
About security


MaRiOs

Guest
This is not really about Plesk, but
I think you may be interested.

I am fed up with watching lines like this one:

Sep 19 07:30:18 linux7 sshd(pam_unix)[13414]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=gsinternational.com
Sep 19 07:30:21 linux7 sshd(pam_unix)[13420]: check pass; user unknown

in my logs.

Is there any way to lock someone out from the firewall by using the hostname?
Because if I ping gsinternational.com I get an IP and I block it with the firewall module, but I think they use fake hostnames, so can I block the hostname?
 
They can't really use fake hostnames, but if you want to keep trying to block them you will be pretty busy, as you get them from all different people every day. I just woke up and my morning log has these, and this is a daily occurrence everyone has to deal with.

Failed logins from these:
ftp/password from 124-110-60-69.serverpronto.com (69.60.110.124): 3 Time(s)
lp/password from 124-110-60-69.serverpronto.com (69.60.110.124): 3 Time(s)
root/password from 124-110-60-69.serverpronto.com (69.60.110.124): 36 Time(s)
root/password from petrointrade-2.ip.PeterStar.net (82.140.81.26): 9 Time(s)

The safest thing to do, if you don't offer SSH to your users, is to firewall it from everyone but yourself so you can get in. You should have PermitRootLogin no in the SSH server config anyway, so all the root attempts are useless: even if they somehow get the password it won't let them in. And make sure you can't get into the other common accounts they try (lp, mail, ftp, postmaster, named, operator, halt, shutdown, sync, uucp, gopher, daemon, games, adm, news are a few off hand). You could disable password logins entirely so only public/private key authentication is allowed too. Obviously firewalling everyone is the best method if you don't offer SSH.
 
I have followed your last step; I did a script for automatic key creation, so I will disable password login, but I just want to know if I can block these people.

They are not attacking only SSH but FTP etc. too.
 
Marios, I believe the short answer to your question is that there is no way to block based on just the hostname; firewalls deal with IP addresses.

For an automated setup, check into installing both APF and BFD; with some minor configuration it can and will block repeated failed attempts automatically.

DO NOT do your initial tests on a live production server. Until you are familiar enough with these, you should be doing it on a TEST SERVER. If this is not possible, then I advise much CAUTION since initially they may block too much until you get them configured properly.

They work well with Plesk servers; I believe there is at least one post in the forums which details how to get it set up.

You can do the search on freshmeat.net and elsewhere, but who knows if any given package may be Plesk-friendly or not. At least APF and BFD can be used on Plesk servers and work well together as an automated solution.
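As an added illustration of the automated-blocking idea in this post (this is example code written for the thread, not APF's, BFD's or any poster's own code): a small Python script that parses sshd(pam_unix) failure lines of the kind quoted above, counts failures per rhost inside a sliding time window, and turns hosts over a threshold into a list a firewall can act on. The log lines, the *.example.test hostnames, the 192.0.2.x addresses and the CONSTRUCTED_DNS table are all constructed for the example; in practice the resolver argument would be socket.gethostbyname. Because the log carries a hostname rather than an address, a forward lookup is needed before a firewall rule can be written, which is exactly the gap the replies above point out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the sshd(pam_unix) format quoted in the thread. Hostnames,
# PIDs and times are made up; "check pass; user unknown" lines carry no rhost and
# are skipped by the parser.
SAMPLE_LOG = """\
Oct 13 19:35:19 linux7 sshd(pam_unix)[11393]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.example.test
Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: check pass; user unknown
Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.example.test
Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.example.test
Oct 13 19:35:24 linux7 sshd(pam_unix)[11402]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.example.test
Oct 13 19:35:26 linux7 sshd(pam_unix)[11406]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.example.test user=root
Oct 13 19:35:27 linux7 sshd(pam_unix)[11408]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.example.test user=root
Oct 13 19:40:18 linux7 sshd(pam_unix)[13414]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=gs.example.test
Oct 13 19:40:21 linux7 sshd(pam_unix)[13420]: check pass; user unknown
Oct 13 19:40:21 linux7 sshd(pam_unix)[13420]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=gs.example.test
Oct 13 20:10:00 linux7 sshd(pam_unix)[13500]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=gs.example.test
"""

# Constructed stand-in for DNS so the example runs offline; use socket.gethostbyname in practice.
CONSTRUCTED_DNS = {"vps.example.test": "192.0.2.10", "gs.example.test": "192.0.2.20"}

FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)


def parse_failures(text, year=2005):
    """Return (timestamp, rhost, user) for each pam_unix authentication failure.
    syslog timestamps carry no year, so one is supplied (an assumption of the example)."""
    failures = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m or not m.group("rhost"):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("rhost"), m.group("user") or "<unknown>"))
    return failures


def hosts_over_threshold(failures, threshold=5, window_seconds=60):
    """Map rhost -> peak number of failures seen inside any window_seconds span,
    keeping only hosts whose peak reaches the threshold (the BFD-style trigger)."""
    by_host = defaultdict(list)
    for ts, rhost, _user in failures:
        by_host[rhost].append(ts)
    flagged = {}
    for rhost, times in by_host.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[rhost] = peak
    return flagged


def block_list(failures, resolver, threshold=5, window_seconds=60):
    """Turn flagged hostnames into addresses a firewall rule can use.

    The log shows a name because sshd looked the client address up; a firewall
    needs the address, so each flagged name is forward-resolved with `resolver`
    (hostname -> IP string or None). With UseDNS no in sshd_config the log would
    carry the address directly and this step disappears."""
    result = {}
    for rhost, peak in hosts_over_threshold(failures, threshold, window_seconds).items():
        ip = resolver(rhost)
        if ip:
            result[ip] = (rhost, peak)
    return result


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for ip, (host, peak) in block_list(failures, CONSTRUCTED_DNS.get).items():
        print(f"block {ip}  # {host}: {peak} failures within 60s")
```

With the sample above only vps.example.test crosses the default threshold (six failures in eight seconds); gs.example.test has three failures spread over half an hour and is left alone, which is the kind of tuning the "may block too much" warning is about. Run it on a real secure log by replacing SAMPLE_LOG with the file contents and passing socket.gethostbyname as the resolver.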
 
I like simple solutions.
My sshd daemon is constantly hammered by script kiddies using random dictionary attacks.
One simple way to prevent most of it is changing the port sshd listens on, or using an unusual port mapping.
I don't really like that, however. Don't ask me why; it probably has something to do with my bad memory. I keep forgetting those ports.

Two other simple mechanisms which you could implement are:

1) Restricting allowed user accounts, esp. if you don't have a very common username like Jack or John:

AllowUsers secretuser [email protected].*

By adding the IP address you only allow login from that particular IP address for that particular user.

2) Restrict the number of tries for password guessing:

MaxStartups 10:30:60


From the manpages:

Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

Read more in this blog entry at aplawrence.com:
http://aplawrence.com/Blog/B1117.html
 
Originally posted by jamesyeeoc
For an automated setup, check into installing both APF and BFD; with some minor configuration it can and will block repeated failed attempts automatically.

They work well with Plesk servers; I believe there is at least one post in the forums which details how to get it set up.

I agree with this. We are running APF and BFD, which work great and are blocking about 4 IP addresses every day. You will get an e-mail about every block, in case it is a false positive. However, we have never had a false positive until today!

Check out this thread for a great tutorial on how to secure your Plesk server and install APF and BFD.

http://forum.plesk.com/showthread.php?s=&threadid=19876&highlight=howto+setup+new+plesk
 
These are very interesting ideas I have to consider, especially the last one.
Thank you!
 
APF also has a development mode, if you need to install it in a production environment. If you make a mistake, you wait for 5 minutes and everything returns to normal.

Check it out, great stuff!
 
@rvdmeer

I added these 2 lines:

MaxStartups 10:30:60
LoginGraceTime 120

in my /etc/ssh/ssh_config

but I still see people hammering the server like this:

Sep 28 04:35:33 linux7 sshd(pam_unix)[21059]:
Sep 28 04:35:36 linux7 sshd(pam_unix)[21061]:
Sep 28 04:35:36 linux7 sshd(pam_unix)[21061]:
Sep 28 04:35:37 linux7 sshd(pam_unix)[21063]:
Sep 28 04:35:37 linux7 sshd(pam_unix)[21063]:
Sep 28 04:35:40 linux7 sshd(pam_unix)[21065]:

for more than 30 times in a row.

The options I added should prevent that from happening... shouldn't they?
 
Any ideas?

I don't understand. I put the options you said in the sshd conf file and restarted the server,
and still I see people hammering my server like this:

Oct 13 19:35:19 linux7 sshd(pam_unix)[11393]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: check pass; user unknown
Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: check pass; user unknown
Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:24 linux7 sshd(pam_unix)[11402]: check pass; user unknown
Oct 13 19:35:24 linux7 sshd(pam_unix)[11402]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:24 linux7 sshd(pam_unix)[11404]: check pass; user unknown
Oct 13 19:35:24 linux7 sshd(pam_unix)[11404]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:26 linux7 sshd(pam_unix)[11406]: check pass; user unknown
Oct 13 19:35:26 linux7 sshd(pam_unix)[11406]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:27 linux7 sshd(pam_unix)[11408]: check pass; user unknown
Oct 13 19:35:27 linux7 sshd(pam_unix)[11408]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:29 linux7 sshd(pam_unix)[11411]: check pass; user unknown
Oct 13 19:35:29 linux7 sshd(pam_unix)[11411]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:29 linux7 sshd(pam_unix)[11413]: check pass; user unknown
Oct 13 19:35:29 linux7 sshd(pam_unix)[11413]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:31 linux7 sshd(pam_unix)[11415]: check pass; user unknown
Oct 13 19:35:31 linux7 sshd(pam_unix)[11415]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:32 linux7 sshd(pam_unix)[11417]: check pass; user unknown
Oct 13 19:35:32 linux7 sshd(pam_unix)[11417]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:34 linux7 sshd(pam_unix)[11419]: check pass; user unknown
Oct 13 19:35:34 linux7 sshd(pam_unix)[11419]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:34 linux7 sshd(pam_unix)[11421]: check pass; user unknown
Oct 13 19:35:34 linux7 sshd(pam_unix)[11421]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
Oct 13 19:35:36 linux7 sshd(pam_unix)[11423]: check pass; user unknown
 
Please read the full post referenced by rvdmeer.

An additional piece of info about the 10:30:60 is:

Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).

So you may want to play with the numbers. When reading ap-lawrence's blog post, keep in mind that his paths may be slightly different than yours.
 
So if I change it to MaxStartups 10:50:15,
that means that after 10 failed tries the server will deny 50% of the next tries? And when they get to 15 it will deny access completely, right?
 
If there are currently 10 unauthenticated connections, then additional connection attempts will be refused with a probability of 50%, and after there are 15 unauthenticated connections then all additional connection attempts (from anyone) will be refused.

So when there are 10 unauthorized connections, then the probability factor comes into play. At this point any additional connection attempts will fail half the time due to the 50.

Of the other half attempts, once there are 15 unauthorized connections, then ALL further connection attempts made by ANYONE will be refused.

That's how I understand the blog post info.
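To make the start:rate:full arithmetic from the man page excerpt and the interpretation above concrete, here is an added Python model of the sshd_config MaxStartups random early drop. It is example code written for this thread, not sshd's own code, but it follows the same linear ramp the man page describes: nothing is dropped below `start`, `rate`% is dropped at `start`, and the chance rises linearly to 100% at `full`. The 10:50:15 value is the one proposed a few posts up; the Monte Carlo function and its seed are assumptions of the example. It also shows why a password-guessing run that opens one connection at a time, fails, disconnects and reconnects is never affected: the counter only sees concurrent unauthenticated connections, not failures per host.

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups value the way sshd_config defines it.

    'start:rate:full' enables random early drop. A bare number N means
    N unauthenticated connections are allowed and everything beyond that
    is refused, i.e. start=N, rate=100, full=N."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError("expected 'start:rate:full' or a single number")
    start, rate, full = parts
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError("need 0 < start <= full and 0 <= rate <= 100")
    return start, rate, full


def drop_probability(unauthenticated, start, rate, full):
    """Percent chance that a *new* connection is refused while `unauthenticated`
    connections are still waiting to authenticate.

    Below `start` nothing is dropped; at `start` the chance is `rate`%; it
    rises linearly to 100% at `full`, where every new attempt is refused."""
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    # rate + (100 - rate) * (position inside the ramp / length of the ramp),
    # kept in integer percent
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def simulate_attempts(n_attempts, open_unauthenticated, start, rate, full, seed=0):
    """Monte Carlo (an assumption of the example, not sshd code): how many of
    n_attempts are refused if each one arrives while `open_unauthenticated`
    other connections are still unauthenticated. Returns the number dropped."""
    rng = random.Random(seed)
    p = drop_probability(open_unauthenticated, start, rate, full)
    return sum(1 for _ in range(n_attempts) if rng.randrange(100) < p)


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:50:15")  # value proposed in the thread
    for n in (9, 10, 12, 15):
        print(f"{n:2d} unauthenticated -> {drop_probability(n, start, rate, full):3d}% dropped")
    # A scanner that tries one password per connection and disconnects after each
    # failure never keeps more than one session open, so the counter is 0 when the
    # next attempt arrives and nothing is ever dropped. That is why failure lines
    # keep appearing with MaxStartups set; per-host blocking is what limits them.
    print("sequential attempts dropped:", simulate_attempts(1000, 0, start, rate, full))
    print("attempts arriving at 12 open sessions dropped:",
          simulate_attempts(1000, 12, start, rate, full))
```

With 10:50:15 the model gives 0% at 9 open connections, 50% at 10, 70% at 12 and 100% at 15, matching the reading given above; with the 10:30:60 default from the man page it gives 65% at 35. The sequential run in the last print drops nothing, which is the behaviour reported in the two log dumps above: MaxStartups protects sshd from being flooded with half-open sessions, and something per-host such as BFD plus a firewall rule is what stops a single address retrying.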
 