Currently I’m using Direct Admin, with ConfigServer Security & Firewall.
Since the beginning of June, I have always been receiving 2 kinds of emails from my VPS with the following format:
Brute-Force Attack detected in service log on User(s) root, admin
Brute-Force Attack detected in service log from IP xxx.xxx.xxx.xxx
The service ‘lfd’ on server <mydomain.com> is currently down
It seems the attack has not yet succeeded because I’ve already disabled the root & admin accounts and also changed the default port for SSH (from 22 to another value). But usually the attack causes the lfd service on my server to crash. Sometimes I can just restart it by pressing the ‘Restart’ link, but in most of the other crashes I have to reboot the server, since pressing ‘Restart’ did not bring any result and the service status was still ‘stopped’ – this might be the reason I kept getting those emails informing me that my lfd service is down.
As I guessed, the attack may cause other system services to work differently: after and during the attack I couldn’t access any website on my server, not even Direct Admin. When I struggled just to log in successfully, I saw that the link ‘ConfigServer Firewall & Security’ had vanished from my DA home page until the server was back to normal.
Every day my VPS gets 1000-1500 failed login attempts; it is running with 768MB RAM and a 2.53 GHz CPU. Of course I know it’s hard to stop the source of the attack, but can anyone help me prevent the system from crashing when some people out there are trying to attack my server, please?
Any help will be greatly appreciated. If you want screenshots or logs for details, just let me know 🙂
Thanks a lot