Brute Force Attack
Chris
04-11-2005, 07:53 PM
Wow, not even a month into this and I had my first brute force attack. Someone trying various logins to access the server. The IP was blocked by the software after so many attempts - Whew!
Now I know why I went with PowerVPS and their Instant Setup option to take care of that stuff for me!! :D
Question is, what, if anything, do I do now? Do I report it to the IP host or just let it die?
Thanks so much!!
Chris,
Thank god for BFD and SPI. Anyhow, you can report it to the ISP/provider that owns that space, but honestly I'm not sure they'll do anything about it.
We've found that 95% of the providers we report stuff like that to just ignore it, unless it's spam or phishing/cc scams, etc. Sad but true. :(
Chris
04-12-2005, 03:17 PM
Wow, had a second one today . . . but this was a customer who apparently forgot their login because I can see them trying different methods/names within the log.
Question . . . how do I take their IP off the banned list?
ssh to root /etc/apf/apf -a [IP Address]
Is that correct?
Thanks
Robert
04-12-2005, 04:02 PM
Hi there!
Edit the file /etc/apf/deny_hosts.rules and find the IP address. Remove it from there and restart APF. :)
If you really trust the customer, you can add the IP to the safe list by adding the IP to /etc/apf/allow_hosts.rules.
Hope that helps!
Chris
04-12-2005, 06:09 PM
and restart APF. :)
Uhhhh, let me show my ignorance . . . and you do that by . . . :o
charles
04-12-2005, 07:26 PM
service apf restart
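The unban steps from the posts above (take the address out of /etc/apf/deny_hosts.rules, then restart APF) written as a shell function. This is an added example, not part of the original thread; it assumes the file holds one plain IPv4 address per line plus `#` comments, and `unban_ip` and `demo_unban` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the deny file lists one
# IPv4 address per line with '#' comment lines; other rule syntax is untouched.

# unban_ip FILE IP
# Removes lines that are exactly IP from FILE and keeps FILE.bak.
# Returns 0 if an entry was removed, 1 if IP was not listed, 2 on bad input.
unban_ip() {
    rules=$1
    ip=$2

    # Accept only a dotted-quad shape so a stray pattern cannot hit other lines.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    dots=$(printf '%s' "$ip" | tr -cd '.')
    [ "${#dots}" -eq 3 ] || return 2
    [ -f "$rules" ] || return 2

    # -x whole line, -F fixed string: 192.0.2.1 must not match 192.0.2.10.
    grep -qxF -- "$ip" "$rules" || return 1

    cp -p -- "$rules" "$rules.bak" || return 2
    # grep -v exits 1 when nothing is left to print (file held only this IP).
    grep -vxF -- "$ip" "$rules.bak" > "$rules" || [ $? -eq 1 ] || return 2
    return 0
}

# Dry run on a constructed sample file (documentation address ranges only).
demo_unban() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample ban list' \
        '192.0.2.1' '192.0.2.10' '198.51.100.23' > "$tmp"
    rc=0
    unban_ip "$tmp" 192.0.2.1 || rc=$?
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
    return "$rc"
}

# On the server, as root (address shown is a placeholder):
#   unban_ip /etc/apf/deny_hosts.rules 192.0.2.1 && service apf restart
```

The whole-line match matters on a ban list: a substring or regex delete for one customer's address can silently lift the ban on unrelated addresses that share a prefix.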
Chris
04-12-2005, 09:13 PM
Thank You!!
Chris
04-27-2005, 08:20 AM
Help educate me if you don't mind . . .
Not a day goes by when I don't get notification of a brute force attack. Someone trying to ssh into the server . . . is that normal? Or are they just pickin' on me?
thanks
Chris, it is very normal! There are a lot of scripts and such running out there just scanning everything.
You should see some of our logs, sometimes dozens of attempts per SECOND or more to a single server.
Review and monitoring of your logs is a good thing, keep it up!
Could anyone tell me where to check the logs for brute force attacks/login attempts??
How do I monitor such things?
Chris
04-28-2005, 03:10 PM
SSH as root and look at /var/log/
or check your email setup. I get emails for every banned host indicating what IP is banned and what they were trying to do. This helps, because I've had a couple customers forget logins and got banned.
I hope that helps
Hi Chris!
I am in /var/log; which file is for SSH logs?
Also, I have given SSH to one of my clients; can I monitor when and how he uses his SSH? I would prefer an email of his SSH session.
Regards
Chris
04-29-2005, 07:57 AM
Within that directory bfd_log will show you those who have been banned and why.
I know the secure file within that directory will show you ssh along with other accesses, not sure if that's the best way to track one particular client though.