Vps – Is it typical to get brute force attack attempts on a brand new server

brute-force-attacksvps

I recently migrated to a new host, a VPS solution. From day one, I started getting WHM/cPanel notifications of brute force attack attempts via root on the main account, 3-4 times per day. I know this is more and more typical in general, but…

My question is whether or not it's typical and/or something to be concerned about when it happens on a brand new server?

Note: I'm not asking how to defend against brute force attacks (e.g., using strong passwords and possibly removing ssh access by password authentication).

Best Answer

If a server's IP is accessible to the internet, it'll see attacks. Worms etc. crawl the publicly available IP space for victims, and on a VPS host there's a good chance your IP was another known server until recently.

Installing fail2ban or denyhosts to block brute force attempts is a pretty common step.

Related Solutions

Proving Password Security to Non-Mathematicians – Standard Methods

Using fail2ban with the iptables is a great way.

Here is the math for you:

Mixed upper and lower case alphabet and common symbols, 8 characters long, gives you 2.9 quadrillion conbinations and with 10,000 attempts a second will take 9,488 years. Thats the maximum of course - expect your password to be cracked in 4000 years. 1000 years if you're not feeling lucky.

As you can see you shouldn't have any issues if you do a 15 character password like:

dJ&3${bs2ujc"qX

Debian – Use iptables rate limiting to temporarily block FTP server brute-force attempts

iptables -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpattack --set
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix 'FTP REJECT: '
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset

these rules near or at the top of your ruleset will allow only three connections to port 21, from any given IP address, in a rolling 60-second window. To allow n, use --hitcount n+1; to use a bigger window than 60 seconds, increase --seconds 60.

Best Answer

Related Solutions

Proving Password Security to Non-Mathematicians – Standard Methods

Debian – Use iptables rate limiting to temporarily block FTP server brute-force attempts

Related Topic