
Issue: Hundreds of IPs banned after new Plesk installation

Paula1

New Pleskian
5 years ago, my Plesk server was hacked.

After that experience, I tried to implement all the security measures that the Plesk Forum and documentation recommend.

However, 2 weeks ago my server was hacked again. (I found all of the index.php files modified and thousands of duplicated files filling up the disk.)

This is what I did:

I reinstalled a new server from scratch and applied all the security measures that I could find.

Nothing bad has happened yet, except that right now I have 677 banned IPs under the recidive jail.

Using the Cloudflare firewall, I have already blocked most countries in Asia and Eastern Europe, but the IPs haven't stopped getting banned. (Before using the CF firewall, most IPs were from China and Russia, but now they are from the Netherlands, France, Germany, etc.)

I don't host any kind of government, military, or political content on the websites, but for some reason someone or something is determined to hack my server again.

I need advice on what to do. Thanks in advance.

-----------------------------------------------------------

The following are just 5 minutes of fail2ban logs:

2020-11-19 00:01:00,637 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:01:00
2020-11-19 00:01:01,491 fail2ban.filter [2362]: INFO [ssh] Found 181.48.28.13 - 2020-11-19 00:01:01
2020-11-19 00:01:01,583 fail2ban.actions [2362]: NOTICE [ssh] Ban 181.48.28.13
2020-11-19 00:01:01,587 fail2ban.filter [2362]: INFO [recidive] Found 181.48.28.13 - 2020-11-19 00:01:01
2020-11-19 00:01:49,053 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:01:48
2020-11-19 00:01:49,865 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:01:49
2020-11-19 00:02:28,201 fail2ban.filter [2362]: INFO [ssh] Found 193.105.207.42 - 2020-11-19 00:02:28
2020-11-19 00:02:30,914 fail2ban.filter [2362]: INFO [ssh] Found 193.105.207.42 - 2020-11-19 00:02:30
2020-11-19 00:02:33,620 fail2ban.filter [2362]: INFO [ssh] Found 103.205.180.188 - 2020-11-19 00:02:33
2020-11-19 00:02:33,728 fail2ban.actions [2362]: NOTICE [ssh] Ban 103.205.180.188
2020-11-19 00:02:33,729 fail2ban.filter [2362]: INFO [recidive] Found 103.205.180.188 - 2020-11-19 00:02:33
2020-11-19 00:02:35,553 fail2ban.filter [2362]: INFO [ssh] Found 103.205.180.188 - 2020-11-19 00:02:35
2020-11-19 00:02:40,494 fail2ban.filter [2362]: INFO [ssh] Found 106.75.141.160 - 2020-11-19 00:02:40
2020-11-19 00:02:42,596 fail2ban.filter [2362]: INFO [ssh] Found 106.75.141.160 - 2020-11-19 00:02:42
2020-11-19 00:03:50,863 fail2ban.filter [2362]: INFO [ssh] Found 150.158.156.214 - 2020-11-19 00:03:50
2020-11-19 00:03:52,748 fail2ban.filter [2362]: INFO [ssh] Found 150.158.156.214 - 2020-11-19 00:03:52
2020-11-19 00:03:53,715 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:03:53
2020-11-19 00:03:56,430 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:03:56
2020-11-19 00:04:01,879 fail2ban.actions [2362]: NOTICE [ssh] Unban 167.99.110.42
2020-11-19 00:04:12,628 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:04:12
2020-11-19 00:04:13,129 fail2ban.actions [2362]: NOTICE [ssh] Ban 192.95.37.160
2020-11-19 00:04:13,133 fail2ban.filter [2362]: INFO [recidive] Found 192.95.37.160 - 2020-11-19 00:04:13
2020-11-19 00:04:14,695 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:04:14
 
It's perfectly alright to have hundreds of IPs banned. Actually, even if it were 2,000 or more, it would still be OK. That's what fail2ban is for. The hacking attempts that you are experiencing are just normal noise on the Internet. It's nothing specific to your server.
 
Do you have a firewall or appliance sitting in front of your server? You might consider blocking traffic to your SSH port and only allowing your IP address, which would effectively kill all of those SSH requests. Alternatively, you could also change your SSH port to a non-reserved port; however, this just has the effect of keeping this activity out of your logs, so you may still want to add IP limitations to your SSH services.
 
Might also be worth checking if your server is spewing anything out that would make it a target?
Dave_W
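To put a number on the "normal noise" Dave_W describes, here is an added example (not from the thread or from Plesk) that parses the fail2ban log format quoted above and summarizes Found/Ban/Unban events per jail, plus which addresses escalated from the ssh jail into recidive. The sample lines are a subset of those in the post; the regex and field names are my own assumptions about that format.

```python
import re
from collections import Counter, defaultdict

# Sample input: a subset of the fail2ban log lines quoted in the post above.
SAMPLE_LOG = """\
2020-11-19 00:01:00,637 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:01:00
2020-11-19 00:01:01,491 fail2ban.filter [2362]: INFO [ssh] Found 181.48.28.13 - 2020-11-19 00:01:01
2020-11-19 00:01:01,583 fail2ban.actions [2362]: NOTICE [ssh] Ban 181.48.28.13
2020-11-19 00:01:01,587 fail2ban.filter [2362]: INFO [recidive] Found 181.48.28.13 - 2020-11-19 00:01:01
2020-11-19 00:02:33,728 fail2ban.actions [2362]: NOTICE [ssh] Ban 103.205.180.188
2020-11-19 00:02:33,729 fail2ban.filter [2362]: INFO [recidive] Found 103.205.180.188 - 2020-11-19 00:02:33
2020-11-19 00:04:01,879 fail2ban.actions [2362]: NOTICE [ssh] Unban 167.99.110.42
2020-11-19 00:04:13,129 fail2ban.actions [2362]: NOTICE [ssh] Ban 192.95.37.160
2020-11-19 00:04:13,133 fail2ban.filter [2362]: INFO [recidive] Found 192.95.37.160 - 2020-11-19 00:04:13
2020-11-19 00:04:14,695 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:04:14
"""

# Assumed line shape, matching the lines in the post:
# "<date> <time> fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <Found|Ban|Unban> <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.\w+\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def summarize(log_text):
    """Count events per jail and list IPs that the ssh jail handed on to recidive."""
    per_jail = defaultdict(Counter)
    ips_by_jail = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected shape: skip rather than guess at the fields
        jail, event, ip = m["jail"], m["event"], m["ip"]
        per_jail[jail][event] += 1
        if event in ("Found", "Ban"):  # an Unban is not a new offender
            ips_by_jail[jail].add(ip)
    unique_ips = len(set().union(*ips_by_jail.values())) if ips_by_jail else 0
    # recidive watches fail2ban's own log: every "[ssh] Ban" reappears as
    # "[recidive] Found", so the intersection is the set of repeat offenders.
    repeat = sorted(ips_by_jail.get("ssh", set()) & ips_by_jail.get("recidive", set()))
    return {"per_jail": {j: dict(c) for j, c in per_jail.items()},
            "unique_ips": unique_ips, "recidive_ips": repeat}


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LOG))
```

Point it at a real /var/log/fail2ban.log to see how many distinct addresses account for a day's ban count; a high ssh Found count with a stable set of recidive IPs is the background scanning Dave_W refers to.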
 
Thank you very much for the suggestions.
Two weeks later, the number of banned IPs has been reduced by 50%.
Apparently the Cloudflare firewall has helped my Plesk server a lot (it even reduced the CPU load and RAM usage).
Also Fail2ban is working great.
Thanks.
 