Being Attacked!

MrMean · 01-06-2005, 06:47 AM

Hello, I am running a Cpanel server and get my daily reports (which orginally were ignored) so I decided to look at one which had 27 incorrect attempts of logging in via ssh. Every day is got a little higher, anyhow I got my email today which said 857 which is concerning. I was wondering what my options are to slow the attack down? I'm fairly good with linux, and know my box is relatively secure. I would just like to be able to sleep knowing it probably won't happen

fishfreek · 01-06-2005, 12:48 PM

Install a firewall that auto blocks IP's after X failed login attempts. Do a port inventory and make sure unused ports are blocked via the firewall.

Put attacking IP's in the /etc/hosts.deny file under the ALL: entry.

Join a mailing list like bugtraq so as your up to speed on the most recent exploits and patch/upgrade your software the instant a fix is available for discovered exploits.

MrMean · 01-07-2005, 08:24 AM

thanks for your quick reply

UKZJ007 · 01-13-2005, 10:23 AM

Hey Fish ... does v7inc host account cpanels block ips after a failed amount of times?

server-admin · 01-26-2005, 03:59 PM

Install this on your server

http://rfxnetworks.net/apf.php

or have them install their security package.

Make sure your /tmp directory is secure and chown wget for only the root user ... or better yet rename it to somthing like 328H65g2Edx to keep it from being used to hack your server.

Jonathan VanSchaack · 01-26-2005, 05:37 PM

do not install APF, it effects every aspect of the server

server-admin · 01-27-2005, 02:16 PM

thats kinda the point with a firewall, do you know of a better product ?

**T0d** · 01-27-2005, 04:32 PM

I suggest APF, and most everyone else does too... I don't know why he would NOT suggest it.