Hello.
I am looking for any help or advice that may be offered.
For the past three months our VSL has suffered from almost continuous hacking attacks resulting in denial of service and in the worst cases intrusions. The attacks appear to take the form of penetration scanning. We think there are multiple scripts being run against numbers of our accounts, attempting to find vulnerabilities. The result of this is that our VSL stuffs up. The hacking attempts take up all resources, such that our sites become unobtainable and we are unable to get to the WHM to reboot the server and so have to call in EUKHost. EUKHost operatives are always very helpful but the chat facility is slow and time-consuming (I suspect the staff are supporting too many issues at the same time). Recently many of my evenings have been taken up conversing with Spencer, Magritte, Nikita et al.
Sometimes the hackers get in. Then we can find that a site will be advertising Canadian pharmacy or sometimes an account will be used to send out spam.
We have spent so long dealing with this that we have got to the end of our tethers. EUKHost operatives have been very helpful but it gets to the point when each EUKHost operative tells us to do the same things, blithely unaware that the last one told us to do exactly the same things and that we have done them multiple times already! And still our server goes down at least twice a day and sometimes we get hacked. So I am writing here in the hope that the EUKHost community may be able to add something new.
Almost all our sites are WordPress. We have secured SSH and WHM to known IP addresses as detailed above. We run ModSecurity, CSF and cPHulk. On each WordPress site we use all best security practices, including keeping everything up to date, only using well-known plugins and themes, database table and login page renaming, login captchas, strong passwords and also, we have reinstalled each site multiple times and changed passwords. On each site we run the WordPress plugins All In One Security and Wordfence, both set to very high security.
With all this going on we are at a loss to see how scanning and penetration attacks can take our server down for up to 20 minutes twice a day. Surely one of the firewalls should recognise the attacks and block the originating IPs? Why don't they? And of course, we cannot understand how any of these scripts actually gain access.
Any considered help or suggestions would be very much appreciated. Thanks. BTW, we are not Linux experts (although since taking up a EUKHost VSL I have learnt more than I ever wanted to!)