Author Topic: hackers in China  (Read 8100 times)

dtkerns

  • Level 1 Member
  • *
  • Posts: 5
hackers in China
« on: November 06, 2011, 01:46:26 AM »

I have port 22 open for incoming SSH; of course that means the hackers at 222.87.204.11 bombard me with dictionary attacks 2-3 a second.

So I added a rule on my DGL-4500 -> Advanced -> Inbound Filter to deny 222.0.0.0-222.255.255.255,
and then, after looking at older logs, I updated the existing rule to also deny 221.0.0.0-221.255.255.255.

I came back a few hours later and I no longer see attempts from 222.87.204.11, but I do see two attempts from 221.238.245.151 (in the sshd virtual server's log).

How did they get through the router?? Do I need two completely separate rules?
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: hackers in China
« Reply #1 on: November 06, 2011, 10:29:38 AM »

They're probably not getting through; however, they could be just sending packets and the router is reporting them as such. The router is still blocking.
Where are you located?
What are your Firewall settings set for?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

dtkerns

  • Level 1 Member
  • *
  • Posts: 5
Re: hackers in China
« Reply #2 on: November 06, 2011, 11:56:31 AM »

I'm blocking inbound IP address ranges at the router.

On a local server (the sshd server) the SSH logs show the login attempts; these two showed up after I added the 221.0.0.0-221.255.255.255 rule to the existing entry:

Nov  5 23:23:47 sshd[2324]: Invalid user oracle from 221.238.245.151
Nov  5 23:23:48 sshd[2326]: Invalid user test from 221.238.245.151

Funny, now 12 hours later I see this:

Nov  6 11:09:20  sshd[6463]: Invalid user a from 213.150.176.166
Nov  6 11:09:22  sshd[6466]: Invalid user abc123 from 213.150.176.166
Nov  6 11:09:23  sshd[6468]: Invalid user abc from 213.150.176.166
Nov  6 11:09:25  sshd[6470]: Invalid user abcd from 213.150.176.166
Nov  6 11:09:27  sshd[6474]: Invalid user abcde from 213.150.176.166
Nov  6 11:09:29  sshd[6476]: Invalid user abcdef from 213.150.176.166
Nov  6 11:09:31  sshd[6478]: Invalid user account from 213.150.176.166
Nov  6 11:09:33  sshd[6480]: Invalid user account from 213.150.176.166
Nov  6 11:09:35  sshd[6482]: Invalid user accounting from 213.150.176.166
Nov  6 11:09:37  sshd[6484]: Invalid user accounts from 213.150.176.166
Nov  6 11:09:39  sshd[6486]: Invalid user accounts from 213.150.176.166
Nov  6 11:09:41  sshd[6488]: Invalid user add from 213.150.176.166
Nov  6 11:09:43  sshd[6490]: Invalid user address from 213.150.176.166
Nov  6 11:09:45  sshd[6492]: Invalid user adduser from 213.150.176.166
Nov  6 11:09:47  sshd[6494]: Invalid user adduser from 213.150.176.166
Nov  6 11:09:49  sshd[6496]: Invalid user adm from 213.150.176.166
Nov  6 11:09:51  sshd[6498]: Invalid user adm from 213.150.176.166

So time to add a 213.x.x.x rule ...

Is there a way to just add the handful of IPs that I want to allow and deny all others?

I suppose these addresses are really just random Windows users that are under botnet control... poor saps.

Logged
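An added example (not the poster's own code) that does what the poster is doing by eye: it parses the quoted "Invalid user" lines, counts attempts per source, and checks each source against the two /8 deny ranges from the thread, so a source outside every range (the 213.x one) is flagged as something the router rule could not have covered. The log text is a constructed sample built from the lines quoted above.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Nov  5 23:23:47 sshd[2324]: Invalid user oracle from 221.238.245.151
Nov  5 23:23:48 sshd[2326]: Invalid user test from 221.238.245.151
Nov  6 11:09:20  sshd[6463]: Invalid user a from 213.150.176.166
Nov  6 11:09:22  sshd[6466]: Invalid user abc123 from 213.150.176.166
Nov  6 11:09:23  sshd[6468]: Invalid user abc from 213.150.176.166
"""

# The two deny ranges the poster configured, written as CIDR blocks:
# 222.0.0.0-222.255.255.255 and 221.0.0.0-221.255.255.255.
DENY_RANGES = [ip_network("222.0.0.0/8"), ip_network("221.0.0.0/8")]

INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_failures(log_text):
    """Return (username, source_ip) pairs, one per 'Invalid user' line."""
    return [m.groups() for m in INVALID_USER.finditer(log_text)]


def attempts_per_source(log_text):
    """Count failed-login lines per source IP."""
    return Counter(ip for _, ip in parse_failures(log_text))


def is_denied(ip, deny_ranges=DENY_RANGES):
    """True if the address falls inside any configured deny range."""
    return any(ip_address(ip) in net for net in deny_ranges)


def uncovered_sources(log_text, deny_ranges=DENY_RANGES):
    """Sources that reached sshd and sit outside every deny range: the
    ones that need a new rule (or a whitelist approach instead)."""
    return sorted(ip for ip in attempts_per_source(log_text)
                  if not is_denied(ip, deny_ranges))


if __name__ == "__main__":
    for ip, n in attempts_per_source(SAMPLE_LOG).most_common():
        status = "inside a deny range" if is_denied(ip) else "NOT covered"
        print(f"{ip:16} {n:3d} attempts  {status}")
    print("needs a rule:", uncovered_sources(SAMPLE_LOG))
```

A source that shows up as "inside a deny range" yet still reaches sshd is the case the moderator raises below: the log is the server's, so it only proves the packets arrived, not whether the router rule was in effect when they did.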

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: hackers in China
« Reply #3 on: November 06, 2011, 11:58:31 AM »

Should be able to add them in a range from and to, and if they fall within that range, it should block it.

What FW version are you using?
What HW version is this router?
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: hackers in China
« Reply #4 on: November 06, 2011, 12:43:34 PM »

You can post your HW and FW version here, it's not a secret about it. You'll find HW version on the sticky under the router.
What ISP do you have?
What ISP modem do you have? Make and model?

Logged

Hard Harry

  • Guest
Re: hackers in China
« Reply #5 on: November 06, 2011, 03:16:18 PM »

I would suggest changing the default port away from 8080 and checking "Enable Graphical Authentication". Or if you're really worried, turn off remote management altogether until you have them blocked.
Logged

dtkerns

  • Level 1 Member
  • *
  • Posts: 5
Re: hackers in China
« Reply #6 on: November 06, 2011, 08:24:46 PM »

Turning remote management on is not something I could ever justify, EVER.
Logged

dtkerns

  • Level 1 Member
  • *
  • Posts: 5
Re: hackers in China
« Reply #7 on: November 06, 2011, 08:31:38 PM »

So I looked around the pages... seems you have to define the rule, then use it in a virtual server. I made a whitelist allow rule for the 3 IP addresses I remote from, then assigned it to the sshd VS... that means I've locked myself out from any random free public wi-fi I happen along.
Logged

Hard Harry

  • Guest
Re: hackers in China
« Reply #8 on: November 06, 2011, 10:42:31 PM »

Turning remote management on is not something I could ever justify, EVER.

I said turning it off, not turning it on. But now I see you said sshd, not remote management, my mistake. I read the log fast. But still, I would suggest changing the default port of 22 and then changing your IP. They probably found you by port scanning popular ports, so moving away from 22 would add another layer of protection. Glad you got the firewall rule sorted out though.

Also, as a thought, if you have more than one site, you could add one of those IPs to the list and then set up a VPN from there. A backdoor, if you may.
Logged

fraggboy

  • Level 3 Member
  • ***
  • Posts: 182
Re: hackers in China
« Reply #9 on: November 07, 2011, 12:06:15 PM »

As a precaution, I would change the default SSH port (what HH mentioned) to something else, and change:
PermitRootLogin to no
Make sure you have a username other than root that gives you admin rights.

Stopping them at the D-Link is a good idea, but they will use multiple zombies (which you are figuring out). That's why I suggest you change your SSH settings.

You can also allow sshd access to certain IPs in the hosts.allow file.
Logged

cyke1

  • Level 1 Member
  • *
  • Posts: 2
Re: hackers in China
« Reply #10 on: January 18, 2012, 01:06:32 AM »

If you are running a Linux server you should change the port SSHd runs on, because attacks on the default SSH port are common. It's also a good idea to prevent root login in the SSH conf, so you need to know an account login and user name to get in; the only way to get root would be via the su command.
Logged

KKWL

  • Level 2 Member
  • **
  • Posts: 46
Re: hackers in China
« Reply #11 on: January 18, 2012, 10:52:45 PM »

Does your router have Respond to WAN Pings enabled? I would disable that for sure, but I also recall that if you turn that off you can't connect to SSH. Or at least that's how it worked for me when I tunneled under my post-secondary institute.
Logged