Attack from a Chinese friend?

huotg01

I have thousands of these in my partner's syslog.
Code:
Dec  4 09:43:54 dropbear[23304]: Login attempt for nonexistent user from 218.2.0.133:14389
Dec  4 09:43:55 dropbear[23304]: Login attempt for nonexistent user from 218.2.0.133:14389
Dec  4 09:43:55 dropbear[23304]: Exit before auth: Max auth tries reached - user 'is invalid' from 218.2.0.133:14389
Dec  4 09:43:58 dropbear[23306]: Login attempt for nonexistent user from 218.2.0.133:15961

After googling around, it seems that it is an all-too-well-known address from China, and that it would be a brute force attack.

Enable Web Access from WAN is already disabled, but Allow SSH password login is allowed. Now that I can use public/private keys to log in, I will just disable it, but is there anything else to do? (By the way, what is Enable SSH Brute Force Protection?)

Thanks
 
SSH Brute Force Protection limits the number of connections per minute a given IP can make to the SSH daemon. This prevents brute force attacks, where someone repeatedly connects to ssh and tries random passwords in the hope of finding one that works.

In your case disabling password authentication might be a good idea indeed. You will still get notifications of connection attempts, but at least you'll know that it will be nearly impossible for any of them to succeed.

Otherwise, the only option is to move ssh to a non-standard port (like 1222 - use something higher than 1024 to avoid potential conflicts), and adjust your whole backup mechanism accordingly.
 
> [...] In your case disabling password authentication might be a good idea indeed. You will still get notifications of connection attempts, but at least you'll know that it will be nearly impossible for any of them to succeed. [...]
As soon as I disable Allow SSH password login, I'm unable to even ssh connect from the other machine (either with or without password).
When I re-enable it, after rebooting the partner, then I can again connect and log in without password. Strange, isn't it? Could it be a bug, or 2 bad observations?

GH
 
I'd have to re-test it, I'm not at home right now to do so. But normally you should still be able to connect using your keys.
 
It ends on a:
Code:
Admin@1080-Router:/jffs/scripts# ssh -i /jffs/dropbear/dropbear_rsa_host_key admin@xxxxx.asuscomm.com
ssh: Exited: Error connecting: Connection timed out
 
Is there any good reason for anybody from China to access your server?

If not, I believe there is a package that will block unfriendly countries. Or at least people with IP addresses in unfriendly countries.

You might want to edit the list, as I noticed that Australia was one of the unfriendly countries....

I think there are a couple of different packages.

Don't know much about it, just came across it reading through optware packages.

It's something I should do on my VPS.
 
It's always a good thing to start looking at our log files...
In this specific case it seems to come from China, but this is irrelevant. Based on what I read, some techno-friends, from anywhere, find a program on the internet to run brute force attacks and play with it to set up new bases from which to start other brute force attacks, and so on.

In my case, as suggested by RMerlin, I also changed my ssh port number to make the router more difficult to attack. To confuse the attacker, I switched the position of the 2 numbers of the standard ssh port number. Therefore it's now 22.

GH ;-)
 
I always use a random port number for SSH. I only want the more sophisticated hackers. ;)
 
> It ends on a:
> Code:
> Admin@1080-Router:/jffs/scripts# ssh -i /jffs/dropbear/dropbear_rsa_host_key admin@xxxxx.asuscomm.com
> ssh: Exited: Error connecting: Connection timed out

Check if it's not an issue with your DDNS. I tested it here, and it worked fine for me - I was able to connect using my key from both a LAN and a WAN machine.
 
I don't know what to say other than... as usual you are right (the point where we can read "Remote closed the connection" is when password login was turned off on the remote):
Code:
ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
xxxx@RT-AC56U:/tmp/home/root# exit
Admin@1080-Router:/tmp/home/root# ssh -p xxxx -i /jffs/dropbear/dropbear_rsa_host_key xxxx@xxxx.asuscomm.com


ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
admin@RT-AC56U:/tmp/home/root# 
ssh: Connection to xxxx@xxxx.asuscomm.com:xxxxx exited: Remote closed the connection
Admin@1080-Router:/tmp/home/root# ssh -p xxxx -i /jffs/dropbear/dropbear_rsa_host_key xxxx@xxxx.asuscomm.com


ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
xxxx@RT-AC56U:/tmp/home/root# exit
Admin@1080-Router:/tmp/home/root# ssh -p xxxx -i /jffs/dropbear/dropbear_rsa_host_key xxxx@xxxx.asuscomm.com


ASUSWRT-Merlin RT-AC56U_3.0.0.4 Sat Nov  8 02:23:13 UTC 2014
xxxx@RT-AC56U:/tmp/home/root#

That said, I don't know what else could affect the result. I think that the DDNS was ok because I tried the process in 2 cycles, always with the same URL. The only thing I can add about yesterday's tests is that after turning OFF the password login on the remote, I noticed that it was then impossible to log in to the remote, with or without password; just re-enabling the password login on the remote was not enough to make the connection possible, with or without password. I had to reboot the remote.

Anyways, it works. Thanks.
 
Is fail2ban an option for the Asuswrt-merlin builds?

requires python, but otherwise... could be useful for many things, not just SSH
 
> [...] In this specific case it seems to come from China, but this is irrelevant. Based on what I read, some techno-friends, from anywhere, find a program on the internet to run brute force attacks and play with it to set up new bases from which to start other brute force attacks, and so on. [...]
The "readings" were from that site: http://www.websworld.org/?explain=yes&numat=72
 
Considering how bloated python is, I wouldn't run anything based on Python on a router when the same thing could be done more efficiently with a plain sh script.
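As an added illustration, not a script from this thread or from the firmware: the log-analysis half of what such a plain sh script would do, counting dropbear authentication failures per source IP over syslog lines and listing the hosts at or above a threshold. The sample log is constructed; the "Bad password attempt" pattern is dropbear's own message rather than one shown in the thread, and the syslog path in the usage note is assumed.

```shell
#!/bin/sh
# Count dropbear authentication failures per source IP from syslog lines and
# report the IPs at or above a threshold. Matches the two messages shown in
# the thread plus dropbear's "Bad password attempt" message; successful logins
# are ignored. Reads syslog text on stdin, prints "count ip", highest first.
dropbear_failures() {
    threshold="$1"
    awk -v thr="$threshold" '
        /dropbear\[[0-9]+\]: (Login attempt for nonexistent user|Exit before auth: Max auth tries reached|Bad password attempt)/ {
            # The last field is "ip:port"; strip the port so retries from
            # different source ports count against the same host.
            src = $NF
            sub(/:[0-9]+$/, "", src)
            count[src]++
        }
        END {
            for (ip in count)
                if (count[ip] >= thr) print count[ip], ip
        }' | sort -rn
}

# Constructed sample log (addresses from the documentation ranges, made-up PIDs),
# shaped like the lines in the first post.
SAMPLE_LOG=$(cat <<'EOF'
Dec  4 09:43:54 dropbear[23304]: Login attempt for nonexistent user from 198.51.100.7:14389
Dec  4 09:43:55 dropbear[23304]: Login attempt for nonexistent user from 198.51.100.7:14389
Dec  4 09:43:55 dropbear[23304]: Exit before auth: Max auth tries reached - user 'is invalid' from 198.51.100.7:14389
Dec  4 09:43:58 dropbear[23306]: Login attempt for nonexistent user from 198.51.100.7:15961
Dec  4 09:44:02 dropbear[23310]: Bad password attempt for 'admin' from 203.0.113.9:51022
Dec  4 09:44:10 dropbear[23312]: Password auth succeeded for 'admin' from 192.0.2.20:40110
Dec  4 09:44:11 dropbear[23314]: Login attempt for nonexistent user from 203.0.113.9:51030
EOF
)

# Report hosts with three or more failures in the sample.
printf '%s\n' "$SAMPLE_LOG" | dropbear_failures 3
```

On the router the same function can read the live syslog instead (for example `dropbear_failures 10 < /tmp/syslog.log`, path assumed); what to do with the listed addresses (firewall rule, alert) is the part this example leaves out.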
 
@Merlin: Do you have a link to an sh script that would substitute for fail2ban?
 
None for a router. For my servers, I use CSF.
 
May I install this CSF on an Asus router with your firmware? I'm really looking for some script for blocking IP ranges on my router.

No. You will need a customized solution, as a router's firewall is far too different from a standard Linux distro firewall.
 
