amuck-landowner

Huge increase in brute force attacks?

HDPIXEL

New Member
Yep, 60% from China and 35% from the Netherlands, 146.0.0.0/16.

I have csf and mod_sec doing the heavy lifting. :)

Also, I'm working with customers to remove the user admin from all WP dbs.
 

datarealm

New Member
Verified Provider
We haven't seen much change in SSH, but WordPress has been through the roof. The biggest increase has been probes for WordPress's xmlrpc...
 

drmike

100% Tier-1 Gogent
China can die in a fire this week for me.


What are you guys using at node level to police and detect brute forces on SSH? Nice container running fail2ban saw 10k attempts in under 24 hours. Oh, the overhead.
 

DomainBop

Dormant VPSB Pathogen
China can die in a fire this week for me.


What are you guys using at node level to police and detect brute forces on SSH? Nice container running fail2ban saw 10k attempts in under 24 hours. Oh, the overhead.

Depending on the server, any or all of these:

1. change SSH ports

2. private key authentication only, disable password authentication

3. fail2ban

4. allowed list of users that can access SSH

5. restrict IPs that can access SSH (set up a VPN and only allow access to the SSH port through the VPN IPs)

6. hashlimit rules

7. dirty networks full of brute forcers, comment spammers, and other attackers are blocked in firewalls

AS36352 ColoCrossing
AS55286 B2Net Solutions (ServerMania)
AS46573 Global Frag
AS8100, AS62639, AS29761 Quadranet
AS46844 Sharktech
AS29073 Ecatel/Quasi Networks/ Novogara LTD

8. other firewall blocks of IPs used by brute forcers, attackers, and spammers:

http://www.spamhaus.org/drop/drop.lasso
http://www.spamhaus.org/drop/edrop.lasso
http://www.dshield.org/block.txt
http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
http://www.cymru.com/Documents/bogon-bn-agg.txt
http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
https://www.openbl.org/lists/base_30days.txt
http://www.autoshun.org/files/shunlist.csv
https://www.maxmind.com/en/anonymous_proxies
http://www.stopforumspam.com/downloads/listed_ip_1.zip

9. You could also set up port knocking, but it makes logins a pain in the ass, so not recommended unless you're a sadist
 
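As an added example (not code from the thread or from any poster), the script below shows how several of the measures in the list above fit together on one box: it converts a Spamhaus DROP-style blocklist (one CIDR per line, then `;` and a reference) into an `ipset restore` script for a hash:net set, prints sshd_config directives for a non-default port, key-only login and a user allow-list, and prints iptables rules that drop the blocklist set, accept SSH from a VPN network, and hashlimit new SSH connections from everyone else. The set name `dropnets`, port 2222, VPN network 10.8.0.0/24, users `alice`/`bob` and the sample list contents are all assumptions for illustration; nothing is applied, the functions only print text for review.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a Spamhaus DROP-style blocklist
# into an `ipset restore` script and emit sshd_config / iptables lines covering
# several of the measures listed above. Nothing is applied; the functions only
# print text so an admin can review it before piping it into ipset or sh.

# Constructed sample in the Spamhaus DROP text format (CIDR, then ';' and an
# SBL reference). These are RFC 5737 documentation ranges, not real entries.
SAMPLE_DROP='; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Mon, 01 Jan 2000 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
   ; comment-only line that must be skipped
not-an-address ; SBL000003
203.0.113.0/24 ; SBL000004'

# drop_to_ipset SETNAME
# Reads DROP-format text on stdin and prints `ipset restore` lines. A hash:net
# set costs one hashed lookup per packet however long the list gets, which is
# what keeps a multi-thousand-network blocklist from turning into thousands
# of iptables rules. Comments are stripped, malformed lines are discarded.
drop_to_ipset() {
    set_name=$1
    echo "create $set_name hash:net family inet -exist"
    sed -e 's/;.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' |
        sed "s/^/add $set_name /; s/\$/ -exist/"
}

# sshd_hardening PORT USER...
# Prints sshd_config directives for items 1, 2 and 4 above: non-default port,
# key-only authentication, and an explicit allow-list of users.
sshd_hardening() {
    port=$1
    shift
    printf 'Port %s\n' "$port"
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'AllowUsers %s\n' "$*"
}

# ssh_rules SETNAME PORT VPN_NET RATE
# Prints iptables rules for items 5 to 8 above: drop anything in the blocklist
# set, accept SSH from the VPN network unconditionally, then rate-limit new
# SSH connections (SYNs) per source IP for everyone else. RATE uses hashlimit
# syntax such as 3/minute; the burst lets a human fumble a few times first.
ssh_rules() {
    set_name=$1 port=$2 vpn_net=$3 rate=$4
    cat <<EOF
iptables -A INPUT -m set --match-set $set_name src -j DROP
iptables -A INPUT -p tcp --dport $port --syn -s $vpn_net -j ACCEPT
iptables -A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name ssh_$port --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst 5 -j DROP
iptables -A INPUT -p tcp --dport $port --syn -j ACCEPT
EOF
}

# Helpers that expose results for inspection (the constructed sample above is
# fed through the converter; three valid networks should survive).
sample_ipset() { printf '%s\n' "$SAMPLE_DROP" | drop_to_ipset dropnets; }
sample_ipset_count() { sample_ipset | grep -c '^add '; }

# When run directly, print everything for review. To apply for real:
#   sample_ipset | ipset restore
#   sshd_hardening 2222 alice bob >> /etc/ssh/sshd_config   (then reload sshd)
#   ssh_rules dropnets 2222 10.8.0.0/24 3/minute | sh
sample_ipset
sshd_hardening 2222 alice bob
ssh_rules dropnets 2222 10.8.0.0/24 3/minute
```

The order of the iptables rules matters: the set match comes first so blocklisted sources never reach the hashlimit table, and the VPN accept comes before the limiter so your own logins are never throttled. Keep a key-based session open while applying the sshd_config changes, since a typo in AllowUsers locks you out.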

drmike

100% Tier-1 Gogent
Issue, @DomainBop, is all of the above is really suited to a single end user, but on bare metal in a provider environment probably all of those approaches = suicide.


With flows of these attacks / attempts, the overhead on, say, iptables / ipset would really run up quickly. I saw something like 900MB of SSH attempts in under a minute.
 