Daily Brute-Force Attack using DirectAdmin Hosting Panel!

[alex456]

Hello Everyone.

I google everywhere and this was the only place where i could place my query to get it resolved so here i am with bruteforce problem.

This is a 3rd day using DA and i am getting these kind of bruteforce attack on my server.

Please see these screenshots.

and

As you can see that they are trying to login 1000+ times with their bruteforce attack method.

I want to put a limitation that their IP will get blocked after certain time of failed login attempt like after 5 or 10 failed login attempt.

I contacted my webhost support and they showed me this URL to fight for this kind of attack.

http://help.directadmin.com/item.php?id=404

and after reading it, i changed my settings like this.

But i am still seeing over 1000 failed login attempt every day.

Please Help me to get this thing resolve. This is a best panel i have ever used and i don't want my server to get hacked by some BS Bruteforce attackers.

 

[alex456]

I am using DirectAdmin 1.42.0 and CentOS 6.

 

[Petertjuh360]

Install CSF and change your SSH port.

 

[alex456]

Thank You

I followed this guide and successfully installed CSF.

Now when i logged into my DA i see an extra option called ConfigServer Security & Firewall.

And inside this. i see this.

I don't know how to change SSH port.

Please Help me. I want to get this done. I am daily receiving more than 5 messages of bruteforce attack. I want to put a limit on this.

 

[SeLLeRoNe]

You can change ssh server port in /etc/sshd/sshd_config

Be sure to open the port you select in CSF Firewall, and, disable TEST_MODE or CSF will not be active.

Regards

 

[Anton]

Also disable root login in ssh. And use su command in ssh

 

[alex456]

Hi SeLLeRoNe,

I entered putty and i changed my port and now in Edit ConfigServer Firewall Screen on DA.
Please tell me where to disable Testmode and put my own port? I am stuck here.

Thank You in advance

 

[SeLLeRoNe]

Change TCP IN and TCP OUT, remove port 22 and put there your new port.

Set TESTING to 0

Regads

 

[alex456]

Hi SeLLeRoNe,

I just did what you guided me and bingo I can't access my server via 22 anymore.

Thank You so much mate for helping me out.

One more thing i wanna know there are other ports like (20,21,22,25,53,80,110,143,443,465,587,993,995,2222) in TCP_IN and TCP_OUT field. should i leave them as it is or i can remove them and only place my SSH port there?

Now i am going ahead to disable root login what Anton had suggested.

 

[SeLLeRoNe]

So, you didnt change your ssh server, or you didnt restart sshd server once you changed the port.

Dont remove the port... there should be standard useful port for a server (web mail directadmin ftp ssh).

So, for log back on 22, re enable it.. be sure to change ssh server password and reboot ssh server before remove/change port 22.

Regards

 

[alex456]

Yes i changed the ssh port now and now i am following this guide here to give root access to a new user and disable root login access :

http://kb.mediatemple.net/questions/713/How+do+I+disable+SSH+login+for+the+root+user%3F#dv

I am stuck at step 3 where it says

3. SSH to the server with the new admin user and ensure that the login works.

I created a user and now i am unable to ssh to my new user.

When i am trying to execute this command.

[root@root ~]#ssh [email protected]

I am getting this error

ssh: connect to host myserver ip port 22: Connection refused

Please Help.

 

[Tootle]

You have to enter the port number as a parameter

[root@root ~]#ssh [email protected] -p 3623

instead 3623 put your new/changed ssh port number.

Without the -p parameter it will be trying to connect on default port number 22.

I believe you made sure you opened your new ssh port in csf/iptables in the first place and every time you made changes to sshd_config you have to restart 'sshd' service.

 

[alex456]

Hi,

Yes i tried everything you guys guided me and now my root login is disabled along with a default port 22 and now i am using SU to enter to my root with new assigned port. But after disabling root login, I am still getting bruteforce attack messages on my DA.

Is this normal? How come anyone can try to bruteforce root login when i have already disabled it and i checked it myself with root login it is showing access denied.

Please Help.

Thank You

 

[SeLLeRoNe]

Cause they dont know.. they should put root user and correct password and still have Access Denied error. That's normal.

Regards

 

[alex456]

Thank You SeLLeRoNe and everyone,

Without your support, I was so confused and stressed. Now i am all set.

Gotta loving DA now. Been with Kloxo, Webmin and Cpanel for more than 3 years and i finally found my best Hosting Panel DirectAdmin.