My panel has been attacked for days

OS Name/Version:
Debian 12 64bit

Product Name/Version: (Always use the full version number - not ‘Latest’)
Amp 2.5.1.8 - 20240917.2

Problem Description:
Hello, I have had someone attacking my panel for a week:

17:19:16
SFTP connection request from xxx.xxx.xx.xxx (OpenSSH)
SFTP authentication denied for odoo@xxx.xxx.xx.xxx : Failure

17:19:36
SFTP connection request from xxx.xxx.xx.xxx (OpenSSH)
SFTP authentication denied for hwhiaiuser@xxx.xxx.xx.xxx : Failure

17:20:20
188.190.10.144 has been banned from SFTP, ignoring connection attempt…

17:20:45
SFTP connection request from xxx.xxx.xx.xxx (OpenSSH)
SFTP authentication denied for chia@xxx.xxx.xx.xxx : Failure

I actually banned him with iptables -A INPUT -s xxx.xxx.xx.xxx -j DROP but he continues. And why are all users locked out by the server manager? I have to disable rate-limit logins every time so that I can log in again via SFTP. Shouldn’t this only apply to the IP that is attacking and not to all users?

Known issue, there’s a slight bug in AMP’s rate limiter that was brought to light by the botnet (accidentally rate limits things due to how the internal auth server validates SFTP logins).
You have some firewall setup preventing you from blocking the IPs properly, not an AMP-related issue. I’ve been able to block things fine, but there are some other users with a similar firewall issue. No clue what’s different tbh.

Is there a way to permanently block the IPs for AMP?

Use iptables -I rather than iptables -A

1 Like
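Background on the `-I` versus `-A` advice, as an added example that is not part of the thread or of AMP: iptables evaluates a chain top to bottom and stops at the first matching ACCEPT or DROP, `-A` appends to the end of the chain, and `-I` inserts at the top by default. The check below reads `iptables -S INPUT` text and reports whether a DROP rule for an address sits behind an earlier ACCEPT; the rule sets, the address 203.0.113.5 and port 2223 are constructed sample values, and `check_drop` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Constructed samples of `iptables -S INPUT` output (not taken from the thread).
# 203.0.113.5 is a documentation address; port 2223 is an assumed SFTP port.
APPENDED='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2223 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP'

INSERTED='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2223 -j ACCEPT'

# check_drop IP: read `iptables -S INPUT` text on stdin and report whether the
# first DROP rule for IP is preceded by an ACCEPT rule that could match it.
# Heuristic: an earlier ACCEPT counts unless it is limited to loopback (-i lo)
# or to a different source address (-s other). Negated matches are not handled.
check_drop() {
  awk -v ip="$1" '
    $1 != "-A" { next }                  # skip policy lines (-P)
    {
      n++; src = ""; iface = ""; target = ""
      for (i = 2; i < NF; i++) {         # collect the options we care about
        if ($i == "-s") src = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      sub(/\/32$/, "", src)              # iptables -S prints hosts as a.b.c.d/32
      if (target == "DROP" && src == ip) {
        if (shadow) print "shadowed: DROP at rule " n " follows ACCEPT at rule " shadow
        else        print "effective: DROP at rule " n
        found = 1; exit
      }
      if (target == "ACCEPT" && iface != "lo" && (src == "" || src == ip) && !shadow)
        shadow = n                       # remember the first ACCEPT that could match
    }
    END { if (!found) print "missing: no DROP rule for " ip }
  '
}
```

On a live host the same check runs as `iptables -S INPUT | check_drop <address>` (root required); the reported rule numbers line up with `iptables -L INPUT --line-numbers`.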

Thank you very much.
I’ve tried it now and haven’t seen any login attempts in the log for 10 minutes.
