[SOLVED] Brute Force attack?
#1
So I just noticed today that I got the VPS and just logged in as usual to change my root password and set it up, but when I put in my password for root it says this:

login as: root
root@s password:
Last failed login: Wed Dec 21 17:03Happywide8 EST 2016 from  on ssh:notty
There were 19522 failed login attempts since the last successful login.

Is there a brute-force attack on the server? Is the VPS at risk?
#2
It surely looks like one, so many failed attempts.
The first thing I can suggest to secure your VPS now is to disable root login,
then change your SSH port. A quick guide is as follows:
vi /etc/ssh/sshd_config
Then search for the line #Port 22,
uncomment the line so that it looks like: Port 22,
then finally change the port to one in the range 30-65535.
That would secure your VPS for now; if you want to secure it more, there are some tutorials on the forum about it.
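
The edit described in post #2, scripted as an added example that is not part of the original thread: it backs up the file, removes every active `Port` line, and writes the new port and `PermitRootLogin no` at the top of the file. The port 2222, the function names and the sample config are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the sshd_config edits from post #2, applied by script.
# Port 2222, the function names and the sample config are assumptions.

# set_sshd_option FILE KEY VALUE
# Drops every active "KEY ..." line and writes "KEY VALUE" as the first
# line, ahead of any Match block. Commented lines like "#Port 22" stay.
# Port may appear several times and sshd listens on all of them, so a
# leftover "Port 22" would keep the old port open.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        awk -v k="$key" 'tolower($1) != tolower(k)' "$file"
    } > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of FILE
    status=$?
    rm -f "$tmp"
    return "$status"
}

# harden_sshd FILE PORT: back up FILE, move SSH to PORT, refuse root logins.
harden_sshd() {
    conf=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
    esac
    if ! { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null; then
        echo "port must be 1-65535" >&2; return 1
    fi
    cp -p "$conf" "$conf.bak" || return 1
    set_sshd_option "$conf" Port "$port" &&
        set_sshd_option "$conf" PermitRootLogin no
}

# Constructed sample standing in for /etc/ssh/sshd_config.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#Port 22
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
harden_sshd "$demo_conf" 2222 && cat "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

On a real server, point it at /etc/ssh/sshd_config, check the result with `sshd -t`, and keep the current session open until a login on the new port with a non-root account has worked.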
#3
Every day there are millions upon millions of automated brute-force attempts by bots on many common protocol ports, including port 22 for SSH. It is a common thing, but of course it is scary for new beginners. The attack volume is growing day by day.

Read this discussion: https://freevps.us/thread-19477.html and you will know what you can / have to do.

Check our Security & Privacy forum as it has some VPS and SSH hardening guides in the sticky area.
#4
Meh,

I had ~ 500 thousand failed logins (weekly) on my VPS,

Then I implemented fail2ban and DenyHosts.

IPs are blacklisted within 3 failed logins and the abusers' IPs are mailed to their ISP for interrogation.
Quite effective, I say: now around 10 failed logins per day, since the majority of the abusers are blacklisted.
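
The rule post #4 describes (block a source after 3 failed logins) comes down to counting failures per address; the following added example, which is not part of the original thread and not fail2ban's own code, does that count over constructed log lines. It ignores time windows, and it reads the address from the fixed tail of each line so that text in the user name field cannot be taken for the source.

```shell
#!/bin/sh
# Added example: count failed SSH password logins per source address and
# list the sources at or above a threshold (post #4 blacklists at 3).

# failed_login_sources THRESHOLD   (reads sshd log lines on stdin)
# Prints "COUNT ADDRESS", highest count first.
failed_login_sources() {
    awk -v min="$1" '
        # sshd ends these lines with "from ADDR port N ssh2". Reading ADDR
        # from that fixed tail means a user name containing the word
        # "from" cannot shift which field is taken as the source.
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Constructed sample input; addresses are from the documentation ranges.
# The last line has a user name field that itself contains spaces.
sample_log() {
    cat <<'EOF'
Dec 21 16:58:01 vps sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec 21 16:58:03 vps sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec 21 16:58:06 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40230 ssh2
Dec 21 16:59:10 vps sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 51822 ssh2
Dec 21 17:01:44 vps sshd[2120]: Accepted password for deploy from 192.0.2.10 port 60022 ssh2
Dec 21 17:02:00 vps sshd[2125]: Failed password for invalid user x from 192.0.2.99 port 1 from 198.51.100.7 port 51830 ssh2
EOF
}

sample_log | failed_login_sources 3
```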
#5
Yes my friend, your VPS is at high risk. Someone is for sure trying to get into your VPS. You should consider security. As Optimus said, you should disable the root login. Here is one of the freevps.us threads that can probably help you get going with the basic security required for almost every VPS: https://www.freevps.us/thread-4125.html I hope that helps.

But if you are still unsure whether it's an attack or your friend trying to log in: believe me, he/she can't do that 19k times in under 24 hrs (which I guess is more time).
#6
(2016-12-22, 7:24:56 pm)MichaelW Wrote:  Meh,

I had ~ 500 thousand failed logins (weekly) on my VPS,

Then I implemented fail2ban and DenyHosts.

IPs are blacklisted within 3 failed logins and the abusers' IPs are mailed to their ISP for interrogation.
Quite effective, I say: now around 10 failed logins per day, since the majority of the abusers are blacklisted.

VestaCP comes with fail2ban.  Glad you mentioned it positively as I was not so sure how good it was.  One has to enable it, and it's easy to add it with the bash script.  Haven't had any issues (cross fingers).

WEBUZO added ConfigServer to its panel last year. 

I guess scripts like these are no longer a luxury but a necessity. Access with keys and no passwords also seems to be becoming more widely used. I'm a bit worried I will muck up the keys and lose access, but probably should just go for it one of these days. One of the best security precautions there is. PuTTYgen makes it very easy to use and there are plenty of tutorials on how to set it up.
#7
(2016-12-23, 6:52:56 am)deanhills Wrote:  VestaCP comes with fail2ban.  Glad you mentioned it positively as I was not so sure how good it was.  One has to enable it, and it's easy to add it with the bash script.  Haven't had any issues (cross fingers).

WEBUZO added ConfigServer to its panel last year. 

I guess scripts like these are no longer a luxury but a necessity. Access with keys and no passwords also seems to be becoming more widely used. I'm a bit worried I will muck up the keys and lose access, but probably should just go for it one of these days. One of the best security precautions there is. PuTTYgen makes it very easy to use and there are plenty of tutorials on how to set it up.

You can always test with keys before disabling password based login. Also if you're using OVZ, you can use the emergency terminal built into most CPs to fix it if you mess up.
#8
Someone should really include this in the FAQ and some recommendations/requirements to combat this for anyone who receives a VPS. This has got to be the most abused thing in this industry. So much so that knowing to protect yourself against it should be more important than owning a VPS.
#9
@"S.L.C"

Already have a few basic guidelines here: https://freevps.us/faq/#q32, I'll see if I can cook up a master tutorial on basic brute-force protection sometime.
#10
(2016-12-23, 11:43:14 am)S.L.C Wrote:  Someone should really include this in the FAQ and some recommendations/requirements to combat this for anyone who receives a VPS. This has got to be the most abused thing in this industry. So much so that knowing to protect yourself against it should be more important than owning a VPS.

That would be a good idea, since this is one of the most common issues everyone faces. Also, do we have a basic server hardening guide here? I mean things anyone can do, like:

01. Changing root user
02. Changing SSH port
03. Long-character passwords
04. Limiting login attempts
05. Setting up iptables

etc etc