Hello all,
While this may not pertain to the actual directadmin software, everyone here is very knowledgeable and this is happening on a DA based server.
Anyway I've noticed in my /var/log/messages file that I'm seeing a lot of various brute-force attacks on SSH. Some of the lines look like this:
Mar 28 02:53:44 stargatesg1 sshd(pam_unix)[11749]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=manticore.eecs.harvard.edu user=root
Obviously I have my SSH set so that logging in via root is disabled and is only allowed under a secret/private account. So for the most part I'm safe, however I'd like to cut down on having this constant repeating attack eating away at bandwidth.
I figured I'd use my already in use IPtables to block a host/IP of that above person. Well considering I also use Webmin on the same server as DA, I logged into webmin, went to the Network -> Linux firewall module and set up a rule to reject all traffic from the above host.
However after I add a rule to block the TCP traffic from the host, I refresh my /var/log/messages file and see I'm still getting hammered with the attacks. Does anyone know what I should do to block this? I've seen firewalls before that are semi intelligent that will block repetitive behavior from a host if it thinks it's a DDoS attack.
Thoughts? Opinions?
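As an added example (not code from the thread or from DirectAdmin/Webmin), here is the "semi intelligent" behaviour the post asks about, written in Python: it parses the pam_unix "authentication failure" lines in the format quoted above, counts failures per rhost inside a sliding time window, and prints a drop rule for any host that crosses the threshold. The log lines are constructed for the example (only the first one is the line quoted in the post; 198.51.100.7 and 203.0.113.5 are documentation addresses), the threshold and window values are assumptions, and the rule is printed rather than executed. Note that rhost in these lines is whatever sshd handed to PAM, which is a reverse-DNS name when sshd resolves client addresses, so for the firewall rule the address itself should be used.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pam_unix "authentication failure" line format quoted in the post.
# Syslog timestamps carry no year, so strptime defaults to 1900; that is fine
# for comparing lines within one log that does not cross a year boundary.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure; "
    r".*?rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)

# Constructed sample log (only the first line is from the post).
SAMPLE_LOG = """\
Mar 28 02:53:44 stargatesg1 sshd(pam_unix)[11749]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=manticore.eecs.harvard.edu user=root
Mar 28 02:53:47 stargatesg1 sshd(pam_unix)[11751]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=manticore.eecs.harvard.edu user=root
Mar 28 02:53:51 stargatesg1 sshd(pam_unix)[11753]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=manticore.eecs.harvard.edu user=admin
Mar 28 02:54:02 stargatesg1 sshd(pam_unix)[11755]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=manticore.eecs.harvard.edu user=test
Mar 28 02:54:10 stargatesg1 sshd(pam_unix)[11757]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=manticore.eecs.harvard.edu user=root
Mar 28 02:55:30 stargatesg1 sshd[11760]: Accepted publickey for deploy from 203.0.113.5 port 51822 ssh2
Mar 28 03:10:01 stargatesg1 sshd(pam_unix)[11801]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
Mar 28 03:12:15 stargatesg1 sshd(pam_unix)[11803]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
Mar 28 03:30:00 stargatesg1 sshd(pam_unix)[11810]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost= user=root
"""


def parse_failures(log_text):
    """Return [(timestamp, rhost, user)] for every pam_unix auth-failure line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, unrelated sshd lines
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("rhost"), m.group("user")))
    return events


def offenders(log_text, threshold=5, window_seconds=600):
    """Map rhost -> peak failure count for hosts that reach `threshold`
    failures inside any `window_seconds` span (sliding window; the threshold
    and window are assumed values, comparable to fail2ban's maxretry/findtime)."""
    per_host = defaultdict(list)
    for ts, rhost, _user in parse_failures(log_text):
        if rhost:  # an empty rhost gives us nothing to block
            per_host[rhost].append(ts)
    result = {}
    for rhost, times in per_host.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # advance the window start until it is within window_seconds of t
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[rhost] = peak
    return result


def iptables_rule(source, port=22):
    """Build the iptables command that drops SSH traffic from `source`.
    -I inserts at the top of INPUT, so an earlier ACCEPT cannot shadow it,
    which is one reason a rule appended after a broad ACCEPT has no effect."""
    return f"iptables -I INPUT -s {source} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for host, count in offenders(SAMPLE_LOG).items():
        print(f"# {host}: {count} failures in window")
        print(iptables_rule(host))
```

Run against a real file with `offenders(open("/var/log/messages").read())`; the printed commands are what an operator (or a cron job) would apply, and checking `iptables -L INPUT -n --line-numbers` afterwards confirms the DROP sits above any ACCEPT rule Webmin already generated.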