Symptoms
Sometimes a large number of "ssl handshake failure" records can be found in the Parallels Panel sw-cp-server log file (/var/log/sw-cp-server/error_log):
2009-06-03 22:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:46:56: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 22:58:49: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:19:52: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:31:44: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:41:18: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-03 23:52:36: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2009-06-04 00:02:38: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
Additionally, the following records may be located in the system security log:
Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 07:32:43 plesk9 sshd[11756]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Cause
A possible reason for such log entries is a brute-force attack against the sw-cp-server service on port 8880. The sshd records above show that the same host is also guessing SSH passwords, which is why the measures below target sshd as well. A sustained brute-force attack may eventually block normal operation of the service.
Resolution
You can resolve the issue by one of the options below.
1. Block the host using firewall rules.
Example 1 (Linux):
Configure firewall (iptables) rules with the commands below. They rate-limit new SSH connections on port 22: a source that opens 4 or more new connections within 180 seconds is logged and then dropped. To protect the Panel itself, repeat the same three rules with --dport 8880 and a different --name.
#iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
#iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
#iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --rttl --name SSH --rsource -j DROP
Example 2 (FreeBSD):
a. Create a script ssh-fwscan.sh:
#!/bin/sh
# Remove the previous block rule (ipfw rule number 20000) so it can be
# rebuilt from the current log contents.
if ipfw show | awk '{print $1}' | grep -qx 20000 ; then
    ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users.
# No check for duplicate entries is performed, since the rule
# has been deleted.
# The source address is taken from the last field of the line, so only
# messages that end with the address ("Invalid user X from IP",
# "authentication error for X from IP") are counted; "Failed password ...
# port N ssh2" lines end with "ssh2" and are not covered by this pattern.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
    ipfw -q add 20000 deny tcp from $ip to any in
done
b. Add the script to a cron job (the path must match where the script from step a was saved):
*/10 * * * * root /operator/ssh-fwscan.sh
Example 3 (FreeBSD):
Add a rule to the pf filter that admits SSH only from the listed networks:
pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state
Note! Replace the IP addresses (192.168.1.0/24 and 202.54.1.5/29) with the ones you need. The pass rule only restricts access if pf is also configured to block traffic that no pass rule matches (for example, a default "block in on $ext_if" rule).
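The ipfw script in Example 2 keys on the last field of the log line, so it misses the "Failed password for root from ::ffff:IP port N ssh2" records shown under Symptoms. The following script is an added example written for this article (it is not Parallels/Plesk code): it locates the address after the word "from", strips the IPv4-mapped "::ffff:" prefix, counts failures per source and prints iptables commands that block the offender on both sshd (22) and the Panel port (8880). The log lines are constructed for the demo; the threshold of 5 and the port list are assumptions. The commands are printed rather than executed so they can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example for this article, not code from Parallels/Plesk.
# Counts sshd authentication failures per source address and emits
# block rules. Threshold and port list are assumptions.

THRESHOLD=${THRESHOLD:-5}

# sample_log: a constructed auth log (not a real capture).
sample_log() {
    cat <<'EOF'
Jan 13 02:54:48 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:54:51 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:54:54 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:54:57 plesk9 sshd[9890]: Failed password for root from ::ffff:125.208.21.3 port 8880 ssh2
Jan 13 02:55:01 plesk9 sshd[9893]: Failed password for root from ::ffff:125.208.21.3 port 8881 ssh2
Jan 13 02:55:04 plesk9 sshd[9893]: Failed password for root from ::ffff:125.208.21.3 port 8881 ssh2
Jan 13 03:10:12 plesk9 sshd[9950]: Invalid user oracle from 203.0.113.9
Jan 13 03:10:15 plesk9 sshd[9950]: Failed password for invalid user oracle from 203.0.113.9 port 51022 ssh2
Jan 13 03:20:40 plesk9 sshd[9971]: Accepted publickey for admin from 198.51.100.7 port 50234 ssh2
EOF
}

# offending_ips FILE LIMIT
# Print, sorted and one per line, every source address with more than
# LIMIT sshd failures in FILE. Matches "Failed password for ...",
# "Invalid user ..." and "... authentication error ..." messages; the
# address is the field after "from", so the trailing "port N ssh2" does
# not matter.
offending_ips() {
    awk -v limit="$2" '
        /sshd/ && (/Failed password/ || /Invalid user/ || /authentication error/) {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            sub(/^::ffff:/, "", ip)      # IPv4-mapped form seen in the article log
            if (ip != "") tries[ip]++
        }
        END { for (h in tries) if (tries[h] > limit) print h }
    ' "$1" | sort
}

# block_rules FILE LIMIT
# Emit one iptables command per offending address covering sshd (22) and
# the Panel (8880). Printed, not executed: pipe into sh to apply.
block_rules() {
    offending_ips "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp -m multiport --dports 22,8880 -j DROP\n' "$ip"
    done
}

# Demo on the constructed log: show what would be blocked at the threshold.
demo=$(mktemp)
sample_log > "$demo"
block_rules "$demo" "$THRESHOLD"
rm -f "$demo"
```

For a real host, replace sample_log with the actual log path (/var/log/auth.log or /var/log/secure depending on the distribution) and run it from cron as Example 2 does; on FreeBSD, swap the printf format for the corresponding ipfw or pf command.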
2. Block the host using tcp wrappers.
Example:
Add the following rule into the /etc/hosts.allow file:
sshd: <admin IP address>/<netmask> : allow
sshd: ALL : deny
Additional information
Some other methods may help increase OS security against external attacks, including brute force:
- Change the sshd daemon port from 22 to another
- Use key-based authentication only
- Close ssh access for the "root" user
- Configure the sshd daemon to listen on specific IP addresses only
There are also many third-party solutions for the same purpose:
DenyHosts - it scans log files and configures tcp wrapper rules
Cryptknock - it opens the ssh port if required
BlockSshd - it analyzes logs and configures firewall rules
SshGuard - it monitors logs and configures firewalls