Large Number of Failed Login Attempts

Skyview

Member
I normally get 3 to 4 of these emails a day. The last couple of days however, I have seen a huge uptick in my server being bombarded with these. Anyone else dealing with this or is it just me? They say they are from all over the globe, but my guess is they are originating from the same place and are going through proxy servers, etc. as I imagine most of these types of attacks do.

I wish there was a reasonable way to just block all IP's outside of the US. I know that in and of itself wouldn't prevent it, but rarely do I see US IP's in these. Is blocking like this feasible or would it create a deny file that is incredibly huge? It would be good if it worked like my router, where I could just specify an allow range and deny all others.
 
I can't say that I've seen an increase in tickets about this or anything. It's quite possible a few bots have just discovered you and are targeting you. I'd imagine they'll figure out they can't get in and move on - that's usually how it goes.

As long as you keep secure passwords just disregard the emails. The fact that you see the emails will make you worry about it but this isn't necessary. The server will continue doing it's job, blocking these IPs as they come, and if your passwords are strong they'll never get in.

Unfortunately there's not a good way to block all non-US IPs in a way that doesn't create tons of iptables rules with tons of overhead (and on VPSs will exceed the maximum number of allowed rules thus preventing CSF from starting up).
 
Jonathan,

Thanks for the explanation. No, I wasn't particularly alarmed or worried, as I am used to getting these as I said 3 or 4 a day every day. It's just this one seems particularly focused on one FTP account for one site and is still going on as of the last email I got at 1:55pm today. The ironic thing is there is no FTP account for the user name in question, so it is impossible for there to be a successful attempt using that name.

I was afraid that would be the case with the IP blocking. Why can't they make it easier. So easy with my router, just block all except what's in my allow list :)
 
It is hard to block everything but US however it is much easier to do this with registry service area. If blocking everything but ARIN region is acceptable for you then this could be done with just 110 deny rules - one deny rule for very /8 that is not allocated to ARIN and is not reserved. Here is a link to the document which shows how IPs are allocated to different registries: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml and here is a link to the list of countries within ARIN region: https://www.arin.net/knowledge/rirs/ARINcountries.html . There is, of course, always a chance that some organization might obtain IP space from one region's registry and use it in another region so you might end up blocking more than anticipated.
 
Paul,

Thanks for the info. Blocking all but within ARIN would be fine. If 110 deny rules would work OK with my VPS, would KH be able to assist with setting something like that up. I'm a little out of my element with this. I know nothing is full proof but this looks like a viable alternative. Thanks.
 
This won't be that hard to complete - just go to WHM -> Plugins -> ConfigServer Security & Firewall, click on the "Firewall Deny IPs" button and copy&paste content of the attached .txt file right after these lines:

# See readme.txt for more information regarding advanced port filtering
#


then click "Change" at the bottom of the screen and click on the "Restart csf+lfd" button on the next screen. That's it :) Please feel free to open a support ticket and link to this thread if you need any help with this.
 

Attachments

  • non-arin-IP-blocks.txt
    6.6 KB · Views: 895
Skyview, you're not alone. I have noticed a significant number of failed attempts lately, particularly within the last week or so. Their intent is nasty, but they're interesting to analyze. I've set incredibly low thresholds for brute force attempts, so they don't stand much of a chance to begin with. In numbers, they've been numerous, though.

Many of the attempts seem to hit all of my servers simultaneously. I can only assume they're auto-targeting random IP ranges and hoping for the best. Or perhaps the increase is partially related to current geopolitical events. You never know - as long as they're being stopped in their tracks and handled properly, all is well. (And the usernames used are amusing. "apple," "jack," and "ohno!" haven't had much luck logging into smtp lately.)

Paul, thanks for the handy advice.
 
Me too...

But mine are not the "Large number of Attempts", it's the "blocked with too many connections", always receive 3-5 every day, but today i have received at less 30, only temporary blocks, so maybe the keep trying, until they get the permanent block.

But well, my root password (according to whm) it's 100/100 so, should be safe... i hope :p
 
This won't be that hard to complete - just go to WHM -> Plugins -> ConfigServer Security & Firewall, click on the "Firewall Deny IPs" button and copy&paste content of the attached .txt file right after these lines:

# See readme.txt for more information regarding advanced port filtering
#


then click "Change" at the bottom of the screen and click on the "Restart csf+lfd" button on the next screen. That's it :) Please feel free to open a support ticket and link to this thread if you need any help with this.

Thanks Paul. That actually sounds really simple so I'm pretty sure I can handle that with your list of IP's. I really need to spend some time with CSF and Cpanel in general familiarizing myself with their full functionality. Hopefully this will eliminate at least the majority of attacks on my sites.

Chris/Jose, good to know I'm not the only one. It's hard to tell sometimes what are random bot type attacks vs. others but I'm hoping Paul's info. will help eliminate at least some of them.
 
Paul or Jonathan,

I followed the direction above and restarted CSF and LFD. This is the result I got so I'm not sure if it took properly or not. I already have quite a few (a hundred or more) entries that lfd had added, so I just added the entries from the text file at the top just below the line Paul mentioned.

Restarting csf...

iptables v1.4.7: host/network `039.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `039.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `049.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `049.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `058.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `058.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `059.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `059.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `078.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `078.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `079.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `079.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `080.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `080.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `081.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `081.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `082.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `082.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `083.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `083.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `084.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `084.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `085.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `085.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `086.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `086.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `087.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `087.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `088.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `088.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `089.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `089.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `090.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `090.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `091.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `091.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `092.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `092.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `093.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `093.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `094.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `094.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `095.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: host/network `095.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.

...Done.

Restarting lfd...

Stopping lfd:[ OK ]
[ OK ]
Starting lfd:[ OK ]

...Done.
 
@Skyview it looks like the leading zero's just need to be removed. Try this:

Code:
1.0.0.0/8  # do not delete - block outside of ARIN region
2.0.0.0/8  # do not delete - block outside of ARIN region
5.0.0.0/8  # do not delete - block outside of ARIN region
14.0.0.0/8  # do not delete - block outside of ARIN region
25.0.0.0/8  # do not delete - block outside of ARIN region
27.0.0.0/8  # do not delete - block outside of ARIN region
31.0.0.0/8  # do not delete - block outside of ARIN region
36.0.0.0/8  # do not delete - block outside of ARIN region
37.0.0.0/8  # do not delete - block outside of ARIN region
39.0.0.0/8  # do not delete - block outside of ARIN region
41.0.0.0/8  # do not delete - block outside of ARIN region
42.0.0.0/8  # do not delete - block outside of ARIN region
43.0.0.0/8  # do not delete - block outside of ARIN region
46.0.0.0/8  # do not delete - block outside of ARIN region
49.0.0.0/8  # do not delete - block outside of ARIN region
51.0.0.0/8  # do not delete - block outside of ARIN region
53.0.0.0/8  # do not delete - block outside of ARIN region
57.0.0.0/8  # do not delete - block outside of ARIN region
58.0.0.0/8  # do not delete - block outside of ARIN region
59.0.0.0/8  # do not delete - block outside of ARIN region
60.0.0.0/8  # do not delete - block outside of ARIN region
61.0.0.0/8  # do not delete - block outside of ARIN region
62.0.0.0/8  # do not delete - block outside of ARIN region
77.0.0.0/8  # do not delete - block outside of ARIN region
78.0.0.0/8  # do not delete - block outside of ARIN region
79.0.0.0/8  # do not delete - block outside of ARIN region
80.0.0.0/8  # do not delete - block outside of ARIN region
81.0.0.0/8  # do not delete - block outside of ARIN region
82.0.0.0/8  # do not delete - block outside of ARIN region
83.0.0.0/8  # do not delete - block outside of ARIN region
84.0.0.0/8  # do not delete - block outside of ARIN region
85.0.0.0/8  # do not delete - block outside of ARIN region
86.0.0.0/8  # do not delete - block outside of ARIN region
87.0.0.0/8  # do not delete - block outside of ARIN region
88.0.0.0/8  # do not delete - block outside of ARIN region
89.0.0.0/8  # do not delete - block outside of ARIN region
90.0.0.0/8  # do not delete - block outside of ARIN region
91.0.0.0/8  # do not delete - block outside of ARIN region
92.0.0.0/8  # do not delete - block outside of ARIN region
93.0.0.0/8  # do not delete - block outside of ARIN region
94.0.0.0/8  # do not delete - block outside of ARIN region
95.0.0.0/8  # do not delete - block outside of ARIN region
101.0.0.0/8  # do not delete - block outside of ARIN region
102.0.0.0/8  # do not delete - block outside of ARIN region
103.0.0.0/8  # do not delete - block outside of ARIN region
105.0.0.0/8  # do not delete - block outside of ARIN region
106.0.0.0/8  # do not delete - block outside of ARIN region
109.0.0.0/8  # do not delete - block outside of ARIN region
110.0.0.0/8  # do not delete - block outside of ARIN region
111.0.0.0/8  # do not delete - block outside of ARIN region
112.0.0.0/8  # do not delete - block outside of ARIN region
113.0.0.0/8  # do not delete - block outside of ARIN region
114.0.0.0/8  # do not delete - block outside of ARIN region
115.0.0.0/8  # do not delete - block outside of ARIN region
116.0.0.0/8  # do not delete - block outside of ARIN region
117.0.0.0/8  # do not delete - block outside of ARIN region
118.0.0.0/8  # do not delete - block outside of ARIN region
119.0.0.0/8  # do not delete - block outside of ARIN region
120.0.0.0/8  # do not delete - block outside of ARIN region
121.0.0.0/8  # do not delete - block outside of ARIN region
122.0.0.0/8  # do not delete - block outside of ARIN region
123.0.0.0/8  # do not delete - block outside of ARIN region
124.0.0.0/8  # do not delete - block outside of ARIN region
125.0.0.0/8  # do not delete - block outside of ARIN region
126.0.0.0/8  # do not delete - block outside of ARIN region
133.0.0.0/8  # do not delete - block outside of ARIN region
141.0.0.0/8  # do not delete - block outside of ARIN region
145.0.0.0/8  # do not delete - block outside of ARIN region
150.0.0.0/8  # do not delete - block outside of ARIN region
151.0.0.0/8  # do not delete - block outside of ARIN region
153.0.0.0/8  # do not delete - block outside of ARIN region
154.0.0.0/8  # do not delete - block outside of ARIN region
163.0.0.0/8  # do not delete - block outside of ARIN region
171.0.0.0/8  # do not delete - block outside of ARIN region
175.0.0.0/8  # do not delete - block outside of ARIN region
176.0.0.0/8  # do not delete - block outside of ARIN region
177.0.0.0/8  # do not delete - block outside of ARIN region
178.0.0.0/8  # do not delete - block outside of ARIN region
179.0.0.0/8  # do not delete - block outside of ARIN region
180.0.0.0/8  # do not delete - block outside of ARIN region
181.0.0.0/8  # do not delete - block outside of ARIN region
182.0.0.0/8  # do not delete - block outside of ARIN region
183.0.0.0/8  # do not delete - block outside of ARIN region
185.0.0.0/8  # do not delete - block outside of ARIN region
186.0.0.0/8  # do not delete - block outside of ARIN region
187.0.0.0/8  # do not delete - block outside of ARIN region
188.0.0.0/8  # do not delete - block outside of ARIN region
189.0.0.0/8  # do not delete - block outside of ARIN region
190.0.0.0/8  # do not delete - block outside of ARIN region
191.0.0.0/8  # do not delete - block outside of ARIN region
193.0.0.0/8  # do not delete - block outside of ARIN region
194.0.0.0/8  # do not delete - block outside of ARIN region
195.0.0.0/8  # do not delete - block outside of ARIN region
196.0.0.0/8  # do not delete - block outside of ARIN region
197.0.0.0/8  # do not delete - block outside of ARIN region
200.0.0.0/8  # do not delete - block outside of ARIN region
201.0.0.0/8  # do not delete - block outside of ARIN region
202.0.0.0/8  # do not delete - block outside of ARIN region
203.0.0.0/8  # do not delete - block outside of ARIN region
210.0.0.0/8  # do not delete - block outside of ARIN region
211.0.0.0/8  # do not delete - block outside of ARIN region
212.0.0.0/8  # do not delete - block outside of ARIN region
213.0.0.0/8  # do not delete - block outside of ARIN region
217.0.0.0/8  # do not delete - block outside of ARIN region
218.0.0.0/8  # do not delete - block outside of ARIN region
219.0.0.0/8  # do not delete - block outside of ARIN region
220.0.0.0/8  # do not delete - block outside of ARIN region
221.0.0.0/8  # do not delete - block outside of ARIN region
222.0.0.0/8  # do not delete - block outside of ARIN region
223.0.0.0/8  # do not delete - block outside of ARIN region
 
Thanks Jonathan. I think that was it as I reapplied the changes and did not receive any errors upon restarting csf+lfd this time.
 
Hey there everyone,

If I'm not mistaken the csf.deny will only limit up to 100 IP numbers/lines unless you change the limit "DENY_IP_LIMIT". This list is 110 lines long so I'd guess you're actually losing the top 10. Yeah, comparing @Skyview's list @KH-Jonathan's that is the case as @Skyview's starts with 39.0.0.0.
 
The "do not remove" part of the comment field bypasses the DENY_IP_LIMIT and also stops auto-cleanup of these entries.
 
Well that's handy!

However doesn't this mean that no new addresses can be added though? Skyview may not notice them but I had 4 US IP addresses blocked yesterday alone.

Don't CIDR addresses get 'exploded' into the full list when being entered into iptables? Pretty sure I ran across that at one point too in which case you may see a lot of load with a list like this.
 
Entries marked with the "do not delete" comment are ignored in the ipcount, here is a copy & paste of the csf.pl's code that counts number of deny file entries:

Code:
  my $ipcount;
  my @denyips;
  foreach my $line (@deny) {
  $line =~ s/$cleanreg//g;
  if ($line =~ /^(\#|\n)/) {next}
  if ($line =~ /do not delete/i) {next}
  if ($line =~ /^Include/i) {next}
  my ($ipd,$commentd) = split (/\s/,$line,2);
  $ipcount++;
  push @denyips,$line;
  }
 
Personal opinion here, but if you're having problems with FTP login attempts, perhaps you should change the FTP port from 21 to something else. It's easy to do if you're using Pure-FTPD and cPanel/WHM...change the bind port in /var/cpanel/conf/pureftpd/main, delete the /var/cpanel/conf/pureftpd/main.cache file, go to WHM FTP Server Configuration and click Save, then make a couple simple changes in CSF to allow the new port and to remove port 21.

Note that this will force all users with FTP access to your site to change the port in their FTP client program (FileZilla, etc) to the new port you selected.
 
Skyview, I'd be very interested in knowing how those blocks are working out for you. Have you noticed a significant decrease in the the brute force attempts you were experiencing?
 
Skyview, I'd be very interested in knowing how those blocks are working out for you. Have you noticed a significant decrease in the the brute force attempts you were experiencing?

After fixing the leading zero's issue noted above they have stopped. I initially that day got two more brief attacks from US based IP's and then it's been completely silent since then. However, I'm wondering if an issue reported by some of my forum users could be related to this change.

Jonathan or Paul,

Do you know if implementing this change would affect access to a site via mobile devices (not using wi fi but via cellular)? It's very odd, and I thought originally it was due to a bug in a very recent update to the Tapatalk client app, but it also is exhibiting the behavior just going in via a browser on the phone. When trying to access the forum, users (and I have replicated this behavior) can't connect via their cell/4G connection, but if they are at home or within range of a wi-fi and connect via that network, they can get in just fine. I replicated this at home myself. On my home wi-fi it works fine on the phone, switch it off so I am on Verizon's 4G and it does not work. I have no idea how cell/mobile devices on cellular networks get assigned IP's, but I would think it wouldn't be something outside of ARIN control. Any thoughts?
 
Top