

Numerous hacking attempts with OVH.ca?




Posted by LittleApps-Nick, 11-17-2013, 06:45 PM
I got a dedicated server from OVH.ca a couple weeks ago now and installed CSF. Since getting the server, I am receiving notifications every few hours or so that XYZ IP address was trying to log in via SSH, portscanning, etc. The IP addresses are from all over the place (including USA, China, Canada, India, Korea, and Philippines) and seem to be from either compromised servers or cheap VPS providers. I have the root login disabled and I am considering changing the SSH port to something other than 22. I was wondering if this is normal for OVH.ca servers or is my IP address just being targeted for whatever reason?

Posted by Julien@Hostabulous, 11-17-2013, 06:54 PM
It has nothing to do with OVH, it's random port scanning, and such. Also you should change the SSH port, this will remove lots of alerts in CSF. We have servers in different DCs and this happens in all of them.

Posted by Hosting4Real, 11-17-2013, 07:02 PM
I've never seen a server not being port scanned, so it's pretty normal - run ssh on another port, or use port knocking, and have port 22 closed by default.

Posted by Kailash12, 11-18-2013, 02:00 AM
This is normal behavior. In addition to changing the SSH port, I also recommend restricting SSH access to your home/office IPs only.

Posted by LittleApps-Nick, 11-18-2013, 02:06 AM
Problem with that is my IP address is dynamic so if I restrict it to this IP address, then tomorrow it can all of a sudden change and I'm stuck having to wipe the server cause there's no KVM access.

Posted by wndml, 11-18-2013, 06:57 AM
And of course the most important fix which is moving from password to key based authentication, in addition to moving from port 22.

Posted by Lev, 11-18-2013, 07:26 AM
Simply changing the SSH port stops most SSH login attempts dead, they all try on the default port. Cannot even remember the last time CSF alerted me about SSH. Of course this will not work if a person and not a bot is targeting your server, but hopefully this is obvious (and not the intended purpose of changing the port anyway).

Posted by my247webhosting, 11-18-2013, 07:59 AM
Changing the SSH port number will resolve the issue. You can allow specific users to log in via SSH: You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure the SSH server so that the root user is not allowed to log in. Find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.
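As an added example (not part of the thread or any poster's code), the Python check below audits sshd_config text for the three steps recommended above: a non-default port, PermitRootLogin no, and key-only logins. It relies on sshd using the first value it reads for a keyword; the function names and sample configs are constructed for illustration.

```python
# Added example: audit sshd_config text for the hardening steps the thread recommends.
# Function names and sample configs are constructed; nothing here comes from the posters.

def effective_settings(text):
    """Global-scope values as sshd would read them (first value per keyword wins)."""
    seen, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                              # the rest is conditional, not global
        if key == "port":
            ports.append(int(value))           # Port may repeat; sshd listens on each
        else:
            seen.setdefault(key, value)        # later duplicates are ignored
    seen["port"] = ports or [22]               # 22 is the default when unset
    return seen

def audit(text):
    s = effective_settings(text)
    findings = []
    if 22 in s["port"]:
        findings.append("sshd listens on default port 22")
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("password logins enabled; key-based auth not enforced")
    return findings

# Constructed sample: root login disabled, everything else left at defaults.
NO_ROOT_ONLY = "PermitRootLogin no\n"

# Constructed sample: a 'no' appended below an existing 'yes' has no effect.
SHADOWED = """\
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("NO_ROOT_ONLY", NO_ROOT_ONLY), ("SHADOWED", SHADOWED)):
        print(name, audit(cfg))
```

The SHADOWED sample is why the advice to find and edit the existing PermitRootLogin line matters: adding a second line further down leaves the first one in force.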


