Stopping Most Basic Hack Attempts (SSH,WHM,Wordpress)

Post Reply
consultant
Junior Member
Posts: 25
Joined: 24 Aug 2016, 04:49

Stopping Most Basic Hack Attempts (SSH,WHM,Wordpress)

Post by consultant »

So there's basically three hack attempt strategies on my server I'd like to just stop.

SSH login - I know IPs get blacklisted after 5 failed attempts within x minutes, but I only SSH in from a handful of IPs. There's a chance some of these IPs will lose their DHCP reservation and change, but I have at least one static IP. So I assume best solution is to remove port 22 from the allowed ports and whitelist my IPs I used to login via SSH. Sometimes I'm roaming around with my laptop though and so I guess the only solution there is to use VPN to get on a whitelisted IP (or LogMeIn to access local whitelisted machine but this isn't as clean of a solution as VPN), One interesting thing I tried was to restrict access only from US IP Addresses as this is a extranet application server, don't need to serve web pages to the general world public. But BOY, did that make CSF run SLOW!

I'm considering public key authentication but frankly this isn't a server that is hosting any critical info like payment info, social security numbers. So the hassle of setting that up may not be worth it. I suppose I could also do port knocking.

WHM login (port 2087) - Getting in here is almost as bad as if you got into via SSH on root. I assume same solution as above.

Wordpress hacks - CSF/LFD help mitigate some of those. I tested plugins and most were pretty heavy handed and overlapped with CSF/LFD. I did find iThemes Security plugin you could turn off most everything you didn't want to eliminate overlap with CSF/LFD. Anyone recommend a different Wordpress security plugin to use in conjunction with CSF/LFD?
Smjork
Junior Member
Posts: 7
Joined: 10 Feb 2014, 08:29

Re: Stopping Most Basic Hack Attempts (SSH,WHM,Wordpress)

Post by Smjork »

[...] Sometimes I roam [...]

Your best solution is to switch to SSH with key-pairs. It won't matter which IP you get at a certain location.
See this tutorial, for example: https://www.digitalocean.com/community/ ... nux-server

Yet, if you really insist on authenticating via password, then you can "strengthen" (a bit) your /etc/ssh/ssd_config configuration, with the following:a. Make sure you DO NOT allow login with "root"

PermitRootLogin no
DenyUsers root
DenyGroups root
AllowUsers your_username, some_other_username, some_other_username


As of csf/lfd, you may enable LF_TRIGGER and (at least) the SSH related options:
LF_TRIGGER="1"
LF_TRIGGER_PERM="1" <-- if you want the block to become permanent, not temporary
LF_EMAIL_ALERT="1" <-- so you receive an email each time csf/lfd blocks a specific IP which triggers
LF_SSHD="5" <-- change the value as you please
LF_SSHD_PERM="1" <-- same as all other _PERM options
honesting
Junior Member
Posts: 14
Joined: 03 Jul 2013, 20:55

Re: Stopping Most Basic Hack Attempts (SSH,WHM,Wordpress)

Post by honesting »

Did you find any solution to prevent the brute on wordpress sites? Thank you.
Tearabite
Junior Member
Posts: 26
Joined: 27 Dec 2008, 00:29
Contact:

Re: Stopping Most Basic Hack Attempts (SSH,WHM,Wordpress)

Post by Tearabite »

Here is what I do to help reduce simple brute-force attempts in Wordpress.. It's a bit convoluted but it does the job:
1) Use the "Rename wp-login.php" to rename the login page to something random (this alone stops a good amount of amateur BF attempts).
2) Add an entry in .htaccess to rewrite any attempts to hit wp-login.php to redirect to a simple (blank) html file I created with a unique, random name
3) add a rule in Mod_Security to block access to the randomly named html file
4) Set LF_MODSEC to someting low (5 or 10) so that repeated attempts to hit wp-login.php (which gets redirected to random-named .html file) gets blocked by CSF.

it's simple, but stops a lot of the simple script-kiddy brute force attacks - around 500-1,000 per day on my server.
Post Reply