How to protect your Plesk Panel from brute-force attacks

APPLIES TO:
  • Parallels Plesk 10.x for Linux
  • Parallels Plesk 9.x for Linux/Unix

Symptoms

A large number of "ssl handshake failure" records may appear in the Parallels Panel sw-cp-server log file (/var/log/sw-cp-server/error_log):

2009-06-03 22:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:46:56: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:58:49: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:19:52: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:31:44: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:41:18: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:52:36: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-04 00:02:38: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure


Additionally, the following records may be located in the system security log:

Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 07:32:43 plesk9 sshd[11756]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2

Cause

A possible reason for such log entries is a brute-force attack on the sw-cp-server via port 8880. A sustained brute-force attack may eventually disrupt normal operation of the service.

Resolution

You can resolve the issue by one of the options below.

1. Block the host using firewall rules.

Example 1 (Linux):

Configure the firewall (iptables) rules with the commands below. The first rule records every new connection to port 22 in the "SSH" list; the second and third log and then drop a source that has made 4 or more new connections within 180 seconds:

# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource

# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "

# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j DROP


Example 2 (FreeBSD):

a. Create the script /operator/sshd-fwscan.sh (the path used in the cron entry below):

#!/bin/sh
# Remove the previous block rule (number 20000) so the list is rebuilt from scratch.
if ipfw show | awk '{print $1}' | grep -qx 20000 ; then
    ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users.
# No check for duplicate entries is performed, since the rule
# has been deleted above.
# The last field of the matching sshd lines is the source address; any
# address with more than 5 failures is blocked.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
    ipfw -q add 20000 deny tcp from "$ip" to any in
done


b. Add the script to the system crontab (/etc/crontab) so it runs every 10 minutes:

*/10 * * * * root /operator/sshd-fwscan.sh
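As an added example (not part of the Parallels article), the detection logic of the FreeBSD script above written in Python: it counts sshd authentication failures per source address over constructed sample lines in the format shown in the Symptoms section, folds the ::ffff: IPv4-mapped form that appears there into plain IPv4 so that one attacker is not counted as two addresses, and renders the iptables or ipfw block rule instead of running it, so the output can be reviewed before it is applied. The sample lines, hostname, PIDs, addresses, the 5-failure threshold and the ipfw rule number are assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the format shown in the Symptoms section.
# Hostname, PIDs and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:55:01 plesk9 sshd[9891]: Failed password for root from ::ffff:125.208.21.3 port 8881 ssh2
Jan 13 02:55:09 plesk9 sshd[9892]: Invalid user admin from 125.208.21.3
Jan 13 02:55:30 plesk9 sshd[9893]: Failed password for invalid user admin from 125.208.21.3 port 8882 ssh2
Jan 13 03:10:12 plesk9 sshd[9950]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
Jan 13 03:12:40 plesk9 sshd[9960]: Failed password for deploy from 192.0.2.10 port 51040 ssh2
Jan 13 07:32:43 plesk9 sshd[11756]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
"""

# sshd failure messages that carry "from <address>": the two forms the
# article's awk script matches plus the "Failed password" form in the Symptoms.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: .*?(?:Failed password|Invalid user|authentication error).*? from (\S+)"
)


def normalize_ip(raw: str) -> str | None:
    """Map IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, as in the log) to plain
    IPv4 and reject anything that is not an address (e.g. a hostname)."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def count_failures(log_text: str) -> Counter:
    """Count sshd authentication failures per normalized source address."""
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        ip = normalize_ip(m.group(1))
        if ip is not None:
            failures[ip] += 1
    return failures


def find_offenders(log_text: str, threshold: int = 5) -> list[str]:
    """Return addresses with at least `threshold` failures, most active first."""
    counts = count_failures(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def block_commands(ips: list[str], firewall: str = "iptables", port: int = 22) -> list[str]:
    """Render (but do not run) a block rule per address, in the syntax of the
    two firewalls used in the article's examples. Rule number 20000 for ipfw
    is taken from the article's FreeBSD script."""
    cmds = []
    for ip in ips:
        if firewall == "iptables":
            cmds.append(f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
        elif firewall == "ipfw":
            cmds.append(f"ipfw -q add 20000 deny tcp from {ip} to any {port} in")
        else:
            raise ValueError(f"unsupported firewall: {firewall}")
    return cmds


if __name__ == "__main__":
    # Review the generated rules before applying them on a real host.
    for cmd in block_commands(find_offenders(SAMPLE_AUTH_LOG), "ipfw"):
        print(cmd)
```

Like the article's awk script, the threshold counts all failures in the file rather than failures per time window, so a legitimate user who mistypes a password repeatedly over weeks will eventually be listed; rotating the log (as FreeBSD does with auth.log) or counting only recent lines keeps that from happening.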


Example 3 (FreeBSD):

Add a rule into the pf filter:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state


Note: replace the IP addresses (192.168.1.0/24 and 202.54.1.5/29) with the networks you want to allow; all other sources are not matched by this rule.

2. Block the host using tcp wrappers.

Example:

Add the following rules to the /etc/hosts.allow file (the first matching rule wins, so the allow line must come first):

sshd: <admin IP address>/<netmask> : allow
sshd: ALL : deny

Additional information

Some other methods may help to increase OS security against external attacks, including brute-force:

- Change the sshd daemon port from 22 to another port
- Use key-based authentication only
- Disable ssh access for the "root" user
- Configure the sshd daemon to listen on specific IP addresses only
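As an added example (not from the Parallels article), a Python check that reads an sshd_config and reports which of the four recommendations above are not met. The two configuration excerpts are constructed for this example and are not a real server's settings; the parser follows sshd's first-value-wins rule for each keyword and stops at the first Match block, since settings after it apply only conditionally.

```python
from __future__ import annotations

import re

# Constructed sshd_config excerpts for this example: the first keeps the weak
# defaults the article advises changing, the second applies all four changes.
WEAK_SSHD_CONFIG = """\
# constructed example, not a real server's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Collect the values given for each keyword (lower-cased), in file order.

    sshd uses the first value it reads for a keyword, so callers take index 0;
    ListenAddress may legitimately repeat. Parsing stops at the first Match
    block because settings after it are conditional.
    """
    values: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        values.setdefault(keyword, []).append(value)
    return values


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per recommendation from the article that is not met."""
    cfg = parse_sshd_config(text)

    def effective(keyword: str, default: str) -> str:
        # First value wins; `default` is what sshd assumes when the keyword is absent
        # (PermitRootLogin defaulted to "yes" in releases of the article's era).
        return cfg.get(keyword, [default])[0].lower()

    findings = []
    if effective("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    if effective("passwordauthentication", "yes") != "no":
        findings.append("password authentication is enabled; use key-based authentication only")
    if effective("permitrootlogin", "yes") != "no":
        findings.append("ssh login as root is not explicitly disabled")
    if "listenaddress" not in cfg:
        findings.append("no ListenAddress set; sshd listens on all interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Moving the port only hides sshd from scanners that try port 22 alone; the other three settings are what actually removes password guessing as an attack surface, so treat a finding on any of them as the one to fix first.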

There are also many third-party solutions for the same purpose:

- DenyHosts: scans log files and configures tcp wrapper rules
- Cryptknock: opens the ssh port only when required
- BlockSshd: analyzes logs and configures firewall rules
- SshGuard: monitors logs and configures firewalls


