Log in attempts

[AJA]

I recently enabled the email notification for failed lo in attempts to see what was happening, A lot from the places you might expect, Russia, China etc.

So today we get one from theplanet.com
nice.........

[freeman]

Quote:

Originally Posted by AJA

I recently enabled the email notification for failed lo in attempts to see what was happening, A lot from the places you might expect, Russia, China etc.

So today we get one from theplanet.com
nice.........

Relax, there is nothing to worry about, that's usually. People are trying....


Regards,
George B.

[AJA]

I understand, just the fact that one of them is coming from within.

[quietFinn]

Quote:

Originally Posted by AJA

I understand, just the fact that one of them is coming from within.

When there is a datacenter where there are thousands of servers, there are at least a few servers that are compromised.

[gbh]

Quote:

Originally Posted by AJA

I understand, just the fact that one of them is coming from within.

That kind of raised my eyebrows, when I first saw it, too, but I get so many brute force attacks from the usual suspects (China, Russia, Ukraine, Thailand, Vietnam, Moldova, GoDaddy, etc.) that I just consider them all the same, regardless of where they originate.

Even though all HostGator domains are on ThePlanet, not all ThePlanet domains are within HostGator.

[striddy]

Quote:

Originally Posted by gbh

Even though all HostGator domains are on ThePlanet, not all ThePlanet domains are within HostGator.

Actually it's SoftLayer not The Planet

[gbh]

Quote:

Originally Posted by striddy

Actually it's SoftLayer not The Planet

That's right, but the attacking IP addresses are often still registered as "ThePlanet.com Internet Services, Inc." though they now belong to SoftLayer.

[aeons]

If you are getting hit by the same IP over and over, report it to their ISP and send excerpts of the log showing them blocked. Time-stamped logs are crucial when reporting, so the host can lookup the attempt on their end to confirm.

Almost all hosts will act on it and warn/remove the abuser, as it eats up their network resources.

A log excerpt will look something like this:
[Thu Feb 09 11:08:30 2012] [error] [client ip.address.here] /whatever they were trying to do here.

Most of the abusers are hacked sites/servers from either careless/unknowing webmasters. Not usually the host's fault, unless they don't take action against abuse complaints.

[mrintech]

Quote:

Originally Posted by gbh

That kind of raised my eyebrows, when I first saw it, too, but I get so many brute force attacks from the usual suspects (China, Russia, Ukraine, Thailand, Vietnam, Moldova, GoDaddy, etc.) that I just consider them all the same, regardless of where they originate.

Even though all HostGator domains are on ThePlanet, not all ThePlanet domains are within HostGator.

[gbh]

Quote:

Originally Posted by aeons

If you are getting hit by the same IP over and over, report it to their ISP...

Yes, I am quite familiar with the procedure, but it is not the same IP address. There are a number of miscreants probing other servers from The Planet's IP address range.

[beiker]

This is what they call brute force I think. Trying possible combination until it gets in. One possible option here is to limit login attempts from a sepcifi source IP. Say 5 failed login attempts from a source IP will disable to function until 4h or so.

Question is, is this doable?

[quietFinn]

Quote:

Originally Posted by beiker

This is what they call brute force I think. Trying possible combination until it gets in. One possible option here is to limit login attempts from a sepcifi source IP. Say 5 failed login attempts from a source IP will disable to function until 4h or so.

Question is, is this doable?

Sure it is, just install CSF:
http://www.configserver.com/cp/csf.html

[aeons]

Quote:

Originally Posted by gbh

Yes, I am quite familiar with the procedure, but it is not the same IP address. There are a number of miscreants probing other servers from The Planet's IP address range.

The attacker likely started probing a set of IPs and landed with a bunch of Softlayer's servers that were run by owners that didn't do the necessities to harden their server and thus hacked.

Every now and then you'll get a sysadmin (rarely SL) that will reply to your abuse report and explain their customer was hacked and mention they had an exploit script running on their box that was attacking other servers.
One reply I received over the summer when I was under heavy attack, mentioned the exploit script had my server's IP stored in some database.

You probably got unlucky and landed in one of those databases and just by coincidence keep seeing the same providers.