

Hacker Activity Up

3 replies to this topic

#1 Randy


    Convert Me!

  • Moderator
  • 17,540 posts

Posted 14 April 2010 - 10:57 AM

Just a heads up from my little corner of the world.

The Internet Storm Center is still reporting a Green threat level this morning, but I've noticed a higher than normal level of root login attempts so far today. On my servers the attempts started earlier this morning around 7:20am EDT, and are still in process. And it's coming from previously hacked PCs and servers worldwide.

To give you an idea of the difference in scale, typically by this point in the day I've seen 1 or 2 root hack attempts. As of a couple of minutes ago when I last checked my servers have blocked the IPs of on average 20 or so failed root logon attempts.

Something's in the wind, not sure what it is yet though. So be vigilant!

#2 Scottie


    Psycho Mom

  • Admin
  • 6,294 posts
  • Location:Columbia, SC

Posted 14 April 2010 - 05:45 PM

Funny, I've seen that too although I didn't relate it to a worldwide increase since I've only been monitoring my own server for a few months. I've seen 5 today!

#3 Jill


    Recovering SEO

  • Admin
  • 33,244 posts

Posted 15 April 2010 - 07:52 AM

Is there anything special we need to do to protect against them getting in?

#4 Randy


    Convert Me!

  • Moderator
  • 17,540 posts

Posted 15 April 2010 - 11:47 AM

Anything you can do you should have already been doing. Namely, make sure your SSH is fairly well locked down, and your security is up to snuff. All of the normal stuff really, so when one of these happens it's simply wise to be a bit more aware.

I think I've mentioned it around here before, but I use a combination of CSF and LFD on my servers. Part of the reason I do this is that it actively looks at the MD5 sums of files that actually run the server, and sends me a notice (daily as it's normally configured) to let me know if a file has been changed. This indicates a possible hack if I haven't updated/upgraded myself, of course. And on the firewall side of things, it actively monitors things like SSH and even FTP connections. You can configure it to automatically create a Deny rule in the firewall if there are X number of failed login attempts in Y minutes. So your server doesn't sit there continuing to get hammered by the hackers using brute-force dictionary attempts. And it watches for port scans too.

In my mind this is much preferable to letting them sit there for 30 minutes or hours hammering away with hundreds or thousands of login attempts. And if I do something stupid like typing in the wrong password on the wrong server a couple of times, I just take a 10 minute break after the first couple to make sure I don't end up blocking myself.

For my servers csf/lfd is configured to be 5 failures within 5 minutes for SSH, or 10 failures in 5 minutes for FTP. Those are the default settings I believe, so nothing special on my part. Basically if someone comes by and tries to break in via either route, and they're doing it via software that just throws everything and the kitchen sink trying to find a hole, they get silently blocked in my firewall rules. Usually within seconds. And it then sends me an email to let me know what's happened.

Because I've got a pretty decent system already in place, the only change I made was to have the MD5Sum check happen more often. Just to get an earlier heads up in case someone did get in. Nobody has, knock on wood.

If you want to see what's been happening on the attempted logins side of things you can manually review the file at /var/log/secure. Or if your server is set up to gzip and rotate logs daily like mine is, you may have to gunzip and nano -w into secure.1.gz to see yesterday's activity. That should show you both SSH and FTP login attempts. Both successful and unsuccessful.

If you want to watch it actively to apply firewall blocks like my software does automatically, you can ssh in as root or admin and tail -f /var/log/secure to see what's happening in real time.

As for this latest one, it appears as if it may have been a one day event. I noticed it slowing down a bit yesterday evening and I haven't had a single break in attempt since around 2am this morning. Got a ton of them yesterday, especially during the morning and early afternoon. I haven't crunched the numbers yet, but it looks to be somewhere around 100 or so individual hack/login attempts for each server. Normally that's just a handful per day, to give you an idea of the change.
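As an added example (not code from this thread, and not CSF/LFD's own code), here is a small Python script that implements the two checks Randy describes: the "X failed logins in Y minutes from one IP" rule run over sshd lines in /var/log/secure format, printing the iptables deny rule an admin would apply, and a hash baseline that is re-checked later to report changed files. The log lines, hostnames, file names and the year 2010 used to complete the syslog timestamps are constructed assumptions; the thresholds match the defaults he quotes (5 failures in 5 minutes for SSH). The second sample IP fails slowly enough to stay under the threshold, which shows what such a rule does not catch.

```python
"""Added example: brute-force threshold detection over /var/log/secure lines
and a file-integrity baseline check. Not CSF/LFD code; sample data is constructed."""
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in RHEL/CentOS /var/log/secure format (syslog omits the year).
SAMPLE_SECURE_LOG = """\
Apr 14 07:20:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 14 07:20:03 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Apr 14 07:20:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Apr 14 07:20:06 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Apr 14 07:20:07 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Apr 14 07:20:09 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 51239 ssh2
Apr 14 07:30:00 web1 sshd[2110]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 14 07:31:00 web1 sshd[2111]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Apr 14 07:40:00 web1 sshd[2120]: Failed password for root from 198.51.100.7 port 40003 ssh2
Apr 14 07:45:30 web1 sshd[2121]: Failed password for root from 198.51.100.7 port 40004 ssh2
Apr 14 07:46:00 web1 sshd[2122]: Failed password for root from 198.51.100.7 port 40005 ssh2
Apr 14 07:46:30 web1 sshd[2123]: Failed password for root from 198.51.100.7 port 40006 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2010):
    """Yield (timestamp, user, ip) for each failed sshd password attempt.
    The year is an assumption; syslog lines do not carry one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_brute_forcers(log_text, threshold=5, window_minutes=5):
    """Sliding-window rule: {ip: time_blocked} for IPs reaching `threshold`
    failures inside any `window_minutes` span. An IP is blocked once."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    blocked = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def deny_rules(blocked):
    """The firewall deny rules an admin would apply (printed here, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


def hash_files(paths, algorithm="sha256"):
    """Baseline {path: hexdigest}. LFD uses MD5; sha256 is the default here."""
    digests = {}
    for p in paths:
        h = hashlib.new(algorithm)
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[p] = h.hexdigest()
    return digests


def changed_files(baseline, algorithm="sha256"):
    """Re-hash every baselined path; report differing or missing files."""
    changed = []
    for p, old in baseline.items():
        try:
            new = hash_files([p], algorithm)[p]
        except FileNotFoundError:
            new = None
        if new != old:
            changed.append(p)
    return sorted(changed)


def demo_integrity_check():
    """Constructed demo: baseline two temp files, tamper with one, report it."""
    d = tempfile.mkdtemp()
    try:
        paths = [os.path.join(d, name) for name in ("sshd", "login")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original binary contents\n")
        baseline = hash_files(paths)
        with open(paths[1], "ab") as f:     # simulate a trojaned binary
            f.write(b"# injected\n")
        return [os.path.basename(p) for p in changed_files(baseline)]
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for rule in deny_rules(find_brute_forcers(SAMPLE_SECURE_LOG)):
        print(rule)
    print("changed:", demo_integrity_check())
```

Two caveats a practitioner would want: whitelist your own management IP before turning any such rule into an automatic firewall block, since the lockout Randy jokes about is real, and keep the hash baseline off the host (or signed), because an intruder who already has root can rewrite both the binary and its recorded checksum.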
