Massive hit on vps?

Hi @ScIT,

Just updated my Hestia.

At first I received an email that there was a failure, so I decided to run apt-get upgrade. Then it showed lots of notices like php7.3 fpm not being default. I ignored them and hopefully there's no problem.

But afterwards I checked and my iptables are full. I already deleted some. These hits are currently ongoing, on SSH and Hestia.

How is it possible that Hestia can be brute-forced? I used a random port. Do “they” still know about that random port 6xxxx?

Are the sites working properly? If yes, all should be good.

You don’t need to delete anything in iptables. Did you reboot the server? I notice that fail2ban consumes a lot of load after a service restart or server reboot and it restores the bans, so probably this happened also in your case; that’s why it could look like a brute force.

Give it a few minutes and let me know if there are still new entries, even when fail2ban uses zero CPU.

Oh. I deleted the //hestiacp/list/firewall/banlist/ logs, because the page momentarily freezes, and issuing iptables --list also freezes the terminal until all logs (long) are displayed. I also restarted the VPS. Now it's kind of okay, with some random SSH/Hestia attempts.

Sir, is it possible that in a future release of Hestia you can also include an option to change the SSH port?

Thanks.

You can already change the SSH key: just adjust the sshd_config file; Hestia detects the port automatically. If there are some firewall rules that are related to SSH, just run v-update-firewall once to update the rule set.

I have seen a recent major uptick in blocked IPs as well. This could be related to the security hole found in 1.1.0 (patched in 1.1.1), which may have caused an interest in attacking Hestia and VestaCP servers. I’m sure this will die down eventually.

Looks more like an unrelated coincidence.
The security issue fixed in the last version can’t be exploited by brute-forcing the server, and not without the users actively opening links from an unsolicited password reset email.


I have installed Hestia for a few days and am running it as a test CP on a new VPS on default settings. After seeing this post I checked my IP ban list and I have 1066 banned IP addresses.

Changed the SSH following (Change SSH Hestia).

Changed the CP port with the command below:

v-change-sys-port

I will monitor to see if it gets any more hits :)

Thanks,
John

This is something real.

I tend to believe that my VPS got defeated through brute force, as the bans stopped before I did anything and my new domain ended up on Spamhaus.

I created another droplet on DO with a new IP; fresh install, 5 min later 10 IPs blocked already.

Not sure how this works, whether they attack a class of IPs or how.

I have deleted the second VPS as well.

Can you advise how I should protect this to stop the attacks? I see that SSH and Hestia are getting attacked.

Would changing the port for Hestia and SSH work (or suspending SSH)?

Appreciate any input and help on this.

You are already protected; that’s why Fail2Ban and iptables are here.

You could change the SSH and Hestia port (v-change-sys-port), so they can’t attack you directly.

Thanks @ScIT, that’s the only way, I’m afraid. On a side note, can you advise on a way to block an IP class range, as I see most of them generate from the same class?

Just check the firewall tab (Server -> Firewall) in Hestia; you should be able to do custom blocks there. But as I wrote, this isn’t needed; for this case you have fail2ban.

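As an added illustration of what fail2ban is doing on these servers, and of the "same class" grouping asked about above, here is a small script written for this thread (it is not HestiaCP or fail2ban code). It parses constructed sshd log lines in the format found in /var/log/auth.log, applies a maxretry/findtime rule like the one in a fail2ban sshd jail, groups the failing sources by /24 so a range of attackers becomes visible, and renders (without executing) the iptables rules a custom block would need. The log lines, the year supplied for the timestamps, the thresholds and the rule format are all assumptions of the example.

```python
"""fail2ban-style analysis of failed SSH logins, grouped by /24.

Added example for this thread; not HestiaCP or fail2ban code. The log lines
below are constructed and the thresholds are assumed values that mirror the
maxretry/findtime settings of a typical fail2ban sshd jail.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Addresses come from the documentation ranges (TEST-NET-1/2/3).
SAMPLE_AUTH_LOG = """\
Apr 10 03:14:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 10 03:14:03 vps sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr 10 03:14:05 vps sshd[1203]: Invalid user admin from 203.0.113.7 port 51024
Apr 10 03:14:06 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr 10 03:14:09 vps sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr 10 03:14:11 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 10 03:15:00 vps sshd[1210]: Failed password for root from 203.0.113.88 port 40001 ssh2
Apr 10 03:15:02 vps sshd[1211]: Failed password for root from 203.0.113.88 port 40002 ssh2
Apr 10 03:16:30 vps sshd[1220]: Accepted publickey for deploy from 198.51.100.5 port 50122 ssh2
Apr 10 03:17:00 vps sshd[1230]: Failed password for root from 192.0.2.9 port 33001 ssh2
Apr 10 03:17:01 vps sshd[1231]: Failed password for root from 192.0.2.9 port 33002 ssh2
Apr 10 03:17:02 vps sshd[1232]: Failed password for root from 192.0.2.9 port 33003 ssh2
Apr 10 03:17:03 vps sshd[1233]: Failed password for root from 192.0.2.9 port 33004 ssh2
Apr 10 03:17:04 vps sshd[1234]: Failed password for root from 192.0.2.9 port 33005 ssh2
Apr 10 04:30:00 vps sshd[1300]: Failed password for root from 192.0.2.9 port 33006 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)


def parse_failures(log_text, year=2020):
    """Yield (timestamp, ip) for every 'Failed password' line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so one is supplied here (assumed value)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, ipaddress.ip_address(m.group(2))


def ips_to_ban(log_text, maxretry=5, findtime_s=600):
    """Ban an address once it reaches maxretry failures inside a findtime window.

    This is the per-jail rule fail2ban applies; it is why a rebooted server that
    restores its old bans and keeps receiving new failures fills iptables fast.
    """
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    banned = set()
    for ts, ip in parse_failures(log_text):
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return [str(ip) for ip in sorted(banned)]


def offenders_by_network(log_text, prefixlen=24):
    """Group failing sources by network so a 'class' of attackers becomes visible.

    Returns {network: {"hosts": n, "failures": m}}, most failures first.
    """
    per_ip = Counter(ip for _, ip in parse_failures(log_text))
    nets = defaultdict(lambda: {"hosts": 0, "failures": 0})
    for ip, n in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[net]["hosts"] += 1
        nets[net]["failures"] += n
    ordered = sorted(nets.items(), key=lambda kv: (-kv[1]["failures"], kv[0]))
    return {str(net): stats for net, stats in ordered}


def suggested_drop_rules(log_text, min_hosts=2, chain="INPUT"):
    """Render (never execute) iptables rules: a whole /24 only when several of
    its hosts attacked, otherwise just the single banned address."""
    rules, covered = [], []
    for net, stats in offenders_by_network(log_text).items():
        if stats["hosts"] >= min_hosts:
            rules.append(f"iptables -I {chain} -s {net} -j DROP")
            covered.append(ipaddress.ip_network(net))
    for ip in ips_to_ban(log_text):
        if not any(ipaddress.ip_address(ip) in net for net in covered):
            rules.append(f"iptables -I {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    print("banned:", ips_to_ban(SAMPLE_AUTH_LOG))
    for net, stats in offenders_by_network(SAMPLE_AUTH_LOG).items():
        print(f"{net}: {stats['hosts']} host(s), {stats['failures']} failures")
    print("\n".join(suggested_drop_rules(SAMPLE_AUTH_LOG)))
```

A /24 block stops any attacker in that range, but it also blocks every innocent neighbour, which is why the per-address bans fail2ban already applies are normally enough. When inspecting a long ban list on the box itself, `iptables -L -n` skips the reverse DNS lookups that make a plain `iptables --list` appear to hang.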
