Recently connected... Now being attacked?
Hi folks,

I have recently connected to the PSDR from my QTH in Suquamish via the Capital Park node. My Metal 5SHPn is fed from a Poynting 31dBi grid antenna. I have a 16.2 Mbps connection at 21.4 kilometers!

My concern is that it appears that someone is attempting to log into my router as root via SSH. There are multiple log entries every day citing "login failures". A whois on any of the IPs shows them as originating from China.

A few examples:

58.215.56.110
120.105.81.190
49.203.248.133
202.119.236.121
95.211.8.134

I have applied the suggested scripts to blacklist an IP after several failed attempts. I also have a hardware firewall between the router and my LAN.

Are these just normal internet hacking attempts from bots, or is there something else going on?

Thanks!

--Jason K7JMM
Having worked as a security-focused network engineer at a wireless ISP, I can tell you that it's very likely an automated attack against the whole address block in which you reside. One way to harden yourself is to deploy two-factor authentication: password and SSL certificate.

73,
Daniel K7DGL

On Sun, Dec 29, 2013 at 12:21 PM, Jason Maher <jason@jmaher.org> wrote:
_______________________________________________ PSDR mailing list PSDR@hamwan.org http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
Hi Jason,

Congrats on the successful link! If I'm reading it correctly, with 0 assistance? You have an excellent signal strength (-61dBm) and the 16.2Mbit you're seeing is the limit of our presently configured 5MHz channels. This narrow bandwidth was chosen to optimize coverage over speed. You're also the first node on the other side of the Puget Sound, so cheers for that. :) Can you share some pix / details of the setup?

The attack you're seeing is all automatic botnet stuff. We see it 24/7 on all the routers and servers. It's just a sad fact about being on the Internet. We can do a few things to help:

1) Sounds like you already installed the firewall rules that discard packets from IPs with repeated failed login attempts. I don't recall our rules for dealing with this being published anywhere though, so which rules did you use? We can compare/share our rules, although I'm too lazy to pull them up right now. :)

2) We can push rules to our edge routers that would prevent this traffic from hitting your IP(s). It's up to you how severe you want to make these. "Kill all internet" being the extreme. "Apply your edge router dynamic blacklist to my IP's traffic" being probably the least extreme. We can also just block all TCP port 22 traffic from going to you, but that's probably also not desired.

One simple option you have is to practice some security through obscurity and remap the ssh port to a non-standard number. This is done in the /ip service menu.

Above all else though, be sure you don't use the default "admin" account, but instead create a k7jmm account or something. Set a very long passphrase on it (no need to remember it) and enable ssh-key authentication on the account. One of the quirks of RouterOS is when an account has an ssh-key defined for authentication, password authentication is effectively disabled. The password auth will still work for that account for other services though, like winbox.
For any servers you attach to the network, I would recommend using sshguard (http://www.sshguard.net/). It's a nice light solution, and I've used it successfully for years.

Anyway, congrats on the link! If you'd like to help in beta-testing some new features, please join #HamWAN on freenode.

--Bart

On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:
Thanks for the suggestions guys,

I changed the ssh port from the default and installed an SSL certificate.

Bart: I discovered the firewall rules on Mikrotik's wiki after a little Googling. Here is the URL: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

No need to block anything on your edge routers. "Kill all internet", I like that! :-)

--Jason K7JMM

On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:
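The rules Jason refers to are the staged address-list pattern that the linked wiki page describes: each new SSH connection from an address moves it one stage further, and the fourth within a minute lands it on a long-lived blacklist. The block below is an added example written out from that pattern, not the wiki text or Jason's actual rules, and it adds two things a practitioner would want: a whitelist for the HamWAN address space (44.24.240.0/20, the range Nigel gives later in the thread) so network admins can never list themselves, and the two RouterOS commands that show what the rules are doing. Note that the escalation counts new TCP connections, not failed passwords; one connection can carry several guesses, and a legitimate admin reconnecting quickly from outside the whitelisted range would be staged the same way.

```routeros
# Added example, not from the thread or the wiki page. Rule order matters:
# RouterOS evaluates chain=input top-down and stops at the first accept/drop.
/ip firewall filter
# 1. Never count, let alone block, the network's own address space.
add chain=input protocol=tcp dst-port=22 src-address=44.24.240.0/20 \
    action=accept comment="ssh: always allow HamWAN address space"
# 2. Drop anything already on the blacklist.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="ssh: drop blacklisted sources"
# 3. Escalation ladder: a new connection from a stage3 address is
#    blacklisted for 10 days; stage2 -> stage3 and stage1 -> stage2 last 1 minute.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
# 4. Every new SSH connection from an unlisted address starts a 1-minute stage1 entry.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
# 5. Whatever is not yet blacklisted still reaches sshd.
add chain=input protocol=tcp dst-port=22 action=accept comment="ssh: allow remaining"

# Checks: which sources are currently staged or blacklisted, and the
# failures RouterOS itself logged (the "login failure" lines Jason saw).
/ip firewall address-list print where list~"ssh_"
/log print where message~"login failure"
```

The 10-day blacklist timeout is what makes the ladder effective against the bots in Jason's log: a scanner that retries every few hours never gets past rule 2 once listed, while a one-off mistyped password from a new source only costs a 1-minute stage entry.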
Hello Jason,

I'm actually going to have to contradict Bart on one aspect here, and strongly suggest moving ssh back to the original port. The way hamwan is designed for the "shared admin" model, where myself and a couple other individuals are the admins for the network, doesn't agree well with devices having non-standard configs. Not that changing a port in and of itself is a bad idea, I've done it a number of times, but it makes the job of the admins a nightmare when trying to manage the network and figure out what port ssh is running on for User A's modem.

Can I suggest instead that you create a firewall rule that limits SSH to the hamwan address space when coming in over the wireless interface? Something like

    /ip firewall filter add action=accept dst-port=22 src-address=44.24.240.0/20 protocol=tcp chain=input in-interface=w0

is probably along the lines of what you'd be looking at. This still limits the attempts at your modem, but still allows for the admins to update or configure your modem as needed.

P.S. Welcome to the network!

Thanks!
Nigel K7NVH

On Mon, Dec 30, 2013 at 12:39 PM, Jason Maher <jason@jmaher.org> wrote:
-- Nigel Vander Houwen
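An accept rule on its own changes nothing in a RouterOS filter chain (the default, absent an explicit drop, is to accept), so Nigel's rule only limits attempts when something after it drops the SSH traffic it did not match. The pair below is an added example, not Nigel's configuration: it keeps his accept rule as written and adds the matching drop, scoped to the same interface so SSH from the LAN side is unaffected. It assumes, as his rule does, that the wireless interface is named w0, and that there is no broader accept rule earlier in chain=input that would shadow the pair.

```routeros
# Added example (not Nigel's own configuration). Both rules match only
# SSH that arrives over the wireless interface, assumed to be named w0.
/ip firewall filter
add chain=input in-interface=w0 protocol=tcp dst-port=22 \
    src-address=44.24.240.0/20 action=accept \
    comment="ssh over wireless: allow HamWAN address space (admins)"
add chain=input in-interface=w0 protocol=tcp dst-port=22 \
    action=drop comment="ssh over wireless: drop everyone else"

# Ordering check: the pair must sit above any general accept for chain=input,
# otherwise that earlier accept wins and the drop is never reached.
/ip firewall filter print
# If they landed too low, move them to the top (rule numbers are shown by print):
# /ip firewall filter move [find comment~"ssh over wireless"] destination=0

# After applying: "login failure" lines from non-HamWAN sources should stop,
# because their connections are now dropped before sshd ever sees them.
/log print where message~"login failure"
```

The drop rule silently discards rather than rejects, which is what you want here: the bots get no response at all, and a scanner cannot distinguish a filtered port from a dead host.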
Yeah, I didn't think this through enough when I suggested an alternate port. I believe Nigel has at least one ssh-based network health scanner implemented so far, and that will only grow.

One more thing I can think of is to only have accounts which feature ssh-keys. That way all the failed logins are not a problem since password auth is impossible with ssh-keys configured. Only if the attacker has the corresponding private key would they be able to login.

--Bart

On 1/1/2014 10:12 AM, Nigel Vander Houwen wrote:
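Bart's two messages together describe the account-side hardening: drop the default "admin" account, create a named account with a long passphrase you never need to type, and import an SSH public key for it so that RouterOS stops accepting passwords over SSH for that account. The block below is an added example of those steps in RouterOS commands, not Bart's or Jason's actual commands. It assumes the public key has already been uploaded to the router's file store as k7jmm.pub (via WinBox, FTP or /tool fetch), that "k7jmm" is just the account name Bart suggested, and that the passphrase shown is a placeholder.

```routeros
# Added example (not from the thread). Assumes k7jmm.pub is already in
# /file on the router and that "k7jmm" is the chosen account name.

# 1. Dedicated full-rights account with a long random passphrase. Once a key
#    is attached the passphrase is unused for SSH, but it still guards the
#    other services that authenticate by password (WinBox, www, API).
/user add name=k7jmm group=full password="<long random passphrase, never reused>"

# 2. Bind the public key. From here RouterOS refuses password authentication
#    over SSH for k7jmm, so the bots' guesses cannot succeed even if logged.
/user ssh-keys import user=k7jmm public-key-file=k7jmm.pub

# 3. Confirm a key-based login works from a SECOND session before this step,
#    or you lock yourself out of the router.
/user disable [find name=admin]

# Checks
/user print                                  # k7jmm enabled, admin disabled
/user ssh-keys print                         # key listed against user k7jmm
/log print where message~"login failure"     # attempts continue, none can succeed
```

Daniel's "password and SSL certificate" and Jason's "SSL key" are, on a RouterOS box, this SSH key import; the passphrase and the key are not combined as a second factor, rather the key replaces the password for SSH while the passphrase remains the credential for everything else, which is why it still needs to be long.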
OK guys,

We're back on the default port. I applied Bart's suggested firewall rule. I also now require an SSL key for all accounts. You guys should be able to log in once again. Feeling pretty safe now. :-)

Thanks,
--Jason K7JMM