Being Attacked All Day, CPHulk Brute Force Fine Tuning

Running my first VPS. My VPS is being attacked by Russia, China, sometimes Spain, Ukraine. So I suppose my first question would be: is this normal? Is it normal for U.S. web servers to be attacked all day, every day, almost non-stop? It does not seem to be taking up a lot of resources.

I'd really like to be sure these are auto-blacklisted, forever if that is reasonable. It's a point of anxiety and I really need a few real tips on tuning up cPHulk without locking down my VPS. I'm a web dev; I don't want everything to end up blacklisted due to a few bad auth attempts. That grey area. Should I be blacklisting single IPs or ranges? So many questions. Please help.

Every day, all day. About 100 or more Max Failure notices.
Delton Childs (Owner) asked:
gheist commented:
1) Yes, it is normal. On my home router I get ~100 SSH connection attempts a day.

Use a public key for root authentication and, when it works, make sure to set
PermitRootLogin no-password
(Check your sshd_config manual to confirm the option is supported.)
That completely disables any chance of the root password being subject to brute-force attacks.
btan (Exec Consultant) commented:
Indeed, it is (too) common for a web server accessible on the internet to be constantly scanned, fingerprinted, "poked" for holes, and even attacked. There is much that you can stop from the attacker's side, but make sure the web server is hardened and the web app locked down with proper secure code review. You wouldn't want to be the next zombie machine possessed by an attacker for their botnet, e.g. a herd of infected machines commanded by a C&C server that is not easily traceable to the actual perpetrator.

Blacklisting works if the source IP stays the same, but wouldn't it also be behind a proxy, so that eventually you are blocking a wider user mass inadvertently? Some paranoid admins, erring on the safe side, even go to the extent of geolocation blacklisting and sinkholing such traffic. Services with WAF and DDoS protection (Cloudflare, Akamai, DosArrest etc.) always come into play as the first outer layer of defence, together with your internal defences (FW, WAF, hardened and locked-down web server and services). Some go into defacement monitoring services (appfence, wapples and the like) too.

Avoid remote admin, and have 2FA if needed, with a VPN over the channel. SSH with default and easy passwords, as the expert shared, is too open in this threat landscape. Passwords are crackable, especially when shorter than 8 characters and just a "password" rather than a passphrase with a level of complexity and greater length for deterrence. Have weak crypto hashes like MD5 and ciphers like RC4, SSLv3 and below removed. Look into a tool to lock it down like IISCrypto (for Windows, though) or the equivalent in your OS build, especially if you are using OpenSSL, as lots of web servers use it for SSL (recent attacks due to POODLE, Heartbleed and Shellshock are low-hanging fruit that are still ongoing for easy penetration).

Tools like Sucuri SiteCheck and the Qualys SSL Labs test are good to assess the web health and robustness of hardening and surface any obvious holes (OWASP Top 10 vulnerabilities) the attacker will probe further. Do run them through to see for yourself. Also, if you are using any CMS like WordPress, Joomla, Drupal etc., get the latest version and have scanning done to make sure the patch is really deployed (some require a restart, hence downtime; do not underestimate that).

Furthermore, the fear of planted webshell code and defacement (without the visual changes) are also time-bomb indicators that your site is already penetrated and has likely just joined another phished-website collection.
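As an added example (not part of btan's answer or of the thread) of how to turn the asker's "single IPs or ranges?" into something measurable: the POSIX shell script below counts failed sshd logins per source address and per /24 from a constructed sample of the syslog lines sshd writes to /var/log/secure (RHEL/CentOS) or /var/log/auth.log (Debian/Ubuntu). The thresholds (3 failures, 3 distinct hosts), the block-ip/block-net rule and the function names are assumptions for illustration, not cPHulk settings, and the addresses are RFC 5737 documentation ranges. It makes btan's proxy caveat concrete: a /24 where many distinct hosts each try a little is either a botnet or a shared NAT, and the table lets you look before blocking the range.

```shell
#!/bin/sh
# Added example, not from the thread: rank failed SSH logins by source IP and
# by /24 to decide between blocking a single address and blocking a range.
# Input is the syslog format sshd writes to /var/log/secure (RHEL/CentOS) or
# /var/log/auth.log (Debian/Ubuntu); the sample below is constructed and uses
# RFC 5737 documentation addresses.
set -eu

# Write a constructed sample log to $1 (real use: point the functions at the live file).
make_sample_log() {
    cat >"$1" <<'EOF'
Jan 12 03:14:15 vps sshd[2101]: Failed password for root from 203.0.113.5 port 4312 ssh2
Jan 12 03:14:17 vps sshd[2101]: Failed password for root from 203.0.113.5 port 4313 ssh2
Jan 12 03:14:19 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 4314 ssh2
Jan 12 03:14:22 vps sshd[2105]: Failed password for root from 203.0.113.5 port 4315 ssh2
Jan 12 03:14:25 vps sshd[2107]: Failed password for root from 203.0.113.5 port 4316 ssh2
Jan 12 03:15:01 vps sshd[2110]: Failed password for root from 198.51.100.7 port 50021 ssh2
Jan 12 03:15:03 vps sshd[2112]: Failed password for invalid user oracle from 198.51.100.9 port 50022 ssh2
Jan 12 03:15:06 vps sshd[2114]: Failed password for root from 198.51.100.23 port 50023 ssh2
Jan 12 03:16:40 vps sshd[2120]: Accepted publickey for root from 192.0.2.10 port 61000 ssh2: ED25519 SHA256:c0nstructed
Jan 12 03:17:02 vps sshd[2122]: Failed password for root from 198.51.100.44 port 50024 ssh2
EOF
}

# "count ip" per source of a failed password attempt, busiest first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# "count network/24 distinct_hosts": a range where many neighbours each try a
# little looks different from one noisy address.
failed_by_net24() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
             split(ip, o, ".")
             net = o[1] "." o[2] "." o[3] ".0/24"
             n[net]++
             if (!(ip in seen)) { seen[ip] = 1; hosts[net]++ }
         }
         END { for (net in n) print n[net], net, hosts[net] }' "$1" | sort -rn
}

# Decision rule (an assumption for this example, not a cPHulk setting):
# one host behind all the failures in its /24 -> block that address;
# several hosts in the /24 -> consider the range, after checking it is not a
# shared NAT or proxy that also carries legitimate users (btan's caveat).
suggest_blocks() {
    logfile=$1; min_fail=${2:-3}; min_hosts=${3:-3}
    failed_by_net24 "$logfile" | while read -r count net hosts; do
        if [ "$hosts" -ge "$min_hosts" ] && [ "$count" -ge "$min_fail" ]; then
            printf 'block-net %s (%s failures from %s hosts)\n' "$net" "$count" "$hosts"
        elif [ "$hosts" -eq 1 ] && [ "$count" -ge "$min_fail" ]; then
            ip=$(failed_by_ip "$logfile" | awk -v p="${net%.0/24}." 'index($2, p) == 1 { print $2; exit }')
            printf 'block-ip %s (%s failures)\n' "$ip" "$count"
        fi
    done
}

SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
echo "Failures per IP:";  failed_by_ip "$SAMPLE"
echo "Failures per /24:"; failed_by_net24 "$SAMPLE"
echo "Suggested blocks:"; suggest_blocks "$SAMPLE" 3 3
rm -f "$SAMPLE"
```

On the sample, 203.0.113.5 alone produces five failures and is suggested as a single-address block, while 198.51.100.0/24 shows four failures spread over four hosts and is flagged as a range. Whatever you feed into cPHulk's blacklist, the second case is the one to investigate first: if that /24 belongs to a hosting provider it is probably a botnet, if it belongs to a mobile carrier or a corporate NAT it is exactly the "wider user mass" btan warns about.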

Delton Childs (Owner, Author) commented:
I appreciate the thoroughness of your answer, Btan. I'm a seeker of knowledge. The info on sinkholes was really interesting and worth understanding. I appreciate the info on IP masking. To me that sounds like it would likely be in play, so individual IP blacklisting is rendered impotent. I am using Cloudflare; I like to "share the load", even if they only take part of the hit. I also appreciate the Cloudflare WAF features you mentioned. These brute attempts seem to be root, so they're not going through Cloudflare.

I only work from a single workstation, glued to my desk like so many, I'm sure. I think the use of a key for authentication would be best, if that's what you mean as an end-all: installing a key on my workstation and not allowing any root PW login. I'll look into it. Thank you for your time!
gheist commented:
You need to generate the key on your workstation.
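The setup gheist describes across both comments (generate the key on the workstation, then let root in by key only), as an added example that is not the thread's own code. It is POSIX shell and assumes an OpenSSH server and client; the demo at the bottom runs against temporary files so it can be executed anywhere, and the real paths (/root/.ssh/authorized_keys, /etc/ssh/sshd_config) are noted in comments. The placeholder key string is constructed, used only when ssh-keygen is not installed. One correction worth knowing before copying the option name from the earlier comment: the value OpenSSH accepts is `PermitRootLogin prohibit-password` (OpenSSH 7.0 and later), with `without-password` as the older synonym; `no-password` is not a recognised value and `sshd -t` will reject the file.

```shell
#!/bin/sh
# Added example, not from the thread: key-only root login as gheist describes.
# Assumes an OpenSSH server and client. The demo below works on temporary
# files; real locations are /root/.ssh/authorized_keys on the server and
# /etc/ssh/sshd_config, noted at each step.
set -eu

# Step 1, on the workstation: an Ed25519 key pair. Real use: leave out -N ""
# so ssh-keygen asks for a passphrase. Skipped where ssh-keygen is absent.
gen_workstation_key() {
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -C "workstation" -f "$1" -N ""
    else
        echo "ssh-keygen not found; skipping key generation" >&2
    fi
}

# Step 2, on the server: add the public key line to authorized_keys exactly
# once, with the permissions sshd insists on (StrictModes is on by default).
install_pubkey() {
    pub=$1; authkeys=$2
    mkdir -p "$(dirname "$authkeys")"
    chmod 700 "$(dirname "$authkeys")"
    touch "$authkeys"
    chmod 600 "$authkeys"
    grep -qxF "$pub" "$authkeys" || printf '%s\n' "$pub" >>"$authkeys"
}

# Set one global sshd_config directive. It goes at the TOP of the file because
# sshd honours the first occurrence of a keyword, and anything appended after a
# Match line would belong to that block. Earlier global occurrences, commented
# out or not, are dropped; lines inside Match blocks are left alone.
set_directive() {
    cfg=$1; key=$2; val=$3
    awk -v key="$key" -v val="$val" '
        BEGIN { print key, val }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { inmatch = 1 }
        !inmatch {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == tolower(key)) next
        }
        { print }' "$cfg" >"$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Step 3, on the server: root by key only, and no password logins for anyone.
# Do this only after a key login has been confirmed from a second terminal.
harden_sshd_config() {
    set_directive "$1" PermitRootLogin prohibit-password   # "without-password" on old OpenSSH
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no  # older name of KbdInteractiveAuthentication
    set_directive "$1" PubkeyAuthentication yes
}

# First value sshd would see for a keyword (sshd takes the first, not the last).
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

verify_sshd_config() {
    [ "$(effective_value "$1" PermitRootLogin)" = prohibit-password ] || return 1
    [ "$(effective_value "$1" PasswordAuthentication)" = no ] || return 1
    return 0
}

WORK=$(mktemp -d)
gen_workstation_key "$WORK/id_ed25519"
if [ -f "$WORK/id_ed25519.pub" ]; then
    PUB=$(cat "$WORK/id_ed25519.pub")
else
    PUB="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal workstation"  # constructed placeholder
fi
install_pubkey "$PUB" "$WORK/root/.ssh/authorized_keys"      # really /root/.ssh/authorized_keys
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' >"$WORK/sshd_config"  # stand-in for /etc/ssh/sshd_config
harden_sshd_config "$WORK/sshd_config"
verify_sshd_config "$WORK/sshd_config" && cat "$WORK/sshd_config"
# On the real server finish with: sshd -t && systemctl reload sshd  (or the distro equivalent)
rm -rf "$WORK"
```

Order matters more than the commands: install the key, open a second terminal and confirm `ssh -i ~/.ssh/id_ed25519 root@server` works without a password prompt, and only then reload sshd with the hardened config while the first session stays open as a fallback. On distributions whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there is read first and can still carry `PasswordAuthentication yes`, so confirm the effective settings with `sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` rather than by reading the main file alone.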