3

I recently migrated to a new host, a VPS solution. From day one, I started getting WHM/cPanel notifications of brute force attack attempts via root on the main account, 3-4 times per day. I know this is more and more typical in general, but...

My question is whether or not it's typical and/or something to be concerned about when it happens on a brand new server?

Note: I'm not asking how to defend against brute force attacks (e.g., using strong passwords and possibly removing ssh access by password authentication).

technoTarek

5 Answers

2

Yes. This sort of thing is just part of the "background noise" of having an internet-connected system.

Disable root login via ssh and turn off password authentication in your sshd_config (using key auth instead), and you should be sufficiently safe from brute force attacks.

EEAA
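
A static check for the two sshd_config settings named in the answer above, as an added example that is not part of the original answer. The function names and the sample config are constructed for illustration; it assumes plain `Keyword value` lines, no Include files, and it only inspects the global section before any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for PermitRootLogin / PasswordAuthentication.
# Assumptions: no Include directives, no "Keyword=value" or quoted arguments.

# Print the value sshd would use for KEYWORD in FILE's global section.
# sshd keeps the FIRST value it reads for a keyword; later lines are ignored.
effective_sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only if both settings are explicitly "no". "unset" fails because
# the compiled-in defaults differ between OpenSSH versions.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(effective_sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '$got', want '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the hardening lines were appended at the bottom, but the
# earlier "PasswordAuthentication yes" is the one sshd honours.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'Port 22' 'PasswordAuthentication yes' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$f"
    audit_sshd_config "$f"
    status=$?
    rm -f "$f"
    return "$status"
}

demo || echo "sample config is not hardened"
```

On a live host, `sshd -T` (run as root) prints the configuration the daemon actually resolves and is the authoritative check.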
1

If a server's IP is accessible to the internet, it'll see attacks. Worms etc. crawl the publicly available IP space for victims, and on a VPS host there's a good chance your IP was another known server until recently.

Installing fail2ban or denyhosts to block brute force attempts is a pretty common step.

ceejayoz
0

Yes, it's typical. Basically any system on the internet is constantly under some kind of attack. Usually, it's just considered background noise unless you have a large number of attempts.

Sven
0

Your server is a cPanel server, and by default it provides Brute Force Protection. Have you enabled "cPHulk" on your server? It protects your server from brute force. For more details you can read this: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/CPHulk

-1

Lots of software calls home with the IP address, then people get their hands on the information and try to hack into the servers. This is fairly common. I would contact your hosting provider and ask for assistance.

  • This has nothing to do with it. While this *may* be true for desktop/workstation software, there is **very** little server software that "phones home". As mentioned in my answer, traffic like this is just part of being on the internet. – EEAA Apr 30 '13 at 00:00