Hi there,
I have just recently set up a linode VPS with cpanel and I installed CSF.
Ever since I installed it I am getting emails once every hour or so and it's really annoying me.
Here are some of the alerts I have been getting:
Time: Wed Dec 19 04:19:22 2012 +0000
IP: 68.171.218.104 (US/United States/removeduetoforumrestriction)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block
Dec 19 04:19:07 li357-49 sshd[28620]: Failed password for root from 68.171.218.104 port 40740 ssh2
Dec 19 04:19:10 li357-49 sshd[28624]: Failed password for root from 68.171.218.104 port 41120 ssh2
Dec 19 04:19:13 li357-49 sshd[28629]: Failed password for root from 68.171.218.104 port 41476 ssh2
Dec 19 04:19:16 li357-49 sshd[28633]: Failed password for root from 68.171.218.104 port 41817 ssh2
Dec 19 04:19:19 li357-49 sshd[28638]: Failed password for root from 68.171.218.104 port 42182 ssh2
------------------------------------------------------------------------
Time: Wed Dec 19 02:49:43 2012 +0000
IP: 59.90.194.51 (IN/India/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
Dec 19 02:49:35 li357-49 sshd[26900]: Invalid user ftpguest from 59.90.194.51
Dec 19 02:49:35 li357-49 sshd[26900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.90.194.51
Dec 19 02:49:37 li357-49 sshd[26900]: Failed password for invalid user ftpguest from 59.90.194.51 port 59908 ssh2
Dec 19 02:49:38 li357-49 sshd[26904]: Invalid user ftpguest from 59.90.194.51
Dec 19 02:49:38 li357-49 sshd[26904]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.90.194.51
------------------------------------------------------------------------
Time: Wed Dec 19 06:14:38 2012 +0000
Account: lavadesi
Resource: Process Time
Exceeded: 1814 > 1800 (seconds)
Executable: /home/virtfs/lavadesi/usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID: 30319
Killed: No
------------------------------------------------------------------------
Time: Wed Dec 19 05:44:40 2012 +0000
IP: 82.17.250.121 (GB/United Kingdom/removeduetoforumrestriction)
Account: lavadesi
Method: password authentication
------------------------------------------------------------------------
Time: Wed Dec 19 05:44:39 2012 +0000
IP: 82.17.250.121 (GB/United Kingdom/removeduetoforumrestriction)
Account: lavadesi
Method: password authentication
Can anyone tell me how I can stop this excessive emailing? Also, is it normal to get 3 malicious login attempts in 1 day on a brand new server?
Cheers,
Jonny
LFD E-mails won't stop!
Re: LFD E-mails won't stop!
Hi Jonny,
Yes, it's normal to get 3+ or many more per day.
It's also likely that someone else had the IP you are on before you did, and it may very well have been a cPanel box too.
I'm new to CSF and trying to figure out how to squelch the massive amount of emails for "Permanent Block" etc.
I'm assuming this has something to do with the csf.pignore file; however, I'm trying to figure out how best to put this entry into the file since it's not an executable. Of course, I still want the person to be blocked, I just don't want to receive the email about it 20 times per day.
Thoughts? Did you already figure this out Jonny?
Re: LFD E-mails won't stop!
I just wanted to update this post with how I disabled them.
(Go figure, there were easy settings for this in the config)
For the Port Scanning notices that happen often:
PS_EMAIL_ALERT = 0
For the Blocks that happen often for Login Failures:
LF_EMAIL_ALERT = 0
By making these changes, you are still allowing the previous settings to continue to "block" the attacks; however, you won't be sent a stream of emails notifying you about them.
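As an added example (not code from the thread or from CSF itself), the script below treats the alerts pasted in the original post as one digest, sorts them by type, shows which user/IP pairs the failed logins targeted, and then applies the reply's fix generically to a csf.conf excerpt. The sample alert text and the csf.conf excerpt are constructed inline from the post. LF_EMAIL_ALERT and PS_EMAIL_ALERT are the keys the reply names; LF_SSH_EMAIL_ALERT (successful SSH login alerts, the two "Method: password authentication" mails) and PT_USERTIME (the process-time threshold behind "1814 > 1800") are the standard csf.conf keys for the other two alert types in the post. Note that PT_USERTIME is a threshold, not a mail switch: setting it to 0 disables the check itself, so the script leaves it for a manual decision instead of zeroing it.

```python
import re
from collections import Counter

# Constructed sample: the five alerts from the original post, trimmed
# (fewer log lines, geo field shortened). Not a capture from the page's server.
SAMPLE_ALERTS = """\
Time: Wed Dec 19 04:19:22 2012 +0000
IP: 68.171.218.104 (US/United States/-)
Failures: 5 (sshd)
Blocked: Permanent Block
Log entries:
Dec 19 04:19:07 li357-49 sshd[28620]: Failed password for root from 68.171.218.104 port 40740 ssh2
Dec 19 04:19:10 li357-49 sshd[28624]: Failed password for root from 68.171.218.104 port 41120 ssh2
------------------------------------------------------------------------
Time: Wed Dec 19 02:49:43 2012 +0000
IP: 59.90.194.51 (IN/India/-)
Failures: 5 (sshd)
Blocked: Permanent Block
Log entries:
Dec 19 02:49:35 li357-49 sshd[26900]: Invalid user ftpguest from 59.90.194.51
Dec 19 02:49:37 li357-49 sshd[26900]: Failed password for invalid user ftpguest from 59.90.194.51 port 59908 ssh2
------------------------------------------------------------------------
Time: Wed Dec 19 06:14:38 2012 +0000
Account: lavadesi
Resource: Process Time
Exceeded: 1814 > 1800 (seconds)
Executable: /home/virtfs/lavadesi/usr/libexec/openssh/sftp-server
Killed: No
------------------------------------------------------------------------
Time: Wed Dec 19 05:44:40 2012 +0000
IP: 82.17.250.121 (GB/United Kingdom/-)
Account: lavadesi
Method: password authentication
------------------------------------------------------------------------
Time: Wed Dec 19 05:44:39 2012 +0000
IP: 82.17.250.121 (GB/United Kingdom/-)
Account: lavadesi
Method: password authentication
"""

# Constructed csf.conf excerpt in the file's own KEY = "value" style.
SAMPLE_CONF = """\
LF_EMAIL_ALERT = "1"
PS_EMAIL_ALERT = "1"
LF_SSH_EMAIL_ALERT = "1"
PT_USERTIME = "1800"
"""

SEPARATOR = re.compile(r"^-{20,}$", re.M)
FIELD = re.compile(r"^([A-Z][A-Za-z ]*): (.+)$")
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")

def parse_alerts(text):
    """Split the digest on dashed separators; 'Field: value' lines go into a
    dict, sshd log lines are kept under 'Log'."""
    alerts = []
    for chunk in SEPARATOR.split(text):
        fields, log = {}, []
        for line in chunk.strip().splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
            elif "sshd[" in line:
                log.append(line)
        if fields:
            fields["Log"] = log
            alerts.append(fields)
    return alerts

def classify(alert):
    """Return (alert type, csf.conf key behind it); see lead-in for the keys."""
    if "Blocked" in alert and "Failures" in alert:
        return "login_failure_block", "LF_EMAIL_ALERT"
    if alert.get("Resource") == "Process Time":
        return "process_time", "PT_USERTIME"      # threshold, not a mail switch
    if "Method" in alert and "Account" in alert:
        return "ssh_login", "LF_SSH_EMAIL_ALERT"
    return "unknown", None

def summarize(alerts):
    """Count alert types and keys, and which user@IP the failed logins hit."""
    by_type, by_key, targets = Counter(), Counter(), Counter()
    for a in alerts:
        kind, key = classify(a)
        by_type[kind] += 1
        if key:
            by_key[key] += 1
        for m in filter(None, map(FAILED_LOGIN.search, a["Log"])):
            targets[(m.group(1), m.group(2))] += 1
    return by_type, by_key, targets

def set_csf_option(conf_text, key, value):
    """Rewrite exactly one KEY = "..." line, keeping csf's quoting; raise if
    the key is missing or duplicated so a typo cannot silently do nothing."""
    pattern = re.compile(r'^(%s\s*=\s*)"[^"\n]*"' % re.escape(key), re.M)
    new_text, n = pattern.subn(lambda m: m.group(1) + '"%s"' % value, conf_text)
    if n != 1:
        raise ValueError("expected one %s line, found %d" % (key, n))
    return new_text

def silence(conf_text, alerts):
    """The reply's fix, generalised: zero every *_EMAIL_ALERT key that produced
    an alert (lfd keeps blocking, stops mailing). Threshold keys are returned
    for a manual decision instead of being changed."""
    _, by_key, _ = summarize(alerts)
    skipped = set()
    for key in by_key:
        if key.endswith("_EMAIL_ALERT"):
            conf_text = set_csf_option(conf_text, key, "0")
        else:
            skipped.add(key)
    return conf_text, skipped

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(summarize(parsed))
    print(silence(SAMPLE_CONF, parsed))
```

On a real box the text to edit is /etc/csf/csf.conf, and lfd only reads the file at start, so restart it afterwards (`csf -ra` restarts both csf and lfd). The summary also answers the original question in data: two of the five alerts are dictionary attempts against root and a guessed "ftpguest" account from two unrelated networks, which is exactly the background noise the reply calls normal, and the blocks still happen with the alerts turned off.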