  Post #1 (permalink)   11-30-2008, 06:03 AM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
We have had the logs through on several occasions from cPanel (logwatch) that tell us we have over 2000 'Unknown' failed logins.

Is someone attempting to hack our server? I shall post the worrying part of that email below and see if anyone here can let us know what to do about it or if we are worrying about nothing?

Regards

Matt

--------------------- SSHD Begin ------------------------


Failed logins from:
60.220.218.88: 2750 times
203.114.112.99 (203-114-112-99.totisp.net): 32 times

Illegal users from:
60.220.218.88: 6470 times


Received disconnect:
11: Bye Bye : 9252 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user subhadeep : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user danna : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dchakrabarti : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user space : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user diablo : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user boris : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user paradise : 11 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cmcoperator : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user craig : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usr : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sacvishal : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user magdalena : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user 123 : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jyotprasaddeka : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ihqmoddnom : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user hom : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user simbol : 10 time(s)


Cont.
__________________
Online Hosting and Webdesign solutions with a reliability and price you will like..
Shared / Reseller / Master Reseller Accounts / Web Design / Licensing
www.ACE4SPACE.com
 
 
 


  Post #2 (permalink)   11-30-2008, 06:04 AM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
Cont.

......................blah blah blah..

pam_succeed_if(sshd:auth): error retrieving information about user account : 150 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user invitado : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sitymoon : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ls : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user drcababu : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pt : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user hrhatwar : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fong : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user susanty : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user baluchandran : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user benliu : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user Terminator : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oscar : 20 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user doolph : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user xl : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user wirote : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user discovery : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user syamsankar : 20 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lol : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gomsluft : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user abcd : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user logic : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user yearaj : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user abril : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user install : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gwaliormet : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user suprin : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user kcc : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user download : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vkdadhwal : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user spam : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user blmadhavan : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user porno : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user karmegam : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user word : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dwi : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ray : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sample : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ripals : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pink : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user joao : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user megamax : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jvsubbarao : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user abby : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user selva : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user elaine : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sasha : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rameshkumar : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tarendra : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user flo : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user de : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rajasekharmeka : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sumitkumar : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user erin : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user helen : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vkgarg : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rksarangi : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user denis : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user radhika : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user venice : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user yakuza : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user manager01 : 20 time(s)

---------------------- SSHD End -------------------------

I left out over 2/3 of the entries!
 
 
 


  Post #3 (permalink)   11-30-2008, 07:31 AM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
I would still like an explanation of the above; however, we have taken the following action:

http://www.ace4space.com/clients/ann...wnews&newsid=1

Hope this helps anyone with the same problem when using cPanel/WHM
 
 
 


  Post #4 (permalink)   11-30-2008, 09:00 PM
HD Wizard
 
Join Date: Feb 2007
Location: IL
Posts: 1,398

Status: romes is offline
Looks like someone wants to get in bad. Got any enemies?
__________________
RomesBlog.net | Xbox 360 Gaming Articles, Add-ons, New Releases and Much More!
GMNetworks | Quality Service | Quality Support | Friendly Staff | Much More!
 
 
 


  Post #5 (permalink)   12-01-2008, 12:57 AM
HD Amateur
 
Join Date: Oct 2008
Posts: 66

Status: hzSari is offline
It does seem like someone is brute-forcing the server. If you have BFD installed, it should have tried to block the IP. If you can get hold of the IP in this case, maybe you should add it to your firewall to block it.
__________________
hzSari | HostingZoom.com
ModVPS.com | ResellerZoom.com
Power Speed Reliability
 
 
 


  Post #6 (permalink)   12-01-2008, 02:03 AM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
Quote:
Originally Posted by hzSari
It does seem like someone is brute-forcing the server. If you have BFD installed, it should have tried to block the IP. If you can get hold of the IP in this case, maybe you should add it to your firewall to block it.

I have added the IP; it is in China!

I have also created authentication keys for ssh and removed the password option!

Lo and behold, today the logwatch states a reduction in attempts, with all attempts by the said IP being failed!

NICE! I wish people hacking like this would just crawl away somewhere quiet and die!
 
 
 


  Post #7 (permalink)   12-04-2008, 12:46 AM
HD Amateur
 
Join Date: Oct 2008
Posts: 66

Status: hzSari is offline
Glad to know you sorted it out, Matt.
 
 
 


  Post #8 (permalink)   12-04-2008, 03:40 AM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
So am I - hope this advice helps someone else!

Regards
 
 
 


  Post #9 (permalink)   12-08-2008, 02:07 PM
HD Addict
 
Join Date: Mar 2007
Location: Houston, TX
Posts: 153

Status: LaneHost is offline
Good thing to hear you are on top of it!

Hacking attempts are sadly becoming common and these threads are always a good reminder to keep a close eye on your servers. A server is only secure at its weakest link.
__________________
LaneHost Solutions, Inc. | Professional Web Hosting Solutions
Affordable Shared Hosting, Reseller Hosting & Dedicated Servers at Great Prices!
Complete Solution To Affordable Reseller Web Hosting

Follow us on Twitter! | The LaneHost Blog | LaneHost Forums
 
 
 


  Post #10 (permalink)   12-12-2008, 01:16 PM
VPS Wizard
 
Join Date: Sep 2008
Posts: 55

Status: Digitallinx is offline
You might want to consider using a different port for sshd by editing /etc/init.d/sshd_config Port variable.
__________________
VPS Hosting
VPS Affiliate Program 110% Commission
New VPS reseller program available
The opinions expressed on this site are my own and do not necessarily represent those of my employer
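
Added example, not part of the thread: a check that a server's sshd_config text really has password logins switched off and which port it listens on, the two changes discussed in posts #6 and #10. It goes slightly beyond the thread by also flagging PAM keyboard-interactive logins and Match-block overrides; the sample config is constructed.

```python
# Constructed sshd_config text (not the thread's server): the password option
# is off, but a later duplicate, PAM and a Match block are also present.
SAMPLE_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return (global settings as sshd reads them, keywords set in Match blocks)."""
    settings, overrides, in_match = {}, [], False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords ignore case
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # stays in effect until the next Match or end of file
        elif in_match:
            overrides.append((key, value))
        elif key == "port":
            settings.setdefault("port", []).append(value)  # Port may be repeated
        else:
            settings.setdefault(key, value)  # otherwise the first value wins
    return settings, overrides

def audit(config_text):
    """List remaining password-style login paths and the listening ports."""
    s, overrides = effective_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":      # default is yes
        findings.append("PasswordAuthentication is on")
    if s.get("kbdinteractiveauthentication", "yes") != "no" and s.get("usepam", "no") == "yes":
        findings.append("keyboard-interactive via PAM can still ask for a password")
    if any(k == "passwordauthentication" and v != "no" for k, v in overrides):
        findings.append("a Match block turns PasswordAuthentication back on")
    return {"ports": s.get("port", ["22"]), "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

An empty findings list means neither password nor PAM keyboard-interactive logins remain enabled in the text that was checked.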
 
 
 


  Post #11 (permalink)   12-14-2008, 12:33 PM
HD Community Advisor
 
Join Date: Mar 2005
Location: Omaha, NE
Posts: 1,853

Status: handsonhosting is online now
If you're using WHM and cPanel, load up CSF rather than APF and BFD - it's a MUCH better program!

As for the logs, it looks like someone is trying to hit your site hard; however, the bigger concern is the usernames in that list. Are they the usernames from your server? If so, how did they get a complete list of your users on the server? It would seem like your passwd file or group file has been exposed somewhere.
 
 
 


  Post #12 (permalink)   12-14-2008, 09:29 PM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
Quote:
Originally Posted by handsonhosting
If you're using WHM and cPanel, load up CSF rather than APF and BFD - it's a MUCH better program!

As for the logs, it looks like someone is trying to hit your site hard; however, the bigger concern is the usernames in that list. Are they the usernames from your server? If so, how did they get a complete list of your users on the server? It would seem like your passwd file or group file has been exposed somewhere.

No, it was a form of brute force. I don't have any of those users on my server - they are random names ...
 
 
 


  Post #13 (permalink)   12-14-2008, 10:51 PM
HD Community Advisor
 
Join Date: Mar 2005
Location: Omaha, NE
Posts: 1,853

Status: handsonhosting is online now
Well at least that's some good out of the deal.
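
Added example, not part of the thread: a parser for the logwatch SSHD section posted in #1 and #2 that totals attempts per source IP and cross-checks the guessed usernames against the local accounts, the question raised in post #11. The report and passwd text are constructed samples, and the threshold of 100 attempts is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of the logwatch SSHD section quoted in
# posts #1 and #2 (documentation-range IPs, invented counts and names).
SAMPLE_REPORT = """\
Failed logins from:
   198.51.100.7: 2750 times
   203.0.113.9 (host9.example.net): 32 times

Illegal users from:
   198.51.100.7: 6470 times

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oscar : 20 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 10 time(s)
"""
# Constructed passwd-format text standing in for the server's own account list.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nacmeweb:x:500:500::/home/acmeweb:/bin/bash\n"

IP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?: \(\S+\))?: (\d+) times?\s*$")
PAM_LINE = re.compile(r"about user (\S+) : (\d+) time\(s\)\s*$")

def parse_sshd_section(report):
    """Return (attempts per source IP, attempts per guessed username)."""
    per_ip, per_user = Counter(), Counter()
    for line in report.splitlines():
        ip, name = IP_LINE.match(line), PAM_LINE.search(line)
        if ip:      # sums the IP's counts from every list it appears in
            per_ip[ip.group(1)] += int(ip.group(2))
        elif name:
            per_user[name.group(1)] += int(name.group(2))
    return per_ip, per_user

def triage(report, passwd_text, block_threshold=100):
    """Block candidates by volume, plus guessed names that are real local accounts."""
    per_ip, per_user = parse_sshd_section(report)
    local = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}
    return {
        "block_candidates": sorted(ip for ip, n in per_ip.items() if n >= block_threshold),
        "attempts_by_ip": dict(per_ip),
        "distinct_guessed_names": len(per_user),
        "guessed_names_that_exist": sorted(set(per_user) & local),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT, SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

An empty `guessed_names_that_exist` list is consistent with dictionary guessing, as described in post #12; a non-empty one would point to the account list having leaked.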
 
 
 


  Post #14 (permalink)   12-16-2008, 07:51 AM
HD Addict
 
Join Date: Dec 2008
Location: Florida,Tampa
Posts: 101

Status: HivelocityLB is offline
Glad to know this issue has been ironed out.
__________________
Dedicated Servers - sales@hivelocity.net - 1-888-869-HOST(4678)
Viva Hivelocity "THE SERVER STUD" - Award Winning Hosting
Managed Dedicated Servers. Reseller Discounts. 24/7 Impressive Tech Support.
 
 
 


  Post #15 (permalink)   12-19-2008, 04:21 AM
HD Addict
 
Join Date: Sep 2008
Posts: 144

Status: mfwl is offline
Is there a way of protecting POP3 from being brute forced? It seems that now SSH is locked down they are attempting to bruteforce the POP3 logins with random users@ace4space.com