5 years ago, my Plesk server was hacked.
After that experience I tried to implement all the security measures that the Plesk Forum and documentation recommend.
However, 2 weeks ago my server was hacked again. (I found all of the index.php files modified and thousands of duplicated files filling the disk up.)
This is what I did:
I reinstalled a new server from scratch and applied all the security measures that I could find.
Nothing bad has happened yet, except that right now I have 677 banned IPs under the recidive jail.
Using the Cloudflare firewall I already blocked most countries from Asia and Eastern Europe, but the IPs haven't stopped getting banned. (Before using the CF Firewall, most IPs were from China and Russia, but now they are from the Netherlands, France, Germany, etc.)
I don’t host any kind of government, military or political content on the websites... but for some reason someone or something is determined to hack my server again.
I need advice on what to do. Thanks in advance.
-----------------------------------------------------------
The following are just 5 minutes of fail2ban logs:
2020-11-19 00:01:00,637 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:01:00
2020-11-19 00:01:01,491 fail2ban.filter [2362]: INFO [ssh] Found 181.48.28.13 - 2020-11-19 00:01:01
2020-11-19 00:01:01,583 fail2ban.actions [2362]: NOTICE [ssh] Ban 181.48.28.13
2020-11-19 00:01:01,587 fail2ban.filter [2362]: INFO [recidive] Found 181.48.28.13 - 2020-11-19 00:01:01
2020-11-19 00:01:49,053 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:01:48
2020-11-19 00:01:49,865 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:01:49
2020-11-19 00:02:28,201 fail2ban.filter [2362]: INFO [ssh] Found 193.105.207.42 - 2020-11-19 00:02:28
2020-11-19 00:02:30,914 fail2ban.filter [2362]: INFO [ssh] Found 193.105.207.42 - 2020-11-19 00:02:30
2020-11-19 00:02:33,620 fail2ban.filter [2362]: INFO [ssh] Found 103.205.180.188 - 2020-11-19 00:02:33
2020-11-19 00:02:33,728 fail2ban.actions [2362]: NOTICE [ssh] Ban 103.205.180.188
2020-11-19 00:02:33,729 fail2ban.filter [2362]: INFO [recidive] Found 103.205.180.188 - 2020-11-19 00:02:33
2020-11-19 00:02:35,553 fail2ban.filter [2362]: INFO [ssh] Found 103.205.180.188 - 2020-11-19 00:02:35
2020-11-19 00:02:40,494 fail2ban.filter [2362]: INFO [ssh] Found 106.75.141.160 - 2020-11-19 00:02:40
2020-11-19 00:02:42,596 fail2ban.filter [2362]: INFO [ssh] Found 106.75.141.160 - 2020-11-19 00:02:42
2020-11-19 00:03:50,863 fail2ban.filter [2362]: INFO [ssh] Found 150.158.156.214 - 2020-11-19 00:03:50
2020-11-19 00:03:52,748 fail2ban.filter [2362]: INFO [ssh] Found 150.158.156.214 - 2020-11-19 00:03:52
2020-11-19 00:03:53,715 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:03:53
2020-11-19 00:03:56,430 fail2ban.filter [2362]: INFO [ssh] Found 51.158.20.200 - 2020-11-19 00:03:56
2020-11-19 00:04:01,879 fail2ban.actions [2362]: NOTICE [ssh] Unban 167.99.110.42
2020-11-19 00:04:12,628 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:04:12
2020-11-19 00:04:13,129 fail2ban.actions [2362]: NOTICE [ssh] Ban 192.95.37.160
2020-11-19 00:04:13,133 fail2ban.filter [2362]: INFO [recidive] Found 192.95.37.160 - 2020-11-19 00:04:13
2020-11-19 00:04:14,695 fail2ban.filter [2362]: INFO [ssh] Found 192.95.37.160 - 2020-11-19 00:04:14
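
One way to triage a log like the one above, as an added example that is not part of the original post: it counts failed attempts per jail and source address and lists sources that were seen but never banned in the window. It assumes the fail2ban.log line format shown in the post; the sample lines are constructed (documentation address ranges) and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Matches the fail2ban.log line format shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)

# Constructed sample lines, not taken from the post.
SAMPLE_LOG = """\
2020-11-19 00:01:00,637 fail2ban.filter [2362]: INFO [ssh] Found 192.0.2.10 - 2020-11-19 00:01:00
2020-11-19 00:01:01,491 fail2ban.filter [2362]: INFO [ssh] Found 198.51.100.7 - 2020-11-19 00:01:01
2020-11-19 00:01:01,583 fail2ban.actions [2362]: NOTICE [ssh] Ban 198.51.100.7
2020-11-19 00:01:01,587 fail2ban.filter [2362]: INFO [recidive] Found 198.51.100.7 - 2020-11-19 00:01:01
2020-11-19 00:03:53,715 fail2ban.filter [2362]: INFO [ssh] Found 192.0.2.10 - 2020-11-19 00:03:53
2020-11-19 00:03:56,430 fail2ban.filter [2362]: INFO [ssh] Found 192.0.2.10 - 2020-11-19 00:03:56
2020-11-19 00:04:01,879 fail2ban.actions [2362]: NOTICE [ssh] Unban 203.0.113.42
this line is not a fail2ban event
"""

def summarize(log_text):
    """Return (found, banned, skipped) for a fail2ban log excerpt."""
    found = defaultdict(Counter)  # jail -> source IP -> number of Found events
    banned = defaultdict(set)     # jail -> source IPs that received a Ban
    skipped = 0                   # lines that are not Found/Ban/Unban events
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        if m["event"] == "Found":
            found[m["jail"]][m["ip"]] += 1
        elif m["event"] == "Ban":
            banned[m["jail"]].add(m["ip"])
    return found, banned, skipped

def seen_not_banned(found, banned, jail):
    """Sources with failures in `jail` that never reached a Ban in this excerpt."""
    return sorted(ip for ip in found[jail] if ip not in banned[jail])

if __name__ == "__main__":
    found, banned, skipped = summarize(SAMPLE_LOG)
    for jail, per_ip in found.items():
        print(jail, dict(per_ip), "banned:", sorted(banned[jail]))
    print("seen but not banned (ssh):", seen_not_banned(found, banned, "ssh"))
    print("unparsed lines:", skipped)
```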