Constant SSH Login Tries From Numerous IP Addresses (bots)
Apr 26, 2008
I have a dedicated RHEL server with cPanel and my server loads spikes about +0.4 (out of 2.0) for about 30 mins every 4-6 hours or so. My regular server load is 0.01, because there is barely any traffic on the server yet, but by looking at my top processes in WHM, I can see that the processes that are spiking the Server Load when it is high, is something like:
sshd: [priv] root
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
sshd: [priv] games
sshd: [priv] news
sshd: [priv] root
sshd: [priv] root
sshd: [accepted]
...something along these lines. And a lot of times there are 10-20 of these sshd processes at one time.
My server is managed and my dedicated server engineer said it was probably a bot trying passwords. He took one of the IP's, said it was from Taiwan, and blocked that IP in iptables.
However, this is still happening constantly with different IP's. Is there a way to prevent this from happening? I'm the only person (and my host) who should be able to login to my server using SSH... however, I don't have a static IP and I work from multiple locations, so only allowing certain IP's won't work for me.
First off, is this normal? Or am I being attacked or what? What can I do to remedy this? It seems the bots haven't successfully logged in, but they are spiking my server load which is NOT what I want.
View 8 Replies
ADVERTISEMENT
Nov 26, 2008
I keep seeing sa login failure on Event viewer Application log for MS SQL 2005. I'm tired of blocking off the failed attempt ip. A huge portion of them seem to come from China and Estern Euro. Should i just block off those region? Is there a better way for securing SQL2005?
View 1 Replies
View Related
Apr 19, 2007
I took the 1st one this morning and the 2nd one few hours later. It was filling up my vpss numtcpsock, which slowed down my vps dramtically. Any tips or suggestions? Is there a way to lower the number of numtcpsocks
early morning
Quote:
CLOSE_WAIT
tcp 886 0 74.208.69.213:80 124.43.222.202:2701 CLOSE_WAIT
tcp 886 0 74.208.69.213:80 124.43.222.202:2702 CLOSE_WAIT
tcp 893 0 74.208.69.213:80 124.43.222.202:2703 ESTABLISHED
tcp 0 11950 74.208.69.213:80 58.62.96.22:11072 CLOSE_WAIT
tcp 886 0 74.208.69.213:80 124.43.222.202:2696 CLOSE_WAIT
tcp 0 11950 74.208.69.213:80 58.62.96.22:11073 CLOSE_WAIT
tcp 886 0 74.208.69.213:80 124.43.222.202:2697 CLOSE_WAIT
tcp 292 0 74.208.69.213:80 74.6.72.244:47500 ESTABLISHED
tcp 894 0 74.208.69.213:80 124.43.222.202:2698 CLOSE_WAIT
tcp 892 0 74.208.69.213:80 124.43.222.202:2699 CLOSE_WAIT
tcp 853 0 74.208.69.213:80 87.52.47.152:4663 ESTABLISHED
tcp 393 0 74.208.69.213:80 58.62.96.22:11084 CLOSE_WAIT
tcp 0 0 74.208.69.213:80 85.160.18.247:1598 FIN_WAIT2
tcp 0 11950 74.208.69.213:80 58.62.96.22:11020 LAST_ACK
tcp 0 11855 74.208.69.213:80 222.170.151.73:32432 FIN_WAIT1
tcp 394 0 74.208.69.213:80 58.62.96.22:11085 CLOSE_WAIT
tcp 953 0 74.208.69.213:80 84.144.97.34:61014 ESTABLISHED
tcp 0 52 74.208.69.213:22 74.103.175.48:63101 ESTABLISHED
tcp 951 0 74.208.69.213:80 84.144.97.34:61013 ESTABLISHED
tcp 0 0 74.208.69.213:80 213.6.220.1:46493 TIME_WAIT
tcp 0 11951 74.208.69.213:80 58.62.96.22:11022 LAST_ACK
tcp 0 11978 74.208.69.213:80 124.43.222.202:2694 CLOSE_WAIT
tcp 0 11951 74.208.69.213:80 58.62.96.22:11023 LAST_ACK
tcp 0 11980 74.208.69.213:80 124.43.222.202:2695 CLOSE_WAIT
tcp 394 0 74.208.69.213:80 58.62.96.22:11080 CLOSE_WAIT
tcp 244 0 74.208.69.213:80 86.27.108.29:1643 ESTABLISHED
tcp 394 0 74.208.69.213:80 58.62.96.22:11082 CLOSE_WAIT
tcp 0 11855 74.208.69.213:80 222.170.151.73:18295 FIN_WAIT1
tcp 0 11855 74.208.69.213:80 222.170.151.73:33719 FIN_WAIT1
tcp 1179 0 74.208.69.213:80 85.160.18.247:1606 ESTABLISHED
tcp 0 11854 74.208.69.213:80 222.170.151.73:31560 ESTABLISHED
tcp 0 11950 74.208.69.213:80 58.62.96.22:10996 LAST_ACK
tcp 0 11855 74.208.69.213:80 222.170.151.73:32073 FIN_WAIT1
tcp 0 11855 74.208.69.213:80 222.170.151.73:32075
few hors later:
Quote:
tcp 0 0 74.208.69.213:80 124.43.212.78:3676 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3696 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3737 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3731 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3735 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3723 SYN_RECV
tcp 0 0 74.208.69.213:80 217.77.17.186:1959 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3691 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3671 SYN_RECV
tcp 0 0 74.208.69.213:80 88.102.18.14:3628 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3747 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3757 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3754 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3761 SYN_RECV
tcp 0 0 74.208.69.213:80 201.27.210.29:2540 SYN_RECV
tcp 0 0 74.208.69.213:80 213.216.199.14:37692 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3753 SYN_RECV
tcp 0 0 74.208.69.213:80 72.14.199.72:40365 SYN_RECV
tcp 0 0 74.208.69.213:80 88.146.161.248:19475 SYN_RECV
tcp 0 0 74.208.69.213:80 81.193.196.132:2482 SYN_RECV
tcp 0 0 74.208.69.213:80 82.229.95.240:3246 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3743 SYN_RECV
tcp 0 0 74.208.69.213:80 124.43.212.78:3695 SYN_RECV
tcp 0 23232 74.208.69.213:80 124.43.212.78:3501 ESTABLISHED
tcp 887 0 74.208.69.213:80 124.43.212.78:3693 ESTABLISHED
tcp 897 0 74.208.69.213:80 124.43.212.78:3629 CLOSE_WAIT
tcp 0 11616 74.208.69.213:80 124.43.212.78:3500 ESTABLISHED
tcp 792 0 74.208.69.213:80 124.43.212.78:3628 CLOSE_WAIT
tcp 891 0 74.208.69.213:80 124.43.212.78:3631 CLOSE_WAIT
tcp 890 0 74.208.69.213:80 124.43.212.78:3694 ESTABLISHED
tcp 886 0 74.208.69.213:80 124.43.212.78:3630 CLOSE_WAIT
tcp 800 0 74.208.69.213:80 124.43.212.78:3625 CLOSE_WAIT
tcp 891 0 74.208.69.213:80 124.43.212.78:3624 CLOSE_WAIT
tcp 0 39204 74.208.69.213:80 124.43.212.78:3499 ESTABLISHED
tcp 895 0 74.208.69.213:80 124.43.212.78:3627 CLOSE_WAIT
tcp 0 49173 74.208.69.213:80 124.43.212.78:3562 ESTABLISHED
View 7 Replies
View Related
Nov 14, 2008
I would like to ask about the best system or software code used to stop bots and offline down loaders from entering website.
View 2 Replies
View Related
Mar 18, 2008
Simple web site:
www.oldWithoutMoney.com
Implemented WordPress a little while ago via cPanel's Fantastico widget -- vanilla implementation.
Just about every day, I get spam comments in the blog's Inbox for moderation.
Was wondering if folks had general tips on how to prevent or minimize this sort of nuisance and make the blog less bot-accessible, and/or where I might read up on ways to do so.
View 5 Replies
View Related
Mar 16, 2008
Most of them are from Google and Yahoo...
Server is being heavily loaded beause of this.
I guess blocking crawlers is not the most brilliant
View 6 Replies
View Related
Feb 19, 2008
I just received two complaints that my server (71.6.197.244) is trying to run exploits on other people's servers.
I have tried checking my access logs, but am not sure what to look for.
Is this a process, or is it an exploit through a url or a php form?
I have attached the e-mail complaints as txt.
View 6 Replies
View Related
Nov 25, 2007
Is there any way to control the pesky Yahoo bots?
Bots with an IP of 74.6.*.* are endlessly crawling my forums, never seeming to be able to finish their task and using up huge amounts of bandwidth. Ideally I would like to be able to turn them away at the gate but allow others to view the site.
If I block the IP via the control panel they still visit presumably just getting error pages but still using up lots of bandwidth.
View 7 Replies
View Related
Apr 22, 2009
Looking trough my logs I found something that bothers me, there are bots who keep doing requests on my website with pages like /admin or /secure to find vulnerabilities.
It's making about 5-6 requests for unexisting pages every second until it comes to the end of it's dictionary (the pages are even sorted in alphabetical order,
Is there some way to let my Apache server block access to these bots when they make X attemps to see a page who does not exists in a short amount of time? A bit like iptables reject connection if someone tries to log in but fails to do so too many times.
View 6 Replies
View Related
Apr 23, 2015
I am having a problem with blocking bots using .htaccess. I think I tried all possible syntax variants, yet all the bots that I am blocking get HTTP 200 response instead of 403 (I can verify it using access log).
I am using Apache 2.4 running on Ubuntu 14.04.2 with Plesk 12.0.18.
My AllowOverride is set to allow the use of .htaccess files, so .htaccess file gets loaded: when I make an error in .htaccess sysntax I can see the error in the error log and the webpages don't load. Besides, I have some "Deny from [IP address]" directives in the .htaccess and I see that these IPs get HTTP 403 response when access my site.
I spent hours trying different variants of .htaccess syntax (see below) and neither seems to work...
variant 0:
SetEnvIfNoCase User-Agent LivelapBot bad_bot
SetEnvIfNoCase User-Agent TurnitinBot bad_bot
Order allow,deny
Allow from all
Deny from env=bad_bot
[Code] ....
View 7 Replies
View Related
Apr 10, 2015
If I know the IP range that I want to block the best option is to block it with IPTABLES. This works well when you want to block entire countries. But what happens when you want to block specific IPs rather than ranges? Is iptables still more effective than "deny from [IP]" in .htaccess? I read that you don't want iptables to grow too big as it slows performance, but I guess it is still more effective than having big .htaccess..?
When it comes to blocking spam bots or referrers, robots.txt is just a suggestion for bots, when I looked at my traffic logs I noticed that most bots don't even look at robots.txt file. As far as I understand the only option here is to use .htaccess
1. I am currently using this in my .htaccess:
SetEnvIfNoCase User-Agent *ahrefsbot* bad_bot=yes
SetEnvIfNoCase Referer fbdownloader.com spammer=yes
...
SetEnvIfNoCase Referer social-buttons.com spammer=yes
Order allow,deny
Allow from all
Deny from env=spammer
Deny from env=bad_bot
2. Apparently, there is another approach as per below:
# Deny domain access to spammers
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} queryseeker [OR]
RewriteCond %{HTTP_REFERER} ^(www.)?.*(-|.)?adult(-|.).*$ [OR]
...
RewriteCond %{HTTP_REFERER} ^(www.)?.*(-|.)?sex(-|.).*$
RewriteRule .* - [F,L]
Which approach is better #1 or #2? Any better alternative?
Finally, somebody suggested that you need to have both (as per example below). Is it true?
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^rogerbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^exabot [OR]
RewriteCond %{HTTP_USER_AGENT} ^MJ12bot [OR]
[Code] ....
View 7 Replies
View Related
Jan 3, 2009
I have in my possession a new server which is running cPanel. For some unknown reason it keeps crashing about every 4-6 hours where I must get a remote reboot done.
Its starting to annoy me that I'm unable connect to anything. What I suspect is high disk red/write. As what I'm finding is over 10k blocks being written per second with only 300 being read per second. I also am not seeing any bandwidth out/in usage being high.
View 14 Replies
View Related
Jul 17, 2009
I am wanting to get access to 'top -c' for a period of 48/72 hours.
Now I have found the following
Code:
top -c -b -d 15 > top.txt
What this does is every 15 seconds add reply 'top -c' to top.txt
Now I can make this into a shell script then put it into the background and exit SSH while leaving it running.
Now the question is will this use much usage/server load over the 48/72hrs, it will be checking 4 times every minute.
View 3 Replies
View Related
May 5, 2008
I thought i'd just post a quick message on here to see what you guys make of this situation. It's only happened with what, the past hour or so, but when i check the visitor logs on our website it seems that a "YouMonitor.us" is constantly spamming connections to the website over 1 second intervals (even less than that in some cases).
Furthermore, its coming in from different IP address's all the time and therefore its inappropriate to block everyone as they seem to just constantly change.
View 6 Replies
View Related
Oct 24, 2013
Today i was informed that some of Apache instances are vulnerable for serving content while client is constantly pressing F5 button in browsers - once is pressed CPU load is increasing, page became slow etc. (it's dynamic content served by back-end Tomcats). In the same time i see errors with connection between Apache and Tomcats' instances.
Is there any good way to protect Apache against it ?
View 8 Replies
View Related
Apr 21, 2007
My server is constantly crashing (halting to dead) and needing reboot literally every few hours. I cannot trace the cause of this whatsoever. Please help out.
CPU/Memory/MySQL Usage shows no accounts in red or yellow zone ....
View 6 Replies
View Related
Jun 15, 2007
I was having issues with what I would like to think as power.
Now, I was wondering if there are any SQL database benchmarks, or something else I can run on the system for a given period of time, that will let me see if I'm still having those power issues.
View 2 Replies
View Related
Aug 12, 2008
We first noticed the issue on July 19th, Backups were taking a while to transfer from our own servers, and we were getting tickets from clients asking why this was happening. At the same time, it took about 4-5 minutes to log into the backup console. Issue seemed to correct itself so that backups were possible, and we assumed that scott would be aware of it and would work to resolve it.
Again on the 29th it slowed completely again. We immediately dispatched an email to their support email asking whats up, gave them detailed information such as access to the script and the output so he could monitor it.
The same day a few hours later we got a response that he would run the script and monitor it.
On the 31st, after not getting an update I asked what was going on. He said he ran the script, it seemed to stall for long periods of time and he would know more in the afternoon.
After not getting an update for ~5 days I asked what was going on and I expressed that i was not happy with the lack of communication/updates ont he situation. He updated me later that day saying that we weren't the only ones being affected. Fair enough, he is working on it. Thats all I wanted to hear.
Now ever since that email I received on the 5th (AUG) it has been up and down and all over the place.
After seeing him post on the forums I sent him a PM (10th August), summed up it was basically saying I had an issue, and I need it fixed. I figured since the PM system is usually pretty good at not losing them that he would see it and respond accordingly, that way there was no chance of it being lost from point A to point B as an email.
Well to this day, no response nor resolution.
I really have exhausted all points of communication, and I want to make it clear that I am not bashing them, when it works it's great. But maybe someone else affected can provide more insight..
View 12 Replies
View Related
Jul 20, 2015
Not sure why, but for some reason lately our Plesk installation randomly sends us notification emails about alarm level changes which go from Green to yellow, yellow to red, then goes back to normal over time. No changes were made on the server for these constant changes and emails to occur. We have a customer who also has the same issue.. Both focus primarily on nginx with little to no usage of apache.
View 2 Replies
View Related
Jul 21, 2012
This problem has been reported before Plesk Panel 11. What's the current solution for this problem? I've got this problem since I upgraded to Plesk Panel 11.09.
I'm getting spammed with emails like:
Server health parameter "Services > Apache memory usage" changed its status from "green" to "yellow". Click to expand...
View 19 Replies
View Related
Aug 11, 2014
I had Plesk 10 installed on my openSUSE system (was a low version, maybe 11 or less) and then decided to upgrade to 11.5. So I did distribution upgrades to openSUSE 12.3 and everything went smoothly, except for some services like mysql and php. So I used Plesk autoinstaller to fix the php error and edited an outdated line in mysql configuration and both services ran smoothly!
Then I downloaded Plesk autoinstaller and ran the autoinstaller, but was surprised by this error message:
===> Checking for previous installation ... found.
ERR (3) [panel]: Error during product key mode determination, details: Unable to connect to database: ; trace: #0 /usr/local/psa/admin/plib/functions.php(2821): isPpaKeyRequired()
#1 /usr/local/psa/admin/plib/common_func.php3(11): require_once('/usr/local/psa/...')
#2 /usr/local/psa/admin/plib/api-common/cu.php(5): require_once('/usr/local/psa/...')
#3 /usr/local/psa/admin/sbin/httpdmng(8): include_once('/usr/local/psa/...')
#4 (main)
Unable to connect to database:
- My MySQL version is: 5.5.33 openSUSE package
- I did run mysql_upgrade with my admin username and password (password from: /etc/psa/.psa.shadow) and it worked successfully and fixed all of the errors, I did so after running the auto installer first, but then ran the installer again and the problem was still there
- I can access my web page, but it still doesn't connect to MySQL either.
I believe this is a problem with MySQL, but how can I make sure or detect what exactly the problem is
View 3 Replies
View Related
Jan 31, 2008
Just got a new additional VPS with WHM/cPanel.
Browse to www.mydomain.com/webmail and get login box > login accepted and taken to Horde/Squirrelmail choice screen > choose Squirrelmail and get login box ... login not accepted! > Retry and choose Horde ... login not accepted!
The login is correct and the results are the same when logging in as root, or through /cPanel or /Webmail.
View 3 Replies
View Related
Apr 9, 2007
i had access in some servers via SSH and when i try to connect i get:
Welcome to The HOST!
login as: nickname
--------------------------
We monitor/log everything on that server! IP Logged!
--------------------------
nickname@host's password:
.............
I know that there is the motd file in /etc that i can put a message but i see it when i full be recognized by the server.. (after putting the password).. How can i put the other 2 messages?
View 4 Replies
View Related
Jan 3, 2014
when I find the subscription from the admin side of PPA, if I select "Login as user" I've noticed that it is different from actually logging in as the user - for example - "add domain alias" is missing when I login as a customer - but not as an admin... I need my customers to add their own aliases and manage them - how do I add that feature to the client login side?
View 9 Replies
View Related
Jan 25, 2008
Basically, considering my host is in Europe/Malaysia, it uses APNIC for their RR, and for more IPs its $5.00 per ip/month. Which is a bit expensive for me, so I was wondering if there are people on here that sell IPs for cheap? It doesn't matter what country it comes up in with a whois lookup, or what RIR it uses, I just need more IPs for my dedicated server.
So does anyone sell? Or know where I can buy?
View 6 Replies
View Related
May 2, 2008
Our business has grown and we would like to know if it is possible to buy IPs (/18 or /19)
Anyone have any experience with this?
View 14 Replies
View Related
May 8, 2008
There's a gadget showing how quickly we are running out of IP4 addresses.
View 11 Replies
View Related
