ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Suddenly hit from lots of different places today.

    Scheduled Pinned Locked Moved IT Discussion
    securityhackbrute forceattack
    34 Posts 10 Posters 5.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • travisdh1T
      travisdh1 @RojoLoco
      last edited by

      @RojoLoco said in Suddenly hit from lots of different places today.:

      In Soviet Russia, IP address blocks you!

      How'd you know it's the Russians?

      travisdh1T RojoLocoR 2 Replies Last reply Reply Quote 0
      • travisdh1T
        travisdh1 @travisdh1
        last edited by

        @travisdh1 said in Suddenly hit from lots of different places today.:

        @RojoLoco said in Suddenly hit from lots of different places today.:

        In Soviet Russia, IP address blocks you!

        How'd you know it's the Russians?

        Who just happened to start at 8:21AM EST...... cluestick anybody?

        1 Reply Last reply Reply Quote 0
        • AmbarishrhA
          Ambarishrh
          last edited by Ambarishrh

          We use ConfigServer Firewall/ CSF on all our servers (CentOS7 now, previously was on CentOS6)

          Its a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. It is based on IP tables and very well block a decent level of attacks. Our CSF logs regularly blocks (first temporarily for some time and then if attack/invalid connection attempt continues then permenant block) and we get notified.

          Few details from an email i received today! 🙂

          109.111.112.178 (AD/Andorra/mx2.andorsoft.ad) blocked for port scanning
          Time: Wed Nov 9 20:56:53 2016 +0400
          IP: 109.111.112.178 (AD/Andorra/mx2.andorsoft.ad)
          Hits: 11
          Blocked: Temporary Block

          22.117.160.65 (TW/Taiwan/122-117-160-65.HINET-IP.hinet.net) blocked for port scanning
          Time: Wed Nov 9 18:53:12 2016 +0400
          IP: 122.117.160.65 (TW/Taiwan/122-117-160-65.HINET-IP.hinet.net)
          Hits: 11
          Blocked: Permanent Block

          CSF has also option to block the entire country, however they warn that using country-level filtering will negatively impact performance and you will notice slower response times on your websites. This is due to the sheer size of the CIDR range lists (the list for the U.S. is 621K in plain text and contains more than 37,000 entries) and the fact that the firewall must check each incoming IP address against the chosen list(s).

          Another feature i really like is the option to perform a basic security, stability and settings. A sample screenshot of a server check. Green ones are ok the the pink ones to be fixed.

          XyqiBmx.png

          On the latest version it even has an option to send scheduled reports on this security check as new versions could have more checks.

          travisdh1T 1 Reply Last reply Reply Quote 0
          • RojoLocoR
            RojoLoco @travisdh1
            last edited by

            @travisdh1 said in Suddenly hit from lots of different places today.:

            @RojoLoco said in Suddenly hit from lots of different places today.:

            In Soviet Russia, IP address blocks you!

            How'd you know it's the Russians?

            Because you said

            @travisdh1 said in Suddenly hit from lots of different places today.:

            8:45AM 31.8.66.206 User:demo
            8:45AM 46.33.250.164 User:demo

            Looking like Ukraine and Russia for the most part.

            Plus that joke wouldn't work if the attackers were in Alsace-Lorraine or Burkina Faso.

            1 Reply Last reply Reply Quote 1
            • travisdh1T
              travisdh1 @Ambarishrh
              last edited by

              @Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

              AmbarishrhA 1 Reply Last reply Reply Quote 0
              • dafyreD
                dafyre
                last edited by

                I'd just K-Line the whole /16 subnet and be done with it and see if that slows it down.

                MattSpellerM travisdh1T 2 Replies Last reply Reply Quote 1
                • MattSpellerM
                  MattSpeller @dafyre
                  last edited by

                  @dafyre said in Suddenly hit from lots of different places today.:

                  I'd just K-Line

                  I suspect that you may be unaware of the meaning that phrase has elsewhere lol

                  dafyreD 1 Reply Last reply Reply Quote 1
                  • dafyreD
                    dafyre @MattSpeller
                    last edited by

                    @MattSpeller said in Suddenly hit from lots of different places today.:

                    @dafyre said in Suddenly hit from lots of different places today.:

                    I'd just K-Line

                    I suspect that you may be unaware of the meaning that phrase has elsewhere lol

                    Wow. That's just sad. Guess I'll be expecting a visit from the FBI or NSA in a bit.

                    K-LINE is an old school IRC terminology. Was helping my old man with his IRC server today, lol.

                    K-LINE = block it forever... (on a Linux box, just use iptables, it's far, far easier).

                    1 Reply Last reply Reply Quote 2
                    • travisdh1T
                      travisdh1 @dafyre
                      last edited by

                      @dafyre said in Suddenly hit from lots of different places today.:

                      I'd just K-Line the whole /16 subnet and be done with it and see if that slows it down.

                      That's what I've been doing with cphulk. The number of different systems being used is a little crazy. At this point I'm just wondering if I'll ever be able to prove anything, even tho I'm almost certain it's a government agency behind it.

                      Example of cPHulk email:
                      alt text

                      Block the IANA Netblock and call it done.

                      1 Reply Last reply Reply Quote 1
                      • AmbarishrhA
                        Ambarishrh @travisdh1
                        last edited by

                        @travisdh1 said in Suddenly hit from lots of different places today.:

                        @Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

                        cPHulk uses a MySQL database that does not use iptables in the manner CSF is using. It is more intensive to block using cPHulk due to the fact it blocks based on logging authentications to a MySQL database and then determining actions based on it. It is actually more streamlined and easier to manage CSF / LFD due to it dealing directly with iptables via flat files.

                        travisdh1T 1 Reply Last reply Reply Quote 1
                        • travisdh1T
                          travisdh1 @Ambarishrh
                          last edited by

                          @Ambarishrh said in Suddenly hit from lots of different places today.:

                          @travisdh1 said in Suddenly hit from lots of different places today.:

                          @Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

                          cPHulk uses a MySQL database that does not use iptables in the manner CSF is using. It is more intensive to block using cPHulk due to the fact it blocks based on logging authentications to a MySQL database and then determining actions based on it. It is actually more streamlined and easier to manage CSF / LFD due to it dealing directly with iptables via flat files.

                          I grep that. I have been keeping an eye on performance, and we haven't seen any detrimental effects yet (the memory cache for the mysql instance is ~2x the db size currently.)

                          1 Reply Last reply Reply Quote 0
                          • travisdh1T
                            travisdh1
                            last edited by

                            For those interested in such things

                            0_1478721557353_upload-b18683f9-ac76-4b8a-ae2b-197d3b5dc645

                            1 Reply Last reply Reply Quote 0
                            • dafyreD
                              dafyre
                              last edited by

                              Are the attacks still ongoing today?

                              1 Reply Last reply Reply Quote 1
                              • travisdh1T
                                travisdh1
                                last edited by

                                Got this knocked down to one every half hour instead of once every five minutes by 5PM yesterday, and the last notification I got was at 6:02AM this morning, hopefully we're done with these..... silly.... people.

                                Some (hopefully) final numbers for you all.
                                0_1478785140922_upload-ffd74363-5686-46cf-a8cd-5d191f664664

                                0_1478785277894_upload-54aa2098-f090-4457-bd11-729adec288ea

                                They never even tried a valid user in addition to trying this on a service that responds as being active but then rejects all login attempts. Silly, silly people.

                                PS - I hope all the mods appreciate my self-moderation here 😉

                                dafyreD 1 Reply Last reply Reply Quote 2
                                • dafyreD
                                  dafyre @travisdh1
                                  last edited by

                                  @travisdh1 I'm totally shocked... not a single hit for root as the login name!

                                  travisdh1T 1 Reply Last reply Reply Quote 2
                                  • travisdh1T
                                    travisdh1 @dafyre
                                    last edited by travisdh1

                                    @dafyre said in Suddenly hit from lots of different places today.:

                                    @travisdh1 I'm totally shocked... not a single hit for root as the login name!

                                    I know right 😕

                                    When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

                                    Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

                                    stacksofplatesS 1 Reply Last reply Reply Quote 2
                                    • stacksofplatesS
                                      stacksofplates @travisdh1
                                      last edited by

                                      @travisdh1 said in Suddenly hit from lots of different places today.:

                                      @dafyre said in Suddenly hit from lots of different places today.:

                                      @travisdh1 I'm totally shocked... not a single hit for root as the login name!

                                      I know right 😕

                                      When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

                                      Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

                                      Ha we can't log in with root at all over SSH.

                                      travisdh1T 1 Reply Last reply Reply Quote 0
                                      • travisdh1T
                                        travisdh1 @stacksofplates
                                        last edited by

                                        @stacksofplates said in Suddenly hit from lots of different places today.:

                                        @travisdh1 said in Suddenly hit from lots of different places today.:

                                        @dafyre said in Suddenly hit from lots of different places today.:

                                        @travisdh1 I'm totally shocked... not a single hit for root as the login name!

                                        I know right 😕

                                        When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

                                        Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

                                        Ha we can't log in with root at all over SSH.

                                        While it's very tempting to do just that, the only user the system started with was root. If I have to burn it all down, I need some way to access the thing.

                                        stacksofplatesS 1 Reply Last reply Reply Quote 0
                                        • stacksofplatesS
                                          stacksofplates @travisdh1
                                          last edited by

                                          @travisdh1 said in Suddenly hit from lots of different places today.:

                                          @stacksofplates said in Suddenly hit from lots of different places today.:

                                          @travisdh1 said in Suddenly hit from lots of different places today.:

                                          @dafyre said in Suddenly hit from lots of different places today.:

                                          @travisdh1 I'm totally shocked... not a single hit for root as the login name!

                                          I know right 😕

                                          When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

                                          Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

                                          Ha we can't log in with root at all over SSH.

                                          While it's very tempting to do just that, the only user the system started with was root. If I have to burn it all down, I need some way to access the thing.

                                          Ah ic. Do you not have console access?

                                          travisdh1T 1 Reply Last reply Reply Quote 0
                                          • travisdh1T
                                            travisdh1 @stacksofplates
                                            last edited by

                                            @stacksofplates said in Suddenly hit from lots of different places today.:

                                            @travisdh1 said in Suddenly hit from lots of different places today.:

                                            @stacksofplates said in Suddenly hit from lots of different places today.:

                                            @travisdh1 said in Suddenly hit from lots of different places today.:

                                            @dafyre said in Suddenly hit from lots of different places today.:

                                            @travisdh1 I'm totally shocked... not a single hit for root as the login name!

                                            I know right 😕

                                            When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

                                            Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

                                            Ha we can't log in with root at all over SSH.

                                            While it's very tempting to do just that, the only user the system started with was root. If I have to burn it all down, I need some way to access the thing.

                                            Ah ic. Do you not have console access?

                                            I do, but the only user on the system was created after the OS/cPanel was installed. So if I have to nuke it from orbit, I kinda need that access.

                                            1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 2 / 2
                                            • First post
                                              Last post