[help required] Brute-force initiated from server with ERPNext

brute force attack is initiated from a server, with only ERP installed.

Please guide, how can this be traced.

Perhaps if the server environment and how the attack was detected were described , someone could help.

I have installed ERPNext on the cloud instance. after that I got an abuse report mail from the cloud provider and stating that your IP ( ERPNet server IP) attempting brute-force passwords via ssh/FTP to other IPs in the network/domain.

May we know how ERPNext was obtained and installed? What version and from where?

ERPNext obtained and installed through the easy install script.
Version: 12
From ERPNext site

its because of no firewall enabled on your VPS block all incoming ports only allow 22,80,443

Ok. can you provide me proper steps to install ERPNext on the Linux server?

ya, the Firewall already enabled , changed SSH default port, and disabled root login via SSH. but still getting the same issue

have you checked your syslog ??


there will be details of attack

I have checked Syslog, so many logs are there with source IP: some public IP, destination IP: ERP server IP and src port: some port DST port: some port with UFW block condition .but there is not any attack details

Most likely your server is hacked due to weak authentication and is running other scripts you are not aware of.

1 Like

Hi, I have the same issue. The firewall is on and cannot see any reason. Installed the same way using easy install script.

This issue is common with Contabo and i was forced to abandon them a while back. All protective measures to block the traffic failed so i suspected it must be from their OS image, a suspicion they vehemently denied. Also noticed their image came with Apache pre-installed and my questions as to why a webserver package was preinstalled in a clean VPS was not addressed. Since i moved to another provider i haven’t faced the issue.