SFTP (port 22 - ssh) Failing for one domain

Suddenly SFTP is failing for one domain on our server. (CentOS 6.2)

My FTP client (Vicom) FTP transcript log is blank… if I log into the server and tail /var/log/secure or /var/log/messages and try to log in … I don't see anything (continuous attack from Chinese bots underway though!)

No new failed access lines or messages are added to indicate my attempts… if I try from the terminal:

$ sftp user@www.mydomain.com
ssh: connect to host www.mydomain.com port 22: Operation timed out

Strange… I’m running from Mac OS X in Mavericks…

The fact that the transcript log is blank makes me suspicious… there's not even an initial handshake…

Any clues on how to debug this?
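
An added example, not part of the original post: a small Python probe that does what the sftp client does before its transcript would start (resolve the name, open TCP port 22, read the SSH version banner) and classifies the outcome. The expected-server-IP argument and the loopback listener used for an offline demo are assumptions for illustration, not anything from this server.

```python
import socket
import sys

SSH_PORT = 22


def resolve(host, port=SSH_PORT):
    """All addresses host resolves to (TCP), or [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_ssh(host, port=SSH_PORT, timeout=5.0):
    """Resolve, TCP-connect and try to read the SSH banner.

    status is one of: dns-failure, timeout, refused, unreachable, open.
    """
    result = {"host": host, "port": port, "addresses": resolve(host, port),
              "status": None, "banner": None}
    if not result["addresses"]:
        result["status"] = "dns-failure"
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)        # sshd sends "SSH-2.0-..." first
            except OSError:               # includes the recv timeout
                data = b""
    except socket.timeout:
        result["status"] = "timeout"      # SYN dropped/black-holed: sshd never saw us
        return result
    except ConnectionRefusedError:
        result["status"] = "refused"      # host answered with RST: nothing listening
        return result
    except OSError:
        result["status"] = "unreachable"  # no route, network down, etc.
        return result
    result["status"] = "open"
    first = data.split(b"\n", 1)[0].strip()
    if first.startswith(b"SSH-"):
        result["banner"] = first.decode("ascii", "replace")
    return result


def interpret(result, expected_ip=None):
    """Map a probe result to the next thing to check."""
    st = result["status"]
    if st == "dns-failure":
        return "name does not resolve; fix DNS before looking at sshd"
    if expected_ip and expected_ip not in result["addresses"]:
        return (f"name resolves to {result['addresses']}, not to the server {expected_ip}; "
                "a DNS/vhost problem, sshd on the server never sees the attempt")
    if st == "timeout":
        return ("SYN is being dropped; check routing, the host firewall and any upstream "
                "filtering; nothing will appear in /var/log/secure for this")
    if st == "refused":
        return "host reachable but nothing listens there; check sshd is running and its Port/ListenAddress"
    if st == "unreachable":
        return "no route to host"
    if result["banner"]:
        return f"sshd answered ({result['banner']}); failures past this point are auth/config and sshd logs them"
    return "port open but no SSH banner within the timeout; something else is on the port or it is throttled"


def local_listener():
    """Loopback socket that listens but never accepts: an offline stand-in for a reachable port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py www.mydomain.com [expected-server-ip]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    r = probe_ssh(target)
    print(r)
    print(interpret(r, expected))
```

The point of the classification: a connect timeout with nothing new in /var/log/secure means the packets never reached sshd, so the name resolving to the wrong address or a filter dropping the SYN are the things to check; an authentication failure, by contrast, is always logged by sshd.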

Howdy,

Hmm, if you’re receiving a DoS attack, it’s possible that attack is making SSH unavailable.

Are you able to block the IP addresses that are attacking your server? Blocking the IPs in question might resolve the issue.

You may want to take a peek at /var/log/secure and /var/log/messages to see what IP addresses are causing the attacks.

-Eric

But I can log in to the server via SSH… and SFTP to all other domains.

But, yes, /var/log/secure is showing:

Oct 29 12:16:59 sat sshd[12235]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.102 user=root
Oct 29 12:16:59 sat sshd[12235]: PAM service(sshd) ignoring max retries; 6 > 3
Oct 29 12:16:59 sat sshd[12238]: Failed password for root from 122.225.97.102 port 21642 ssh2
Oct 29 12:16:59 sat sshd[12243]: Failed password for root from 122.225.97.102 port 21963 ssh2
Oct 29 12:17:00 sat sshd[12275]: reverse mapping checking getaddrinfo for mx5.fund123.cn [122.225.97.102] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 29 12:17:00 sat sshd[12252]: Failed password for root from 122.225.97.102 port 22438 ssh2
Oct 29 12:17:00 sat sshd[12275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.102 user=root
Oct 29 12:17:01 sat sshd[12246]: Failed password for root from 122.225.97.102 port 21464 ssh2
Oct 29 12:17:01 sat sshd[12243]: Failed password for root from 122.225.97.102 port 21963 ssh2
Oct 29 12:17:01 sat sshd[12238]: Failed password for root from 122.225.97.102 port 21642 ssh2
Oct 29 12:17:02 sat sshd[12275]: Failed password for root from 122.225.97.102 port 23134 ssh2

And this guy (someone in China) has been at it all night.

I thought DoS would cause everything to lock up… but we still have all web sites being delivered on port 80… I can also SFTP in on port 22 to all the other domains on the same box… all of which are in the same /home/domains-here/ folder.

It's just this one site that is blocked on port 22… I don't recall setting anything special for this site in VirtualMin; its setup is virtually the same as all the others.

But, right… I'll try blocking that IP and see if it helps. But would it not mean that I could not SSH into the server at all? Why only one domain?
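
An added example, not from anyone in this thread, covering Eric's suggestion to read /var/log/secure for the attacking addresses and the excerpt posted above: a Python summary that counts failed logins per source IP (including the failures PAM folds into a single "N more authentication failures" line), the usernames tried, forward/reverse DNS mismatches, and any accepted logins. The embedded log text is the excerpt from this thread; the threshold of 5 is an assumption.

```python
import re
from collections import Counter, defaultdict

# The /var/log/secure excerpt as posted in this thread.
SECURE_LOG = """\
Oct 29 12:16:59 sat sshd[12235]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.102 user=root
Oct 29 12:16:59 sat sshd[12235]: PAM service(sshd) ignoring max retries; 6 > 3
Oct 29 12:16:59 sat sshd[12238]: Failed password for root from 122.225.97.102 port 21642 ssh2
Oct 29 12:16:59 sat sshd[12243]: Failed password for root from 122.225.97.102 port 21963 ssh2
Oct 29 12:17:00 sat sshd[12275]: reverse mapping checking getaddrinfo for mx5.fund123.cn [122.225.97.102] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 29 12:17:00 sat sshd[12252]: Failed password for root from 122.225.97.102 port 22438 ssh2
Oct 29 12:17:00 sat sshd[12275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.102 user=root
Oct 29 12:17:01 sat sshd[12246]: Failed password for root from 122.225.97.102 port 21464 ssh2
Oct 29 12:17:01 sat sshd[12243]: Failed password for root from 122.225.97.102 port 21963 ssh2
Oct 29 12:17:01 sat sshd[12238]: Failed password for root from 122.225.97.102 port 21642 ssh2
Oct 29 12:17:02 sat sshd[12275]: Failed password for root from 122.225.97.102 port 23134 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4 + r" port (?P<port>\d+)")
PAM_MORE = re.compile(r"PAM (?P<n>\d+) more authentication failures;.*rhost=" + IPV4 + r"(?: user=(?P<user>\S+))?")
REVERSE = re.compile(r"reverse mapping checking getaddrinfo for (?P<name>\S+) \[" + IPV4 + r"\] failed")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from " + IPV4)


def summarize(text):
    """Aggregate sshd events per source IP from /var/log/secure text."""
    failures = Counter()           # ip -> failed authentications
    users = defaultdict(Counter)   # ip -> username -> attempts seen on "Failed password" lines
    bad_rdns = {}                  # ip -> name whose reverse/forward DNS did not agree
    accepted = []                  # (user, ip, method) for successful logins
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]][m["user"]] += 1
            continue
        m = PAM_MORE.search(line)
        if m:
            # PAM collapsed several failures into one line; count them too.
            failures[m["ip"]] += int(m["n"])
            continue
        m = REVERSE.search(line)
        if m:
            bad_rdns[m["ip"]] = m["name"]
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return {"failures": failures, "users": users, "bad_rdns": bad_rdns, "accepted": accepted}


def block_candidates(text, threshold=5):
    """Source IPs with at least `threshold` failed authentications (threshold is an assumed value)."""
    s = summarize(text)
    return sorted(ip for ip, n in s["failures"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SECURE_LOG)
    for ip, n in s["failures"].most_common():
        print(f"{ip}: {n} failures, users {dict(s['users'][ip])}, rDNS mismatch: {s['bad_rdns'].get(ip)}")
    print("block candidates:", block_candidates(SECURE_LOG))
    print("accepted logins:", s["accepted"])
```

Run against the full file (`summarize(open('/var/log/secure').read())`) rather than the excerpt to get the whole list of sources. Note what the excerpt does not contain: any "Failed password" or "Accepted" line for the poster's own account, which is consistent with the SFTP attempts timing out before they ever reached sshd.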

Although

  1. I was using the password as reported in VirtualMin –> Edit Virtual Server –> Configurable Settings –> Administration Password, AND
  2. that password did work in the XOOPS main config file for accessing MySQL,

it did not work for SFTP… on a hunch I just changed the password in VirtualMin… now the new password works.

All I can think is that the SFTP password file was corrupt or something… for that one domain… hard to know.

I did block that Chinese bot from

But he just switched to another known Chinese bot: 61.147.103.160 and 122.225.97.117

For a firewall rule like this:

Reject 	If protocol is TCP and source is 122.225.97.64 and source and destination ports are 22

how do you specify a range for source?

I tried: source equals 122.225.97.64/127 but got an error when trying to apply the configuration.
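
An added example, not from anyone in this thread: Python's standard ipaddress module turns the range 122.225.97.64 to 122.225.97.127 into a valid prefix (the prefix length is the number of fixed leading bits, so it is at most 32 for IPv4; "/127" is rejected), shows which of the later addresses it covers, and emits an iptables equivalent of the Reject rule. The iptables command is an assumed equivalent, not the syntax of the Virtualmin firewall module, and it matches only the destination port, because the client's source port is ephemeral (21642, 21963, 22438 and so on in the log above), so a rule that also requires source port 22 would never match the attacker.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering every address from first to last inclusive."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def is_valid_source(text):
    """True if text is a single address or a well-formed network (e.g. 'a.b.c.d/26') for a rule's source."""
    try:
        ipaddress.ip_network(text, strict=True)
    except ValueError:          # bad address, bad prefix length, or host bits set
        return False
    return True


def covers(cidrs, ip):
    """Does any of the given networks contain ip?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def reject_rules(cidrs, dport=22):
    """Assumed iptables equivalent of 'Reject if TCP from source to destination port 22'."""
    return [f"iptables -I INPUT -p tcp -s {c} --dport {dport} -j REJECT --reject-with tcp-reset"
            for c in cidrs]


if __name__ == "__main__":
    print(is_valid_source("122.225.97.64/127"))   # the value that failed to apply
    cidrs = range_to_cidrs("122.225.97.64", "122.225.97.127")
    print(cidrs)
    for ip in ("122.225.97.102", "122.225.97.117", "61.147.103.160"):
        print(ip, "covered" if covers(cidrs, ip) else "not covered")
    print("\n".join(reject_rules(cidrs)))
```

A /26 is 64 addresses, so it takes in everything from .64 to .127, including hosts in that block that have never touched the server; a range whose ends are not on a power-of-two boundary comes back as several prefixes, one rule each. 61.147.103.160 is outside this block and needs its own entry.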