On some level, we need to find out why these servers are being attacked like this. I have one that I fired up two days ago, now shut down by OVH because of the non-stop attacks.

So what are the footprints that are being targeted? Why are they going so hard after this panel? I had Virtualmin on this before this, no problem for years. Now with aaPanel, in two days it gets shut down by my provider. I can't even get to it to move the websites. :-(
https://www.screencast.com/t/RJKx0s31

    I want to point out as well, people talk about blocking at Cloudflare etc., but that only works against a domain, not an IP address. So if it's the IP and not the domain they are attacking, you are screwed.

      gacott BTW, the footprint is NOT the port, because I change that right away.


      It's a shame, these sites and IPs have been up and working fine for years, now completely reached, can't even keep an IP up. Attacks from China, Hong Kong, and Africa. To the IP, so no way to stop them at Cloudflare.


        aaPanel_Jose We have about 3800 attacks and 122 IPs in a week from which the attacks are carried out. It definitely has something to do with bt.cn. Before that, we also used open-source panels and it was just about 20 or 30 attacks. Since we removed aaPanel and only ran it for the test, the whole thing has normalized again to about 30 attacks.

        This is only from yesterday 9:00 pm until today 8:40 am:

        Total banned: 26
        Total failed: 18459
        Currently banned: 25
        Currently failed: 6

        Attacks take place on Dovecot, Postfix, FTP, and the web server (NGINX), although Fail2ban, the SYS Firewall and some other security measures are still active, just like the CDN etc. These are not normal scans, but definitive attacks on the panel. As already said, only on aaPanel. The modules are hosted at bt.cn and conclusions can be drawn about the IPs of the installed panels. We even took the IPs from other data centers so that these IPs could not be attacked explicitly. Even in other countries, not Germany or Europe, and yet only aaPanel web servers are attacked. I had the same thing in 2017 at http://centos-webpanel.com/ when the attacks came from Croatia, Russia, China and Serbia. We quickly deleted it and it calmed down again. Since then we have avoided this panel. In my opinion, the modules should be reloaded via a proxy server, as should the installation. We are currently testing this and are already seeing some serious differences. So you have to consider where the modules are stored, on which servers, and whether you should put your own proxy server in between?!!! Here the solution would be to install a local proxy first and then load and install aaPanel.
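As an added defender's example (not code from this thread or from aaPanel): a short Python script that turns fail2ban's own log into the per-jail failure and ban counts and the list of source IPs quoted above, so a "normal" window can be compared against an attack window by rate rather than by gut feeling. The log excerpt, jail names and addresses below are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed fail2ban.log excerpt in the daemon's default line format (not taken
# from the thread); source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-05-01 20:58:11,001 fail2ban.filter         [812]: INFO    [dovecot] Found 198.51.100.7 - 2023-05-01 20:58:10
2023-05-01 20:58:13,140 fail2ban.filter         [812]: INFO    [dovecot] Found 198.51.100.7 - 2023-05-01 20:58:12
2023-05-01 20:58:15,233 fail2ban.filter         [812]: INFO    [dovecot] Found 198.51.100.7 - 2023-05-01 20:58:14
2023-05-01 20:58:15,300 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.7
2023-05-01 21:02:44,912 fail2ban.filter         [812]: INFO    [postfix-sasl] Found 203.0.113.22 - 2023-05-01 21:02:44
2023-05-01 21:03:01,000 fail2ban.filter         [812]: INFO    [nginx-http-auth] Found 192.0.2.9 - 2023-05-01 21:03:00
2023-05-01 21:03:02,000 fail2ban.filter         [812]: INFO    [nginx-http-auth] Found 192.0.2.9 - 2023-05-01 21:03:01
2023-05-01 21:03:03,000 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.9
2023-05-01 21:03:05,000 fail2ban.filter         [812]: INFO    [pure-ftpd] Found 203.0.113.22 - 2023-05-01 21:03:04
2023-05-02 08:40:00,000 fail2ban.actions        [812]: NOTICE  [dovecot] Unban 198.51.100.7
"""

# One regex covers the filter "Found" lines and the actions "Ban"/"Unban" lines.
LINE_RE = re.compile(
    r"^\S+ \S+ fail2ban\.\w+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>[0-9a-fA-F.:]+)"
)

def summarize(log_text):
    """Return per-jail failed/banned counts and the source IPs seen."""
    failed = Counter()            # jail -> matched failures ("Found")
    banned = defaultdict(set)     # jail -> IPs that earned a ban
    sources = Counter()           # ip -> failures across all jails
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # startup chatter and other non-event lines
        jail, event, ip = m.group("jail", "event", "ip")
        if event == "Found":
            failed[jail] += 1
            sources[ip] += 1
        elif event == "Ban":
            banned[jail].add(ip)
    return {
        "total_failed": sum(failed.values()),
        "failed_by_jail": dict(failed),
        "total_banned": sum(len(v) for v in banned.values()),
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(3),
    }

def failures_per_hour(total_failed, hours):
    """Normalise a count to a rate so two capture windows can be compared."""
    return total_failed / hours if hours > 0 else float("inf")
```

Run it over the real log (`/var/log/fail2ban.log`) for a quiet week and for an attack week and compare the two rates; the "distinct_sources" figure is also the list you would hand to the provider when disputing an abuse shutdown.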

        gacott This is mostly done from China via VPN servers, hence from Africa.

          aaPanel_Jose Yeah man. As I said, this IP has had Virtualmin on it forever. I decided to move it over, two days later, getting blasted like crazy. So much so that they shut me down. I then went to Cloudflare and created rules on the domains there, then unblocked the block they had placed on the IP. It was shut down again within 30 seconds.

          kaz050457 Certainly getting brute-forced is normal, we run 300+ VPSs ourselves. I have been doing this for years, and in all those years only the mail servers have been hit like this in the past. This is the first time ever for me to have my IP shut down on a web server. And no, I don't have the mail server installed on this.

          kaz050457 No, it is by no means normal!!

          Attacks would normally be 40-100 but not 1000 over a period of several hours.

          When we switched the proxy upstream with new IPs, it was just zero attacks. This shows that the IP is tracked and then attacked!!!!!!!!! Since it was then no longer possible to stretch the IPs via the installation.

            CQT Are you guys using the default port? Do your servers still support TLS 1.0 and TLS 1.1?

              kaz050457 TLS 1.2 and 1.3 are activated as standard on our servers, the customer can no longer activate older ones!

              So, I did a little test. I just moved that exact same box to another IP. I removed all websites from it, and just let it sit there with the new IP. Less than 24 hours later, it's being attacked.

              God, I hate to say it, as I have had a guy working on something SUPER cool for this for over a week now, but until this is figured out, this panel is unusable for us. We can't have IPs keep getting shut down because they are under constant attack.

              kaz050457 Yeah, we are at 1.3 on the servers and we are not using the default port. So they are either sniffing the shit out of these (doubtful) or something is telling them where these installs are, which is most likely IMO.


                gacott Something tells them where these installations are located! And I'm talking about that all the time. As long as that is the case, I cannot expect this panel of my customers and servers. We had so much to do with it. Well then, don't stop. Letting all installations run only via the proxy server, this will soon be down and I don't want that either.

                  Okay, OVH was looking over the logs, and my box was also being used to carry out attacks. LITERALLY the panel was the only thing installed. Nobody else had access, passwords were good.

                    gacott CQT

                    I think it may be that the SESSION ID of the panel is set to a special value, which is easy to scan for as a fingerprint. We will deal with this in the next update.

                    In addition, the data we have collected will no longer be synchronized to bt.cn; I think it should not be caused by this problem.

                    gacott
                    In addition, on your server where only the panel is installed, has the default port of the panel been changed and has the SSH port been changed? Is the SSH root password strong enough?