Server with "infected" ip address?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • EukerVoorn
    So Fucking Banned
    • Aug 2011
    • 1423

    #1

    Server with "infected" ip address?

    Got a new dedicated server, with cPanel and cPHulk Brute Force Protection. Immediately after the server was connected to the web at the hosting provider I started getting these messages at least 10 times a day:

    Large Number of Failed Login Attempts from IP *

    Does this mean they gave the server an IP address that has been used for a long time before and apparently is on some list of easy hackable servers or proxies or does it mean that these hackers are just randomly trying to hack into servers?

    I have another server with another hosting provider and not getting any cPHulk warnings from there.

    The problem is that during these attacks I can't login on my server myself and I can't whitelist my ip in cPHulk because I don't have a static ip or even ip range.
  • drmadcat
    Confirmed User
    • Jun 2011
    • 2024

    #2
    dont use host gator
    asiamoviepass.com

    Comment

    • EddyTheDog
      Just Doing My Own Thing
      • Jan 2011
      • 25433

      #3
      I am sure you will get much better ideas, but here is my 2cents.

      Buy a cheap VPN - I had to do it the other day and hidemyass.com worked ok - That should at least give an IP range so you can whitelist it and see what the fuck is happening...

      Or, and I think this best, ask your host to sort it out or at least allocate a new IP.

      Comment

      • BIGTYMER
        Junior Achiever
        • Nov 2004
        • 17066

        #4
        Don't worry about it. They are mostly just bots searching the web for easy targets. I get these messages almost daily.

        Comment

        • BIGTYMER
          Junior Achiever
          • Nov 2004
          • 17066

          #5
          Just saw the last part of your message. I haven't been locked out so I'm not sure what you should do.

          Comment

          • TheSquealer
            Mayor of Thneedville
            • Oct 2004
            • 26181

            #6
            You're Paul Markhams new friend. You should know by now that only he has the correct answers to the difficult questions.
            .
            Yes, fewer illegal immigrants working equates to more job opportunities for American citizens.

            Rochard

            Comment

            • raymor
              Confirmed User
              • Oct 2002
              • 3745

              #7
              Servers at large provides that sell cookie cutter servers to DIY webmasters are common targets because the bad guys know that IP range has tons of servers that lack a qualified sysadmin. They know that the typical webmaster lacks the skills and motivation to do even significant hardening. New severs are particularly attractive because the default configuration is known and often includes weaknesses like default or empty passwords, php running suexec, etc.

              Cphulk monitors several different daemons. Which are you getting a lot of notices for? Turn off any archives that you aren't using. For example, turn off pop3 if you aren't using your server to receive mail.

              For services other than smtp and http, you can switch them to use a port other than the default and that will greatly reduce brute force attacks.
              Last edited by raymor; 09-24-2011, 06:48 PM.
              For historical display only. This information is not current:
              support@bettercgi.com ICQ 7208627
              Strongbox - The next generation in site security
              Throttlebox - The next generation in bandwidth control
              Clonebox - Backup and disaster recovery on steroids

              Comment

              • BIGTYMER
                Junior Achiever
                • Nov 2004
                • 17066

                #8
                Yep. When I changed my SSH port I saw a 95% reduction.

                Comment

                • AdultKing
                  Raise Your Weapon
                  • Jun 2003
                  • 15601

                  #9
                  automated break in attempts happen all the time, just turn email notifications off.

                  Comment

                  • leg4
                    Confirmed User
                    • May 2003
                    • 4429

                    #10
                    Msg me privately....My lil Nephew is a level4 Admin at GatorHoster.
                    >>> Contact me here

                    email me here

                    Comment

                    • sandman!
                      Icq: 14420613
                      • Mar 2001
                      • 15431

                      #11
                      lolololz
                      Need WebHosting ? Email me for some great deals [email protected]

                      Comment

                      • EukerVoorn
                        So Fucking Banned
                        • Aug 2011
                        • 1423

                        #12
                        Originally posted by AdultKing
                        automated break in attempts happen all the time, just turn email notifications off.
                        Like I said I also have a dedicated server at another location and not getting notifications for that one. I just checked, cPHulkd notifications is set on high priority.

                        What Raymor writes makes sense though, this is a self managed dedicated server in the biggest datacenter in Holland so it's part of a huge range of ip addresses connected to servers.

                        I already planned to have a sys admin finetune and secure my servers, he'll start this week, after that I will turn notifications off and turn notification of succesful log-ins on, just in case, and I'll change the root password from 12345 into something more difficult

                        Thanks for the help dudes, it's great to be on this site.

                        Comment

                        Working...