
Hacker/illegal abuse on server - can I stop it?

Discussion in 'Plesk for Linux - 8.x and Older' started by kuhle, Feb 18, 2007.

  1. kuhle

    kuhle Guest

    In the last 2 weeks or so, I have had daily reports which are causing great concern. It is spammers/hackers trying to log into the server.

    Can anyone tell me how I can stop them, or deny them access when it detects that they are running many of these? The sort of extracts I get are as follows - they are SO LONG that I have only included a few entries and these are all from one day's log:
    ================================
    sshd:
    Authentication Failures:
    root (203.123.176.242): 22 Time(s)
    adm (210.114.223.66): 16 Time(s)
    ftp (210.114.223.66): 14 Time(s)
    james (210.114.223.66): 14 Time(s)
    mail (210.114.223.66): 14 Time(s)
    mysql (210.114.223.66): 14 Time(s)
    apache (210.114.223.66): 12 Time(s)
    postfix (210.114.223.66): 12 Time(s)
    postgres (210.114.223.66): 12 Time(s)
    postgres (203.123.176.242): 8 Time(s)
    mailman (203.123.176.242): 4 Time(s)
    mailnull (203.123.176.242): 2 Time(s)
    mysql (203.123.176.242): 2 Time(s)
    pcap (203.123.176.242): 2 Time(s)
    root (prx.funetia.pl): 2 Time(s)
    smmsp (203.123.176.242): 2 Time(s)
    tomcat4 (203.123.176.242): 2 Time(s)
    uucp (203.123.176.242): 2 Time(s)
    Invalid Users:
    Unknown Account: 2725 Time(s)
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.114.223.66 : 1584 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.123.176.242 : 780 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=125.215.206.110 : 355 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=duy194.internetdsl.tpnet.pl : 4 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=219.235.231.103 : 2 Time(s)
    ======================================

    Failed logins from these:
    Clara/password from ::ffff:125.215.206.110: 2 Time(s)
    Claudia/password from ::ffff:125.215.206.110: 2 Time(s)
    Jana/password from ::ffff:125.215.206.110: 1 Time(s)
    achim/password from ::ffff:125.215.206.110: 1 Time(s)
    adam/password from ::ffff:210.114.223.66: 14 Time(s)
    adelbert/password from ::ffff:125.215.206.110: 1 Time(s)
    adele/password from ::ffff:125.215.206.110: 2 Time(s)
    adm/password from ::ffff:210.114.223.66: 16 Time(s)
    admin/password from ::ffff:203.123.176.242: 16 Time(s)
    admin/password from ::ffff:210.114.223.66: 6 Time(s)
    admin2/password from ::ffff:203.123.176.242: 2 Time(s)
    administrator/password from ::ffff:203.123.176.242: 2 Time(s)
    adrian/password from ::ffff:125.215.206.110: 1 Time(s)


    ============================

    Illegal users from these:
    Clara/none from ::ffff:125.215.206.110: 2 Time(s)
    Clara/password from ::ffff:125.215.206.110: 2 Time(s)
    Claudia/none from ::ffff:125.215.206.110: 2 Time(s)
    Claudia/password from ::ffff:125.215.206.110: 2 Time(s)
    Jana/none from ::ffff:125.215.206.110: 1 Time(s)
    Jana/password from ::ffff:125.215.206.110: 1 Time(s)
    achim/none from ::ffff:125.215.206.110: 1 Time(s)
    achim/password from ::ffff:125.215.206.110: 1 Time(s)
    adam/none from ::ffff:210.114.223.66: 14 Time(s)
    adam/password from ::ffff:210.114.223.66: 14 Time(s)
    adelbert/none from ::ffff:125.215.206.110: 1 Time(s)
    adelbert/password from ::ffff:125.215.206.110: 1 Time(s)
    adele/none from ::ffff:125.215.206.110: 2 Time(s)
    adele/password from ::ffff:125.215.206.110: 2 Time(s)
    admin/none from ::ffff:203.123.176.242: 16 Time(s)
    admin/none from ::ffff:210.114.223.66: 6 Time(s)
    admin/password from ::ffff:203.123.176.242: 16 Time(s)
    admin/password from ::ffff:210.114.223.66: 6 Time(s)
    admin2/none from ::ffff:203.123.176.242: 2 Time(s)
    admin2/password from ::ffff:203.123.176.242: 2 Time(s)
    administrator/none from ::ffff:203.123.176.242: 2 Time(s)
    administrator/password from ::ffff:203.123.176.242: 2 Time(s)
     
  2. CryoGenID

    CryoGenID Regular Pleskian

    Joined:
    Apr 14, 2004
    Messages:
    150
    Likes Received:
    0
    Well,

    the easiest thing to do:
    Change the SSH-Port :)

    Away from 22 to something much higher (40122 or so)...

    Then those attempts will decrease _enormously_ :)
     
  3. lvalics

    lvalics Silver Pleskian Plesk Guru

    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    Or close for default SSH port 22 and open only to your IP from firewall. See in my signature on HOW TO.
     
  4. kuhle

    kuhle Guest

    Thank you both very much for those suggestions.

    If I change SSH port, will this affect customers who need to get into their web management? Please can you tell me how to check/change the SSH port?

    I could restrict access to my IP only, but that would not help when I am elsewhere which I often am.

    I was hoping also to be able to block IP ranges on the firewall, but in my Plesk 8.1, it looks as if the IP ranges that you put in are those which will be ACCEPTED, and clearly I want to blacklist IP ranges. Can you tell me how to do that?
     
  5. lvalics

    lvalics Silver Pleskian Plesk Guru

    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    First of all, it is important which firewall you use.
    Plesk one or other, like Kiss, APF?
    Plesk one has GUI interface, easier to set, but not so advanced.
    APF is much more advanced.

    Regarding SSH port, if you don't have static IP, then change your port.
    Clients will login into PLESK, not with SSH, so only you should use it.
     
  6. kuhle

    kuhle Guest

    I am using the Plesk firewall - the GUI makes it easier for me, accepting that it is not as advanced as others.

    I personally have a static IP, but if I need to do things remotely, that is why I want to just change the SSH port. Can you tell me how to do that?

    THANK YOU for your help.
     
  7. lvalics

    lvalics Silver Pleskian Plesk Guru

    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    I think (not sure) that you cannot from PLESK ... I use apf.
     
  8. atomicturtle

    atomicturtle Golden Pleskian

    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    My 2 cents here, I'm not a fan of changing the port. At best this just stops worms that don't port scan a host before trying to brute force the service. This is the real threat, moving the port does nothing to defend against it, and at worst adds admin overhead.

    1) DON'T USE PASSWORDS. Passwords are a bad security model, people forget them, use easily guessed ones, and regularly lose them. SSH has had a 2 factor authentication system for 12 years now, take advantage of it. Furthermore if you're managing 10's or 100's of systems with passwords you've either got to remember them, save them, or duplicate them across those systems. Again increasing your exposure when a password is compromised. Disable password authentication completely, and these brute force attacks are completely benign. Use keys and you've got 1 set of keys for every system. Edit /etc/ssh/sshd_config and set the following:
    PasswordAuthentication no

    Create your ssh keys, upload them to the box, test them, and then restart sshd.


    2) Assuming you've done item 1, and you don't care to see the access attempts in your logs any more, you can restrict access with firewall rules, or my personal preference, use an IDS like logwatch or DenyHosts to automatically shun someone when they attempt to brute force the system. There is value in detecting this type of event, as it allows you to detect known attackers, and block their access to other services. I've seen brute forcers try on the SMTP port at the same time they're going after ssh.
     
  9. kuhle

    kuhle Guest

    thank you both, and thanks for your useful post, atomicturtle.

    Were all the attacks listed in the original post SSH ones?

    I will do some research on IDS.

    THANK YOU all, once again for your help.
     
  10. Highland

    Highland Guest

    Another option not mentioned here is fail2ban (requires iptables to work). Keeps the brute force people at bay. Keep in mind that if you install APF for your firewall that when you restart APF it will wipe the f2b bans.
     
  11. kuhle

    kuhle Guest

    I have been looking at various IDS. It would seem sensible to stick with Logwatch as that is already on my server, and is what reports the multitude of attempted hacks.

    Is there a way that Logwatch can be used to blacklist these IP addresses? It would seem that it is possible from what atomicturtle said, but I cannot fathom out how.

    Grateful for any advice.
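
The aggregation step that atomicturtle's DenyHosts suggestion and the Logwatch question above both turn on, as an added example that is not part of the thread and is not code from Logwatch, DenyHosts or fail2ban: a POSIX shell/awk function that reads the two line shapes Logwatch's sshd section produces (the `rhost=... : N Time(s)` lines and the `user/password from ::ffff:IP: N Time(s)` lines), sums failures per source host, and prints every host over a threshold in the `sshd: host` form that /etc/hosts.deny expects. The function names, the threshold of 50 and the sample lines (RFC 5737 documentation addresses) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): tally sshd failures per source host from
# a logwatch sshd excerpt and print hosts that crossed a threshold in the
# "daemon: host" form /etc/hosts.deny (as written by DenyHosts) expects.

# Sum failures per remote host.  Two logwatch line shapes are understood:
#   authentication failure; ... rhost=203.0.113.5 : 1584 Time(s)
#   admin/password from ::ffff:198.51.100.7: 16 Time(s)
# The IPv4-mapped "::ffff:" prefix is stripped so both shapes key on the same
# host; hostnames (rhost=some.host.example) are kept as-is, never resolved.
# Feed only one of the overlapping "Failed logins" / "Illegal users" sections,
# otherwise the same attempts are counted twice.
# Usage: brute_force_hosts THRESHOLD < excerpt
brute_force_hosts() {
    awk -v thr="${1:-50}" '
        # Count is the N in the trailing ": N Time(s)"
        function count(line,    m) {
            if (!match(line, /: [0-9]+ Time\(s\)$/)) return 0
            m = substr(line, RSTART + 2)
            sub(/ Time\(s\)$/, "", m)
            return m + 0
        }
        function host(h) { sub(/^::ffff:/, "", h); return h }
        /rhost=/ {
            h = $0; sub(/.*rhost=/, "", h); sub(/ .*/, "", h)
            if (h != "") seen[host(h)] += count($0)
            next
        }
        / from / {
            h = $0; sub(/.* from /, "", h); sub(/: [0-9]+ Time\(s\)$/, "", h)
            if (h != "") seen[host(h)] += count($0)
        }
        END { for (h in seen) if (seen[h] >= thr) print "sshd: " h }
    ' | sort
}

# Constructed sample lines in logwatch's format (documentation addresses,
# not taken from any real server).
sample_report() {
    cat <<'EOF'
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.5 : 1584 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 : 4 Time(s)
admin/password from ::ffff:203.0.113.5: 16 Time(s)
adm/password from ::ffff:192.0.2.9: 60 Time(s)
root (scanner.example.net): 2 Time(s)
EOF
}

# Stand-alone run: hosts with 50 or more failures in the sample.
sample_report | brute_force_hosts 50
```

The output is only useful in /etc/hosts.deny if sshd on that box honours TCP wrappers; otherwise the same list feeds a firewall deny rule. DenyHosts and fail2ban do this automatically and also expire entries after a while, which this snippet does not, so a permanent list built from it should be reviewed before it grows to include a customer's own address.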
     
  12. thesafa

    thesafa Guest

    how to change SSH port?

    I am using Plesk 8.1 for Unix, and getting tons of failed attempts to connect to SSH in my daily logwatch.

    I'd very much appreciate if you could explain how you can change the SSH port.

    Thank you!
     
  13. CryoGenID

    CryoGenID Regular Pleskian

    Joined:
    Apr 14, 2004
    Messages:
    150
    Likes Received:
    0
    That's easy :D

    /etc/ssh/sshd.conf
    -> change the port to something else but 22 (40022 for example)

    then run a "service sshd restart"

    That's it :D
     
  14. Mr.Yes

    Mr.Yes Guest

    Hi Ivalics,

    Since yesterday I used the Plesk Firewall module, but today I installed your APF firewall. Now I need to know if I have to uninstall the Plesk module to work with APF or not.

    Again I would like you to check my conf.apf file,
    thank you



    Code:
    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"

    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="37,53,873"

    # Common ICMP (inbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    IG_ICMP_TYPES="3,5,11,0,30,8"


    # Egress filtering [0 = Disabled / 1 = Enabled]
    EGF="1"

    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873,5224"

    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="53,873"

    # Common ICMP egress (outbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    EG_ICMP_TYPES="all"
     
  15. lvalics

    lvalics Silver Pleskian Plesk Guru

    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    I close port 22 for all and open in /etc/apf/allow.... for IP.
    APF will overwrite PLESK firewall.
     
  16. Mr.Yes

    Mr.Yes Guest

    Ciao Valics,

    do you remove port 22 in

    IG_TCP_CPORTS (inbound) as well in
    EG_TCP_CPORTS (outbound) ??

    So if APF wins over the Plesk firewall I don't need to uninstall it? Good news, I remember I read in this forum in the past that I had to uninstall it to work with APF

    thanx
     
  17. lvalics

    lvalics Silver Pleskian Plesk Guru

    Joined:
    Jun 20, 2003
    Messages:
    965
    Likes Received:
    32
    Location:
    Romania
    Yes, we remove port 22 because we allow it to IP ...

    As far as I know not need to uninstall.
     
  18. nullbarriere

    nullbarriere Guest

    To prevent the open SSH port from being detected by every automated port scan, you can change the default port of the SSH service.

    Changing the SSH service configuration file
    To do this, you have to overwrite the port number in the configuration file. The configuration file is usually at /etc/ssh/sshd_config (Careful! Do not use ... ssh_config, but sshd_config). If the file is not there, try "find -name sshd_config".

    The SSH default port 22 is also the default value of the service, which is why the directive "Port 22" is commented out by default: "#Port 22". Since sshd can't jump that high, the fence (#) has to be removed. Then you can specify your own (unused!) port number, e.g. "Port 12345".

    With "netstat -nlt" you can first make sure that the chosen port number really is unused:
    the output should not contain the following line:

    tcp 0 0 127.0.0.1:12345 0.0.0.0:*

    Restarting the SSH service
    To activate the change to sshd_config, sshd has to be restarted: "/etc/init.d/sshd reload" (Careful! Not "ssh reload", but "sshd reload").

    Running "netstat -nlt" again should confirm success.

    Have fun!
    Don't forget to specify the port change in your terminal program the next time you log in!
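
The procedure above (pick an unused port, edit sshd_config, reload) together with atomicturtle's `PasswordAuthentication no`, as an added example that is not part of the thread and not code from OpenSSH or Plesk: POSIX shell functions that set a directive in an sshd_config file whether it is absent, active or commented out, check with `ss`/`netstat` that the chosen port is free, and run `sshd -t` on the result before anything is reloaded. The function names, the port 40022 (taken from CryoGenID's suggestion), the 1024-65535 range check and the scratch file contents are assumptions made for this example; `sshd -t` needs to run as root on the server itself, since it also loads the host keys.

```shell
#!/bin/sh
# Added example (not from the thread): the port change and "PasswordAuthentication no"
# as idempotent edits to an sshd_config file, with a free-port check and a syntax
# check before the running daemon is touched.

# Set KEY to VALUE in CONFIG: replaces the first "KEY ..." directive whether it is
# active or commented out ("#Port 22"), and appends it if no such line exists.
# Usage: set_sshd_option CONFIG KEY VALUE
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"; tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "[ \t]" }
        (tolower($0) ~ re) && !done { print key " " val; done = 1; next }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Succeed only if nothing listens on TCP port $1 (ss, else netstat).
# Fails, rather than guessing "free", when neither tool is available.
tcp_port_free() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null | awk '{ print $4 }')
    elif command -v netstat >/dev/null 2>&1; then
        listeners=$(netstat -nlt 2>/dev/null | awk '{ print $4 }')
    else
        echo "neither ss nor netstat found; cannot verify port $1" >&2
        return 1
    fi
    ! printf '%s\n' "$listeners" | grep -q ":$1\$"
}

# Run sshd's own parser on the file; skipped with a note where sshd is absent
# (for example on the workstation where this script is being tried out).
sshd_config_ok() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check of $1" >&2
    fi
}

# Full procedure: validate the port, check it is free, back up, edit, syntax-check.
# The reload is deliberately left to the operator: confirm that key-based login
# works in a second session first, then "/etc/init.d/sshd reload" (or
# "service sshd restart"), so a typo cannot lock you out of the server.
# Usage: harden_sshd CONFIG NEW_PORT
harden_sshd() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port out of range 1024-65535" >&2; return 1
    fi
    tcp_port_free "$port" || { echo "port $port is already in use" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    sshd_config_ok "$cfg" || { echo "syntax check failed; restore from $cfg.bak" >&2; return 1; }
    echo "edited $cfg (backup in $cfg.bak); verify key login, then reload sshd"
}

# Demo on a scratch file (constructed contents) so nothing under /etc is touched;
# prints the edited file.
demo_edit() {
    f=$(mktemp)
    printf '%s\n' '#Port 22' '#PasswordAuthentication yes' 'X11Forwarding no' > "$f"
    set_sshd_option "$f" Port 40022
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" PubkeyAuthentication yes
    cat "$f"; rm -f "$f"
}
demo_edit
```

On the server itself the call is `harden_sshd /etc/ssh/sshd_config 40022`; the helper stops before the reload on purpose, and the `.bak` copy is what you restore from if the new configuration does not behave as expected.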
     
  19. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    For those of you who do not speak German, here is what he said

    Note: I don't speak German either, I just used this translator :p
    http://babelfish.altavista.com/tr
     