I don't think cPHulk is working right (with ssh)

  • Spork Schivago
    This thread should be of some use to you: [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)

    Thank you Infopro. I've read that article. Unfortunately though, it doesn't tell me how to auto-block failed login attempts. Granted, hardening sshd is a great idea and I'm already using key authentication and have password authentication disabled. I can change the port, which wouldn't be a bad idea, and allow only my main user to be allowed to log in. Here's the thing though. There's definitely someone trying to get in. I have over 12,000 lines in my /var/log/secure file, mostly failed login attempts. Even if they cannot get in via ssh, who's to say they don't find some remote exploit later in the future? Or, maybe they have one already and just haven't gotten around to running it, you know, trying various things, in order, trying to get in? I'd like to just have the failed logins get the IP addresses banned so they can't even see my domain / server. I'm familiar with programs like fail2ban. But I thought cPHulk was supposed to handle all of this for me, so I didn't need another program, like fail2ban. Thanks!
    0
  • Infopro
    ConfigServer Firewall can be of great use.
    I can change the port, which wouldn't be a bad idea

    Changing SSH port is very important to quiet this sort of thing. Searching Google for just one snip of your log yields quite a lot of results: input_userauth_request: invalid user nagios Here's one of them: Invalid users trying to log in to my server
    0
  • Spork Schivago
    ConfigServer Firewall can be of great use. Changing SSH port is very important to quiet this sort of thing. Searching Google for just one snip of your log yields quite a lot of results: input_userauth_request: invalid user nagios Here's one of them: Invalid users trying to log in to my server

    Thanks Infopro. I knew it was some sort of script that was running, just by how quickly and how many times they were attempting to log in. Roughly 3 usernames per second or so. I think I might have to ban a whole network class? Every day, it seems to be getting worse but the IPs change, just enough. So, what's this ConfigServer Firewall? Is that part of cPanel / WHM? Or is that a third party program? I'm just curious as to what cPHulk is actually for if it can't successfully identify these types of attacks. I mean, it does recognize brute-force type attacks on my mail server, but that's about it. Thanks!
    0
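Added example, not part of any post in this thread: a way to measure what the posts above describe, counting failed sshd attempts in /var/log/secure per address and per /24 so that sources which "change just enough" still stand out. The log lines are constructed samples using documentation addresses, and the thresholds and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the sshd format written to /var/log/secure.
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2101]: Invalid user nagios from 203.0.113.17
Mar  3 04:12:01 host sshd[2101]: input_userauth_request: invalid user nagios [preauth]
Mar  3 04:12:01 host sshd[2102]: Invalid user oracle from 203.0.113.17
Mar  3 04:12:02 host sshd[2103]: Invalid user test from 203.0.113.90
Mar  3 04:12:02 host sshd[2104]: Failed password for invalid user admin from 203.0.113.201 port 51122 ssh2
Mar  3 04:12:03 host sshd[2105]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 04:12:04 host sshd[2107]: Invalid user x from 192.0.2.10 from 203.0.113.90
Mar  3 04:12:09 host sshd[2106]: Accepted publickey for spork from 192.0.2.10 port 50514 ssh2
"""

# The user name is client-supplied text, so the address is taken from the end
# of the line (greedy .*), never from the first "from" that appears.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed \S+ for(?: invalid user)?) .*"
    r" from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?\s*$"
)

def failed_sources(lines):
    """Yield the source IPv4 address of every rejected sshd attempt."""
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # dotted digits that are not a valid address

def block_candidates(lines, ip_threshold=2, net_threshold=3, prefix=24):
    """Return (addresses, networks) whose failure counts reach the thresholds."""
    per_ip, per_net = Counter(), Counter()
    for ip in failed_sources(lines):
        per_ip[ip] += 1
        per_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    ips = sorted(str(ip) for ip, n in per_ip.items() if n >= ip_threshold)
    nets = sorted(str(net) for net, n in per_net.items() if n >= net_threshold)
    return ips, nets

if __name__ == "__main__":
    ips, nets = block_candidates(SAMPLE_LOG.splitlines())
    print("per-address:", ips)
    print("per-/24:", nets)
```

Review the network list before adding it to a firewall deny list, since a /24 can contain legitimate clients as well as the scanning hosts.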
  • Spork Schivago
    Thanks Infopro. I knew it was some sort of script that was running, just by how quickly and how many times they were attempting to log in. Roughly 3 usernames per second or so. I think I might have to ban a whole network class? Every day, it seems to be getting worse but the IPs change, just enough. So, what's this ConfigServer Firewall? Is that part of cPanel / WHM? Or is that a third party program? I'm just curious as to what cPHulk is actually for if it can't successfully identify these types of attacks. I mean, it does recognize brute-force type attacks on my mail server, but that's about it. Thanks!

    I've been reading up on ConfigServer. If I have to install a third-party program, I'll probably go for something like that. I wish there was some cPanel / WHM plugin, like there is for cPHulk, so I could see everything graphically. I only have 1GB of RAM. Do you know how memory intensive this ConfigServer Firewall is? I know when I installed clamd or whatever the anti-virus program is called, it just about ate up all the memory I had and I had to uninstall it. Thanks.
    0
  • Spork Schivago
    I've decided to check out ConfigServer Firewall and I do have to say, this is an amazing piece of hardware! Unfortunately, during the installation process, I got a warning that a few options would be disabled because of some missing iptables modules (ipt_REDIRECT and ipt_DNAT). ipt_REDIRECT is a very handy module for writing iptables redirect rules and I can't really understand why GoDaddy doesn't have it enabled for my virtual server. I got off the phone with tech support for the hosting and unfortunately, it was a very disappointing conversation. For some reason, the tech support person kept on thinking I just didn't know how to use iptables. He kept on saying that it's my responsibility to learn how to set up iptables. I could pay around $160 and have them set up the iptables rules. He also said the guy who sold me the VPS should have gone over stuff like this and asked if I've ever run a server before, before allowing me to get one. I kept trying to tell him that the problem wasn't me not knowing how to set up iptables rules or anything. I just needed a module added to /etc/sysconfig/iptables-config and /etc/sysconfig/vz at the hardware / parent node, outside of the virtual environment. He just kept saying that iptables was there and I could just google how to set it up. I felt that he didn't understand my issue and whenever I tried explaining it to him, he felt that he knew what the problem was and wasn't listening. I'm not sure what features would be disabled because of these missing modules but I have a feeling the ConfigServer Firewall will still be able to do everything that I need it to do. Thank you so much for pointing me towards this piece of software.
    0
  • cPanelMichael
    Hello :) I've seen past discussions where a VPS provider implemented a policy that disallowed the use of these modules. I suggest following up with their support team to receive an official answer. Thank you.
    0
  • Spork Schivago
    Hello :) I've seen past discussions where a VPS provider implemented a policy that disallowed the use of these modules. I suggest following up with their support team to receive an official answer. Thank you.

    Thanks for the reply cPanelMichael. However, I no longer need cPHulk to work properly. I'm now using a cPanel add-on suite called ConfigServer Firewall. I do have to say, it's very nice. I'm glad there's a cPanel plugin. It'd be real nice if it came with cPanel automatically. I honestly can't see where it'd hurt anything. cPanel could have an option where it's disabled until the administrator of the server enables it. Anyway, thanks for the help!
    0
  • cPanelMichael
    It'd be real nice if it came with cPanel automatically.

    I am happy to see that CSF is working well for you. It's a third-party application so it's not a utility that we would include by default per the comments in this feature request: Integrate ConfigServer Security & Firewall (CSF/LFD) & Remove cPHulk Thank you.
    0
  • Spork Schivago
    I am happy to see that CSF is working well for you. It's a third-party application so it's not a utility that we would include by default per the comments in this feature request: Integrate ConfigServer Security & Firewall (CSF/LFD) & Remove cPHulk Thank you.

    Thanks again cPanelMichael. From reading the comments that you linked me to, I have a question about Travis Ellis's statement:
    We have no plan of removing cPHulk. It is vital for the authentication system.
    The question is about the cPHulk being vital for the authentication system. Does this mean if I have ConfigServer Firewall installed, I should keep cPHulk enabled? From all the reading I've done, CSF, when properly configured, seems to be able to replace cPHulk. Would there be any downfalls from disabling cPHulk and using just CSF? Or is it one of those things where if I don't have something like CSF, cPHulk is vital, and if I have CSF, I can safely disable cPHulk? Thanks!
    0
  • cPanelMichael
    Does this mean if I have ConfigServer Firewall installed, I should keep cPHulk enabled?

    It's acceptable to disable cPHulk without affecting authentication services. Thank you.
    0
  • Spork Schivago
    Good to go!
    0
