Suddenly hit from lots of different places today.

RojoLoco

@travisdh1 said in Suddenly hit from lots of different places today.:

@RojoLoco said in Suddenly hit from lots of different places today.:

In Soviet Russia, IP address blocks you!

How'd you know it's the Russians?

Because you said

@travisdh1 said in Suddenly hit from lots of different places today.:

8:45AM 31.8.66.206 User:demo
8:45AM 46.33.250.164 User:demo

Looking like Ukraine and Russia for the most part.

Plus that joke wouldn't work if the attackers were in Alsace-Lorraine or Burkina Faso.

travisdh1

@Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

dafyre

I'd just K-Line the whole /16 subnet and be done with it and see if that slows it down.

MattSpeller

@dafyre said in Suddenly hit from lots of different places today.:

I'd just K-Line

I suspect that you may be unaware of the meaning that phrase has elsewhere lol

dafyre

@MattSpeller said in Suddenly hit from lots of different places today.:

@dafyre said in Suddenly hit from lots of different places today.:

I'd just K-Line

I suspect that you may be unaware of the meaning that phrase has elsewhere lol

Wow. That's just sad. Guess I'll be expecting a visit from the FBI or NSA in a bit.

K-LINE is an old school IRC terminology. Was helping my old man with his IRC server today, lol.

K-LINE = block it forever... (on a Linux box, just use iptables, it's far, far easier).

travisdh1

@dafyre said in Suddenly hit from lots of different places today.:

I'd just K-Line the whole /16 subnet and be done with it and see if that slows it down.

That's what I've been doing with cphulk. The number of different systems being used is a little crazy. At this point I'm just wondering if I'll ever be able to prove anything, even tho I'm almost certain it's a government agency behind it.

Example of cPHulk email:
alt text

Block the IANA Netblock and call it done.

Ambarishrh

@travisdh1 said in Suddenly hit from lots of different places today.:

@Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

cPHulk uses a MySQL database that does not use iptables in the manner CSF is using. It is more intensive to block using cPHulk due to the fact it blocks based on logging authentications to a MySQL database and then determining actions based on it. It is actually more streamlined and easier to manage CSF / LFD due to it dealing directly with iptables via flat files.

travisdh1

@Ambarishrh said in Suddenly hit from lots of different places today.:

@travisdh1 said in Suddenly hit from lots of different places today.:

@Ambarishrh I saw that, doesn't really give me anything beyond what cPHulk is doing already. Might have to try it on some local systems tho.

cPHulk uses a MySQL database that does not use iptables in the manner CSF is using. It is more intensive to block using cPHulk due to the fact it blocks based on logging authentications to a MySQL database and then determining actions based on it. It is actually more streamlined and easier to manage CSF / LFD due to it dealing directly with iptables via flat files.

I grep that. I have been keeping an eye on performance, and we haven't seen any detrimental effects yet (the memory cache for the mysql instance is ~2x the db size currently.)

travisdh1

For those interested in such things

0_1478721557353_upload-b18683f9-ac76-4b8a-ae2b-197d3b5dc645

dafyre

Are the attacks still ongoing today?

travisdh1

Got this knocked down to one every half hour instead of once every five minutes by 5PM yesterday, and the last notification I got was at 6:02AM this morning, hopefully we're done with these..... silly.... people.

Some (hopefully) final numbers for you all.
0_1478785140922_upload-ffd74363-5686-46cf-a8cd-5d191f664664

0_1478785277894_upload-54aa2098-f090-4457-bd11-729adec288ea

They never even tried a valid user in addition to trying this on a service that responds as being active but then rejects all login attempts. Silly, silly people.

PS - I hope all the mods appreciate my self-moderation here

dafyre

@travisdh1 I'm totally shocked... not a single hit for root as the login name!

travisdh1

@dafyre said in Suddenly hit from lots of different places today.:

@travisdh1 I'm totally shocked... not a single hit for root as the login name!

I know right

When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

stacksofplates

@travisdh1 said in Suddenly hit from lots of different places today.:

@dafyre said in Suddenly hit from lots of different places today.:

@travisdh1 I'm totally shocked... not a single hit for root as the login name!

I know right

When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

Ha we can't log in with root at all over SSH.

travisdh1

@stacksofplates said in Suddenly hit from lots of different places today.:

@travisdh1 said in Suddenly hit from lots of different places today.:

@dafyre said in Suddenly hit from lots of different places today.:

@travisdh1 I'm totally shocked... not a single hit for root as the login name!

I know right

When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

Ha we can't log in with root at all over SSH.

While it's very tempting to do just that, the only user the system started with was root. If I have to burn it all down, I need some way to access the thing.

stacksofplates

@travisdh1 said in Suddenly hit from lots of different places today.:

@stacksofplates said in Suddenly hit from lots of different places today.:

@travisdh1 said in Suddenly hit from lots of different places today.:

@dafyre said in Suddenly hit from lots of different places today.:

@travisdh1 I'm totally shocked... not a single hit for root as the login name!

I know right

When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

Ha we can't log in with root at all over SSH.

While it's very tempting to do just that, the only user the system started with was root. If I have to burn it all down, I need some way to access the thing.

Ah ic. Do you not have console access?

travisdh1

@stacksofplates said in Suddenly hit from lots of different places today.:

@travisdh1 said in Suddenly hit from lots of different places today.:

@stacksofplates said in Suddenly hit from lots of different places today.:

@travisdh1 said in Suddenly hit from lots of different places today.:

@dafyre said in Suddenly hit from lots of different places today.:

@travisdh1 I'm totally shocked... not a single hit for root as the login name!

I know right

When I first started here, the website was hosted on a Windows Server VPS, so the administrator at least makes a little sense.

Also, remote root login (the only one available because it's a VPS) is key based. So go ahead and try logging in as root with a password.

Ha we can't log in with root at all over SSH.

While it's very tempting to do just that, the only user the system started with was root. If I have to burn it all down, I need some way to access the thing.

Ah ic. Do you not have console access?

I do, but the only user on the system was created after the OS/cPanel was installed. So if I have to nuke it from orbit, I kinda need that access.