitelist.
The generic answer is fail2ban. I don't use FTP, but it definitely works wonders for dictionary attacks on email and constant scans for WordPress/PHP vulnerabilities.
+1 and also change the default port to something else.
If the password is long enough, it does not really matter. No need for fail2ban then. Changing port is just security through obscurity, yet it may help you figure out if someone is targeting you specifically.
And prevent most of the scanners
Depending on your goals. Not changing the ports is like running a honeypot (so long as the service is essentially secure). You can then collect as much data as possible and act against the abusive subnets before they come along and attack one of the new vulnerabilities you didn't know about and can't hide behind a non-standard port. Every attempt to get to my root account via ssh is just that much smaller an attack vector I have to worry about in general. Why would I want to stop that?
Which are not successful anyway. Since you use a strong password and not merely security through obscurity.
Ever tried fail2ban?
fail2ban is installed.
shutdown -h now will 100% save you from any attack.
As already written: don't use FTP, use SCP instead. Disable root login, set a secure password or disable password authentication.
Are you sure that your fail2ban is configured correctly and is enabled? You need to enable SSH and FTP protection with it. You can also run commands to see the IPs that are connecting to your server, and manually block them using iptables.
A combination of fail2ban, iptables and also potentially changing your setup to only allow connections on that port in iptables may be necessary.
Also, is it just more of an annoyance, or are they actually logging into your server?
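One way to act on these notifications in bulk, in the spirit of the advice above (collect the reported IPs, then block abusive subnets rather than reacting to each mail). This is an added example, not code from anyone in this thread or from cPanel/CSF; it parses the notification format quoted at the top, groups sources by /24, and renders iptables DROP rules as text for review. The sample addresses are constructed from the RFC 5737 documentation ranges, and the ignore list is a hypothetical placeholder for your own addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict

def _notice(ip, port=21, db="ftp"):
    """Build a constructed notification body in the format quoted in the thread."""
    return (f"Local Port: {port}\nRemote IP Address: {ip}\nAuthentication Database: {db}\n"
            f"Username: user@example.com\nNumber of authentication failures: 5\n"
            "Maximum number allowed: 5")

# Hypothetical sources from the RFC 5737 documentation ranges, not real attackers.
SAMPLE_NOTICES = [_notice("203.0.113.10"), _notice("203.0.113.77"),
                  _notice("198.51.100.9", 22, "system"), _notice("192.0.2.200")]

FIELD_RE = re.compile(r"^(Remote IP Address|Local Port|Number of authentication failures):\s*(\S+)", re.M)

def parse_notice(text):
    """Return (remote_ip, local_port, failures) from one notification body."""
    fields = dict(FIELD_RE.findall(text))
    return (ipaddress.ip_address(fields["Remote IP Address"]),
            int(fields.get("Local Port", 0)),
            int(fields.get("Number of authentication failures", 0)))

def failures_by_subnet(notices, prefix=24):
    """Map each /prefix network to a Counter of {remote_ip: total failures}."""
    nets = defaultdict(Counter)
    for text in notices:
        ip, _, failures = parse_notice(text)
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)][ip] += failures
    return nets

def pick_blocks(notices, min_hosts=2, ignore=()):
    """Block a whole /24 once min_hosts distinct addresses in it were reported,
    otherwise block single addresses. 'ignore' lists your own addresses (hypothetical)."""
    ignore_ips = {ipaddress.ip_address(i) for i in ignore}
    targets = []
    for net, hosts in failures_by_subnet(notices).items():
        hosts = sorted(ip for ip in hosts if ip not in ignore_ips)
        if len(hosts) >= min_hosts and not any(i in net for i in ignore_ips):
            targets.append(net)               # whole subnet is abusive
        else:
            targets.extend(ipaddress.ip_network(str(ip)) for ip in hosts)
    return sorted(targets)

def to_iptables(targets, port=21):
    """Render DROP rules as text for review; nothing here executes iptables."""
    return [f"iptables -I INPUT -s {t.with_prefixlen} -p tcp --dport {port} -j DROP"
            for t in targets]
```

Feed it the bodies of the saved notification mails and review the rendered rules before applying them; a whitelist of your own addresses in `ignore` keeps you from locking yourself out.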
The messages look like those that cPanel sends when it is blocking access because of failed logins.
Is this the case?
You don't need password auth for SSH on a cPanel server if it's causing you issues: keys, or password through WHM.
Prevention is better than cure... change your default port(s) and you will save yourself from half the scan attacks.
@mikho yes, it's a server with cPanel.
You could always raise the bantime, or just turn off the mail notifications...
csf + mod_security will do just fine
I hate this response.
Seems like people think it's either default port and strong password, or different port and password1.
There's nothing wrong with having a different port AND a strong password.
I hate this response.
There is no reason to choose a different port, ever. The bots will not get through either way, and if someone really wants to brute-force your password, they'll do it on any port.
So why did the software designers/developers allow and build that option in the config?
But it helps cut out the amount of failed login errors, and this way, if someone IS attacking you on the random port you selected, you know there's a good chance you're being targeted rather than being hit by a random bot scanning every server.
Also, when an exploit is discovered for some software, and someone automatically scans servers for it, they're not going to check every port of every machine; they'll just check the port that the software listens on by default, unless someone is targeting you specifically, in which case it doesn't make a difference. But give me a good reason NOT to change to a different port?
And not that "privileged ports" rubbish since that requires someone to have access to the machine, at which point you're probably fucked already.
Well then I suggest you change your HTTP port and others lol
True, automated scans do not scan all the ports to see if a certain service listens on non-standard ones.
If someone insists on a non-standard port, you know you have an enemy.
Yup, I watched a good video on masscan the other day actually