A lot of blocked IPs in firewall in short period of time, same region? Safe?




Posted by Blurple, 11-26-2010, 07:31 PM
Ok, so I was just looking at my firewall while I was doing some work and I noticed something I haven't seen before: I had several IPs blocked within 1 hour, all from Colombia and Chile. There were about 30-50 IPs. Is someone trying to bruteforce my server? Should I be worried about this? I have CSF with my WHM/cPanel.

Posted by Erawan Arif Nugroho, 11-26-2010, 08:07 PM
Yes. Seems like someone is bruteforcing your ssh. I have this kind of threat about 300 times/day. Another way to secure this is moving your default ssh port to another port. And as for me, I'm lowering the following values:
- Maximum Failures Per IP: 2
- Maximum Failures Per IP before IP is blocked for two week period: 3

Posted by Blurple, 11-26-2010, 09:30 PM
What about disabling password authentication and just using keys? I don't need SSH very often.

Posted by Erawan Arif Nugroho, 11-26-2010, 09:39 PM
Sure, you can also do that. If you are running the latest version of WHM/cPanel, then you can also check this: Limit logins to verified IP Addresses [checked]. And add your IP Address that will be allowed to login from the :

Posted by Blurple, 11-26-2010, 09:48 PM
Thanks, but I have several other users on this server from multiple locations so limiting the logins from verified IP addresses may be too much. I appreciate the help though.

Posted by brianoz, 11-26-2010, 09:49 PM
This is caused by running your ssh on port 22. Two options - firewall it so it only responds to particular IPs - maybe your home and office and datacentre ranges; or, Move it away from port 22. Or do both. Don't just disable password authentication, you're leaving yourself open for future hacking attempts if/when an ssh bug comes out.

Posted by Blurple, 11-26-2010, 09:56 PM
My previous response was in regards to blocking all IPs except mine for the cPanel, WHM, and all. Is there a way I can block IPs just for the ssh with the firewall I have now, CSF I believe it is?

Posted by Erawan Arif Nugroho, 11-26-2010, 10:00 PM
For CSF, maybe you can add the Allowed/Ignored IPs, and modify the CSF configuration to only allow those IPs.

Posted by Blurple, 11-26-2010, 10:24 PM
Ok, so I think I changed the port? I changed etc/ssh/sshd_config and edited Port 22 to the port I wanted to use; it's not a port that was in use before. Then restarted SSH. Now my program (RBrowser) on my MacBook was able to find the port when connecting through ssh, is this normal? I didn't define the port. When defining the port as 22 nothing happens, so I guess I'm good? I was able to login with port 22 before.

Posted by Erawan Arif Nugroho, 11-26-2010, 10:43 PM
This is my sample for ssh config : In some cases when we restart ssh, it will display that ssh failed. And for that, we have to reboot the server.
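
An added example, not part of the thread and not the sample config mentioned in the last post: a small Python check that reads sshd_config text and reports whether the two changes discussed above (moving off port 22, disabling password authentication) actually took effect. The function names and the sample config are constructed for illustration; the parsing follows sshd_config(5), where keywords are case-insensitive, the first value obtained for a keyword wins, and `Port` may be given several times.

```python
import re

# Constructed sample, not the config from the thread.
SAMPLE = """\
Port 22
Port 2222
#PasswordAuthentication no
PasswordAuthentication yes
passwordauthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global settings, listen ports, Match blocks) per sshd_config(5)."""
    settings, ports, matches = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "").strip()
        if key == "match":
            matches.append((value, {}))          # later lines belong to this block
        elif matches:
            matches[-1][1].setdefault(key, value)
        elif key == "port":
            ports.append(int(value))             # Port is cumulative, not first-wins
        else:
            settings.setdefault(key, value)      # first value obtained wins
    return settings, ports or [22], matches

def audit(text):
    """List findings that contradict 'moved off port 22, keys only'."""
    settings, ports, matches = parse_sshd_config(text)
    findings = []
    if 22 in ports:
        findings.append("sshd still listens on port 22")
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password authentication is enabled globally")
    for condition, block in matches:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {condition} re-enables password authentication")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live server, `sshd -T` prints the effective configuration after the daemon's own parsing and is the authoritative check.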
