How to protect Parallels Plesk from brute-force attacks

Article ID: 8119, created on Feb 26, 2010, last review on Feb 21, 2015

APPLIES TO:
  • Plesk 12.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk 10.4 for Linux/Unix
  • Odin Business Automation Standard 4.5

Symptoms

A large number of "ssl handshake failure" records may appear in the Parallels Panel sw-cp-server log file (/var/log/sw-cp-server/error_log):

2009-06-03 22:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:46:56: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:58:49: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:19:52: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:31:44: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:41:18: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:52:36: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-04 00:02:38: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure

Additionally, the system authentication log (for example /var/log/secure or /var/log/auth.log, depending on the OS) may contain records such as:

Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 07:32:43 plesk9 sshd[11756]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2

Cause

A possible reason for such log entries is a brute-force attack on the sw-cp-server (the Plesk panel web server) via port 8880, often together with password guessing against sshd. Note that in the sshd records above the port shown after the source address is the client's source port, not the port being attacked: those attempts target sshd itself. The sw-cp-server entries carry no client address, so identify the attacking host from the ssh log or from firewall connection logs before blocking it. A sustained attack may eventually stop the service from responding normally.

Resolution

The issue can be resolved with one of the options below.

  1. Block the attacking host using firewall rules.

Example 1 (Linux):

Add iptables rules such as the following. They are shown for sshd on port 22; to protect sw-cp-server in the same way, repeat them with --dport 8880. Insert them before any rule that accepts the port, because iptables evaluates rules in order. The first rule records every new connection from a source address in the "SSH" list; the second and third log and then drop a source that opens 4 or more new connections (--hitcount 4) within 180 seconds. Rules added this way are not persistent across a reboot, so save them with the distribution's iptables-save mechanism:

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j DROP

Example 2 (FreeBSD):

a. Create a script sshd-fwscan.sh. It scans /var/log/auth.log for sshd failures, takes the last field of each matching line (the source address in "Invalid user ... from <IP>" and "authentication error for ... from <IP>" records), and adds an ipfw deny rule for every address with more than 5 failures. All block rules share rule number 20000 so they can be removed together before the list is rebuilt:

#!/bin/sh
# Remove the previous block list (all rules numbered 20000) so it is rebuilt from scratch.
if ipfw show | awk '{print $1}' | grep -qx 20000 ; then
        ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users.
# No check for duplicate entries is performed, since the rule set
# has just been deleted.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
        ipfw -q add 20000 deny tcp from "$ip" to any in
done

b. Run the script from cron every 10 minutes (/etc/crontab format, including the user field):

*/10 * * * * root /operator/sshd-fwscan.sh
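The same log-scanning approach for a Linux host, written here as an added example (it is not part of the original article or of Plesk). It counts failed sshd logins per source address and prints iptables rules for the offenders. Unlike the ipfw script it takes the address from the field after "from" rather than the last field (which is "ssh2" in "Failed password" lines), and it strips the IPv4-mapped "::ffff:" prefix seen in the Symptoms section so the rules carry a plain IPv4 address. The sample log lines, the threshold and the function names are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the original Plesk article: count failed sshd logins
# per source address in an auth log and emit iptables DROP rules for sources
# that exceed a threshold. Handles IPv4-mapped IPv6 source addresses
# ("::ffff:1.2.3.4") so the generated rules use the plain IPv4 address.
set -eu

# Constructed sample log (not a real capture); the format follows the lines
# shown in the Symptoms section. 125.208.21.3 fails 6 times, 203.0.113.7 twice,
# and the one successful login must not be counted.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:54:52 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:55:01 plesk9 sshd[9902]: Invalid user admin from ::ffff:125.208.21.3
Jan 13 03:10:17 plesk9 sshd[9950]: Failed password for invalid user admin from 125.208.21.3 port 41022 ssh2
Jan 13 03:10:20 plesk9 sshd[9950]: Failed password for invalid user admin from 125.208.21.3 port 41022 ssh2
Jan 13 03:11:05 plesk9 sshd[9961]: error: PAM: authentication error for root from 125.208.21.3
Jan 13 04:02:11 plesk9 sshd[10120]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jan 13 04:02:15 plesk9 sshd[10120]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jan 13 04:30:00 plesk9 sshd[10200]: Accepted publickey for admin from 198.51.100.9 port 52211 ssh2
EOF

# offenders LOGFILE THRESHOLD
# Prints, one per line and sorted, every source address with more than
# THRESHOLD failed attempts. Only sshd failure records are counted.
offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+]:/ && (/Failed password/ || /Invalid user/ || /authentication error/) {
            ip = ""
            # The source address is the field right after "from".
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            sub(/^::ffff:/, "", ip)       # IPv4-mapped IPv6 -> plain IPv4
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' "$1" | sort
}

# block_rules LOGFILE THRESHOLD
# Prints (does not run) one iptables DROP rule per offender, covering both
# sshd on 22 and sw-cp-server on 8880. Pipe the output to sh as root to apply;
# -I puts the rules at the top of INPUT so they take effect before any ACCEPT.
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp -m multiport --dports 22,8880 -j DROP\n' "$ip"
    done
}

block_rules "$SAMPLE_LOG" 5
```

To use it on a real host, point offenders at the system's auth log (for example /var/log/secure or /var/log/auth.log) and run it from cron as in the FreeBSD example; the rules are printed rather than applied so they can be reviewed, and an allowlist check for the administrator's own address should be added before piping the output to sh.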

Example 3 (FreeBSD):

Add a rule to the pf ruleset that allows ssh only from trusted networks (assuming the ruleset blocks incoming traffic by default) and uses synproxy so that pf completes the TCP handshake itself before the connection reaches sshd:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Note! Replace the example addresses (192.168.1.0/24 and 202.54.1.5/29) with your own trusted networks, and define $ext_if and $ssh_server_ip as macros in pf.conf.

  2. Block the attacking host using TCP wrappers.

Example:

Add the following rules to the /etc/hosts.allow file. TCP wrappers use the first matching line, so the allow entry for the administrator's address must precede the deny entry:

sshd: <admin IP address>/<netmask> : allow
sshd: ALL : deny

Additional information

Other measures that help harden the OS against external attacks, including brute force:

  • Move the sshd daemon from port 22 to another port (Port)
  • Allow key-based authentication only (PasswordAuthentication no)
  • Disable ssh login for the "root" user (PermitRootLogin no)
  • Make sshd listen on specific IP addresses only (ListenAddress)

There are also many third-party tools for the same purpose:

  • DenyHosts - scans log files and configures TCP wrapper rules
  • Cryptknock - port knocking: opens the ssh port only when required
  • BlockSshd - analyzes logs and configures firewall rules
  • SshGuard - monitors logs and configures firewalls

Search words:

dns

ssl handshake failure

brute-force attack

500 Internal Server Error upon login.

System Brute Force to protect HTTPS
