
Recently logged into our server after we had the site crash, to restart it, and noticed over 50,000 failed logins to the server since the last successful one only a couple days prior. So I ran the "last" command first and didn't find any suspicious successful logins, then ran "lastb" and got a whopping list mostly coming from China and similar IPs.

My main guy that handles this stuff is on vacation now, so I'm sort of slowly teaching myself; I am just wondering if this could have been what caused the server to crash and slow down beforehand, if this is an attack or an attempt to hack, and recommendations to fix it.

[Screenshot: output of the lastb command on the server]

techraf
Citles

3 Answers

4

fail2ban is a wonderful package available in most Linux distros. It watches for failed login attempts, and after too many, blocks that IP address for a while. You may want to look into installing that.

People constantly trying to login can cause high load, if there are enough of them trying quickly enough.

Grant
  • Another program similar to fail2ban but with more features is [CSF](http://configserver.com/cp/csf.html). – Moshe Katz Aug 09 '16 at 14:00
  • Rate limiting should be implemented for all logins. Fail2ban works out of the box. Attacks like this happen all the time, if your PW is secure I wouldn't worry about it. – mzhaase Aug 09 '16 at 14:55
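A minimal jail definition for the setup recommended in this answer, added here as an example and not taken from the answer or from the fail2ban project's shipped defaults. On fail2ban 0.9 or newer the SSH jail is named `sshd`; settings placed in `jail.local` override the distribution's `jail.conf`, so the packaged file is left untouched. The threshold values and the `YOUR.ADMIN.IP.HERE` placeholder are assumptions to adjust for your own environment.

```ini
# /etc/fail2ban/jail.local (added example; values are a starting point, not fail2ban's defaults)
[DEFAULT]
# Addresses that are never banned. Replace the placeholder with the address
# you administer from, so a typo in your own password cannot lock you out.
ignoreip = 127.0.0.1/8 YOUR.ADMIN.IP.HERE
# Ban a source after maxretry failures within findtime seconds, for bantime seconds.
findtime = 600
maxretry = 5
bantime  = 3600

[sshd]
enabled = true
```

After restarting the service, `fail2ban-client status sshd` lists the currently banned addresses, which is a quick way to confirm the jail is actually reading the right log and matching the failures you saw in `lastb`.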
2

People are knocking on your door from all over the internet all of the time in an attempt to find a way to get in and abuse your system. It seems unlikely that this was the cause of your system crash (but can't be entirely ruled out).

You should look in your system logs to see if there are any relevant/interesting messages that occur at or around the time that the system was experiencing problems in an attempt to figure out what the problem was. I find Scientific Method a useful tool in cases like this.

user9517
-1

You can block the IP range from where you are getting the unwanted login attempts.

I am writing a demonstration with public IP 1.2.3.4

Replace 1.2.3.4 with the IP address from where you are getting login attempts.

To block 1.2.3.* addresses range:

iptables -A INPUT -s 1.2.3.0/24 -j DROP

To block 1.2.*.* addresses range:

iptables -A INPUT -s 1.2.0.0/16 -j DROP

To block 1.*.*.* addresses range:

iptables -A INPUT -s 1.0.0.0/8 -j DROP

After deciding the range you want to block save the changes made to iptables.

iptables-save

But be careful what you block using this method. This will block all the traffic from that IP range.
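The answer shows the rule for one hand-picked address. As an added example (not part of the answer), the script below derives the candidate list from `lastb` output instead: it counts failures per source and prints a `DROP` rule only for sources above a threshold, either per host (/32) or widened to the /24 the way the answer does. The rules are printed rather than applied so they can be reviewed first; `SAMPLE_LASTB` is constructed data in `lastb`'s column layout and the function names are my own. Two things worth checking before applying the output: `iptables -A` appends, so if an earlier rule already accepts port 22 the new `DROP` is never reached (use `-I INPUT` to put it first), and `iptables-save` only writes the ruleset to standard output, so it must be redirected to a file that your distribution restores at boot (for example `iptables-save > /etc/iptables/rules.v4` with the iptables-persistent package) for the block to survive a reboot.

```shell
#!/bin/sh
# Added example, not from the original answer: summarise "lastb" output per
# source address and print DROP rules only for sources above a threshold.
# Rules are printed, not executed. SAMPLE_LASTB is constructed sample data.

SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Tue Aug  9 03:12 - 03:12  (00:00)
admin    ssh:notty    203.0.113.5      Tue Aug  9 03:12 - 03:12  (00:00)
root     ssh:notty    203.0.113.5      Tue Aug  9 03:13 - 03:13  (00:00)
test     ssh:notty    203.0.113.5      Tue Aug  9 03:13 - 03:13  (00:00)
root     ssh:notty    198.51.100.7     Tue Aug  9 03:13 - 03:13  (00:00)
oracle   ssh:notty    198.51.100.7     Tue Aug  9 03:14 - 03:14  (00:00)
root     ssh:notty    192.0.2.10       Tue Aug  9 03:15 - 03:15  (00:00)

btmp begins Mon Aug  8 00:00:01 2016'

# failures_by_source: read lastb lines on stdin and print "<count> <ip>" per
# source, busiest first. Only rows whose third column is an IPv4 literal are
# counted, which skips the blank line and the "btmp begins" trailer.
failures_by_source() {
    awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { c[$3]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# drop_rules THRESHOLD [MASK]: one rule per source with at least THRESHOLD
# failures. MASK 32 (default) blocks just that host; 24 blocks its whole /24
# as the answer above does. Duplicate /24 rules are collapsed.
drop_rules() {
    thr="$1"; mask="${2:-32}"
    failures_by_source | while read -r n ip; do
        [ "$n" -ge "$thr" ] || continue
        case "$mask" in
            24) net="${ip%.*}.0/24" ;;   # strip last octet, append .0/24
            *)  net="$ip/32" ;;
        esac
        printf 'iptables -A INPUT -s %s -j DROP\n' "$net"
    done | awk '!seen[$0]++'
}

# Stand-alone run: summary, then proposed host-level rules for >= 2 failures.
printf '%s\n' "$SAMPLE_LASTB" | failures_by_source
printf '%s\n' "$SAMPLE_LASTB" | drop_rules 2
```

On the real server, `lastb | failures_by_source | head` gives the ranking from the screenshot in the question as text, and `lastb | drop_rules 50 24` would propose /24 blocks for the noisiest networks only; the single-failure source in the sample (which could just as well be a colleague mistyping a password) is deliberately left alone by the threshold.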

Sven
imvikasmunjal