Security Failed Login Attempts

Discussion in 'System Administration' started by BoostN, Jul 9, 2018.

  1. BoostN
    Normal? It seems like a lot...

    [attached screenshot: upload_2018-7-8_20-37-28.png]
  2. eva2000
    Pretty common on some web hosts. Centmin Mod CSF Firewall's Login Failure Daemon (LFD) blocks them all: CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS.

    The cminfo netstat command in Centmin Mod 123.09beta01 and newer can also provide login failure stats, outlined at Upgrade - Nginx - Redis - Insight Guide - cminfo command explained and Beta Branch - update cminfo command with netstat flag option.

    Code (Text):
    Top CSF Firewall Denied Distributed sshd Attacks:
    38  CN  China        -
    14  VN  Vietnam      static.vnpt.vn
    12  US  United       States          -
    12  KR  Republic     of              Korea  -
    6   ID  Indonesia    -
    5   VN  Vietnam      -
    5   IN  India        -
    4   RU  Russia       -
    3   NL  Netherlands  -
    2   SG  Singapore    -
    
    Top CSF Firewall Failed SSH Logins:
    45  CN  China        -
    15  KR  Republic     of      Korea                            -
    8   US  United       States  -
    4   VN  Vietnam      -
    4   NL  Netherlands  -
    3   RU  Russia       -
    3   IN  India        -
    2   HK  Hong         Kong    -
    2   DE  Germany      -
    1   ZA  South        Africa  169-1-195-180.ip.afrihost.co.za
    

    Code (Text):
    Last 24hrs Top CSF Firewall Denied Country Codes:
    8  CN
    6  US
    3  VN
    1  SG
    1  RU
    1  NL
    1  KR
    1  IT
    1  IN
    1  IL
    
    Last 24hrs Top CSF Firewall Denied Country Codes + Reverse Lookups:
    8  CN  China        -
    6  US  United       States                                             -
    3  VN  Vietnam      static.vnpt.vn
    1  SG  Singapore    -
    1  RU  Russia       -
    1  NL  Netherlands  -
    1  KR  Republic     of                                                 Korea  -
    1  IT  Italy        host1-109-static.3-79-b.business.telecomitalia.it
    1  IN  India        -
    1  IL  Israel       bzq-109-64-134-114.red.bezeqint.net
    
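As an added example that is not from the thread or from Centmin Mod's cminfo, here is a small POSIX shell script that builds the same kind of failed-login summary from sshd log lines; it assumes the standard OpenSSH "Failed password for ... from ... port ..." message format and runs over constructed sample lines.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): summarise failed sshd password logins
# from auth log text, in the spirit of cminfo's "Top CSF Firewall Failed SSH
# Logins" report. Assumes the standard OpenSSH "Failed password for ..." format.

# Constructed sample auth log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG='Jul  8 20:31:02 host sshd[1234]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jul  8 20:31:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Jul  8 20:31:09 host sshd[1236]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jul  8 20:32:11 host sshd[1240]: Accepted publickey for deploy from 192.0.2.5 port 53000 ssh2
Jul  8 20:33:40 host sshd[1241]: Failed password for root from 203.0.113.10 port 51300 ssh2'

# Keep only sshd password failures; successful key logins are ignored.
failed_lines() {
    grep 'sshd\[[0-9]*\]: Failed password for '
}

# "count ip" per source address, busiest first (reads log text on stdin).
failed_login_report() {
    failed_lines | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "count user" per attempted account, busiest first. Shows whether the
# attempts hammer root, which is why disabling root/password login matters.
failed_users_report() {
    failed_lines |
        sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses with at least $1 failures: the kind of threshold a login failure
# daemon such as LFD applies before blocking a source.
ips_over_threshold() {
    failed_login_report | awk -v n="$1" '$1 >= n { print $2 }'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_login_report
printf '%s\n' "$SAMPLE_LOG" | failed_users_report
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3
```

On a real CentOS host the same functions can be fed with `cat /var/log/secure | failed_login_report` to compare against what LFD is reporting.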
  3. BoostN
    Great stuff:

    I'll go through and take a look at that!
  4. Meirami
    If you have the default SSH port, I recommend changing it: centmin.sh menu option 16.
  5. eva2000
    Yup, can do that too. centmin.sh menu option 16 will prompt for the existing default sshd port number (you enter 22 on default systems) and then prompt for your desired new sshd port number. It then automatically adjusts the CSF Firewall and sshd port configurations for the new changes.
  6. deschlong
    Would you say it's also good to disable root login and only allow pubkey auth after the initial CMM install? (I remember the first/initial install needs to be done as root.)

    So we could install CMM and then harden SSH a bit? Or is it enough to change the port from menu option 16 and forget about it?
  7. eva2000
    Centmin Mod 123.09beta01 and higher supports a sudo user only after the initial install for centmin.sh. 123.08stable doesn't.

    Before you look into SSH key only (+ disabling password authentication), make sure your web host is set up with features that allow you to regain access to your server if you ever lose your SSH key pair's private key, and that you know how to use those features to regain access.

    If you don't know how to use those features, set up a test instance/VPS with that web host and test it out. If you're with a web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr, then it is relatively cheap to test out for a few hours on a test VPS.

    Here's an example text you can use to ask your web host to be sure

    There are numerous how-to-use-SSH-key-login guides online, but not many go beyond that to explain what to do if you lose your SSH private key and are unable to use password logins. And that can come down to your web host and what measures they have in place, i.e. out of band console access etc. and recovery ISO/CDs available.

    And some relevant guides from different web hosts about setting up SSH key authentication and also about recovery, as well as general need-to-know info.

    DigitalOcean: has out of band console access

    Linode: has out of band console access called Lish

    Vultr: has out of band console access

    OVH

    RamNode

    Others
  8. deschlong
    Asking a simple question and eva comes with tons of information and a detailed answer; that's why I simply can't go away from CentOS with CMM, even though I was a Debian guy :D

    What if eva is just an AI :confused:
  9. BoostN
    I'm glad you brought that up. This server is on Linode, so I think I'll actually disable password login just for security reasons!
  10. eva2000
    Sort of a habit from working in tech support for over a decade - the aim is to provide a solution/answer in the least number of replies :D :LOL:

    I'd double check and test on a test Linode first before doing it on production/live servers, just to make sure, i.e. disable password login on the test Linode and try using the Lish out of band console to get back in.
  11. eva2000
..