Dozens of SSH connections per second

Posted by Etian, 11-07-2011, 07:23 PM
I had a terminal open as an unprivileged user, and I needed a root window, so I tried to open another as root, and it kept rejecting the connection. Fortunately I had the other terminal open, so I could su root and look through the logs and see what was happening. bfd didn't block the IP because no authentication was attempted. So I added the IP to deny_hosts.rules and reloaded apf, which ended the attack. What was the attacker trying to accomplish? The attacker's IP was 59.45.140.31.
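The gap the first post runs into is that bfd only counts failed logins, so a flood of TCP connections that never get as far as authentication is invisible to it. As an added example (not code from the thread, from apf or from bfd), the Python script below reads sshd lines in the /var/log/secure syslog format, separates pre-auth connections from failed and accepted logins, and reports any source whose peak connection rate inside a one-second sliding window reaches a threshold. The sshd message texts are real OpenSSH messages; the hostname, process ids, addresses, usernames, the one-second window and the threshold of 10 are all constructed or assumed, as is the one-address-per-line deny format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Message patterns sshd writes to /var/log/secure: syslog prefix, then the sshd text.
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_IP = r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
PATTERNS = {
    # A TCP connection that never reached authentication: the only trace a
    # connection flood or port probe leaves, and exactly what a failed-login
    # counter such as bfd ignores.
    "preauth": re.compile(_PREFIX + r"(?:Did not receive identification string from|"
                          r"Connection closed by) " + _IP),
    "authfail": re.compile(_PREFIX + r"Failed password for (?:invalid user )?\S+ from " + _IP),
    "accepted": re.compile(_PREFIX + r"Accepted \S+ for \S+ from " + _IP),
}


def parse_line(line):
    """Return (kind, ip, timestamp) for a recognised sshd line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which
            # is fine because only differences between timestamps are used.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return kind, m.group("ip"), ts
    return None


def summarize(lines):
    """Count recognised lines by kind; unmatched lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts


def peak_rate(times, window=1.0):
    """Largest number of events falling inside any `window` seconds (sliding window)."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_preauth_floods(lines, window=1.0, threshold=10):
    """Map each source whose pre-auth connection rate reached `threshold` to its peak rate."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == "preauth":
            by_ip[parsed[1]].append(parsed[2])
    floods = {}
    for ip, times in by_ip.items():
        peak = peak_rate(times, window)
        if peak >= threshold:
            floods[ip] = peak
    return floods


def deny_lines(floods):
    """One address per line, assumed to be a form apf's deny_hosts.rules accepts."""
    return sorted(floods)


def _secure_line(ts, pid, msg):
    # Assemble one constructed /var/log/secure line (hostname "host" is made up).
    return "%s host sshd[%d]: %s" % (ts, pid, msg)


# Constructed sample log: every address, pid and name here is invented.
SAMPLE_LOG = (
    # 15 connections from one source inside a single second, none identifying itself
    [_secure_line("Nov  7 19:20:01", 4000 + i,
                  "Did not receive identification string from 203.0.113.5") for i in range(15)]
    # the same source eight seconds later, five more
    + [_secure_line("Nov  7 19:20:09", 4100 + i,
                    "Connection closed by 203.0.113.5 [preauth]") for i in range(5)]
    # a slow scanner: two probes a minute apart, below any sane rate threshold
    + [_secure_line("Nov  7 19:21:00", 4200, "Did not receive identification string from 198.51.100.7"),
       _secure_line("Nov  7 19:22:00", 4201, "Did not receive identification string from 198.51.100.7")]
    # ordinary brute-force noise, which bfd or fail2ban already handle
    + [_secure_line("Nov  7 19:21:30", 4300 + i,
                    "Failed password for invalid user admin from 198.51.100.7 port %d ssh2" % (51000 + i))
       for i in range(3)]
    # the admin's own login
    + [_secure_line("Nov  7 19:23:00", 4400, "Accepted publickey for etian from 192.0.2.10 port 51000 ssh2")]
    # a line this script deliberately ignores
    + ["Nov  7 19:23:01 host sshd[4400]: pam_unix(sshd:session): session opened for user etian by (uid=0)"]
)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for ip, peak in find_preauth_floods(SAMPLE_LOG).items():
        print("flood: %s peaked at %d connections/s" % (ip, peak))
```

Run against a real log, this is the piece bfd lacks: the slow scanner and the password guesser stay below the rate threshold, while the source opening fifteen connections in one second is the one that exhausts sshd's worker processes and is the one worth handing to the firewall.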

Posted by GORF, 11-07-2011, 07:54 PM
If no authentication was attempted, maybe it was just a port scan. Are you still using port 22 for SSH? If so, change it.

Posted by Etian, 11-07-2011, 08:05 PM
Seems like that would be the best security, and to put reactive blocking in place to immediately block IPs trying to connect to port 22. But I'm terrified of locking myself out. That's why I haven't changed it.

Posted by GORF, 11-07-2011, 08:13 PM
Just by picking a random port number (and allowing it in and out with your firewall), you GREATLY reduce all of this nonsense scanning and worries.

Posted by Etian, 11-07-2011, 09:23 PM
I changed it to my birth year. Now I have to remember everything that it affects. rsync, scp, NX-nomachine, who knows what else.

Posted by Srv24x7, 11-08-2011, 02:47 AM
Changing the port is not a good solution. I would suggest you scan the entire server with chkrootkit for any backdoors. If it's cPanel, install the CSF firewall and harden the server more.

Posted by GORF, 11-08-2011, 07:14 PM
Solution to what? It seems to be only probing. So changing the port number will reduce this nonsense scanning. Those are obviously good suggestions. The OP was only talking about connections being made to 22. If a server is already hardened, there is no harm in leaving SSH on 22. Changing the port number for SSH will not stop these probes; they will only get no response and move on. And thank you for "plugging" your service.

Posted by Etian, 11-08-2011, 09:25 PM
That was a lot more than probing. It was overwhelming the sshd with too many processes. The ssh port is changed, and I'm not going back. After I'm sure all my apps that communicate through ssh are changed to the new port, I will set it to immediately block for 15 minutes any IPs that probe port 22. It's not cPanel, or even running Apache. I have apf and bfd (on CentOS 4), which block most port scanners and brute-force login attempts. What other hardening measures do you suggest?

Posted by RONIS, 11-09-2011, 04:23 PM
I would suggest "fail2ban". For example, if a user or attacker enters a wrong password while connecting to SSH, he will be banned for hours or days, depending on the config.
