Centos – How to combat all of these brute force attacks

Tags: brute-force-attacks, centos

I have 3 dedicated servers, all running CentOS that are physically located in Canada.

On the newest server, cPHulk started detecting (and blacklisting) failed login attempts. It started the day that the server was put online. Since then, I get 15-30 emails daily from cPHulk letting me know that there has been a "large number of failed login attempts".

I noticed that all of the attempts were coming from China, so I installed csf and blocked China entirely. A couple of days later, the attacks were back but from different countries. So far I've blocked four countries out of desperation, but I know that it's not a legitimate fix. Now they're coming from countries that I cannot afford to block because I can expect legitimate traffic from those countries.

I am also getting attacks from IPs that don't seem to be associated with a country, like in this screenshot:

http://i.imgur.com/LN6qmfK.png

I am not worried that they'll be able to guess the password since the password I use is very strong.

So my questions are, why are they targeting my server and how did they find it so quickly? How can I mitigate these login attempts without blocking entire countries? And where is that IP from in the screenshot? My only guess is that somehow I've been assigned an IP with a terrible reputation, but my server admin experience and knowledge is a bit limited so I don't even know the plausibility of that.

Best Answer

Like Michael Hampton said, They [TM] do this to everyone. Their scripts have detected an IP address listening on a port and they're throwing usernames and passwords at it to see if anything sticks. This is a map of live attacks.

If the emails bother you, you can instead whitelist allowed login IPs and have it email you when someone logs in from a site that's not on the whitelist.

As for the IP in the screenshot, 0.42.0.0:

The address 0.0.0.0 may only be used as the address of an outgoing packet when a computer is learning which IP address it should use. It is never used as a destination address. Addresses starting with "0." are sometimes used for broadcasts to directly connected devices.

If you see addresses starting with a "0." in logs they are probably in use on your network, which might be as small as a computer connected to a home gateway.

This block was assigned by the IETF, the organization that develops Internet protocols, in the Standard document, RFC 1122, and is further documented in the Best Current Practice document RFC 6890. IANA is listed as the registrant to make it clear that this network is not assigned to any single organization.

These documents can be found at: http://datatracker.ietf.org/doc/rfc1122 http://datatracker.ietf.org/doc/rfc6890
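The answer suggests two things: alert only on logins from addresses outside an allowlist, and treat a "0." source such as 0.42.0.0 as special-purpose space rather than as a country. The following script is an added example (not from the answerer or from cPHulk/csf) that does both over sshd log lines. It assumes the standard OpenSSH "Accepted ..."/"Failed ..." log format; the log lines and the allowlist range are constructed, using only documentation and special-purpose addresses, and the special-purpose table is the IPv4 registry tabulated in RFC 6890, which the answer cites.

```python
"""Flag successful SSH logins from addresses not on an allowlist and
annotate source addresses that fall in IANA special-purpose space."""
import ipaddress
import re

# IPv4 special-purpose blocks as tabulated in RFC 6890 (cited in the answer).
# 0.0.0.0/8 is "this host on this network" from RFC 1122.
SPECIAL_PURPOSE = [
    (ipaddress.ip_network(n), desc) for n, desc in [
        ("0.0.0.0/8", "this host on this network (RFC 1122)"),
        ("10.0.0.0/8", "private-use (RFC 1918)"),
        ("100.64.0.0/10", "shared address space (RFC 6598)"),
        ("127.0.0.0/8", "loopback (RFC 1122)"),
        ("169.254.0.0/16", "link local (RFC 3927)"),
        ("172.16.0.0/12", "private-use (RFC 1918)"),
        ("192.0.0.0/24", "IETF protocol assignments (RFC 6890)"),
        ("192.0.2.0/24", "documentation TEST-NET-1 (RFC 5737)"),
        ("192.88.99.0/24", "6to4 relay anycast (RFC 3068)"),
        ("192.168.0.0/16", "private-use (RFC 1918)"),
        ("198.18.0.0/15", "benchmarking (RFC 2544)"),
        ("198.51.100.0/24", "documentation TEST-NET-2 (RFC 5737)"),
        ("203.0.113.0/24", "documentation TEST-NET-3 (RFC 5737)"),
        ("240.0.0.0/4", "reserved (RFC 1112)"),
        ("255.255.255.255/32", "limited broadcast (RFC 919)"),
    ]
]

# Matches the two sshd outcomes we care about, with or without "invalid user".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def special_purpose_label(ip):
    """Name the RFC 6890 block containing ip, or None if it is ordinary unicast."""
    addr = ipaddress.ip_address(ip)
    for net, desc in SPECIAL_PURPOSE:
        if addr in net:
            return desc
    return None


def classify_source(ip, allowlist):
    """Classify a source address as allowlisted, special-purpose, or public."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(a) for a in allowlist):
        return "allowlisted"
    label = special_purpose_label(ip)
    return f"special-purpose: {label}" if label else "public"


def find_alerts(lines, allowlist):
    """Return one alert per successful login whose source is not allowlisted.

    Failed attempts are deliberately ignored: that is the noise the question
    complains about. Only a success from an unexpected address is worth mail.
    """
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["outcome"] != "Accepted":
            continue
        verdict = classify_source(rec["ip"], allowlist)
        if verdict != "allowlisted":
            alerts.append(f"login by {rec['user']} from {rec['ip']} ({verdict})")
    return alerts


# Constructed sample log lines; all addresses are documentation/special ranges.
SAMPLE_LOG = [
    "Jan 10 08:01:02 web1 sshd[2101]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2",
    "Jan 10 08:01:09 web1 sshd[2107]: Failed password for root from 0.42.0.0 port 41022 ssh2",
    "Jan 10 08:01:10 web1 sshd[2108]: Failed password for invalid user oracle from 192.0.2.55 port 41023 ssh2",
    "Jan 10 08:02:31 web1 sshd[2120]: Accepted password for admin from 192.0.2.55 port 41100 ssh2",
    "Jan 10 08:02:40 web1 cron[2130]: (root) CMD (run-parts /etc/cron.hourly)",
]
ALLOWLIST = ["198.51.100.0/28"]  # constructed: the admin's own office range

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, ALLOWLIST):
        print("ALERT:", alert)
    print("0.42.0.0 ->", classify_source("0.42.0.0", ALLOWLIST))
```

Run against `/var/log/secure` on CentOS (`find_alerts(open("/var/log/secure"), ALLOWLIST)`) and pipe the result to `mail` from cron, and the daily flood of "failed login" notices is replaced by a message only when a login actually succeeds from somewhere unexpected. The classification also shows why 0.42.0.0 has no country: it sits in a block that no registry hands out to anyone.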
