Today at 10:04:19, perpetrator at 59.108.92.24 started attempting ssh root logins. Log lines from /var/log/secure read:
At 10:04:48 lfd noticed this situation and attempted to block the perpetrator in the firewall; /var/log/lfd.log says:Mar 7 10:04:19 osprey sshd[11556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.108.92.25 user=root
Mar 7 10:04:21 osprey sshd[11556]: Failed password for root from 59.108.92.25 port 60821 ssh2
...repeating every second or so from the same IP and differing port numbers
Unfortunately, the perpetrator continued his login attempts from the same IP until 12:33:52. From /var/log/secure the last attempt was:Mar 7 10:04:28 osprey lfd[11628]: (sshd) Failed SSH login from 59.108.92.25 (CN/China/-): 5 in the last 300 secs - *Blocked in csf* [LF_SSHD]
thousands of similar lines followed by:
A search for 59.108.92.25 in the firewall rules shows only:Mar 7 12:33:52 osprey sshd[29118]: Failed password for root from 59.108.92.25 port 44552 ssh2
Mar 7 12:33:53 osprey sshd[29120]: Received disconnect from 59.108.92.25: 11: Bye Bye
It seems that these two rules should have stopped the repeated login attempts.Chain num pkts bytes target prot opt in out source destination
DENYIN 170 0 0 DROP all -- !lo * 59.108.92.25 0.0.0.0/0
DENYOUT 170 0 0 DROP all -- * !lo 0.0.0.0/0 59.108.92.25
We noticed this problem around noon because other login attempts to WHM and root were failing with user name or password is incorrect. After the brute force attack ended access to
My questions:
What am I overlooking and what might I do to help csf/lfd to be able to effectively stop this perpetrator in the future?
I'm running the csf 5.75 on CENTOS 6.3 x86_64 standard WHM 11.34.1 (build 12)