
How Common Are Prolonged Root Attacks On VPS's?

Usually I see 3-4 attempts a day but now seeing 100s per hour


Webwork

6:32 pm on Nov 28, 2010 (gmt 0)




Apparently my VPS is being targeted by a slow grinding botnet, since the login attempts are coming from IP addresses "around the world".

Lucky me. :P

Is it just . . my turn? Does every VPS get its day/turn?

What makes a server "a more likely target" for a root attack? Are there "signals of weakness"?

Is there a way to disable "root" as the login for root and, at the same time, give the "root account" a new, less obvious, name?

The attempts continue as I type. I've already notified my hosting company's NOC. I assumed that they would/should have systems in place that would alert them to such behavior, but I'm not prepared to rest on that assumption. :-/

lammert

2:35 am on Nov 29, 2010 (gmt 0)




I assume you are talking about SSH or FTP login attempts with username root? They are common. On one server I get on average 1000 login attempts per day, and that for the last three years.

The best way to handle it is by blocking all SSH and FTP login access to the VPS except from a few IP addresses. You can do this with the built-in software firewall of your VPS, or with the hosts.allow and hosts.deny files. But be careful, it is easy to lock yourself out. I once did that and had to ask the hosting company to remove the firewall rules. Quite embarrassing.

Another option is to create a normal user account with a different name which has SSH access, and block SSH access for user root in the sshd_config configuration file. That file is probably located in your /etc/ssh directory. But again, be careful. In this situation you first log in with your normal account, and then use the su command to become root.
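The sshd_config change lammert describes, as an added example that is not part of the thread: a small POSIX shell audit that reports whether root login is blocked, plus a helper that forces PermitRootLogin no. The two config files are constructed samples, and the AllowUsers name "webwork" is an assumption taken from the poster's handle.

```shell
#!/bin/sh
# Added example: audit (and fix) PermitRootLogin in an sshd_config.
# sshd honours the FIRST occurrence of a keyword, and everything after a
# "Match" line is conditional, so the audit stops reading there.

effective_setting() {   # effective_setting <keyword> <file> -> prints value or nothing
    awk -v key="$(echo "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match"      { exit }       # conditional section: stop here
        tolower($1) == key          { print $2; exit }
    ' "$2"
}

root_login_status() {   # root_login_status <file> -> blocked | allowed | unset
    case "$(effective_setting PermitRootLogin "$1")" in
        no) echo blocked ;;
        "") echo unset ;;    # the default then depends on the OpenSSH version
        *)  echo allowed ;;  # yes, without-password, forced-commands-only: root can still log in
    esac
}

harden_sshd_config() {  # harden_sshd_config <file>: put "PermitRootLogin no" first, keep a .bak
    cp "$1" "$1.bak"
    { echo "PermitRootLogin no"
      awk 'tolower($1) != "permitrootlogin"' "$1.bak"; } > "$1"
}

# Constructed sample configs, not copied from any real host.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
EOF
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
AllowUsers webwork
EOF

for f in "$WEAK" "$HARD"; do
    printf '%s: root login %s\n' "$f" "$(root_login_status "$f")"
done
harden_sshd_config "$WEAK"
printf 'after hardening: root login %s\n' "$(root_login_status "$WEAK")"
rm -f "$WEAK.bak"
```

Restart sshd only after testing the new config from a second, still-open session, for the lock-out reason lammert gives.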