  1. #1
    Senior Coder deathshadow's Avatar
    Join Date
    Feb 2016
    Location
    Keene, NH
    Posts
    2,790
    Thanks
    3
    Thanked 402 Times in 391 Posts

    Anybody else have an increase in brute force attacks?

    Between my own stuff and that of clients I currently manage 11 servers in various configurations... I'm used to reasonable amounts of ssh/ftp/smtp brute force attempts in the fail2ban logs, but the past three days it's been a roller-coaster ride of entire IP blocks from the Ukraine, Russia, and ... get this .. Seychelles. All the IP address ranges correspond not to home connections but data centers so I'm just dropping the entire 0..255 blocks with iptables, but I find it odd that multiple servers (linsux and winblows) in different data centers, with different codebases are all seeing a sudden spike from the same regions. More strange is that all the attempts seem to be going after SMTP logins as it's always postfix that F2b is logging.

    Thankfully fail2ban giving those nice timeouts drags brute-force attempts to a crawl, but not when they can throw a thousand or more IP addresses at me.

    I was almost ready to blame it on the apt-get update/upgrade I did over the weekend on my VPS until I noticed the same thing on some client's Windows hosting in RDPGuard -- including some of the same address blocks.

    "just me" or has anyone else noticed a similar upswing in failed login attempts, particularly for SMTP? I'm used to small variations but not a sudden gatling connect approach like this. My normal fail2ban log on one of my VPS is 4k a month. This was 1500k in two and a half days!
    I would rather have questions that can't be answered, than answers that can't be questioned.
    http://www.cutcodedown.com

  2. #2
    Regular Coder Strider64's Avatar
    Join Date
    Dec 2011
    Posts
    266
    Thanks
    5
    Thanked 33 Times in 33 Posts
    Brute force attacks, I have found out, are almost impossible for a small website developer to battle sometimes, for these hackers have a lot of computing power behind them. Mainly from idiots that leave their computers open to attacks.
    "A person who never made a mistake never tried anything new." ~ Albert Einstein https://www.pepster.com

  3. #3
    Senior Coder deathshadow's Avatar
    Join Date
    Feb 2016
    Location
    Keene, NH
    Posts
    2,790
    Thanks
    3
    Thanked 402 Times in 391 Posts
    Quote Originally Posted by Strider64 View Post
    Mainly from idiots that leave their computers open to attacks.
    Yeah, it's hard to fight botnets where you end up with attacks coming from otherwise legitimate home IP addy's.

    That's what's so weird about these, they're all from single address blocks that when I dox them, are all assigned to server-farms.

    When it's clearly coming from data centers, I have NO qualms about dropping the entire block. It's just weird that in total there were only five address blocks, but 200 or so IP's from each block for around a thousand individual IP's.

    Seems "all clear" now. Multiple days with only two or three fail2ban entries, and they're all postfix related. We'll see how long that lasts.
    I would rather have questions that can't be answered, than answers that can't be questioned.
    http://www.cutcodedown.com
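    A small added example (not code from the thread or from fail2ban) that does the bookkeeping deathshadow describes in #1 and #3: it reads fail2ban's own log, counts bans per jail so a postfix-only spike stands out against the monthly baseline, and groups banned hosts into /24 blocks so a handful of dense data-center ranges are visible before anyone decides on a block-level iptables drop. The sample log lines use TEST-NET addresses and are constructed; the jail names are assumptions.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Matches the "Ban" action lines fail2ban writes to its own log, e.g.
#   2016-03-01 02:11:04,112 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 203.0.113.17
# "Unban" and "Found" lines deliberately do not match.
BAN_RE = re.compile(r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def summarize_bans(lines):
    """Return (bans per jail, distinct banned IPs per /24 block)."""
    per_jail = Counter()
    ips_per_block = defaultdict(set)
    for line in lines:
        m = BAN_RE.search(line.strip())
        if not m:
            continue  # skip unbans, "Found" notices and daemon start-up noise
        per_jail[m["jail"]] += 1
        # strict=False lets a host address be folded into its /24 network
        block = ipaddress.ip_network(m["ip"] + "/24", strict=False)
        ips_per_block[block].add(m["ip"])
    return per_jail, {str(b): len(s) for b, s in ips_per_block.items()}


def dense_blocks(block_counts, min_ips=3):
    """/24 blocks with at least min_ips distinct banned hosts, densest first."""
    return sorted(((b, n) for b, n in block_counts.items() if n >= min_ips),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample log lines (TEST-NET addresses), not a real capture.
SAMPLE_LOG = """\
2016-03-01 02:11:04,112 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 203.0.113.17
2016-03-01 02:11:09,530 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 203.0.113.41
2016-03-01 02:11:15,007 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 203.0.113.203
2016-03-01 02:12:50,441 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 198.51.100.9
2016-03-01 02:13:02,918 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 198.51.100.77
2016-03-01 02:14:33,276 fail2ban.actions [881]: NOTICE [sshd] Ban 192.0.2.60
2016-03-01 02:21:04,112 fail2ban.actions [881]: NOTICE [postfix-sasl] Unban 203.0.113.17
2016-03-01 02:25:19,004 fail2ban.actions [881]: NOTICE [postfix-sasl] Ban 203.0.113.41
""".splitlines()

if __name__ == "__main__":
    jails, blocks = summarize_bans(SAMPLE_LOG)
    print("bans per jail:", dict(jails))
    for block, n in dense_blocks(blocks):
        print(f"{block}: {n} distinct banned hosts")
```

    On a live box, feed it `open("/var/log/fail2ban.log")` instead of `SAMPLE_LOG`; repeated bans of the same host count once per block, so the block density reflects distinct sources rather than retry volume.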

  4. #4
    Master Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    5,240
    Thanks
    117
    Thanked 617 Times in 603 Posts
    You've been upsetting people again lol.

  5. #5
    Master Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    5,240
    Thanks
    117
    Thanked 617 Times in 603 Posts
    Well strangely I've noticed that just lately the number of external IP addresses making contact with my locally hosted webserver on my PC has been precisely none.

    I had assumed previously that all of the bots that kept trying were a normal daily thing, but it now looks like, for whatever reason, they've entered a quiet period. All that is getting logged now are 127. localhost and 192.168.1.* addresses.

    No idea about my main website, I never bother looking at the logs much. There are no exposed links to login pages etc. and everything else goes through a central index.php file where there are plenty of precautions in place. In the last 10 years I've only had one site breached and it turned out the server was already infected from the previous version of the website when we took it over.

  6. #6
    Senior Coder deathshadow's Avatar
    Join Date
    Feb 2016
    Location
    Keene, NH
    Posts
    2,790
    Thanks
    3
    Thanked 402 Times in 391 Posts
    Quote Originally Posted by tangoforce View Post
    No idea about my main website, I never bother looking at the logs much.
    It's not a bad idea to poke your head into fail2ban's logs from time to time, just to see the failed SSH, SMTP, POP3, IMAP, and FTP attempts.... assuming you have fail2ban or something similar installed. Otherwise you have to dig into /var/log/error and that's a bit of a pig on any server with real traffic.

    Quote Originally Posted by tangoforce View Post
    There are no exposed links to login pages etc. and everything else goes through a central index.php file where there are plenty of precautions in place.
    Which isn't quite what I was referring to since that's all HTTP side. The only time I've EVER had a security issue that was HTTP related was the fault of the forum software I was running at the time (SMF)... but that's a result of my being paranoid as hell on my own code about things like scope bleed, multiple entry vectors, sanitation, and not doing things (like innerHTML) that can open the door to XSS exploits.

    Quote Originally Posted by tangoforce View Post
    In the last 10 years I've only had one site breached and it turned out the server was already infected from the previous version of the website when we took it over.
    Sadly that happens far, FAR too often. It's often hard to convince people that a hacked site may be compromised to the point of needing to take the Ellen Ripley option, and if you don't nuke it from orbit you can NEVER be sure.
    I would rather have questions that can't be answered, than answers that can't be questioned.
    http://www.cutcodedown.com
