#1
11-13-2010, 08:18 AM
Liquid_Squelch
Hatchling Croc
Join Date: Jun 2009
Posts: 31
Brute Force Attempts climbing

I've had my VPS since September, and the number of daily attempts to various accounts on my VPS being blocked by Brute Force is climbing.

Are there any scripts / programs that I could or should install on my VPS to hunt down or build a signature list of IP addresses that I should ban from ever touching my server?

I looked into SNORT, but that seems too bloated to run on a VPS. I know someone who runs portsentry, but I think development stopped on that. Would something like that work for blocking those types of attacks?

I run ZB Block on one of my websites and it does a fantastic job of keeping the bots off that one site, but I need something to make sure my WHM and cPanel interfaces stay protected too.

What does everyone else use to protect their VPS?

#2
11-13-2010, 10:03 AM
dave g
Swamp Croc
Join Date: Mar 2005
Location: Ellington a cow town in Connecticut
Posts: 371
Re: Brute Force Attempts climbing

I would recommend having ConfigServer Services (configserver.com) install their full set of software (a one-time charge of $125.00), or you can install their free firewall; it will do what you want to do.

Dave G

#3
11-13-2010, 10:11 AM
chaloupe
King Croc
Join Date: Nov 2004
Location: Dieppe, New-Brunswick, Canada
Posts: 1,426
Re: Brute Force Attempts climbing

Liquid_Squelch,

For configserver firewall, please see this link for the installation instruction:

http://configserver.com/free/csf/install.txt

It's free!
__________________
Jean Boudreau - IT for local businesses
It's all about automation!
Any data backup of your company?


#4
11-13-2010, 01:33 PM
GatorJLavoy
HostGator Staff
Join Date: Feb 2010
Location: Austin, Tx
Posts: 541
Re: Brute Force Attempts climbing

Hello,

cPanel has its own brute force protection inside of WHM. Once logged in, search for cPHulk or the word 'brute' and it should bring it up. This will monitor the WHM logins for root and block them after a number of attempts, depending on your configuration. I don't BELIEVE it blocks cPanel as well, but I could be mistaken. We generally don't see cPanel accounts being brute forced through actual cPanel; generally those come through FTP/SSH.

In regard to the other services, the first step we generally recommend is to move SSH to a non-standard port. Most SSH brute-force attempts come from automated bots that aren't smart enough to look at an nmap output and check every open port. I generally see all brute forcing of SSH stop once the SSH port is changed.

Lastly, and this one is just personal preference, but I use a service called fail2ban on my server. It's free and open source, and if configured correctly it monitors all access attempts on whatever services you set it to watch. After x amount of failures, the IP is banned for 15 minutes automatically. If you have experience with setting up Linux applications (editing config files, compiling software), this may be something you want to look into.

Hope this is helpful.
__________________
James Lavoy
Linux Systems Administrator II || Server Provisioning
HostGator.com LLC
http://support.hostgator.com
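
The threshold-and-ban behaviour described in the post above, sketched as an added example (not part of the original post and not fail2ban's own code). The log lines are constructed, and `MAXRETRY`, `FINDTIME` and the year are assumptions; only the 15-minute ban comes from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5                      # assumed value for the post's "x" failures
FINDTIME = timedelta(minutes=10)  # assumed window in which failures are counted
BANTIME = timedelta(minutes=15)   # ban length stated in the post

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def make_line(hhmmss, ip, user="root"):
    """Build one constructed sshd auth-log line for the sample below."""
    return (f"Nov 13 {hhmmss} vps sshd[2101]: "
            f"Failed password for {user} from {ip} port 40001 ssh2")

SAMPLE_LOG = (  # constructed data; all addresses are documentation ranges
    [make_line(f"08:00:0{i}", "203.0.113.7") for i in range(5)]   # burst of 5
    + [make_line("08:05:00", "203.0.113.7")]                      # during the ban
    + [make_line("08:16:00", "203.0.113.7")]                      # ban has expired
    + [make_line(t, "198.51.100.9", "invalid user admin")
       for t in ("08:02:00", "08:03:00", "08:04:00")]             # only 3 failures
)

def find_bans(lines, year=2010):
    """Return (ip, banned_at, banned_until) for each ban a threshold rule issues."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside FINDTIME
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ts < banned_until.get(ip, datetime.min):
            continue              # still banned: the firewall would drop this
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()      # forget failures older than the window
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```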

#5
11-14-2010, 09:35 PM
Liquid_Squelch
Hatchling Croc
Join Date: Jun 2009
Posts: 31
Re: Brute Force Attempts climbing

I've added a line into /etc/ssh/ssh_config as:
port xxxxx (xxxx = new port)

I then restarted SSHD via Parallels.

Then, I changed my firewall settings from port 22 to xxxxx (again, xxxxx = new port).
I restarted iptables via Parallels.

When I open PuTTY using the default settings, I always get a "Login" prompt at port 22.
If I try and start PuTTY on my custom port, it won't connect.

I've also run "service sshd restart" as root as well.

What did I miss??

Last edited by Liquid_Squelch; 11-14-2010 at 09:38 PM.

#6
11-14-2010, 09:59 PM
Liquid_Squelch
Hatchling Croc
Join Date: Jun 2009
Posts: 31
Re: Brute Force Attempts climbing

Crud.. now I did it..

I was modifying the SSH_Config not sshd_config

I restarted the service, but now I can't log in with my new port

I ran 'netstat' and my new port is set to "listening"
I've opened the port in my firewall. Looks like I'll open a ticket so I can get into SSH again.

Hey - if I can't get in, maybe my brute force will go down too

#7
11-14-2010, 11:19 PM
Liquid_Squelch
Hatchling Croc
Join Date: Jun 2009
Posts: 31
Re: Brute Force Attempts climbing

HG Support is the best.
They told me they had to open my port in their firewall too. After that was done the door was open!

HG is the best
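
A pre-flight check for the port move worked through in posts #5 to #7, as an added example that is not part of the original thread. The function names are hypothetical, the inputs are constructed (2222 stands in for the poster's "xxxxx"), and the firewall text is assumed to be in `iptables-save` format.

```python
import re

def sshd_ports(sshd_config_text):
    """Ports sshd binds: every 'Port' line in sshd_config, or 22 if none is set."""
    ports = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"(?i)port(?:\s+|\s*=\s*)(\d+)", line)
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]

def accepted_tcp_ports(iptables_save_text):
    """Single TCP destination ports with an ACCEPT rule in the INPUT chain."""
    ports = set()
    for line in iptables_save_text.splitlines():
        m = re.search(r"--dport (\d+)(?=\s)", line)  # skips port ranges
        if (m and line.startswith("-A INPUT") and "-p tcp" in line
                and line.rstrip().endswith("-j ACCEPT")):
            ports.add(int(m.group(1)))
    return ports

def preflight(sshd_config_text, ssh_config_text, iptables_save_text):
    """List reasons a login on the new port would fail, before restarting sshd."""
    problems = []
    daemon = sshd_ports(sshd_config_text)
    # ssh_config only sets the client's default port; sshd never reads it
    for p in re.findall(r"(?im)^\s*port(?:\s+|\s*=\s*)(\d+)", ssh_config_text):
        if int(p) not in daemon:
            problems.append(f"ssh_config (client) has Port {p}, "
                            f"but sshd_config (daemon) listens on {daemon}")
    allowed = accepted_tcp_ports(iptables_save_text)
    for p in daemon:
        if p not in allowed:
            problems.append(f"no INPUT ACCEPT rule for sshd port {p}")
    return problems

# Constructed inputs; 2222 is a placeholder for the new port.
SSHD_DEFAULT = "#Port 22\nProtocol 2\n"
SSHD_MOVED = "Port 2222\nProtocol 2\n"
SSH_CLIENT = "Host *\n    Port 2222\n"
FIREWALL = "-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT\n"

if __name__ == "__main__":
    print(preflight(SSHD_DEFAULT, SSH_CLIENT, FIREWALL))  # wrong file edited
    print(preflight(SSHD_MOVED, SSH_CLIENT, FIREWALL))    # daemon file edited
```

A check like this only sees the server's own files; a provider-side firewall such as the one mentioned in post #7 is outside its view, so keep the existing session open and test the new port from a second connection.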

#8
11-16-2010, 09:57 AM
Liquid_Squelch
Hatchling Croc
Join Date: Jun 2009
Posts: 31
Re: Brute Force Attempts climbing

Ahhh peace and quiet.. One full day of no brute force attacks..

#9
11-16-2010, 10:54 AM
chaloupe
King Croc
Join Date: Nov 2004
Location: Dieppe, New-Brunswick, Canada
Posts: 1,426
Re: Brute Force Attempts climbing

Great to hear that it did resolve your brute force attempts!!
__________________
Jean Boudreau - IT for local businesses
It's all about automation!
Any data backup of your company?

All times are GMT -5.