Unrecognized Login attempts

I like to think our SH Server is pretty secure…
We use MFA for admin, with only authorized IPs.

Recently I have noticed a few login attempts with the wrong username etc… So nothing to worry about right now… I just wondered if others were seeing this, or what security measures you take.

We only allow ports 80, 443 and 222, for example. We run Linux and we also have a software firewall (csf) and a firewall with our provider, so the SSH port only allows a specific IP and all other ports are blocked.


I do the same things. I also use geo-blocking on our firewall to block out everywhere we don't work: China, Russia, etc…

@Jayjayuk - do you mean login attempts to the actual operating system, or to SH Technician tool?

SH Technician tool.

I set up alerts for failed logins so we can block the IP on the server firewall, so it won't reach the server at all.

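A defender-side sketch of the alert-then-block workflow that post describes, added here as an illustration (it is not code from the thread or from SimpleHelp). The log line layout is constructed for the example and is not SimpleHelp's real event format; the allowlist of authorized admin IPs and the five-failures-in-ten-minutes threshold are assumptions. The block only produces the `csf -d` deny commands as strings for review, it does not run them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the field layout is an assumption for this example,
# not SimpleHelp's actual log format. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01 10:02:11 Technician Failed Login user=admin ip=203.0.113.7
2024-05-01 10:02:14 Technician Failed Login user=jsmith ip=203.0.113.7
2024-05-01 10:02:19 Technician Failed Login user=SimpleHelpAdmin ip=203.0.113.7
2024-05-01 10:02:25 Technician Failed Login user=support ip=203.0.113.7
2024-05-01 10:02:31 Technician Failed Login user=jsmith ip=203.0.113.7
2024-05-01 10:05:00 Technician Failed Login user=31jsmith99 ip=198.51.100.20
2024-05-01 10:05:05 Technician Failed Login user=31jsmith99 ip=198.51.100.20
2024-05-01 10:05:10 Technician Failed Login user=31jsmith99 ip=198.51.100.20
2024-05-01 10:05:15 Technician Failed Login user=31jsmith99 ip=198.51.100.20
2024-05-01 10:05:20 Technician Failed Login user=31jsmith99 ip=198.51.100.20
2024-05-01 10:05:30 Technician Login user=31jsmith99 ip=198.51.100.20
2024-05-01 08:00:00 Technician Failed Login user=bob ip=192.0.2.55
2024-05-01 09:30:00 Technician Failed Login user=bob ip=192.0.2.55
2024-05-01 10:01:00 Technician Failed Login user=bob ip=192.0.2.55
2024-05-01 10:04:00 Technician Failed Login user=bob ip=192.0.2.55
2024-05-01 10:06:00 Technician Failed Login user=bob ip=192.0.2.55
"""

# Hypothetical: the office/VPN address from which admins are allowed to log in.
# Never auto-deny an allowlisted address, or a mistyped password locks you out.
AUTHORIZED_ADMIN_IPS = {"198.51.100.20"}

FAILED_RE = re.compile(r"^(\S+ \S+) Technician Failed Login user=(\S+) ip=(\S+)$")


def parse_failures(log_text):
    """Return {ip: [timestamps]} and {ip: {usernames}} for failed logins only."""
    times = defaultdict(list)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # successful logins and unrelated events are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        times[m.group(3)].append(ts)
        users[m.group(3)].add(m.group(2))
    return times, users


def offending_ips(times, threshold=5, window=timedelta(minutes=10), allowlist=()):
    """IPs with >= threshold failures inside any sliding window of length `window`.

    Slow, spread-out failures (a tech occasionally mistyping) do not trip it;
    a burst of guesses does.
    """
    offenders = []
    for ip, stamps in times.items():
        if ip in allowlist:
            continue
        stamps = sorted(stamps)
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                offenders.append(ip)
                break
    return sorted(offenders)


def csf_deny_commands(ips, comment="SimpleHelp technician brute force"):
    """Build the csf deny commands for review; `csf -d <ip> [comment]` is csf's deny syntax."""
    return [f'csf -d {ip} "{comment}"' for ip in ips]


if __name__ == "__main__":
    times, users = parse_failures(SAMPLE_LOG)
    bad = offending_ips(times, allowlist=AUTHORIZED_ADMIN_IPS)
    for ip in bad:
        print(f"{ip}: {len(times[ip])} failures, usernames tried: {sorted(users[ip])}")
    for cmd in csf_deny_commands(bad):
        print(cmd)
```

The usernames-tried set is worth keeping in the alert: several different usernames from one address in a few seconds is the guessing-at-staff-names pattern discussed further down the thread, which a plain failure count does not distinguish from one person fumbling a password.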

Oh, well that’s worrisome, as that would imply that they downloaded the technician tool from your site and then started trying to gain access by brute force through the program. That would imply more of a targeted attack, not just a drive-by thing, so they may be guessing at usernames based on your website/staff listing. You may want to have your techs reset passwords to something really strong and make sure you are using 2-factor on all. Also, if the IPs are from another country you may want to implement some type of geo-blocking. Another thing that we do most of the time is to make usernames that are less guessable, as it immensely decreases the possibility of brute force paying off for the hacker (instead of Jon Smith having a username of “jsmith” we give him “31jsmith99”; looking at it we know whose username it is, but now the bad guy needs to guess both user and password).

It’s worrying that this would imply that bad guys are aware enough of SimpleHelp to be poking at things. I’ve always worried about SH rolling their own webserver (or at least a static version) as opposed to using one that is OS-native and can be updated automatically as security issues arise, with normal patch management. Also, I’ve never been super happy that the most important username (SimpleHelpAdmin) for the technician console is static and known and can’t be changed.

Please excuse me if you are a really large place where this is not feasible, or if you already know these things; I don’t really know anyone on here, so I’m just trying to help. Definitely not trying to talk down to you as if you wouldn’t be aware of some of these protections.


Use 2FA, but also make sure your SimpleHelpAdmin password is long and uses 2FA as well.

In our environment we commonly have one person hold the admin password and another person hold the 2FA. That way no one person can get into the admin side and change things without the other knowing.

Also, FYI, in the config file the SimpleHelpAdmin user can be changed:
https://simple-help.com/kb---changing-the-default-technician-login-name-from-simplehelpadmin


Great find @Darrell_Swafford - will be doing that right away.

Where is the setting in SH to be notified of failed login attempts?

@simon - Alerts tab, then the “Events” sub-tab, then the “New Server Alert” button. Under “Technician Events” there is a “Technician Failed Login” event. Then you can set up how you want to be alerted.