Knowledgebase

SSH brute force attacks

Secure Shell (SSH) is a powerful tool for accessing and managing servers. However, it can become a target for brute force attacks, where attackers attempt to gain unauthorized access through a barrage of login attempts. In this guide, we'll explore steps to fix and prevent SSH brute force attacks on your WHM cPanel server, enhancing its security.

Understanding SSH Brute Force Attacks

SSH brute force attacks involve automated attempts to guess usernames and passwords through repetitive login attempts. If successful, these attacks can lead to unauthorized access and potential compromise of your server.

Step 1: Update and Patch Your Server

Keeping your server and its software up to date is the first line of defense against known vulnerabilities. Regular updates ensure that security patches are applied promptly.

  1. Access WHM cPanel.
  2. Navigate to 'Software' and select 'Update Preferences'.
  3. Ensure 'Automatic' updates are enabled.

Step 2: Implement a Firewall

A firewall acts as a barrier between your server and the internet, filtering out potentially harmful traffic. Configure a firewall to restrict access to your server, allowing only authorized connections.

  1. Use WHM's 'ConfigServer Security & Firewall (CSF)' or an external firewall solution.
  2. Set up rules to allow access only to specific IP addresses.

Step 3: Disable Root Login via SSH

Allowing direct root login via SSH is risky. Instead, force users to log in with their own credentials and then switch to the root account if necessary.

  1. Access your server via SSH.
  2. Edit the SSH configuration file (/etc/ssh/sshd_config) and set PermitRootLogin to no.
  3. Restart the SSH service.

Step 4: Use Key-Based Authentication

Key-based authentication is a highly secure method of logging into your server. It replaces the need for a password with a cryptographic key pair.

  1. Generate an SSH key pair on your local machine.
  2. Copy the public key to your server's ~/.ssh/authorized_keys file for each user.
  3. Disable password-based authentication in the SSH configuration file.

Step 5: Limit Failed Login Attempts

Restrict the number of failed login attempts to thwart brute force attacks. This way, after a certain number of unsuccessful login attempts, the server will temporarily block further access attempts from that IP address.

  1. Access the SSH configuration file (/etc/ssh/sshd_config).
  2. Set MaxAuthTries to a reasonable value (e.g., 3-5).

Step 6: Set Up Two-Factor Authentication (2FA)

Implementing two-factor authentication adds an extra layer of security, requiring users to provide a secondary authentication method in addition to their password.

  1. Install and configure a 2FA solution like Google Authenticator or Duo Security.
  2. Enforce 2FA for all users accessing the server via SSH.

Step 7: Monitor for Suspicious Activity

Regularly monitor server logs for any unusual patterns or activities that may indicate attempted brute force attacks.

  1. Use WHM's 'Log Manager' to access and analyze logs.
  2. Look for repeated, rapid login attempts from the same IP address.

Step 8: Use Fail2ban or Similar Tools

Fail2ban is a popular intrusion prevention tool that monitors log files and takes action against IP addresses that exhibit malicious behavior.

  1. Install Fail2ban through your server's package manager.
  2. Configure rules to detect and block IP addresses with excessive failed login attempts.

Step 9: Educate Users on Secure Practices

Ensure that all users and administrators are educated about best practices for online security, including recognizing and reporting suspicious activity.

  1. Provide training on identifying phishing attempts and suspicious links.
  2. Encourage reporting of any unusual activity.

Step 10: Conduct Regular Security Audits

Perform regular security audits to identify and address potential vulnerabilities, ensuring that your server remains protected against evolving threats.

  1. Conduct thorough security reviews of your WHM cPanel server.
  2. Address any vulnerabilities discovered promptly.

Conclusion

Protecting your WHM cPanel server against SSH brute force attacks is essential for maintaining its security and integrity. By following these steps, you can significantly reduce the risk of unauthorized access and fortify your server against potential threats. Remember, security is an ongoing process, and staying vigilant and proactive is key to maintaining a robust defense against evolving attack techniques.

 
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Account Bandwidth and Traffic Logs

Understanding and managing account bandwidth usage and traffic logs is essential for maintaining the performance and stability of a hosting environment. This knowledge base provides detailed...

Account Package and Plan Adjustments

Adjusting account packages and plans is essential for accommodating changing needs and ensuring optimal service levels. This knowledge base provides detailed information and step-by-step...

Apache ModSecurity Configuration Problems

ModSecurity is an open-source web application firewall that helps protect web applications from various attacks. However, configuring ModSecurity on an Apache server can sometimes lead to...

Apache Virtual Host Configuration

Apache Virtual Hosts allow a single web server to host multiple websites, each with its own domain or subdomain. This knowledge base provides detailed information and step-by-step...

Apache Web Server Configuration Problems

The Apache web server is a widely used platform for hosting websites. However, misconfigurations can lead to various issues. This knowledge base aims to address common Apache web server...