Large Number of Failed Login Attempts

Discussion in 'Security' started by Skyview, Sep 14, 2014.

  1. Skyview

    Skyview Member

    I normally get 3 to 4 of these emails a day. The last couple of days however, I have seen a huge uptick in my server being bombarded with these. Anyone else dealing with this or is it just me? They say they are from all over the globe, but my guess is they are originating from the same place and are going through proxy servers, etc. as I imagine most of these types of attacks do.

    I wish there was a reasonable way to just block all IPs outside of the US. I know that in and of itself wouldn't prevent it, but rarely do I see US IPs in these. Is blocking like this feasible or would it create a deny file that is incredibly huge? It would be good if it worked like my router, where I could just specify an allow range and deny all others.
     
  2. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    I can't say that I've seen an increase in tickets about this or anything. It's quite possible a few bots have just discovered you and are targeting you. I'd imagine they'll figure out they can't get in and move on - that's usually how it goes.

    As long as you keep secure passwords, just disregard the emails. The fact that you see the emails will make you worry about it, but this isn't necessary. The server will continue doing its job, blocking these IPs as they come, and if your passwords are strong they'll never get in.

    Unfortunately there's not a good way to block all non-US IPs in a way that doesn't create tons of iptables rules with tons of overhead (and on VPSs will exceed the maximum number of allowed rules thus preventing CSF from starting up).
     
  3. Skyview

    Skyview Member

    Jonathan,

    Thanks for the explanation. No, I wasn't particularly alarmed or worried, as I am used to getting these as I said 3 or 4 a day every day. It's just this one seems particularly focused on one FTP account for one site and is still going on as of the last email I got at 1:55pm today. The ironic thing is there is no FTP account for the user name in question, so it is impossible for there to be a successful attempt using that name.

    I was afraid that would be the case with the IP blocking. Why can't they make it easier? So easy with my router, just block all except what's in my allow list :)
     
  4. KH-Paul

    KH-Paul CTO Staff Member

    It is hard to block everything but the US; however, it is much easier to do this by registry service area. If blocking everything but the ARIN region is acceptable for you then this could be done with just 110 deny rules - one deny rule for every /8 that is not allocated to ARIN and is not reserved. Here is a link to the document which shows how IPs are allocated to the different registries: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml and here is a link to the list of countries within the ARIN region: https://www.arin.net/knowledge/rirs/ARINcountries.html . There is, of course, always a chance that some organization might obtain IP space from one region's registry and use it in another region, so you might end up blocking more than anticipated.
     
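    The rule Paul describes above (one deny entry per /8 that is neither reserved nor allocated to ARIN) can be generated from the IANA table he links instead of being typed by hand. The script below is an added example for this thread, not code from the thread's attachment or from ConfigServer. It parses a constructed excerpt in the layout of the IANA ipv4-address-space CSV (the real file has one row per /8; the sample rows and dates here are assumed for illustration) and emits csf.deny entries. Two details matter in practice: legacy blocks that are "Administered by ARIN" carry whois.arin.net in the Whois column, so keying on that column rather than on the Designation text keeps them unblocked; and the IANA file zero-pads the first octet (`039/8`), which iptables does not accept as an address, so the conversion strips the padding.

```python
import csv
import io
import ipaddress

# Constructed excerpt in the layout of the IANA ipv4-address-space CSV
# (columns: Prefix, Designation, Date, Whois, RDAP, Status [1], Note).
# Rows are assumed for illustration; fetch the real file for production use.
SAMPLE_IANA_CSV = """Prefix,Designation,Date,Whois,RDAP,Status [1],Note
000/8,IANA - Local Identification,1981-09,,,RESERVED,
001/8,APNIC,2010-01,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
003/8,Administered by ARIN,1994-05,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
010/8,IANA - Private Use,1995-06,,,RESERVED,
039/8,APNIC,2011-01,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
050/8,ARIN,2010-02,whois.arin.net,https://rdap.arin.net/registry,ALLOCATED,
077/8,RIPE NCC,2006-08,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
127/8,IANA - Loopback,1981-09,,,RESERVED,
224/8,Multicast,1981-09,,,RESERVED,
"""

# csf.pl matches this phrase (case-insensitively) to exempt a line from
# DENY_IP_LIMIT and from lfd's automatic pruning of old deny entries.
KEEP_COMMENT = "do not delete - block outside of ARIN region"


def iana_prefix_to_network(prefix):
    """'039/8' -> IPv4Network('39.0.0.0/8').

    The IANA file zero-pads the first octet. iptables treats '039.0.0.0' as a
    hostname and fails with 'host/network not found', so the padding must go.
    """
    first, length = prefix.split("/")
    return ipaddress.ip_network(f"{int(first)}.0.0.0/{length}")


def non_arin_prefixes(csv_text):
    """Return the /8 networks allocated to a registry other than ARIN.

    Reserved space is skipped (there is nothing to block there), and any block
    whose Whois server is whois.arin.net is skipped, which covers both blocks
    designated 'ARIN' and legacy blocks 'Administered by ARIN'.
    """
    networks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status [1]"].strip() == "RESERVED":
            continue
        if row["Whois"].strip() == "whois.arin.net":
            continue
        networks.append(iana_prefix_to_network(row["Prefix"]))
    return networks


def csf_deny_lines(networks, comment=KEEP_COMMENT):
    """Render one csf.deny entry per network, in the form used in this thread."""
    return [f"{net.with_prefixlen}  # {comment}" for net in networks]


if __name__ == "__main__":
    for line in csf_deny_lines(non_arin_prefixes(SAMPLE_IANA_CSV)):
        print(line)
```

    Run against the real CSV, the output is the block of lines to paste below the "# See readme.txt ..." comment in csf.deny; with the sample above it prints three lines (1.0.0.0/8, 39.0.0.0/8 and 77.0.0.0/8) and leaves 3.0.0.0/8 and 50.0.0.0/8 alone.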
  5. Skyview

    Skyview Member

    Paul,

    Thanks for the info. Blocking all but within ARIN would be fine. If 110 deny rules would work OK with my VPS, would KH be able to assist with setting something like that up? I'm a little out of my element with this. I know nothing is foolproof but this looks like a viable alternative. Thanks.
     
  6. KH-Paul

    KH-Paul CTO Staff Member

    This won't be that hard to complete - just go to WHM -> Plugins -> ConfigServer Security & Firewall, click on the "Firewall Deny IPs" button and copy & paste the content of the attached .txt file right after these lines:

    # See readme.txt for more information regarding advanced port filtering
    #


    then click "Change" at the bottom of the screen and click on the "Restart csf+lfd" button on the next screen. That's it :) Please feel free to open a support ticket and link to this thread if you need any help with this.
     

  7. Chris.M

    Chris.M Member

    Skyview, you're not alone. I have noticed a significant number of failed attempts lately, particularly within the last week or so. Their intent is nasty, but they're interesting to analyze. I've set incredibly low thresholds for brute force attempts, so they don't stand much of a chance to begin with. In numbers, they've been numerous, though.

    Many of the attempts seem to hit all of my servers simultaneously. I can only assume they're auto-targeting random IP ranges and hoping for the best. Or perhaps the increase is partially related to current geopolitical events. You never know - as long as they're being stopped in their tracks and handled properly, all is well. (And the usernames used are amusing. "apple," "jack," and "ohno!" haven't had much luck logging into smtp lately.)

    Paul, thanks for the handy advice.
     
  8. JoseDieguez

    JoseDieguez Member

    Me too...

    But mine are not the "Large number of Attempts", it's the "blocked with too many connections". I always receive 3-5 every day, but today I have received at least 30, only temporary blocks, so maybe they keep trying until they get the permanent block.

    But well, my root password (according to WHM) is 100/100 so it should be safe... I hope :p
     
  9. Skyview

    Skyview Member

    Thanks Paul. That actually sounds really simple so I'm pretty sure I can handle that with your list of IPs. I really need to spend some time with CSF and cPanel in general familiarizing myself with their full functionality. Hopefully this will eliminate at least the majority of attacks on my sites.

    Chris/Jose, good to know I'm not the only one. It's hard to tell sometimes what are random bot type attacks vs. others, but I'm hoping Paul's info will help eliminate at least some of them.
     
  10. Skyview

    Skyview Member

    Paul or Jonathan,

    I followed the directions above and restarted CSF and LFD. This is the result I got, so I'm not sure if it took properly or not. I already have quite a few (a hundred or more) entries that lfd had added, so I just added the entries from the text file at the top, just below the line Paul mentioned.

    Restarting csf...

    iptables v1.4.7: host/network `039.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `039.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `049.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `049.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `058.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `058.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `059.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `059.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `078.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `078.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `079.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `079.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `080.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `080.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `081.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `081.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `082.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `082.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `083.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `083.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `084.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `084.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `085.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `085.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `086.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `086.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `087.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `087.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `088.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `088.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `089.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `089.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `090.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `090.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `091.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `091.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `092.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `092.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `093.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `093.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `094.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `094.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `095.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.7: host/network `095.0.0.0' not found
    Try `iptables -h' or 'iptables --help' for more information.

    ...Done.

    Restarting lfd...

    Stopping lfd:[ OK ]
    [ OK ]
    Starting lfd:[ OK ]

    ...Done.
     
  11. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    @Skyview it looks like the leading zeros just need to be removed. Try this:

    Code:
    1.0.0.0/8  # do not delete - block outside of ARIN region
    2.0.0.0/8  # do not delete - block outside of ARIN region
    5.0.0.0/8  # do not delete - block outside of ARIN region
    14.0.0.0/8  # do not delete - block outside of ARIN region
    25.0.0.0/8  # do not delete - block outside of ARIN region
    27.0.0.0/8  # do not delete - block outside of ARIN region
    31.0.0.0/8  # do not delete - block outside of ARIN region
    36.0.0.0/8  # do not delete - block outside of ARIN region
    37.0.0.0/8  # do not delete - block outside of ARIN region
    39.0.0.0/8  # do not delete - block outside of ARIN region
    41.0.0.0/8  # do not delete - block outside of ARIN region
    42.0.0.0/8  # do not delete - block outside of ARIN region
    43.0.0.0/8  # do not delete - block outside of ARIN region
    46.0.0.0/8  # do not delete - block outside of ARIN region
    49.0.0.0/8  # do not delete - block outside of ARIN region
    51.0.0.0/8  # do not delete - block outside of ARIN region
    53.0.0.0/8  # do not delete - block outside of ARIN region
    57.0.0.0/8  # do not delete - block outside of ARIN region
    58.0.0.0/8  # do not delete - block outside of ARIN region
    59.0.0.0/8  # do not delete - block outside of ARIN region
    60.0.0.0/8  # do not delete - block outside of ARIN region
    61.0.0.0/8  # do not delete - block outside of ARIN region
    62.0.0.0/8  # do not delete - block outside of ARIN region
    77.0.0.0/8  # do not delete - block outside of ARIN region
    78.0.0.0/8  # do not delete - block outside of ARIN region
    79.0.0.0/8  # do not delete - block outside of ARIN region
    80.0.0.0/8  # do not delete - block outside of ARIN region
    81.0.0.0/8  # do not delete - block outside of ARIN region
    82.0.0.0/8  # do not delete - block outside of ARIN region
    83.0.0.0/8  # do not delete - block outside of ARIN region
    84.0.0.0/8  # do not delete - block outside of ARIN region
    85.0.0.0/8  # do not delete - block outside of ARIN region
    86.0.0.0/8  # do not delete - block outside of ARIN region
    87.0.0.0/8  # do not delete - block outside of ARIN region
    88.0.0.0/8  # do not delete - block outside of ARIN region
    89.0.0.0/8  # do not delete - block outside of ARIN region
    90.0.0.0/8  # do not delete - block outside of ARIN region
    91.0.0.0/8  # do not delete - block outside of ARIN region
    92.0.0.0/8  # do not delete - block outside of ARIN region
    93.0.0.0/8  # do not delete - block outside of ARIN region
    94.0.0.0/8  # do not delete - block outside of ARIN region
    95.0.0.0/8  # do not delete - block outside of ARIN region
    101.0.0.0/8  # do not delete - block outside of ARIN region
    102.0.0.0/8  # do not delete - block outside of ARIN region
    103.0.0.0/8  # do not delete - block outside of ARIN region
    105.0.0.0/8  # do not delete - block outside of ARIN region
    106.0.0.0/8  # do not delete - block outside of ARIN region
    109.0.0.0/8  # do not delete - block outside of ARIN region
    110.0.0.0/8  # do not delete - block outside of ARIN region
    111.0.0.0/8  # do not delete - block outside of ARIN region
    112.0.0.0/8  # do not delete - block outside of ARIN region
    113.0.0.0/8  # do not delete - block outside of ARIN region
    114.0.0.0/8  # do not delete - block outside of ARIN region
    115.0.0.0/8  # do not delete - block outside of ARIN region
    116.0.0.0/8  # do not delete - block outside of ARIN region
    117.0.0.0/8  # do not delete - block outside of ARIN region
    118.0.0.0/8  # do not delete - block outside of ARIN region
    119.0.0.0/8  # do not delete - block outside of ARIN region
    120.0.0.0/8  # do not delete - block outside of ARIN region
    121.0.0.0/8  # do not delete - block outside of ARIN region
    122.0.0.0/8  # do not delete - block outside of ARIN region
    123.0.0.0/8  # do not delete - block outside of ARIN region
    124.0.0.0/8  # do not delete - block outside of ARIN region
    125.0.0.0/8  # do not delete - block outside of ARIN region
    126.0.0.0/8  # do not delete - block outside of ARIN region
    133.0.0.0/8  # do not delete - block outside of ARIN region
    141.0.0.0/8  # do not delete - block outside of ARIN region
    145.0.0.0/8  # do not delete - block outside of ARIN region
    150.0.0.0/8  # do not delete - block outside of ARIN region
    151.0.0.0/8  # do not delete - block outside of ARIN region
    153.0.0.0/8  # do not delete - block outside of ARIN region
    154.0.0.0/8  # do not delete - block outside of ARIN region
    163.0.0.0/8  # do not delete - block outside of ARIN region
    171.0.0.0/8  # do not delete - block outside of ARIN region
    175.0.0.0/8  # do not delete - block outside of ARIN region
    176.0.0.0/8  # do not delete - block outside of ARIN region
    177.0.0.0/8  # do not delete - block outside of ARIN region
    178.0.0.0/8  # do not delete - block outside of ARIN region
    179.0.0.0/8  # do not delete - block outside of ARIN region
    180.0.0.0/8  # do not delete - block outside of ARIN region
    181.0.0.0/8  # do not delete - block outside of ARIN region
    182.0.0.0/8  # do not delete - block outside of ARIN region
    183.0.0.0/8  # do not delete - block outside of ARIN region
    185.0.0.0/8  # do not delete - block outside of ARIN region
    186.0.0.0/8  # do not delete - block outside of ARIN region
    187.0.0.0/8  # do not delete - block outside of ARIN region
    188.0.0.0/8  # do not delete - block outside of ARIN region
    189.0.0.0/8  # do not delete - block outside of ARIN region
    190.0.0.0/8  # do not delete - block outside of ARIN region
    191.0.0.0/8  # do not delete - block outside of ARIN region
    193.0.0.0/8  # do not delete - block outside of ARIN region
    194.0.0.0/8  # do not delete - block outside of ARIN region
    195.0.0.0/8  # do not delete - block outside of ARIN region
    196.0.0.0/8  # do not delete - block outside of ARIN region
    197.0.0.0/8  # do not delete - block outside of ARIN region
    200.0.0.0/8  # do not delete - block outside of ARIN region
    201.0.0.0/8  # do not delete - block outside of ARIN region
    202.0.0.0/8  # do not delete - block outside of ARIN region
    203.0.0.0/8  # do not delete - block outside of ARIN region
    210.0.0.0/8  # do not delete - block outside of ARIN region
    211.0.0.0/8  # do not delete - block outside of ARIN region
    212.0.0.0/8  # do not delete - block outside of ARIN region
    213.0.0.0/8  # do not delete - block outside of ARIN region
    217.0.0.0/8  # do not delete - block outside of ARIN region
    218.0.0.0/8  # do not delete - block outside of ARIN region
    219.0.0.0/8  # do not delete - block outside of ARIN region
    220.0.0.0/8  # do not delete - block outside of ARIN region
    221.0.0.0/8  # do not delete - block outside of ARIN region
    222.0.0.0/8  # do not delete - block outside of ARIN region
    223.0.0.0/8  # do not delete - block outside of ARIN region
     
  12. Skyview

    Skyview Member

    Thanks Jonathan. I think that was it as I reapplied the changes and did not receive any errors upon restarting csf+lfd this time.
     
  13. Dan

    Dan Moderator

    Hey there everyone,

    If I'm not mistaken the csf.deny will only allow up to 100 IP numbers/lines unless you change the limit "DENY_IP_LIMIT". This list is 110 lines long so I'd guess you're actually losing the top 10. Yeah, comparing @Skyview's list to @KH-Jonathan's, that is the case, as @Skyview's starts with 39.0.0.0.
     
  14. KH-Paul

    KH-Paul CTO Staff Member

    The "do not remove" part of the comment field bypasses the DENY_IP_LIMIT and also stops auto-cleanup of these entries.
     
  15. Dan

    Dan Moderator

    Well that's handy!

    However, doesn't this mean that no new addresses can be added? Skyview may not notice them but I had 4 US IP addresses blocked yesterday alone.

    Don't CIDR addresses get 'exploded' into the full list when being entered into iptables? Pretty sure I ran across that at one point too in which case you may see a lot of load with a list like this.
     
  16. KH-Paul

    KH-Paul CTO Staff Member

    Entries marked with the "do not delete" comment are ignored in the ipcount; here is a copy & paste of the csf.pl code that counts the number of deny file entries:

    Code:
      my $ipcount;
      my @denyips;
      foreach my $line (@deny) {
          $line =~ s/$cleanreg//g;                # $cleanreg strips line endings and surrounding whitespace
          if ($line =~ /^(\#|\n)/) {next}         # comment or blank line: not an entry
          if ($line =~ /do not delete/i) {next}   # exempt from DENY_IP_LIMIT (case-insensitive match)
          if ($line =~ /^Include/i) {next}        # Include directives are not entries either
          my ($ipd,$commentd) = split (/\s/,$line,2);  # address/CIDR, then the comment
          $ipcount++;
          push @denyips,$line;
      }
    
     
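    The three things this thread tripped over (zero-padded octets that iptables rejects, the DENY_IP_LIMIT count with "do not delete" lines exempted, and whether a given address is actually covered by the deny list) can be checked before restarting csf. The script below is an added example, not code from the thread or from ConfigServer: it reproduces the counting rules of the csf.pl loop quoted above in Python rather than calling csf, and the csf.deny excerpt it reads is constructed, with RFC 5737 documentation addresses standing in for real attackers and the DENY_IP_LIMIT value taken as an assumed parameter rather than read from csf.conf.

```python
import ipaddress
import re

# Constructed csf.deny excerpt (not the thread's attachment): the header
# comment, one correct region block, one entry with the zero-padded first
# octet that made iptables fail in this thread, and two lfd-style entries.
SAMPLE_CSF_DENY = """\
# See readme.txt for more information regarding advanced port filtering
#
39.0.0.0/8  # do not delete - block outside of ARIN region
049.0.0.0/8  # do not delete - block outside of ARIN region
203.0.113.7 # lfd: (ftpd) Failed FTP login from 203.0.113.7 (XX/-): 10 in the last 3600 secs
198.51.100.22 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.22 (XX/-): 5 in the last 3600 secs
"""

# An octet that starts with '0' followed by another digit ('049', '01').
# iptables v1.4.7 treats '049.0.0.0' as a hostname and fails to resolve it.
ZERO_PADDED_OCTET = re.compile(r"(?:^|\.)0\d")


def parse_csf_deny(text):
    """Return (counted, exempt, bad) for a csf.deny file.

    counted: networks csf.pl includes in its DENY_IP_LIMIT total
    exempt:  'do not delete' networks, which csf.pl skips when counting
    bad:     raw entries iptables would reject (zero-padded or unparseable)
    Comment lines, blank lines and Include lines are skipped, as in csf.pl;
    the entry is everything before the first whitespace, as in csf.pl's split.
    """
    counted, exempt, bad = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("include"):
            continue
        entry = line.split(None, 1)[0]
        if ZERO_PADDED_OCTET.search(entry.split("/")[0]):
            bad.append(entry)
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
            continue
        if "do not delete" in line.lower():
            exempt.append(net)
        else:
            counted.append(net)
    return counted, exempt, bad


def over_limit(counted, deny_ip_limit=100):
    """True when the counted entries exceed DENY_IP_LIMIT (assumed 100 here,
    the value Dan quotes in the thread; read the real one from csf.conf)."""
    return len(counted) > deny_ip_limit


def blocked_by(ip, *entry_lists):
    """Every deny entry (as 'a.b.c.d/len') that covers the given address."""
    addr = ipaddress.ip_address(ip)
    return [net.with_prefixlen for nets in entry_lists for net in nets if addr in net]


if __name__ == "__main__":
    counted, exempt, bad = parse_csf_deny(SAMPLE_CSF_DENY)
    print(f"counted={len(counted)} exempt={len(exempt)} over_limit={over_limit(counted)}")
    for entry in bad:
        print(f"iptables will reject: {entry}")
    print("39.1.1.1 blocked by:", blocked_by("39.1.1.1", counted, exempt))
```

    On the sample, 049.0.0.0/8 is reported as an entry iptables will reject, the two lfd entries count toward the limit while the region block does not, and the lookup shows that 39.1.1.1 is covered by the /8 but 49.1.1.1 is not (because its entry never loaded). The same lookup, run on the real csf.deny with the address a client connects from, is the quickest way to tell whether a connection problem is caused by this list.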
  17. Skyview

    Skyview Member

    Good to know on both counts. Thanks!
     
  18. Dion

    Dion Member

    Personal opinion here, but if you're having problems with FTP login attempts, perhaps you should change the FTP port from 21 to something else. It's easy to do if you're using Pure-FTPD and cPanel/WHM...change the bind port in /var/cpanel/conf/pureftpd/main, delete the /var/cpanel/conf/pureftpd/main.cache file, go to WHM FTP Server Configuration and click Save, then make a couple simple changes in CSF to allow the new port and to remove port 21.

    Note that this will force all users with FTP access to your site to change the port in their FTP client program (FileZilla, etc) to the new port you selected.
     
  19. Chris.M

    Chris.M Member

    Skyview, I'd be very interested in knowing how those blocks are working out for you. Have you noticed a significant decrease in the brute force attempts you were experiencing?
     
  20. Skyview

    Skyview Member

    After fixing the leading zeros issue noted above they have stopped. That day I initially got two more brief attacks from US based IPs and then it's been completely silent since then. However, I'm wondering if an issue reported by some of my forum users could be related to this change.

    Jonathan or Paul,

    Do you know if implementing this change would affect access to a site via mobile devices (not using Wi-Fi but via cellular)? It's very odd, and I thought originally it was due to a bug in a very recent update to the Tapatalk client app, but it also is exhibiting the behavior just going in via a browser on the phone. When trying to access the forum, users (and I have replicated this behavior) can't connect via their cell/4G connection, but if they are at home or within range of a Wi-Fi and connect via that network, they can get in just fine. I replicated this at home myself. On my home Wi-Fi it works fine on the phone; switch it off so I am on Verizon's 4G and it does not work. I have no idea how cell/mobile devices on cellular networks get assigned IPs, but I would think it wouldn't be something outside of ARIN control. Any thoughts?
     