root login failures continue for hours despite detection

Posted: 08 Mar 2013, 02:46
by marty_crouch
I think that csf/lfd should have stopped this brute force attempt at root access ... but it did not.

Today at 10:04:19, perpetrator at 59.108.92.24 started attempting ssh root logins. Log lines from /var/log/secure read:
Mar 7 10:04:19 osprey sshd[11556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.108.92.25 user=root
Mar 7 10:04:21 osprey sshd[11556]: Failed password for root from 59.108.92.25 port 60821 ssh2
...repeating every second or so from the same IP and differing port numbers
At 10:04:48 lfd noticed this situation and attempted to block the perpetrator in the firewall; /var/log/lfd.log says:
Mar 7 10:04:28 osprey lfd[11628]: (sshd) Failed SSH login from 59.108.92.25 (CN/China/-): 5 in the last 300 secs - *Blocked in csf* [LF_SSHD]
Unfortunately, the perpetrator continued his login attempts from the same IP until 12:33:52. From /var/log/secure the last attempt was:

thousands of similar lines followed by:
Mar 7 12:33:52 osprey sshd[29118]: Failed password for root from 59.108.92.25 port 44552 ssh2
Mar 7 12:33:53 osprey sshd[29120]: Received disconnect from 59.108.92.25: 11: Bye Bye
A search for 59.108.92.25 in the firewall rules shows only:
Chain    num  pkts  bytes  target  prot  opt  in   out  source        destination
DENYIN   170  0     0      DROP    all   --   !lo  *    59.108.92.25  0.0.0.0/0
DENYOUT  170  0     0      DROP    all   --   *    !lo  0.0.0.0/0     59.108.92.25
It seems that these two rules should have stopped the repeated login attempts.

We noticed this problem around noon because other login attempts to WHM and root were failing with "user name or password is incorrect". After the brute force attack ended access to

My questions:
What am I overlooking and what might I do to help csf/lfd to be able to effectively stop this perpetrator in the future?

I'm running csf 5.75 on CentOS 6.3 x86_64 standard WHM 11.34.1 (build 12).
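A way to spot this situation automatically, added here as an example and not part of the original post or of csf/lfd: correlate lfd's "*Blocked in csf*" messages with later sshd failures from the same address, so a block that did not take effect shows up in the report. The log lines below are constructed to mirror the excerpts above (the year is assumed, since syslog stamps carry none).

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the post's /var/log/secure and /var/log/lfd.log
# excerpts (not from a real host); 198.51.100.7 is a documentation address added as a control.
SECURE_LOG = """\
Mar  7 10:04:21 osprey sshd[11556]: Failed password for root from 59.108.92.25 port 60821 ssh2
Mar  7 10:04:28 osprey sshd[11556]: Failed password for root from 59.108.92.25 port 60825 ssh2
Mar  7 10:05:02 osprey sshd[11601]: Failed password for root from 59.108.92.25 port 60900 ssh2
Mar  7 10:30:00 osprey sshd[12000]: Failed password for root from 198.51.100.7 port 5000 ssh2
Mar  7 12:33:52 osprey sshd[29118]: Failed password for root from 59.108.92.25 port 44552 ssh2
"""
LFD_LOG = """\
Mar  7 10:04:28 osprey lfd[11628]: (sshd) Failed SSH login from 59.108.92.25 (CN/China/-): 5 in the last 300 secs - *Blocked in csf* [LF_SSHD]
Mar  7 10:31:00 osprey lfd[11628]: (sshd) Failed SSH login from 198.51.100.7 (-/-/-): 5 in the last 300 secs - *Blocked in csf* [LF_SSHD]
"""
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                     r"from (?P<ip>[\d.]+) port \d+")
BLOCK_RE = re.compile(TS + r" \S+ lfd\[\d+\]: .*Failed SSH login from (?P<ip>[\d.]+) "
                      r".*\*Blocked in csf\*")

def parse_ts(stamp, year):
    # syslog stamps carry no year, so the caller supplies it (mind Dec/Jan rollover)
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")

def failures_after_block(secure_lines, lfd_lines, year=2013):
    """Count sshd password failures from each lfd-blocked IP logged after its first block."""
    report = {}
    for line in lfd_lines:
        m = BLOCK_RE.match(line)
        if m and m.group("ip") not in report:   # first block message wins
            report[m.group("ip")] = {"blocked_at": parse_ts(m.group("ts"), year),
                                     "after_block": 0, "last": None}
    for line in secure_lines:
        m = FAIL_RE.match(line)
        if not m or m.group("ip") not in report:
            continue
        t, entry = parse_ts(m.group("ts"), year), report[m.group("ip")]
        if t > entry["blocked_at"]:             # failure logged after the DENYIN rule existed
            entry["after_block"] += 1
            entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    return report

if __name__ == "__main__":
    for ip, e in sorted(failures_after_block(SECURE_LOG.splitlines(), LFD_LOG.splitlines()).items()):
        verdict = "BLOCK NOT EFFECTIVE" if e["after_block"] else "block held"
        print("%-15s blocked %s, %d failure(s) after block -> %s"
              % (ip, e["blocked_at"].time(), e["after_block"], verdict))
```

On a live host, feed it the real files (`open('/var/log/secure')` and `open('/var/log/lfd.log')`) and the current year; any IP with a non-zero count is one whose csf block did not stop the traffic.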

Re: root login failures continue for hours despite detection

Posted: 08 Mar 2013, 19:14
by marty_crouch
As a sanity test, I rechecked that root logins normally are blocked on this system. From another host, I attempted repeated ssh logins to root with incorrect passwords. It only took about 12 logins before my IP was blocked. In this case, csf and lfd are definitely functioning as intended.

I also verified that 59.108.92.25 isn't listed elsewhere in the accept IPs.

I'm baffled as to how a hacker seemingly manages to get around the firewall deny.

What else should I be checking?