Stopping Outgoing BruteForce Attacks

piyushmahes
Joined: 29 Apr 2020, 06:32


Post by piyushmahes »

Hello, I have a dedicated bare-metal server with Hetzner, but every day I'm getting emails about outgoing brute-force and port-scan attacks.
My server is a shared hosting server; we're selling shared and reseller hosting through it, and the server has almost 900+ cPanel accounts.
So how can I find out which account is sending the outgoing brute-force attacks, and how can I stop it?
Here are some of the logs Hetzner sent me:


> ------------------------------------------
> MYSERVERIP - - [14/Jun/2021:06:04:17 +0200] "POST /wp-login.php HTTP/1.0" 200 1494 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> MYSERVERIP - - [14/Jun/2021:06:04:20 +0200] "POST /xmlrpc.php HTTP/1.0" 403 212 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> MYSERVERIP - - [14/Jun/2021:06:25:26 +0200] "GET /wp-login.php HTTP/1.0" 200 2388 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> MYSERVERIP - - [14/Jun/2021:06:25:27 +0200] "POST /wp-login.php HTTP/1.0" 200 2527 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> MYSERVERIP - - [14/Jun/2021:06:25:28 +0200] "POST /xmlrpc.php HTTP/1.0" 403 212 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
> MYSERVERIP - - [14/Jun/2021:06:32:23 +0200] "GET /wp-login.php HTTP/1.0" 200 2388 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Is there any way to stop it via CSF?
xthekrakenx
Joined: 03 Aug 2021, 12:02

Re: Stopping Outgoing BruteForce Attacks

Post by xthekrakenx »

Hi, I do not think you can necessarily stop it via CSF, as you can block traffic incoming or outgoing by port, IP, etc., but it would block it for your entire server, not just a single account (in my experience at least).

I would try to take a closer look at your logs: maybe tail your syslog and watch your processes to see if you can identify which account may have a few more running processes than a normal account would have. If they are brute forcing, I would think they would have multiple threads/processes going. Maybe also run some recursive grep searches on your home directories looking for "wp-login.php". If you are hosting a lot of WordPress sites, you will get a lot of false positives, BUT you would be looking for wp-login.php referenced in non-standard WordPress files.

On a personal note, I had CSF logs very similar to the above, but it was someone trying to brute force me, which I have since combatted by leveraging a few WordPress security plugins across all of my WP sites.
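The two triage steps in the reply above (watch which account's processes hold outbound connections, then grep the home directories for wp-login.php references outside WordPress core) as an added, runnable example. This is not code from the thread or from CSF/cPanel. It assumes the server has `ss` from iproute2 and that `ss -tnpe` prints the uid of the socket owner after the `users:(...)` field; the sample `ss` output and file list below are constructed for the demonstration, and the field layout is an assumption you should confirm against `ss -tnpe | head` on your own box.

```shell
#!/bin/sh
# Added example (not from the original thread). Both helpers read stdin so
# they can be run offline on the constructed samples below; on a live
# cPanel server feed them real data:
#   ss -tnpe | rank_outbound_by_uid
#   grep -rl --include='*.php' 'wp-login.php' /home/*/public_html | suspicious_wp_refs
# ASSUMPTION: `ss -tnpe` lines look like the sample (State ... Peer users:(...) uid:N ...).

# Count ESTAB sockets whose *remote* port is 80 or 443 (outbound HTTP/S,
# i.e. the direction of a wp-login.php brute force), grouped by the uid
# that owns the socket and the process name. Inbound hits to your own
# web server have the high port on the peer side and are skipped.
rank_outbound_by_uid() {
    awk '
        $1 == "ESTAB" {
            n = split($5, peer, ":");          # peer addr:port, IPv4 or [v6]:port
            rport = peer[n];
            if (rport != "80" && rport != "443") next;
            uid = "?"; proc = "?";
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^uid:/) uid = substr($i, 5);
                if ($i ~ /^users:/ && match($i, /\("[^"]+"/))
                    proc = substr($i, RSTART + 2, RLENGTH - 3);
            }
            count[uid " " proc]++;
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}
# Map the winning uid to the cPanel account with: getent passwd <uid>

# Drop hits that are expected in a WordPress install (core directories and
# wp-login.php itself); what remains are non-standard files that mention
# wp-login.php, e.g. a PHP file under wp-content/uploads or a hidden dir.
suspicious_wp_refs() {
    grep -v -E '/(wp-admin|wp-includes)/|/wp-login\.php$'
}

# Constructed sample resembling `ss -tnpe` on a cPanel host (uid 99 = nobody).
SAMPLE_SS=$(cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:43110 203.0.113.7:80 users:(("php-fpm",pid=4120,fd=9)) uid:1003 ino:88811 sk:1 <->
ESTAB 0 0 10.0.0.5:43112 203.0.113.8:80 users:(("php-fpm",pid=4121,fd=9)) uid:1003 ino:88812 sk:2 <->
ESTAB 0 0 10.0.0.5:43114 198.51.100.9:443 users:(("php-fpm",pid=4122,fd=9)) uid:1003 ino:88813 sk:3 <->
ESTAB 0 0 10.0.0.5:51000 198.51.100.20:443 users:(("php-fpm",pid=3901,fd=7)) uid:1001 ino:77701 sk:4 <->
ESTAB 0 0 10.0.0.5:80 192.0.2.55:60122 users:(("httpd",pid=2200,fd=12)) uid:99 ino:6101 sk:5 <->
ESTAB 0 0 10.0.0.5:22 192.0.2.10:53412 users:(("sshd",pid=900,fd=4)) uid:0 ino:5001 sk:6 <->
ESTAB 0 0 10.0.0.5:3306 127.0.0.1:41234 users:(("mysqld",pid=1200,fd=33)) uid:1000 ino:6001 sk:7 <->
EOF
)

# Constructed sample of what the recursive grep might list.
SAMPLE_PATHS=$(cat <<'EOF'
/home/acct1/public_html/wp-login.php
/home/acct1/public_html/wp-admin/admin.php
/home/acct1/public_html/wp-includes/pluggable.php
/home/acct2/public_html/wp-content/uploads/2021/06/cache.php
/home/acct3/public_html/images/.x/wp.php
EOF
)

echo "outbound 80/443 sockets per uid/process:"
printf '%s\n' "$SAMPLE_SS" | rank_outbound_by_uid
echo "non-core files referencing wp-login.php:"
printf '%s\n' "$SAMPLE_PATHS" | suspicious_wp_refs
```

On the sample, uid 1003 (three php-fpm sockets to remote port 80/443) ranks first, which is the account to inspect next (`getent passwd 1003`, then `ps -u <user> -o pid,etime,args`); the grep filter leaves only the uploads and hidden-directory PHP files, which are the non-standard hits the reply tells you to look for. Blocking at the CSF level would still be server-wide, so the fix is suspending or cleaning the offending account rather than a firewall rule.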