SSH Distributed Attack Floods
Posted: 16 Apr 2020, 20:03
by UWH-David
The latest version of ConfigServer Firewall.
This one is driving me a little bonkers. We are all aware of the increase in SSH attacks lately. We run SSH on a non-standard port pretty high up, but we are still seeing a MASSIVE influx of distributed SSH blocks on ports not related to our SSH port, which is defined in csf.conf.
Ex: invalid user firefart from 67.205.153.16 port 34980 ssh2
This is not our SSH port. I see it is ephemeral but why is this occurring?
Thank you for any assistance.
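As an added example (not code from the thread or from CSF), the script below parses sshd lines in the format quoted above and tallies failures per source IP the way an lfd-style threshold would; the port in these messages is the connecting client's source port (an ephemeral port on the attacker's side), not the port sshd listens on, which is why each new connection shows a different high-numbered port. The sample log lines, the documentation-range IPs and the threshold of 5 are constructed assumptions.

```python
import re
from collections import Counter

# sshd records the CLIENT's source port in these messages. The destination
# (the port sshd listens on) is never part of the line, so a non-standard
# listening port does not change what appears here.
SSHD_FAIL = re.compile(
    r"(?:Invalid user (?P<user>\S+)"
    r"|Failed password for (?:invalid user )?(?P<user2>\S+))"
    r" from (?P<ip>[\d.]+) port (?P<sport>\d+) ssh2"
)

# Constructed sample auth-log excerpt (assumption, not a real capture).
# Each attempt is a new TCP connection, so the source port changes each time.
SAMPLE_LOG = """\
Jan 1 00:00:01 host sshd[2231]: Invalid user firefart from 192.0.2.10 port 34980 ssh2
Jan 1 00:00:01 host sshd[2231]: Failed password for invalid user firefart from 192.0.2.10 port 34980 ssh2
Jan 1 00:00:03 host sshd[2240]: Invalid user admin from 192.0.2.10 port 35012 ssh2
Jan 1 00:00:03 host sshd[2240]: Failed password for invalid user admin from 192.0.2.10 port 35012 ssh2
Jan 1 00:00:05 host sshd[2251]: Failed password for root from 192.0.2.10 port 35044 ssh2
Jan 1 00:00:07 host sshd[2262]: Failed password for root from 198.51.100.7 port 51230 ssh2
"""


def parse_sshd_failures(text):
    """Return one (user, source_ip, source_port) tuple per matching failure line."""
    records = []
    for line in text.splitlines():
        m = SSHD_FAIL.search(line)
        if m:
            user = m.group("user") or m.group("user2")
            records.append((user, m.group("ip"), int(m.group("sport"))))
    return records


def source_ports_by_ip(text):
    """Map each source IP to the set of source ports it connected from."""
    ports = {}
    for _, ip, sport in parse_sshd_failures(text):
        ports.setdefault(ip, set()).add(sport)
    return ports


def block_candidates(text, threshold=5):
    """IPs whose failure-line count reaches the threshold (simplified lfd-style
    counting; lfd's own rules and the LF_SSHD setting may differ). The threshold
    value is an assumption for this example."""
    counts = Counter(ip for _, ip, _ in parse_sshd_failures(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```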
Re: SSH Distributed Attack Floods
Posted: 21 Apr 2020, 14:28
by Sergio
It is because the hacker is using a script to brute-force your server, and CSF is doing its job by blocking the attempts and reporting them; this is normal.
In the meantime you will receive tons of emails telling you that the IP has tried to access your server and was blocked.
If you don't want to receive those emails, create an email filter to delete the failed attempts; anyway, you will receive the list of the attacks in the log scanner report every hour.
Re: SSH Distributed Attack Floods
Posted: 27 Apr 2020, 02:11
by UWH-David
This does not answer my question and seems to be missing several underlying key points. Why is this showing up in an ephemeral port range in the first place? SSH is not on a standard port, as indicated, and can only be hit there. It appears to be more of a case of false positives.
Sergio wrote: 21 Apr 2020, 14:28
It is because the hacker is using a script to brute-force your server, and CSF is doing its job by blocking the attempts and reporting them; this is normal.
In the meantime you will receive tons of emails telling you that the IP has tried to access your server and was blocked.
If you don't want to receive those emails, create an email filter to delete the failed attempts; anyway, you will receive the list of the attacks in the log scanner report every hour.
Re: SSH Distributed Attack Floods
Posted: 27 Apr 2020, 15:03
by Sergio
Hope this clarifies what I tried to write.
The only one who knows the SSH port is you, so hackers have to guess what port to attack. They use exploit scripts that try to guess the SSH port and will try different ports until they get caught by CSF.
Depending on your CSF configuration, the IP of the hacker will be blocked after the number of attempts you have set.
As CSF only controls how many times an error occurs, not what ports are being attacked, CSF will send you a notification with the attack info.
That is why you receive a lot of emails with the port that the hacker tried.
With a massive attack on your server, you will receive a lot of informative emails telling you that an IP has tried to SSH to your server on port XXXX.
In my case, I don't want to receive all those failed SSH port emails, and I created an email filter to delete them; anyway, I know they will be listed on my next "Log Scanner Report".
Sergio
Re: SSH Distributed Attack Floods
Posted: 27 Apr 2020, 22:08
by UWH-David
As clearly indicated, these ports in the emails are ephemeral, and not the port SSH is on. Why is that?
Sergio wrote: 27 Apr 2020, 15:03
Hope this clarifies what I tried to write.
The only one who knows the SSH port is you, so hackers have to guess what port to attack. They use exploit scripts that try to guess the SSH port and will try different ports until they get caught by CSF.
Depending on your CSF configuration, the IP of the hacker will be blocked after the number of attempts you have set.
As CSF only controls how many times an error occurs, not what ports are being attacked, CSF will send you a notification with the attack info.
That is why you receive a lot of emails with the port that the hacker tried.
With a massive attack on your server, you will receive a lot of informative emails telling you that an IP has tried to SSH to your server on port XXXX.
In my case, I don't want to receive all those failed SSH port emails, and I created an email filter to delete them; anyway, I know they will be listed on my next "Log Scanner Report".
Sergio
Re: SSH Distributed Attack Floods
Posted: 28 Apr 2020, 06:36
by Sergio
The hackers don't know the real port, and that is why they have to try any port number they can; CSF is just reporting what happened.
Re: SSH Distributed Attack Floods
Posted: 28 Apr 2020, 17:58
by UWH-David
If these are all blocked ports, why would it matter?
Re: SSH Distributed Attack Floods
Posted: 04 May 2020, 05:18
by Sergio
Actually, it doesn't matter, but CSF just reports what happened.