Blocking SSH Login Attempts with CC_DENY
Posted: 10 Jun 2020, 21:18
When you log in to CloudLinux via SSH you get a welcome message something like "There have been 9,980 failed login attempts since the last successful login." I was thinking CC_DENY should reduce this number significantly, however I still have a lot of IPs included in that number that are from countries I have blocked. For example, the welcome message also tells you the last IP blocked, and I have now started checking the location of the last blocked IP each time I log in, and the last 5 times it has been from a country I have blocked with CC_DENY.
1. Does this blocked attempts number in the SSH welcome message include users that have been blocked by CC_DENY country code blocks?
2. I'm also wondering if CloudLinux behaves differently (or if it requires any different configuration) when running CSF then vs running under CentOS?
Some side information that may or may not be relevant:
- The only port I have CC_DENY_PORTS set to block is 22
- A little over a week ago I upgraded this server (same datacenter) from CentOS/cPanel and moved to a new server with CloudLinux/cPanel. Our other server did not have nearly as many failed login attempts, I'm just not sure if this is coincidental or not
- In 24 hours I have had over 10,000 failed SSH login attempts. I have it set to block IPs after 5 invalid login attempts, but it was filling up the 200 blocked IPs in the log roughly every 15 minutes before enabling CC_DENY. Today I have increased this to store 2000 blocked IPs to increase the delay before a blocked IP can retry. It definitely seems to be slowing down a bit now that I have enabled CC_DENY and increased this to 2000.
- Is this too many countries to block on a cPanel dedicated server with 64GB RAM? Here's the list of countries I am currently blocking with CC_DENY: AD,AE,AF,AL,AO,AT,AX,BB,BD,BE,BM,BO,BR,BZ,CH,CN,CY,DE,DK,DZ,EG,ES,FR,GB,HK,HR,HU,ID,IE,IL,IN,IQ,IR,JM,JP,KR,LR,LT,LY,MY,NP,NG,NZ,PK,PR,RO,RW,SE,SI,SK,TZ,TR,TT,TW,UA,UG,UY,VE,VN,YE,ZA,ZM,ZW
- I have LF_SSHD set to 5 - I am considering reducing that number to 2 or 3
- I have not changed the default SSH port, which I'm assuming would also cut down on these attempts quite a bit?
Ideally I would like to just whitelist my IPs for SSH but unfortunately I am often in different locations that do not have static IPs and this is not possible.
Any comments or suggestions would be greatly appreciated!
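As an added example (not part of the poster's setup or of CSF itself), here is a small Python check for the question above: it tallies failed sshd logins per source IP the way an LF_SSHD threshold would, and then reports which offending IPs fall inside ranges that are supposed to be covered by CC_DENY. Any IP it reports reached sshd despite the country block, so the block is not catching it. The log lines and the CIDR ranges standing in for the GeoIP country ranges are constructed for this example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log: (source IP, number of failed attempts). Not real traffic.
LINE = ("Jun 10 20:0{m}:00 host sshd[1001]: Failed password for invalid user "
        "admin from {ip} port 4{m:04d} ssh2")
SAMPLE_LOG = "\n".join(
    LINE.format(m=m, ip=ip)
    for ip, n in (("203.0.113.7", 5), ("192.0.2.9", 6), ("198.51.100.3", 2))
    for m in range(n)
)

# Matches the sshd "Failed password" line and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")

# Hypothetical stand-in for the CC_DENY country ranges; CSF loads the real
# ranges from its GeoIP feed, so these two networks are placeholders only.
DENIED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]


def count_failures(log_text):
    """Count failed-password lines per source IP, as an LF_SSHD tally would."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, lf_sshd=5):
    """IPs that reached the LF_SSHD threshold and would be blocked by lfd."""
    return {ip: n for ip, n in counts.items() if n >= lf_sshd}


def in_denied_range(ip, ranges=DENIED_RANGES):
    """True if the address lies in one of the (stand-in) CC_DENY ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def leaked_through_cc_deny(log_text, lf_sshd=5, ranges=DENIED_RANGES):
    """Offending IPs inside a denied range that still reached sshd.

    A non-empty result means CC_DENY is not stopping those sources before
    they hit port 22, so they still count as failed logins."""
    return sorted(ip for ip in offenders(count_failures(log_text), lf_sshd)
                  if in_denied_range(ip, ranges))


if __name__ == "__main__":
    print("offenders:", offenders(count_failures(SAMPLE_LOG)))
    print("leaked through CC_DENY:", leaked_through_cc_deny(SAMPLE_LOG))
```

On a real host, feed it the sshd entries from /var/log/secure and replace the placeholder ranges with the country ranges CSF actually loaded.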