Large Number of Failed Login Attempts

Dion

Member
With IPv4 addresses in such short supply, ISPs have been buying them on the open market. Many of these are outside their home area. This has become a big business in Central/South America, where LACNIC ran out of IPv4 addresses a while ago. In the US, I believe T-Mobile (via its parent, Deutsche Telekom) is using a large block of IPv4 addresses that is assigned to RIPE.

I suspect this is the issue you are experiencing. It's also why I suggested changing the FTP port instead of using IP blocks.
 

Skyview

Member
With IPv4 addresses in such short supply, ISPs have been buying them on the open market. Many of these are outside their home area. This has become a big business in Central/South America, where LACNIC ran out of IPv4 addresses a while ago. In the US, I believe T-Mobile (via its parent, Deutsche Telekom) is using a large block of IPv4 addresses that is assigned to RIPE.

I suspect this is the issue you are experiencing. It's also why I suggested changing the FTP port instead of using IP blocks.
Interesting, but that approach would only solve a certain fraction or percentage of the issues, while the blocks take care of all of them. I know this thread was primarily about FTP attempts, but that is only partially the issue.
 

Dan

Moderator
The Configserver.com server is in Great Britain and these rules block it so you won't be able to get updates. I've never seen any IPs from GB blocked anyways so I just removed it from the list.
 

KH-Jonathan

Director of Managed Services
Staff member
The Configserver.com server is in Great Britain and these rules block it so you won't be able to get updates. I've never seen any IPs from GB blocked anyways so I just removed it from the list.
I've not seen all that much malicious traffic from GB either.
 

Skyview

Member
So I forgot about this as my attacks issue has been ~98% resolved with the blocks in place. To deal with CSF updates, I tried this:

1. Added 109.70.137.78 (configserver.com) to the allow and ignore files - it didn't work.
2. Added 109.70.137.73 (waytotheweb.com) to the allow and ignore files - it didn't work.
3. Added 194.245.148.200 (joker.com) to the allow and ignore files - it didn't work.

I restarted CSF/LFD each time but I still get this in the upgrade section:
Unable to connect to https://download.configserver.com, retry in 41 seconds. An Upgrade button will appear here if new version is detected

Any ideas why the above wouldn't allow CSF to update itself?
 

Skyview

Member
Sky

Try adding this:
Code:
81.174.246.139 # csf SSH installation/upgrade IP address
Thanks for trying to help. I added both the allow and ignore and restarted CSF/LFD and I still get the unable to connect message for some reason.
 

action

New Member
I also got failed login attempts about 5-9 times a day.
Since I'm using a very strong password, personally I just think that my website is getting more popular (think positive) and trust that WHM + ConfigServer will do their job.
 

phpAddict

Active Member
Just curious. Since the OP wanted to block access to all countries except the US, why not use the CC_ALLOW_FILTER under the Country Code Lists?
 

KH-RileyA

Technical Support Operator
Staff member
Just curious. Since the OP wanted to block access to all countries except the US, why not use the CC_ALLOW_FILTER under the Country Code Lists?
This is usually a bad idea for all but the smallest CC codes on a VPS. Per Jon's reply:

"Unfortunately there's not a good way to block all non-US IPs in a way that doesn't create tons of iptables rules with tons of overhead (and on VPSs will exceed the maximum number of allowed rules thus preventing CSF from starting up)."
 

Fred

Member
Someone once said "Don't worry about the failed login reports you get from your firewall. You need to worry when they stop!"
 

KH-RileyA

Technical Support Operator
Staff member
Nice. Yeah, I'd usually only alert for

'Subject: lfd on host.derfy.net: SSH login alert for user root from' emails
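The alert filter described in the last post, as an added example that is not part of any post in the thread: it pages only on SSH login alerts for root and tallies all other lfd mail. The subject prefix is the one quoted above; the `triage` function, the `known_admin_ips` allowlist, the assumption that an IPv4 address follows "from", and the sample subjects are constructed for illustration.

```python
import re
from collections import Counter

# Subject prefix as quoted in the thread. Assumption: lfd appends the source
# IPv4 address after "from", optionally followed by further text.
LOGIN_RE = re.compile(
    r"^Subject: lfd on (?P<host>\S+): SSH login alert for user "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def triage(subjects, page_users=("root",), known_admin_ips=()):
    """Return (alerts worth paging on, tally of everything else)."""
    page, tally = [], Counter()
    for line in subjects:
        m = LOGIN_RE.match(line.strip())
        if not m:
            # Block notices and any other lfd mail: count, do not page.
            tally["other lfd mail"] += 1
        elif m["user"] not in page_users:
            tally["login, non-paged user"] += 1
        elif m["ip"] in known_admin_ips:
            # Successful root login from an address the admin expects.
            tally["root login, known admin IP"] += 1
        else:
            page.append((m["host"], m["user"], m["ip"]))
    return page, tally

# Constructed sample subjects (documentation IP ranges, not real traffic).
SAMPLE = [
    "Subject: lfd on host.derfy.net: SSH login alert for user root from 203.0.113.45 (constructed)",
    "Subject: lfd on host.derfy.net: SSH login alert for user root from 192.0.2.10 (constructed)",
    "Subject: lfd on host.derfy.net: SSH login alert for user deploy from 198.51.100.7 (constructed)",
    "Subject: lfd on host.derfy.net: constructed failed-login block notice for 198.51.100.23",
    "Subject: lfd on host.derfy.net: constructed failed-login block notice for 198.51.100.24",
]

if __name__ == "__main__":
    page, tally = triage(SAMPLE, known_admin_ips={"192.0.2.10"})
    for host, user, ip in page:
        print(f"PAGE: {user} SSH login on {host} from {ip}")
    for kind, count in sorted(tally.items()):
        print(f"{count:3d}  {kind}")
```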
 