Many attempted technician logins on server

Just an FYI - we’ve been SimpleHelp users for over 10 years. Never had people banging on the actual technician login, but today it started with some common user names and such:

If you’ve been meaning to change the default admin login (you don’t still use SimpleHelpAdmin, do you?), or been meaning to clean up old users or set the IP blocking rules or other things - this is your reminder to do so now.

I’m not really worried about it, but for those with lax security in the form of old/outdated versions, or common users/passwords, you should be worried, as it looks like someone may be targeting SH servers, and the logins are coming fast enough that it’s definitely automated, and it’s coming from a slew of IPs both in the USA and outside the USA.

2 Likes

Our server has been running for 4 years, and today we are experiencing SYN flood errors, which is probably a DoS attack, and the server goes down after a couple of hours.

Thanks for the heads up!
I am wondering if that log that you’re looking at can be accessed from the SimpleHelp Technician application or is this some type of reverse proxy log?
I’d like to review my setup for these.

1 Like

From the logs I can confirm there is a brute force password attack directed at our IP. I throttled the login attempts and increased the IP ban time from SH settings… continuing to monitor to see if that helps prevent SH from consuming all of the available memory and crashing.

1 Like
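An added example, not part of any post in this thread and not SimpleHelp code: when failed technician logins arrive from many IPs, as described above, a per-IP ban threshold may never trip, so this sketch also counts failures across all sources in a short window. The log line format, the `FAILED_TECH_LOGIN` event name, the addresses and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up line format (NOT SimpleHelp's real logs):
# eight failures five seconds apart, each from a different documentation-range IP,
# plus one unrelated mistyped login later in the day.
USERS = ["admin", "administrator", "support", "test"]
SAMPLE = "\n".join(
    f"2024-05-01T10:00:{i * 5:02d} FAILED_TECH_LOGIN ip=203.0.113.{10 + i} user={USERS[i % 4]}"
    for i in range(8)
) + "\n2024-05-01T14:30:00 FAILED_TECH_LOGIN ip=198.51.100.7 user=jsmith\n"

LINE = re.compile(r"^(\S+) FAILED_TECH_LOGIN ip=(\S+) user=(\S+)$")

def parse(text):
    """Return time-sorted (timestamp, ip, user) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3]))
    return sorted(events)

def per_ip_offenders(events, threshold):
    """IPs that a simple per-IP ban rule (>= threshold failures) would catch."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_bursts(events, window=timedelta(minutes=1), min_failures=6, min_ips=4):
    """Flag windows with many failures spread over many source IPs."""
    win, alerts = deque(), []
    for ev in events:
        win.append(ev)
        while ev[0] - win[0][0] > window:   # drop events older than the window
            win.popleft()
        ips = {ip for _, ip, _ in win}
        if len(win) >= min_failures and len(ips) >= min_ips:
            alerts.append((win[0][0], ev[0], len(win), len(ips)))
            win.clear()                     # one alert per burst, then start over
    return alerts

if __name__ == "__main__":
    evs = parse(SAMPLE)
    print("per-IP offenders:", per_ip_offenders(evs, threshold=3))
    for start, end, n, n_ips in distributed_bursts(evs):
        print(f"burst {start} to {end}: {n} failures from {n_ips} IPs")
```

On the constructed sample the per-IP rule flags nothing, while the cross-source window reports one burst.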

If you are talking about my screenshot, that is an “event” that I set up that emails me anytime someone unsuccessfully logs into technician. You can find it by clicking on the “Alerts” tab, then the sub tab on the left of “Events”, and then clicking the “New Server Alert” button - there are many types of things in there that you may choose to be alerted about.

3 Likes

Got it. Thanks for outlining this. I’m in the process of setting that up now.

2 Likes