cPHulk security warning on deactivated sshd service.
Hello,
I have a strange security issue.
I have deactivated the sshd service, but cPHulk gave me this security message:
A device at the "139.59.26.69" IP address has made a large number of invalid login attempts against the account "root". This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.
This is very strange because the sshd port is blocked at the firewall level in the Azure cloud and the service is disabled. I ensured it's still disabled:
Jan 03 16:00:58 sshd[15156]: input_userauth_request: invalid user benny [preauth]
Jan 03 16:00:58 sshd[15156]: Received disconnect from 103.17.48.8 port 41602:11: Bye Bye [preauth]
Jan 03 16:00:58 sshd[15156]: Disconnected from 103.17.48.8 port 41602 [preauth]
Jan 03 16:01:03 sshd[15174]: Received disconnect from 43.153.69.181 port 53714:11: Bye Bye [preauth]
Jan 03 16:01:03 sshd[15174]: Disconnected from 43.153.69.181 port 53714 [preauth]
Jan 03 16:01:04 sshd[15177]: Received disconnect from 213.202.223.97 port 34268:11: Bye Bye [preauth]
Jan 03 16:01:04 sshd[15177]: Disconnected from 213.202.223.97 port 34268 [preauth]
Jan 03 16:01:07 systemd[1]: Stopping OpenSSH server daemon...
Jan 03 16:01:07 sshd[11906]: Received signal 15; terminating.
Jan 03 16:01:07 systemd[1]: Stopped OpenSSH server daemon.
I have a country block in cPHulk that blocks almost all countries too,
but this IP address is from India, and India is in the cPHulk country block.
This is very, very strange... it's a fresh server install that has been running for about one month or two.
......
Service disabled. Blocked by the provider firewall. cPHulk country block and max 2 failures before block!!!
There must be a real threat to WHM servers! I'm running CentOS 7.9.
I can't explain how they triggered brute-force detection on the sshd service....
....................
IP Address-based Protection
ON OFF
IP Address-based protection tracks login attempts from specific IP addresses. When disabled, cPHulk will not block IP addresses, but existing blocks will remain.
IP Address-based Brute Force Protection Period (in minutes)
Maximum Failures per IP Address: 1
Command to Run When an IP Address Triggers Brute Force Protection
Block IP addresses at the firewall level if they trigger brute force protection
...................................................
This notice is the result of a request made by a computer with the IP address of "139.59.26.69" through the "sshd" service on the server.
The remote computer's location appears to be: India (IN).
The remote computer's IP address is assigned to the provider: "DigitalOcean, LLC"
The remote computer's network link type appears to be: "Ethernet or modem".
The remote computer's operating system appears to be: "Linux" with version "3.11 and newer".
............................................
Edit: Seems like my server logs are manipulated.... they're in... Breach time around 03-12 CET... Logs manipulated till 15 CET on 11 January 2023
Service: sshd
Remote IP Address: 139.59.26.69
Authentication Database: system
Username: root
Number of authentication failures: 28
Maximum number allowed: 2
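As an added example (not part of the original post, and not cPanel's or cPHulk's code), the following Python script reads journal lines of the kind pasted above and answers the questions a responder would ask before concluding that the logs were manipulated: how many failed pre-auth sessions each IP produced, which IPs exceed a cPHulk-style "maximum failures" threshold, when systemd reported sshd stopped, whether any sshd activity was logged after that point, and whether there are silent gaps in the log. The lines for 203.0.113.5 and 198.51.100.7 are constructed for the example (RFC 5737 documentation addresses) so the threshold and post-stop checks have something to find; every other line is the excerpt from the post. The year 2023 is assumed because syslog-style timestamps carry none.

```python
"""Sanity checks over sshd journal lines of the kind pasted in the post.

Added example, not from the original post or from cPanel/cPHulk. The
entries for 203.0.113.5 and 198.51.100.7 are constructed; the rest is
the excerpt quoted in the post. The year (2023) is an assumption.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Jan 03 16:00:58 sshd[15156]: input_userauth_request: invalid user benny [preauth]
Jan 03 16:00:58 sshd[15156]: Received disconnect from 103.17.48.8 port 41602:11: Bye Bye [preauth]
Jan 03 16:00:58 sshd[15156]: Disconnected from 103.17.48.8 port 41602 [preauth]
Jan 03 16:01:03 sshd[15174]: Received disconnect from 43.153.69.181 port 53714:11: Bye Bye [preauth]
Jan 03 16:01:03 sshd[15174]: Disconnected from 43.153.69.181 port 53714 [preauth]
Jan 03 16:01:04 sshd[15177]: Received disconnect from 213.202.223.97 port 34268:11: Bye Bye [preauth]
Jan 03 16:01:04 sshd[15177]: Disconnected from 213.202.223.97 port 34268 [preauth]
Jan 03 16:01:05 sshd[15180]: Disconnected from 203.0.113.5 port 40001 [preauth]
Jan 03 16:01:05 sshd[15181]: Disconnected from 203.0.113.5 port 40002 [preauth]
Jan 03 16:01:06 sshd[15182]: Disconnected from 203.0.113.5 port 40003 [preauth]
Jan 03 16:01:07 systemd[1]: Stopping OpenSSH server daemon...
Jan 03 16:01:07 sshd[11906]: Received signal 15; terminating.
Jan 03 16:01:07 systemd[1]: Stopped OpenSSH server daemon.
Jan 03 16:05:00 sshd[15300]: Disconnected from 198.51.100.7 port 40100 [preauth]
"""

# "Mon DD HH:MM:SS proc[pid]: message" as journalctl prints it without ISO timestamps.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# One "Disconnected from ... [preauth]" line per failed pre-auth session.
# "Received disconnect" is a second line for the same session, so it is not counted.
PREAUTH_RE = re.compile(r"Disconnected from (?P<ip>[\d.]+) port \d+ \[preauth\]")
STOP_MSG = "Stopped OpenSSH server daemon."


def parse(lines, year=2023):
    """Parse journal lines into (timestamp, process, pid, message) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["proc"], int(m["pid"]), m["msg"]))
    return events


def preauth_failures(events):
    """Count failed pre-authentication sessions per source IP."""
    counts = Counter()
    for _, proc, _, msg in events:
        m = PREAUTH_RE.search(msg) if proc == "sshd" else None
        if m:
            counts[m["ip"]] += 1
    return counts


def over_threshold(counts, max_failures):
    """IPs a cPHulk-style rule would block: more failures than the maximum allowed."""
    return sorted(ip for ip, n in counts.items() if n > max_failures)


def sshd_stop_time(events):
    """Timestamp at which systemd reported sshd stopped, or None if never."""
    for ts, proc, _, msg in events:
        if proc == "systemd" and msg == STOP_MSG:
            return ts
    return None


def attempts_after_stop(events):
    """Failed pre-auth sessions logged after the daemon stopped.

    Any hit means something was still answering on the SSH port after the
    stop: a restarted daemon, socket activation, or a second listener."""
    stop = sshd_stop_time(events)
    if stop is None:
        return []
    hits = []
    for ts, proc, _, msg in events:
        m = PREAUTH_RE.search(msg) if proc == "sshd" else None
        if m and ts > stop:
            hits.append((ts, m["ip"]))
    return hits


def log_gaps(events, max_gap_seconds):
    """Silent intervals longer than max_gap_seconds between consecutive entries,
    a first check to run when log tampering is suspected."""
    times = sorted(ts for ts, *_ in events)
    gaps = []
    for a, b in zip(times, times[1:]):
        delta = (b - a).total_seconds()
        if delta > max_gap_seconds:
            gaps.append((a, b, delta))
    return gaps


EVENTS = parse(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    counts = preauth_failures(EVENTS)
    print("failures per IP:", dict(counts))
    print("over threshold of 2:", over_threshold(counts, 2))
    print("sshd stopped at:", sshd_stop_time(EVENTS))
    print("attempts after stop:", attempts_after_stop(EVENTS))
    print("gaps longer than 60s:", log_gaps(EVENTS, 60))
```

Run against the posted excerpt alone, every failure is timestamped before 16:01:07, the moment systemd logged "Stopped OpenSSH server daemon", so those sessions reached a running sshd; an entry returned by attempts_after_stop (the constructed 198.51.100.7 line here) is the kind of result that genuinely needs explaining, and a non-empty log_gaps result is the first thing to compare against the suspected tampering window.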
-
Hey there! I'm sorry to hear about that breach. Let me know if you need anything from our end.