How to protect your Plesk server from brute-force attacks

Created:

2016-11-16 12:55:46 UTC

Modified:

2017-06-05 06:10:58 UTC



Applicable to:

  • Plesk for Linux

Symptoms

Many "ssl handshake failure" records appear in the Plesk sw-cp-server log file (/var/log/sw-cp-server/error_log):

2009-06-03 22:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:46:56: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:58:49: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:19:52: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:31:44: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:41:18: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:52:36: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure

Additionally, records like the following may appear in the system security log:

Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 07:32:43 plesk9 sshd[11756]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2

Cause

A possible cause of such log entries is a brute-force attack against sw-cp-server on port 8880. A sustained attack can eventually exhaust the service so that it stops responding normally.

Resolution

Resolve the issue with one of the options below.

  1. Block the host using firewall rules.

Example 1 (Linux):

Configure the following firewall (iptables) rules as root. The first rule records the source address of every new connection to port 22 in the "SSH" list; the second and third rules log and then drop a source that opens its fourth new connection within 180 seconds. These rules cover SSH only; to rate-limit another service, such as the panel on port 8880, add the same three rules with the corresponding --dport value.

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j DROP

Example 2 (FreeBSD):

a. Create a script ssh-fwscan.sh:

#!/bin/sh
# Remove the previous block rule set (rule number 20000) so that it is
# rebuilt from scratch on every run; because the rule has been deleted,
# no check for duplicate entries is needed below.
if ipfw show | awk '{print $1}' | grep -qx 20000 ; then
    ipfw delete 20000
fi
# Count failed sshd attempts per source address for both valid and
# invalid user names. The address is the field that follows "from";
# newer OpenSSH appends "port N", so the last field cannot be relied on.
# Every source with more than 5 failures gets a deny rule.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {
         for (i = 1; i < NF; i++) if ($i == "from") try[$(i+1)]++
     }
     END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
    ipfw -q add 20000 deny tcp from "$ip" to any in
done

b. Add the script to the system crontab (/etc/crontab) so it runs every 10 minutes; the path must match where you saved the script:

*/10 * * * * root /operator/sshd-fwscan.sh
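As an added example (not part of the original article), the same log scan as the awk script above written in Python, so it can be run against Linux or FreeBSD authentication logs and goes one step further: it strips the ::ffff: prefix seen in the Symptoms section so that the address matches firewall rules, and it only flags a source that exceeds the threshold inside a sliding time window instead of over the whole log. The sample records are constructed; only the 125.208.21.3 address is taken from the article.

```python
import re
from datetime import datetime
# Constructed sample sshd records (not from a real server): a burst, slow drips, noise.
SAMPLE_LOG = """\
Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:54:51 plesk9 sshd[9891]: Failed password for root from 125.208.21.3 port 8881 ssh2
Jan 13 02:54:55 plesk9 sshd[9892]: Invalid user admin from 125.208.21.3
Jan 13 02:54:56 plesk9 sshd[9892]: Failed password for invalid user admin from 125.208.21.3 port 8882 ssh2
Jan 13 02:55:02 plesk9 sshd[9893]: error: PAM: authentication error for root from 125.208.21.3
Jan 13 02:55:09 plesk9 sshd[9894]: Failed password for root from ::ffff:125.208.21.3 port 8883 ssh2
Jan 13 03:00:00 plesk9 sshd[9900]: Accepted publickey for admin from 192.0.2.5 port 51234 ssh2
Jan 13 04:00:00 plesk9 sshd[9910]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan 13 04:20:00 plesk9 sshd[9911]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 13 04:40:00 plesk9 sshd[9912]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jan 13 05:00:00 plesk9 sshd[9913]: Failed password for root from 198.51.100.9 port 40003 ssh2
Jan 13 05:20:00 plesk9 sshd[9914]: Failed password for root from 198.51.100.9 port 40004 ssh2
Jan 13 05:40:00 plesk9 sshd[9915]: Failed password for root from 198.51.100.9 port 40005 ssh2
"""

# Failed-authentication records as written by OpenSSH on Linux (PAM) and FreeBSD.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+"
    r"|error: PAM: authentication error for \S+) from (?P<ip>\S+)")

def normalize_ip(ip):
    """Strip the IPv4-mapped prefix (::ffff:1.2.3.4 -> 1.2.3.4) so rules match."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def failed_logins(log, year=2000):
    """Return (timestamp, source address) for each failed sshd authentication."""
    out = []
    for m in filter(None, map(FAILED.match, log.splitlines())):
        # syslog timestamps carry no year, so one is supplied for parsing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, normalize_ip(m["ip"])))
    return out

def offenders(log, threshold=5, window_s=600):
    """Addresses with more than `threshold` failures inside any `window_s` seconds."""
    by_ip = {}
    for ts, ip in failed_logins(log):
        by_ip.setdefault(ip, []).append(ts)
    hits = []
    for ip, times in by_ip.items():
        times.sort()  # syslog is normally chronological, but do not rely on it
        # sliding window: threshold+1 consecutive failures no more than window_s apart
        if any((times[i] - times[i - threshold]).total_seconds() <= window_s
               for i in range(threshold, len(times))):
            hits.append(ip)
    return sorted(hits)
```

On a live system, pass the contents of /var/log/auth.log (or /var/log/secure) to offenders() and feed the returned addresses to the ipfw or iptables rules shown above; the slow-drip source is deliberately not flagged with the default 10-minute window.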

Example 3 (FreeBSD):

Add a rule to the pf ruleset that allows SSH only from trusted networks. Because pf applies the last matching rule, a pass rule on its own blocks nothing; it only restricts access if the ruleset also blocks SSH by default (for example with a preceding block rule):

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Note: replace the IP addresses (192.168.1.0/24 and 202.54.1.5/29) with the networks that should be allowed to connect.

  2. Block the host using TCP wrappers.

Example:

Add the following rules to the /etc/hosts.allow file (the first matching line wins, so the allow entry must precede the deny entry). This only works if sshd is linked against TCP wrappers (libwrap); upstream OpenSSH removed that support in version 6.7, so on newer systems use the firewall options above:

sshd: <admin IP address>/<netmask> : allow
sshd: ALL : deny

Additional information

Some other measures help to harden the OS against external attacks, including brute force:

  • Change the sshd listening port from 22 to a different one (Port in sshd_config)
  • Allow key-based authentication only (PasswordAuthentication no)
  • Disable SSH login for the "root" user (PermitRootLogin no)
  • Configure sshd to listen on specific IP addresses only (ListenAddress)

There are also many third-party tools for the same purpose:

  • DenyHosts: scans log files and configures TCP wrapper rules
  • Cryptknock: opens the SSH port only on demand
  • BlockSshd: analyzes logs and configures firewall rules
  • SshGuard: monitors logs and configures firewalls
