How to protect your Parallels Plesk from brute-force attacks

Article ID: 8119, created on Feb 26, 2010, last review on Feb 21, 2015

APPLIES TO:
  • Parallels Plesk 12.0 for Linux
  • Parallels Plesk 11.5 for Linux
  • Parallels Plesk 10.4 for Linux/Unix
  • Parallels Business Automation - Standard 4.5

Symptoms

A large number of "ssl handshake failure" records may appear in the Parallels Panel sw-cp-server log file (/var/log/sw-cp-server/error_log):

2009-06-03 22:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:46:56: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:58:49: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:19:52: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:31:44: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:41:18: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:52:36: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-04 00:02:38: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure

In addition, records like the following may be found in the system security log:

Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 07:32:43 plesk9 sshd[11756]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2

Cause

A possible reason for such log entries is a brute-force attack against sw-cp-server on port 8880. A sustained brute-force attack can eventually degrade or block normal operation of the service.

Resolution

You can resolve the issue using one of the options below.

  1. Block the host using firewall rules.

Example 1 (Linux):

Configure firewall (iptables) rules with the commands below (run as root). The rules track new connections to port 22 per source address and log, then drop, a source that opens more than 4 new connections within 180 seconds:

#iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource

#iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "

#iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j DROP

Example 2 (FreeBSD):

a. Create a script ssh-fwscan.sh:

#!/bin/sh

# Remove the previous block list (rule number 20000) if it exists,
# so the rule is rebuilt from scratch on every run.
if ipfw show | awk '{print $1}' | grep -qx 20000 ; then
        ipfw delete 20000
fi

# This catches repeated attempts for both legal and illegal users.
# No check for duplicate entries is performed, since the rule
# has been deleted above. The source address is the last field
# of the matching sshd lines.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
        ipfw -q add 20000 deny tcp from "$ip" to any in
done

b. Run the script from cron every 10 minutes by adding the following line to /etc/crontab (the path below assumes the script from step a was saved as /operator/ssh-fwscan.sh):

*/10 * * * * root /operator/ssh-fwscan.sh
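The cron script above counts offending addresses with a one-line awk program. The following script is an added example (not part of the Parallels article) that does the same job for the sshd log lines shown in the Symptoms section: it handles both "Failed password" and "Invalid user" records, strips the IPv4-mapped "::ffff:" prefix so one host is counted once, and prints the block commands as a dry run. It assumes a constructed sample log (addresses from documentation ranges); the sw-cp-server "ssl handshake failure" lines carry no client address and therefore cannot be used for per-host blocking.

```shell
#!/bin/sh
# Added example: list sshd brute-force sources and emit firewall rules (dry run).

# Constructed sample log in the format shown in the article (not real data).
SAMPLE_LOG="${TMPDIR:-/tmp}/auth.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:203.0.113.10 port 8880 ssh2
Jan 13 02:54:50 plesk9 sshd[9890]: Failed password for root from ::ffff:203.0.113.10 port 8881 ssh2
Jan 13 02:54:52 plesk9 sshd[9891]: Failed password for invalid user admin from 203.0.113.10 port 8882 ssh2
Jan 13 02:55:01 plesk9 sshd[9892]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 13 02:55:05 plesk9 sshd[9893]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2
Jan 13 02:55:09 plesk9 sshd[9894]: Invalid user test from ::ffff:203.0.113.10
EOF

# offenders LOGFILE THRESHOLD
# Prints "count ip" for every source with at least THRESHOLD failed attempts.
# The address is the word after "from"; "::ffff:" is removed so that IPv4 and
# IPv4-mapped forms of the same host are counted together.
offenders() {
    awk -v limit="$2" '
        /sshd\[/ && (/Failed password/ || /Invalid user/) {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            sub(/^::ffff:/, "", ip)
            tries[ip]++
        }
        END { for (h in tries) if (tries[h] >= limit) print tries[h], h }
    ' "$1" | sort -rn
}

# block_rules IP...
# Prints the firewall command for each address: ipfw (as in the FreeBSD
# script) when ipfw is installed, otherwise iptables. Nothing is executed;
# pipe the output to sh as root to apply it.
block_rules() {
    for ip in "$@"; do
        if command -v ipfw >/dev/null 2>&1; then
            echo "ipfw -q add 20000 deny tcp from $ip to any in"
        else
            echo "iptables -I INPUT -p tcp -s $ip --dport 22 -j DROP"
        fi
    done
}

# Show sources with 3 or more failures, then the rules that would block them.
offenders "$SAMPLE_LOG" 3
for ip in $(offenders "$SAMPLE_LOG" 3 | awk '{print $2}'); do
    block_rules "$ip"
done
```

With the sample above only 203.0.113.10 crosses the threshold (4 failures), while the single failure from 198.51.100.7 and the successful key login from 192.0.2.5 are left alone.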

Example 3 (FreeBSD):

Add a rule to the pf ruleset that admits SSH connections only from trusted networks ($ext_if and $ssh_server_ip are pf macros that must be defined in your pf.conf):

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Note: replace the IP addresses (192.168.1.0/24 and 202.54.1.5/29) with the networks you actually want to allow.

  2. Block the host using tcp wrappers.

Example:

Add the following rules to the /etc/hosts.allow file (the allow rule must come first, because tcp wrappers stop at the first match):

sshd: <admin IP address>/<netmask> : allow
sshd: ALL : deny

Additional information

Other measures that help harden the OS against external attacks, including brute-force:

  • Change the sshd daemon port from 22 to another port
  • Use key-based authentication only
  • Disable ssh access for the "root" user
  • Configure the sshd daemon to listen on selected IP addresses only

There are also a number of third-party tools for the same purpose:

  • DenyHosts - scans log files and configures tcp wrapper rules
  • Cryptknock - opens the ssh port only when required
  • BlockSshd - analyzes logs and configures firewall rules
  • SshGuard - monitors logs and configures firewalls

Search words: dns; ssl handshake failure; brute-force attack; 500 Internal Server Error upon login; System Brute Force to protect HTTPS
