At first I received an email that there was a failure, so I decided to run apt-get upgrade. Then it had lots of notices like php7.3 fpm not default. I ignored them and hopefully there's no problem.
But afterwards I checked and my iptables are full. I already deleted some. These hits are currently ongoing, ssh and hestia.
How is it possible that Hestia can be bruteforced? I used a random port. Do “they” still know about that random port 6xxxx?
Are the sites working properly? If yes, all should be good.
You don’t need to delete anything in iptables. Did you reboot the server? I notice that fail2ban consumes a lot of load after a service restart or server reboot and it restores the bans, so probably this also happened in your case, that’s why it could look like a bruteforce.
Give it a few minutes and let me know if there are still new entries, even when fail2ban uses zero cpu.
Oh. I deleted the //hestiacp/list/firewall/banlist/ logs because the page momentarily froze, and issuing iptables --list also froze the terminal until all the (long) logs were displayed. I also restarted the VPS. Now it's kind of okay with some random ssh/hestia attempts.
Sir, is it possible that in a future release of Hestia you can also include an option to change the ssh port?
You can already change the ssh key, just adjust the sshd_config file; Hestia detects the port automatically. If there are some firewall rules that are related to ssh, just run v-update-firewall once to update the rule set.
I have seen a recent major uptick in blocked IPs as well. This could be related to the security hole found in 1.1.0 (Patched in 1.1.1) which may have caused an interest in attacking Hestia and Vestacp servers. I’m sure this will die down eventually.
Looks more like an unrelated coincidence.
The security issue fixed in the last version can’t be exploited by brute forcing the server and without the users actively opening links from an unsolicited password reset email.
I have had Hestia installed for a few days and am running it as a test CP on a new VPS with default settings. After seeing this post I checked my IP ban list and I have 1066 banned IP addresses.
Thanks @Raphael, that’s the only way I’m afraid. On a side note, can you advise on a way to block an IP class range, as I see most of them are generated from the same class?
Just check the firewall tab (server -> firewall) in Hestia, you should be able to do custom blocks there. But as I wrote, this isn’t needed, for this case you got fail2ban.
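An added example, not part of the thread and not Hestia's own code: before adding a custom range block, this checks whether the individual fail2ban bans really cluster in one range by grouping them per /24. It assumes the input is `iptables -S` output; the sample rules, chain names and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `iptables -S` format; chain names are assumed.
SAMPLE_RULES = """\
-A fail2ban-SSH -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 203.0.113.17/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 203.0.113.200/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HESTIA -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HESTIA -s 198.51.100.9/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 192.0.2.44/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Matches only single-host ban rules (source address, then REJECT or DROP).
BAN_RULE = re.compile(
    r"^-A \S+ -s (\d{1,3}(?:\.\d{1,3}){3})(?:/32)? -j (?:REJECT|DROP)\b"
)


def banned_hosts(rules_text):
    """Return the unique IPv4 hosts banned by single-host rules."""
    hosts = set()
    for line in rules_text.splitlines():
        match = BAN_RULE.match(line.strip())
        if not match:
            continue
        try:
            hosts.add(ipaddress.IPv4Address(match.group(1)))
        except ValueError:
            continue  # skip malformed addresses such as 999.1.1.1
    return hosts


def dense_ranges(rules_text, prefix=24, min_hosts=3):
    """List (network, host_count) for ranges with at least min_hosts bans."""
    counts = Counter(
        ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        for host in banned_hosts(rules_text)
    )
    dense = [(str(net), n) for net, n in counts.items() if n >= min_hosts]
    return sorted(dense, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for network, count in dense_ranges(SAMPLE_RULES):
        print(f"{network}\t{count} banned hosts")
```

A host banned in both the SSH and the panel chain is counted once, so the per-range figure reflects distinct sources rather than rule count.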