SSH Distributed Attack Floods

Post Reply
UWH-David
Junior Member
Posts: 28
Joined: 04 Nov 2017, 02:26

SSH Distributed Attack Floods

Post by UWH-David »

The latest version of configserver firewall.

This one is driving me a little bonkers. We are all aware of the increase in SSH attacks lately. We run SSH on a non-standard port pretty high up but we are still seeing a MASSIVE influx of distributed SSH blocks on ports not related to our SSH port which is defined in the csf.conf

Ex: invalid user firefart from 67.205.153.16 port 34980 ssh2

This is not our SSH port. I see it is ephemeral but why is this occurring?

Thank you for any assistance.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: SSH Distributed Attack Floods

Post by Sergio »

It is because the hacker is using an script to brute-force your server and CSF is doing its job on blocking the attempts and report them, this is normal.
In the mean time you will receive tons of emails telling that the IP have tried to access your server and was blocked.

If you don't want to receive those emails, create an email filter to delete the failed attempts, any way you will receive the list of the attacks on the log scanner report every hour.
UWH-David
Junior Member
Posts: 28
Joined: 04 Nov 2017, 02:26

Re: SSH Distributed Attack Floods

Post by UWH-David »

This does not answer my question and seems to be missing several underlying key points. Why is this showing up in an ephemeral port range in the first place? SSH is not on a standard port as indicated and can only be hit there. It appears to be more of a case of false positives.
Sergio wrote: 21 Apr 2020, 14:28 It is because the hacker is using an script to brute-force your server and CSF is doing its job on blocking the attempts and report them, this is normal.
In the mean time you will receive tons of emails telling that the IP have tried to access your server and was blocked.

If you don't want to receive those emails, create an email filter to delete the failed attempts, any way you will receive the list of the attacks on the log scanner report every hour.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: SSH Distributed Attack Floods

Post by Sergio »

Hope this clarifies what I tried to wrote.

The only one who knows the SSH port is you, so, hackers have to guess what port to attack. They use exploit scripts that tries to guess the SSH port and will try different ports until they got caught by CSF.

Depending on your CSF configuration, the IP of the hacker will be blocked after the number of attempts you have set

As CSF only controls how many times an error occurs not what ports are being attacked, CSF will send you a notification with the attack info.
That is why you receive a lot of emails with the port that the hacker tried.

With a massive attack on your server, your will receive a lot of informative emails telling that an IP has tried to SSH your server on port XXXX.

In my case, I don't want to receive all those failed SSH port emails and I created an email filter to delete them, any way I know they will be listed on my next "Log Scanner Report".

Sergio
UWH-David
Junior Member
Posts: 28
Joined: 04 Nov 2017, 02:26

Re: SSH Distributed Attack Floods

Post by UWH-David »

As clearly indicated, these ports in the emails are ephemeral, and not the port SSH is on. Why is that?
Sergio wrote: 27 Apr 2020, 15:03 Hope this clarifies what I tried to wrote.

The only one who knows the SSH port is you, so, hackers have to guess what port to attack. They use exploit scripts that tries to guess the SSH port and will try different ports until they got caught by CSF.

Depending on your CSF configuration, the IP of the hacker will be blocked after the number of attempts you have set

As CSF only controls how many times an error occurs not what ports are being attacked, CSF will send you a notification with the attack info.
That is why you receive a lot of emails with the port that the hacker tried.

With a massive attack on your server, your will receive a lot of informative emails telling that an IP has tried to SSH your server on port XXXX.

In my case, I don't want to receive all those failed SSH port emails and I created an email filter to delete them, any way I know they will be listed on my next "Log Scanner Report".

Sergio
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: SSH Distributed Attack Floods

Post by Sergio »

The hackers don't know the real port and that is why they have to try with any port number they can, CSF is just reporting of what happened.
UWH-David
Junior Member
Posts: 28
Joined: 04 Nov 2017, 02:26

Re: SSH Distributed Attack Floods

Post by UWH-David »

If these are all blocked ports, why would it matter?
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: SSH Distributed Attack Floods

Post by Sergio »

Actually it doesn't matter, but CSF just reports about what happened.
Post Reply