Yeah, I didn't think this through enough when I suggested an alternate port.  I believe Nigel has at least one ssh-based network health scanner implemented so far, and that will only grow.

One more thing I can think of is to only have accounts which feature ssh-keys.  That way all the failed logins are not a problem, since password auth is impossible with ssh-keys configured.  Only if the attacker has the corresponding private key would they be able to log in.

--Bart

On 1/1/2014 10:12 AM, Nigel Vander Houwen wrote:
Hello Jason,

I'm actually going to have to contradict Bart on one aspect here, and strongly suggest moving ssh back to the original port. The way hamwan is designed, for the "shared admin" model where I and a couple of other individuals are the admins for the network, doesn't agree well with devices having non-standard configs.

Not that changing a port in and of itself is a bad idea; I've done it a number of times. But it makes the job of the admins a nightmare when trying to manage the network and figure out what port ssh is running on for User A's modem.

Can I suggest instead that you create a firewall rule that limits SSH to the hamwan address space when coming in over the wireless interface? Something like

ip firewall filter add action=accept dst-port=22 src-address=44.24.240.0/20 protocol=tcp chain=input in-interface=w0

is probably along the lines of what you'd be looking at. This still limits the attempts at your modem, but still allows for the admins to update or configure your modem as needed.

P.S. Welcome to the network!

Thanks!

Nigel

K7NVH



On Mon, Dec 30, 2013 at 12:39 PM, Jason Maher <jason@jmaher.org> wrote:
Thanks for the suggestions guys,

I changed the ssh port from the default and installed an SSL certificate.

Bart:
I discovered the firewall rules on Mikrotik's wiki after a little Googling.
Here is the URL: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

No need to block anything on your edge routers. "Kill all internet", I like that! :-)

--Jason
K7JMM


On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:
Having worked as a security-focused network engineer at a wireless ISP, I can tell you that it's very likely an automated attack against the whole address block in which you reside.
One way to harden yourself is to deploy two-factor authentication: password and SSL certificate.
73, Daniel K7DGL




_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org



--
Nigel Vander Houwen
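A fuller version of the filter Nigel sketches, added here as an example and not taken from the thread: on RouterOS an accept rule by itself limits nothing, because filter rules are evaluated top to bottom and a packet that matches no rule in the input chain is accepted by default, so the accept for the hamwan range has to be followed by a drop for SSH from everywhere else on the wireless interface. The interface name w0 and the 44.24.240.0/20 range come from Nigel's message; the comments and the established/related rule are assumptions.

```routeros
# Added example, not from the thread. Interface w0 and the 44.24.240.0/20
# range come from Nigel's message; everything else is an assumption.
/ip firewall filter
# Keep replies to connections the modem itself opened flowing.
add chain=input connection-state=established,related action=accept \
    comment="allow established/related"
# SSH from the hamwan address space arriving on the wireless interface:
# accept, so the network admins can still reach the modem.
add chain=input in-interface=w0 protocol=tcp dst-port=22 \
    src-address=44.24.240.0/20 action=accept \
    comment="ssh from hamwan space (admins)"
# SSH from any other source on the wireless interface: drop. Without this
# rule the accept above changes nothing, since RouterOS accepts input
# packets that match no filter rule.
add chain=input in-interface=w0 protocol=tcp dst-port=22 action=drop \
    comment="drop other ssh on wireless"
```

Verify the order with /ip firewall filter print: the drop must sit below the accept, otherwise admin logins from the hamwan range are dropped too.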

