  1. #1 deathshadow (Senior Coder, Keene, NH, joined Feb 2016)

    Anybody else have an increase in brute force attacks?

    Between my own stuff and that of clients I currently manage 11 servers in various configurations... I'm used to reasonable amounts of ssh/ftp/smtp brute force attempts in the fail2ban logs, but the past three days it's been a roller-coaster ride of entire IP blocks from the Ukraine, Russia, and ... get this .. Seychelles. All the IP address ranges correspond not to home connections but data centers so I'm just dropping the entire 0..255 blocks with iptables, but I find it odd that multiple servers (linsux and winblows) in different data centers, with different codebases are all seeing a sudden spike from the same regions. More strange is that all the attempts seem to be going after SMTP logins as it's always postfix that F2b is logging.

    Thankfully fail2ban giving those nice timeouts drags brute-force attempts to a crawl, but not when they can throw a thousand or more IP addresses at me.

    I was almost ready to blame it on the apt-get update/upgrade I did over the weekend on my VPS until I noticed the same thing on some client's Windows hosting in RDPGuard -- including some of the same address blocks.

    "just me" or has anyone else noticed a similar upswing in failed login attempts, particularly for SMTP? I'm used to small variations but not a sudden gatling connect approach like this. My normal fail2ban log on one of my VPS is 4k a month. This was 1500k in two and a half days!
    I would rather have questions that can't be answered, than answers that can't be questioned.
    http://www.cutcodedown.com

  2. #2 Strider64 (Regular Coder, joined Dec 2011)
    Brute force attacks, I have found out, are almost impossible for a small website developer to battle sometimes, for these hackers have a lot of computing power behind them. Mainly from idiots that leave their computers open to attacks.
    "A person who never made a mistake never tried anything new." ~ Albert Einstein https://www.pepster.com

  3. #3 deathshadow (Senior Coder, Keene, NH)
    Quote Originally Posted by Strider64:
    Mainly from idiots that leave their computers open to attacks.

    Yeah, it's hard to fight botnets where you end up with attacks coming from otherwise legitimate home IP addys.

    That's what's so weird about these, they're all from single address blocks that when I dox them, are all assigned to server-farms.

    When it's clearly coming from data centers, I have NO qualms about dropping the entire block. It's just weird that in total there were only five address blocks, but 200 or so IP's from each block for around a thousand individual IP's.

    Seems "all clear" now. Multiple days with only two or three fail2ban entries, and they're all postfix related. We'll see how long that lasts.
    I would rather have questions that can't be answered, than answers that can't be questioned.
    http://www.cutcodedown.com
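    The triage described in posts #1 and #3 (reading fail2ban's ban lines, confirming that it is all the postfix jail, grouping the banned hosts into 0..255 blocks, and dropping the whole block with iptables once a block has contributed many distinct attackers) written out as an added Python example. This is not code from the thread or from fail2ban. It assumes the ban lines look like fail2ban's default "[jail] Ban a.b.c.d" entries, the sample log is constructed from TEST-NET addresses, and the script only prints the iptables commands; it never runs them, and the whois check on the block's owner is still the operator's job.

```python
"""Aggregate fail2ban bans into address blocks and emit block-level DROP rules.

Added example, not from the thread: find blocks that contributed many distinct
attacking hosts and print iptables rules that drop the entire block.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Matches "[jail] Ban a.b.c.d" as written to fail2ban.log. "Unban" lines do
# not match because the closing bracket must be followed directly by "Ban".
BAN_RE = re.compile(r"\]\s+Ban\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
JAIL_RE = re.compile(r"\[(?P<jail>[\w-]+)\]\s+Ban\s")

# Constructed sample log (TEST-NET addresses, not real attackers); the
# timestamp/pid/level fields approximate fail2ban's default layout.
SAMPLE_LOG = """\
2016-03-14 02:11:07,412 fail2ban.actions [1234]: NOTICE [postfix] Ban 203.0.113.17
2016-03-14 02:11:09,001 fail2ban.actions [1234]: NOTICE [postfix] Ban 203.0.113.18
2016-03-14 02:11:12,550 fail2ban.actions [1234]: NOTICE [postfix] Ban 203.0.113.19
2016-03-14 02:11:15,220 fail2ban.actions [1234]: NOTICE [postfix] Ban 203.0.113.20
2016-03-14 02:12:40,903 fail2ban.actions [1234]: NOTICE [postfix] Ban 198.51.100.5
2016-03-14 02:13:02,119 fail2ban.actions [1234]: NOTICE [postfix] Ban 198.51.100.6
2016-03-14 02:13:02,119 fail2ban.actions [1234]: NOTICE [postfix] Ban 198.51.100.6
2016-03-14 02:14:21,777 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.44
2016-03-14 02:15:33,008 fail2ban.actions [1234]: NOTICE [postfix] Unban 203.0.113.17
"""


def parse_bans(log_text):
    """Return a list of (jail, ip) for every Ban line; Unban lines are skipped."""
    bans = []
    for line in log_text.splitlines():
        ip_match = BAN_RE.search(line)
        jail_match = JAIL_RE.search(line)
        if ip_match and jail_match:
            bans.append((jail_match.group("jail"), ip_match.group("ip")))
    return bans


def jail_breakdown(bans):
    """How many bans each jail produced (the 'is it all postfix?' check)."""
    return Counter(jail for jail, _ip in bans)


def group_by_block(bans, prefix=24):
    """Map each /prefix block to the set of distinct banned hosts inside it.

    prefix=24 is the '0..255 block' from the posts; prefix=16 widens it to
    the whole /16 when an operator has already confirmed the allocation.
    """
    blocks = defaultdict(set)
    for _jail, ip in bans:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[net].add(ipaddress.ip_address(ip))
    return blocks


def suspicious_blocks(blocks, min_hosts):
    """Blocks with at least min_hosts distinct banned addresses, busiest first.

    Counting distinct hosts rather than raw bans is what separates 'one
    noisy box' from 'a whole data-centre range' without inflating repeats.
    """
    hits = [(net, len(hosts)) for net, hosts in blocks.items() if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def drop_rules(nets, chain="INPUT"):
    """iptables commands that drop the whole block; -I puts them at the top."""
    return [f"iptables -I {chain} -s {net.with_prefixlen} -j DROP" for net in nets]


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    print("bans per jail:", dict(jail_breakdown(bans)))
    hot = suspicious_blocks(group_by_block(bans), min_hosts=3)
    for net, count in hot:
        print(f"{net}: {count} distinct banned hosts")
    for rule in drop_rules(net for net, _ in hot):
        print(rule)
```

    Run it against a real fail2ban.log by replacing SAMPLE_LOG with the file's contents; the threshold is the only tuning knob, and a block should only make the list after a whois lookup confirms it belongs to a hosting provider rather than a residential ISP, since dropping a /24 of home connections also drops their legitimate mail. With a thousand or more offending addresses, an ipset ("ipset create badblocks hash:net", then one "-m set --match-set badblocks src -j DROP" rule) scales better than a thousand individual iptables rules, but the block-level rules printed here are what the posts describe.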

  4. #4 (Master Coder, joined Feb 2011)
    You've been upsetting people again lol.