wepper Posted April 25, 2014
Hi,
My heliohost account keeps on locking me out due to "brute force protection". I know for a fact that this is not due to incorrect password entries on my part (I've only entered the password manually once, then subsequently it sometimes works, sometimes not). On the other hand, the problem seems to arise while I'm doing ftp or webdisk activities, so I suspect that the problem is somehow triggered by my activities (rather than by some hacker's). Can you figure out what's going on?
-wepper
wolstech Posted April 25, 2014
Perhaps the webdisk or FTP client are using an old password saved somewhere? Those types of applications will often try over and over to connect when they fail. The brute-force should clear on its own with time. If it doesn't, an admin can reset it for you.
Byron Posted April 25, 2014
It's coming from your ip:
30 failed login attempts to account pew (system) -- Large number of attempts from this IP: 217.157.206.10
wepper Posted April 25, 2014
> It's coming from your ip:
> 30 failed login attempts to account pew (system) -- Large number of attempts from this IP: 217.157.206.10
That's what I suspected. The question is why? It's the right password. The first time it happened I was transferring files with FileZilla in small bunches at a time - with FileZilla sometimes logging off and on between transfers (don't know exactly why). The first transfers were successful, then suddenly FileZilla failed to log on, and of course continued to retry. Obviously the password did not change between the successful and unsuccessful attempts, so I'm thinking that something else caused the connection to be rejected, and then the multiple attempts caused the lock-out even though the password was correct every time. Is it possible to check the server log to see what caused the initial failure?
Byron Posted April 25, 2014
This support request is being escalated to our root admin.
wepper Posted April 26, 2014
I've been using SFTP as recommended - for both the successful and unsuccessful attempts. Now it seems that I'm permanently locked out. Even after almost a day of waiting I still get the brute force message when I try to log into cpanel or webmail.
wepper Posted April 27, 2014
Well, I'm still getting the brute force message when I try to log into cpanel or webmail, even though I haven't made any new attempts to use ftp or webdisk. Meanwhile, I've found another hosting service that seems to work for me, so I don't think I should waste any more of your time or mine on this weird problem. But thanks anyway for whatever effort you have put in so far. If you would be kind enough to delete my account and my uploaded data, I'd appreciate it. Sorry I can't clean up after myself, but it's difficult to do much when I'm locked out. Thanks.
Krydos Posted April 28, 2014
Here is a log of the SFTP login attempts that got you blocked for brute force attempt:
Apr 25 03:00:30 stevie sshd[7724]: Accepted keyboard-interactive/pam for pew from 217.157.206.10 port 1376 ssh2
Apr 25 03:01:03 stevie sshd[9016]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:01:03 stevie sshd[9015]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:01:13 stevie sshd[10129]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:01:13 stevie sshd[10126]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:01:23 stevie sshd[10531]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:01:23 stevie sshd[10530]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:01:41 stevie sshd[10911]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:02:34 stevie sshd[12700]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:02:38 stevie sshd[13128]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:02:51 stevie sshd[13684]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:07 stevie sshd[14176]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:07 stevie sshd[14177]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:25 stevie sshd[15119]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:25 stevie sshd[15117]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:35 stevie sshd[15417]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:35 stevie sshd[15418]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:45 stevie sshd[15769]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:45 stevie sshd[15780]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:56 stevie sshd[16164]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:03:56 stevie sshd[16165]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:06 stevie sshd[18492]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:07 stevie sshd[18495]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:18 stevie sshd[18941]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:18 stevie sshd[18940]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:28 stevie sshd[19332]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:28 stevie sshd[19333]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:37 stevie sshd[19632]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:37 stevie sshd[19630]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:04:47 stevie sshd[19979]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 03:31:10 stevie sshd[18692]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 25 04:04:52 stevie sshd[9552]: Accepted keyboard-interactive/pam for pew from 217.157.206.10 port 4604 ssh2
Apr 26 02:32:42 stevie sshd[6612]: error: PAM: Authentication failure for pew from 217.157.206.10
Apr 26 02:42:32 stevie sshd[11531]: error: PAM: Authentication failure for pew from 217.157.206.10
As you can see they all originate from your IP, and there are successful password authentications as well as failures. Are you sure you don't have an incorrect password saved in your ftp client? Another option is that there is some malware on your computer. Does a virus scan find anything on any of the systems located at that IP?
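An added example, not part of the thread and not the host's own tooling: a Python triage script that parses sshd lines in the format posted above and reports, per user and source IP, the accepted and failed counts and the peak number of failures inside a sliding window. The sample lines, host name, user, IPs, window length and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd message shapes seen in the log posted above.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:(?P<ok>Accepted \S+)|error: PAM: Authentication failure) "
    r"for (?P<user>\S+) from (?P<ip>\S+)")

def summarize(lines, window=timedelta(minutes=5), threshold=5, year=2014):
    """Per (user, ip): counts plus peak failures in any sliding window."""
    events = defaultdict(lambda: {"accepted": 0, "failed": []})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an sshd authentication line
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = events[(m["user"], m["ip"])]
        if m["ok"]:
            rec["accepted"] += 1
        else:
            rec["failed"].append(when)
    report = {}
    for key, rec in events.items():
        fails, peak, start = sorted(rec["failed"]), 0, 0
        for end, t in enumerate(fails):
            while t - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[key] = {
            "accepted": rec["accepted"], "failed": len(fails), "peak": peak,
            "over_threshold": peak >= threshold,  # threshold is assumed
            # same source both succeeded and failed: check the client's
            # saved credentials and retry behaviour first
            "mixed": rec["accepted"] > 0 and len(fails) > 0}
    return report

# Constructed sample in the same format (hypothetical host, user and IPs).
SAMPLE = """\
Apr 25 03:00:30 host1 sshd[100]: Accepted keyboard-interactive/pam for alice from 203.0.113.5 port 1376 ssh2
Apr 25 03:01:03 host1 sshd[101]: error: PAM: Authentication failure for alice from 203.0.113.5
Apr 25 03:01:03 host1 sshd[102]: error: PAM: Authentication failure for alice from 203.0.113.5
Apr 25 03:01:13 host1 sshd[103]: error: PAM: Authentication failure for alice from 203.0.113.5
Apr 25 03:31:10 host1 sshd[104]: error: PAM: Authentication failure for alice from 203.0.113.5
Apr 25 04:04:52 host1 sshd[105]: Accepted keyboard-interactive/pam for alice from 203.0.113.5 port 4604 ssh2
Apr 25 05:00:00 host1 sshd[106]: error: PAM: Authentication failure for alice from 198.51.100.7
""".splitlines()
```

Calling `summarize(SAMPLE, threshold=3)` flags the first source as over the threshold and as mixed, while the second source shows a single failure and no successes.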
wepper Posted April 28, 2014
Well, I don't use malware - never have. It also seems unlikely that FileZilla would change credentials mid-session, even if it does have settings for other sites as well. My best bet would be that there's a bug or a misconfiguration somewhere. I had hoped the server log would have more details about the authentication failure (e.g. did the credentials actually change, or did some other part of the authentication procedure fail?). Anyway, I'm afraid I gave up and removed my account yesterday, so I guess that's the end of the story - at least until the problem reappears for either you or me. If there's malware on my system, I guess I should soon be getting more clues to that effect.
Krydos Posted May 1, 2014
It's really not that big of a deal for an admin to reset the brute force protection on your account. If it happens again just post here on the forums and the first admin that sees it can get you back to being able to log in. The reason we try to help users figure out what the reason for the brute force is because it's a better, more long-term solution to fix the underlying problem than it is to just fix the symptoms over and over. We have literally thousands of user accounts hosted on our servers, and while this brute force protection issue does come up frequently it's highly unlikely there is anything wrong with the servers because if there was we would see hundreds if not thousands of people like you not being able to log in. There is something on your end causing this, and we'll do everything we can to help you figure it out so it doesn't continue happening, or if you can't figure it out we'll just reset it for you each time you need to log in. Let us know how we can help.