Blocking SSH Login Attempts with CC_DENY

flyride


Post by flyride »

When you log in to CloudLinux via SSH you get a welcome message something like "There have been 9,980 failed login attempts since the last successful login." I was thinking CC_DENY should reduce this number significantly, however I still have a lot of IPs included in that number that are from countries I have blocked. For example, the welcome message also tells you the last IP blocked, and I have started checking the location of that last blocked IP each time I log in now, and the last 5 times it has been from a country I have blocked with CC_DENY.

1. Does this blocked attempts number in the SSH welcome message include users that have been blocked by CC_DENY country code blocks?

2. I'm also wondering if CloudLinux behaves differently (or if it requires any different configuration) when running CSF vs. running under CentOS?


Some side information that may or may not be relevant:

- The only port I have CC_DENY_PORTS set to block is 22

- A little over a week ago I upgraded this server (same datacenter) from CentOS/cPanel and moved to a new server with CloudLinux/cPanel. Our other server did not have nearly as many failed login attempts; I'm just not sure if this is coincidental or not

- In 24 hours I have had over 10,000 failed SSH login attempts. I have it set to block IPs after 5 invalid login attempts, but it was filling up the 200 blocked IPs in the log roughly every 15 minutes before enabling CC_DENY. Today I have increased this to store 2000 blocked IPs to increase the delay before a blocked IP can retry. It definitely seems to be slowing down a bit now that I have enabled CC_DENY and increased this to 2000.

- Is this too many countries to block on a cPanel dedicated server with 64 GB RAM? Here's the list of countries I am currently blocking with CC_DENY: AD,AE,AF,AL,AO,AT,AX,BB,BD,BE,BM,BO,BR,BZ,CH,CN,CY,DE,DK,DZ,EG,ES,FR,GB,HK,HR,HU,ID,IE,IL,IN,IQ,IR,JM,JP,KR,LR,LT,LY,MY,NP,NG,NZ,PK,PR,RO,RW,SE,SI,SK,TZ,TR,TT,TW,UA,UG,UY,VE,VN,YE,ZA,ZM,ZW

- I have LF_SSHD set to 5; I am considering reducing that number to 2 or 3

- I have not changed the default SSH port, which I'm assuming would also cut down on these attempts quite a bit?

Ideally I would like to just whitelist my IPs for SSH but unfortunately I am often in different locations that do not have static IPs and this is not possible.

Any comments or suggestions would be greatly appreciated!
Sergio

Re: Blocking SSH Login Attempts with CC_DENY

Post by Sergio »

Hi.
After reading your post I would suggest you do the opposite; I mean, don't block all those countries. It is better to allow only the countries from which you want your server to be accessed, and you will have fewer IPs to allow than IPs to block.

About the 2,000 IPs blocked: you can set it to a much higher number of blocked IPs if you use IPSET. On my servers I have set it to 50,000 IPs and they work without any issues. But I do a clean-up every 30 minutes, and if I have a bunch of IPs from the same CIDR, my script creates the .0/24 and deletes all the ones that belong to that CIDR, and by doing this I have fewer IPs to manage.

Just remember that now, with this pandemic, SSH attacks are coming from all around the world because a lot of people with nothing to do are at home, and that is why this type of attack is more frequent.

Are all these attacks to random SSH ports, or are they directly to your SSH port?
I ask you this because if they are to random ports, the best thing to do is to set CSF to not send messages if they are to ports other than the one you have defined.

Sergio
Just another fan of CSF.
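The /24 clean-up Sergio describes, as an added example that is neither his script nor part of CSF: it parses constructed csf.deny-style lines, drops single hosts already covered by a wider range, and replaces a /24's single hosts with one /24 entry once a threshold of them (an assumed knob, not a CSF setting) are listed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the style of csf.deny lines (address or CIDR, then a comment).
SAMPLE_DENY = """\
203.0.113.5 # lfd: (sshd) Failed SSH login from 203.0.113.5
203.0.113.17 # lfd: (sshd) Failed SSH login from 203.0.113.17
203.0.113.200 # lfd: (sshd) Failed SSH login from 203.0.113.200
198.51.100.9 # lfd: (sshd) Failed SSH login from 198.51.100.9
192.0.2.0/24 # manual block of a whole range
192.0.2.44 # lfd: (sshd) Failed SSH login from 192.0.2.44
"""

def parse_deny(text):
    """Parse deny-list text into (network, comment) pairs, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        if body.strip():
            entries.append((ipaddress.ip_network(body.strip(), strict=False), comment.strip()))
    return entries

def collapse_to_24(entries, threshold=3):
    """Replace single IPv4 hosts that share a /24 with one /24 entry once at least
    `threshold` of them are listed (an assumed knob, not a CSF setting), and drop
    hosts already covered by a wider entry. Returns (new_entries, removed_networks)."""
    wider = [n for n, _ in entries if n.version == 4 and n.prefixlen < 32]
    by_block, kept, removed = defaultdict(list), [], []
    for net, comment in entries:
        if net.version != 4 or net.prefixlen != 32:
            kept.append((net, comment))            # ranges and IPv6 pass through unchanged
        elif any(net.subnet_of(w) for w in wider):
            removed.append(net)                    # already blocked by a wider range
        else:
            by_block[net.supernet(new_prefix=24)].append((net, comment))
    for block, members in by_block.items():
        if len(members) >= threshold:
            kept.append((block, f"collapsed {len(members)} single hosts"))
            removed.extend(n for n, _ in members)
        else:
            kept.extend(members)                   # too few to justify a whole /24
    kept.sort(key=lambda e: (e[0].version, e[0]))
    return kept, removed

def render(entries):
    """Format entries back into deny-list lines."""
    return [f"{net} # {comment}" if comment else str(net) for net, comment in entries]

if __name__ == "__main__":
    new_entries, dropped = collapse_to_24(parse_deny(SAMPLE_DENY))
    print("\n".join(render(new_entries)))
    print(f"removed {len(dropped)} single-host entries")
```

On a real server the rewritten list would be applied through CSF's own deny/remove commands rather than by editing csf.deny by hand, so that the running iptables/ipset state stays in sync with the file.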