Am I under attack?

cap4a (Verified User, joined Nov 18, 2022, 27 messages)

[attachment: 1.png]


There are a lot of strange IP addresses that have been trying to log in to my DirectAdmin account.
Do I need to block these IPs?
How much can IP blocking be?
Please just me, thank you.
 
Your SSH is being hammered; normal behaviour for the default port:
1. Change your default SSH port.
2. Give only your fixed IP access to your SSH.
3. Disable password auth; use an SSH key.

DA login attempts will be placed on the blacklist automatically.
 
Looks like a distributed attack on your SSH port. You can block the IPs. Normally, if you use CSF/LFD, it will block them for you.
Ah, Active8 just wrote the answer to your question. I always use an SSH key.
 
If by accident my IP is changed, can I still log in to the DirectAdmin server?
Yes, because you must only limit your IP to the SSH port, not to the complete DirectAdmin server.
You can always access your DirectAdmin server via 2222 and then use the admin settings to change the sshd.conf file to temporarily enable passwords again.
Then you can log in via SSH and change the IP.

Sorry, little mistake: you must change the iptables then. I don't know if you can change that via the DA CSF/LFD interface.

For this reason I'd rather use SSH keys instead of limiting to an IP. With SSH keys you can always use the above trick to enable passwords again, and you don't have to worry about the IP changing.
 
Yep, SSH keys + disabled password login (if users don't need it), another SSH port (better use 4-5 digits; most parsers check ports 1-999).
 
Yes, DA already has a server IP.
I added my network PC IP and got the same error as above.
 
You added your home IP to the server interface as an additional server IP? It will not work; it can drop your network on the server.
If you still have access through SSH, log in and shut down this IP and remove it from the interface.
 
I had to reinstall DA.
I still don't know the item to add a fixed IP for DA when logging in (give only your fixed IP access).
Can anyone point it out to me?
Thank you.
 
By default all IPs can connect to your server, including the SSH port. The idea of limiting access to SSH on the server is as follows.

- You close port 22 with a firewall for all IPs.
- You add your IP as trusted to the firewall and allow connections to port 22 from your own IP.

This can be easily done with the help of CSF/LFD, which might be pre-installed. If you haven't installed it yet, then you should go and install it.

Thus you don't need to add/remove IPs from DirectAdmin on the IP management page. Instead you should work with the firewall on the CSF/LFD page.

If your home/office IP changes and you don't have a fixed one, then, as suggested by @Active8, you might think about starting to use a VPN. This way you will have a chance to have a fixed IP for your internet connection. Or you might purchase a fixed IP from your internet provider. A fixed IP will allow you to connect to your server from a known and trusted IP, which won't change during your internet sessions and/or after breaks.

And again, a fixed IP here is only about the IP from which you connect to the internet; this is not about DirectAdmin. Servers on the internet are supposed to have a fixed IP by default.

If your connection to the internet from PC, laptop or phone already has a fixed IP, then you might ignore the sections about VPN and go straight to the CSF/LFD page of your DirectAdmin and add it as allowed/trusted, and then remove SSH port 22 from the list of opened ports; it is TCP_IN in CSF settings.
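The steps in this answer (close port 22 in TCP_IN, keep only your own IP in the allow list, and, from the earlier replies, turn off password login in sshd) can be rehearsed offline before touching the live server. The script below is an added example, not code from this thread, from CSF or from DirectAdmin: it works on constructed copies of the files and only reads or rewrites those copies. The paths /etc/csf/csf.conf, /etc/csf/csf.allow and /etc/ssh/sshd_config are the real locations; the file contents, the "home" comment and the address 203.0.113.10 (a documentation address standing in for "your fixed IP") are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, CSF or DirectAdmin). Everything below
# runs on temporary copies; see the comments for what the live-server step is.
# Real paths: /etc/csf/csf.conf, /etc/csf/csf.allow, /etc/ssh/sshd_config.

# Constructed excerpt of csf.conf (CSF ships with 22 open in TCP_IN).
SAMPLE_CSF_CONF='TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"'

# Constructed excerpt of sshd_config; sshd honours the FIRST match of a directive.
SAMPLE_SSHD_CONFIG='Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes'

# Print the value of KEY in a csf.conf-style file (KEY = "value").
csf_get() { # $1 key, $2 file
  sed -n "s/^$1 *= *\"\(.*\)\"/\1/p" "$2"
}

# Print the comma-separated port list LIST without PORT (idempotent).
drop_port() { # $1 port, $2 list
  printf '%s\n' "$2" | tr ',' '\n' | grep -vx "$1" | tr '\n' ',' | sed 's/,$//'
}

# Succeed if LIST contains PORT.
has_port() { # $1 port, $2 list
  printf '%s\n' "$2" | tr ',' '\n' | grep -qx "$1"
}

# Rewrite TCP_IN in FILE without PORT, leaving every other line unchanged.
close_port_in_conf() { # $1 file, $2 port
  old=$(csf_get TCP_IN "$1")
  new=$(drop_port "$2" "$old")
  sed "s/^TCP_IN *= *\".*\"/TCP_IN = \"$new\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed if IP is listed in a csf.allow-style file ("ip # comment" per line).
is_allowed() { # $1 ip, $2 file
  awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$2"
}

# Print the effective value of an sshd directive (first uncommented match wins).
sshd_setting() { # $1 directive, $2 file
  grep -i "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 | awk '{ print $2 }'
}

# Walk through the answer's steps on temporary copies.
demo() {
  conf=$(mktemp); allow=$(mktemp); sshd=$(mktemp)
  printf '%s\n' "$SAMPLE_CSF_CONF" > "$conf"
  printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$sshd"
  # This is the line "csf -a 203.0.113.10 home" would add to csf.allow (constructed IP).
  printf '%s\n' "203.0.113.10 # home" > "$allow"

  close_port_in_conf "$conf" 22
  echo "TCP_IN now: $(csf_get TCP_IN "$conf")"
  is_allowed 203.0.113.10 "$allow" && echo "203.0.113.10 is in csf.allow"
  echo "PasswordAuthentication: $(sshd_setting PasswordAuthentication "$sshd")"
  rm -f "$conf" "$allow" "$sshd"
  # On the live server you would edit the real files and then run "csf -r" to reload.
}

demo
```

Run it as-is to see the rewritten TCP_IN line; point the functions at the real files only after checking the output, and keep your own IP in csf.allow before removing 22 from TCP_IN so you do not lock yourself out (the 2222 DirectAdmin port stays open in the sample).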
 
I have a case where the following IPs access my DA.
I don't understand why it happened after that.
Can you guys just say no, thanks.
84.54.120.82
72.81.132.89
62.84.120.139
34.76.158.233
222.120.180.206
94.131.132.139
 
I prevented the sshd5 login attack by disabling port 22.
Now the login attacks have changed to pure-ftpd1 and exim2.
What should I do? Please tell me, thank you.
 
You can configure your CSF more strictly, to block not after 10 attempts but after 3. You can also block a few countries or just use strong 10+ symbol passwords.
 
For FTP we blocked all access but 2 countries. Most people don't use FTP for daily routines, and when they do, they are always from the same country.
Exim is another story; there have been attacks for months here too.
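The two replies above describe tightening CSF per service (fewer failed logins before a block for sshd, pure-ftpd and exim) and limiting FTP to a couple of countries. The script below is an added example, not from the thread or from CSF: it reads a constructed csf.conf excerpt and reports which limits are looser than a chosen maximum, then prints a hardened copy. The key names are the ones csf.conf uses for these services (LF_SSHD, LF_FTPD, LF_SMTPAUTH); that a limit of 0 disables the check, and that CC_ALLOW_PORTS with CC_ALLOW_PORTS_TCP restricts listed ports to the listed country codes, is taken from csf.conf's own comments and assumed here. The sample values and the country codes "DE,NL" are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from CSF). Works on a constructed
# csf.conf excerpt; nothing here touches /etc/csf/csf.conf.

# Constructed excerpt: the three login-failure limits the thread mentions
# (0 = check disabled) and no country restriction on any port.
SAMPLE_CSF_CONF='LF_SSHD = "5"
LF_FTPD = "10"
LF_SMTPAUTH = "0"
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""'

# Print the value of KEY in a csf.conf-style file (KEY = "value").
csf_get() { # $1 key, $2 file
  sed -n "s/^$1 *= *\"\(.*\)\"/\1/p" "$2"
}

# Print KEY=value for each service whose limit is disabled (0) or above MAX.
weak_limits() { # $1 file, $2 max
  for key in LF_SSHD LF_FTPD LF_SMTPAUTH; do
    v=$(csf_get "$key" "$1")
    if [ "${v:-0}" -eq 0 ] || [ "$v" -gt "$2" ]; then
      printf '%s=%s\n' "$key" "${v:-unset}"
    fi
  done
}

# Succeed if TCP port 21 (FTP) is limited to at least one country code.
ftp_country_restricted() { # $1 file
  cc=$(csf_get CC_ALLOW_PORTS "$1")
  ports=$(csf_get CC_ALLOW_PORTS_TCP "$1")
  [ -n "$cc" ] && printf '%s\n' "$ports" | tr ',' '\n' | grep -qx 21
}

# Print a hardened copy of FILE: every listed limit set to MAX and FTP
# restricted to the given country codes (comma separated, e.g. "DE,NL").
harden() { # $1 file, $2 max, $3 country codes
  sed -E -e "s/^(LF_SSHD|LF_FTPD|LF_SMTPAUTH) *= *\".*\"/\1 = \"$2\"/" \
         -e "s/^CC_ALLOW_PORTS *= *\".*\"/CC_ALLOW_PORTS = \"$3\"/" \
         -e "s/^CC_ALLOW_PORTS_TCP *= *\".*\"/CC_ALLOW_PORTS_TCP = \"21\"/" "$1"
}

# Report on the sample, then show what the stricter configuration looks like.
demo() {
  c=$(mktemp); printf '%s\n' "$SAMPLE_CSF_CONF" > "$c"
  echo "limits looser than 3 attempts:"; weak_limits "$c" 3
  ftp_country_restricted "$c" || echo "FTP is reachable from every country"
  echo "--- hardened copy (review, apply to the real file, then csf -r) ---"
  harden "$c" 3 "DE,NL"
  rm -f "$c"
}

demo
```

The report for the sample lists all three services, because sshd allows 5 attempts, FTP 10, and the SMTP AUTH check is switched off entirely; the hardened copy brings each down to 3 and leaves port 21 open only to the two listed countries, which is the shape of the FTP restriction the reply describes.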
 
Really sorry for this inconvenience.
Can you show me in more detail?
Thanks very much.
 