Brute force attack although port forwarding activated

Pyb

Occasional Visitor
Hello!
I’ve got an issue with port forwarding: let me explain.
I’ve got a Livebox (French internet box) with 3 ASUS routers in mesh. The main router is in the Livebox’s DMZ.
And I forward some ports, especially one for ssh for one Nas.
My problem is that the logs from the Nas are showing a regular attack in ssh, with many ports (all are wrong at this time!): I do not understand how it is possible because the ports used by the hacker are not forwarded… How is this possible? The router should stop that, shouldn’t it?
What could be wrong in my configuration?

Thanks for reading and sorry for my bad English !

PYB
 
Not possible anymore sorry. But it was pretty clear: IP from the hacker (I think more probably from an infested PC), login used and port used. 2 attempts per hour.
In fact, I would like to know how a hacker can reach a device with a port which is not redirected by the router.
 
Well, I found a backup I have!
Here are the logs:


freenas.192.168.0.1 kernel log messages:
ugen0.2: <vendor 0x8087> at usbus0 (disconnected)
ugen0.2: <vendor 0x8087> at usbus0

freenas.192.168.0.1 login failures:
Jul 12 00:20:32 freenas sshd[30678]: Invalid user support from 179.60.147.74
Jul 12 00:20:32 freenas sshd[30678]: input_userauth_request: invalid user support [preauth]
Jul 12 00:20:33 freenas sshd[30678]: Failed password for invalid user support from 179.60.147.74 port 59542 ssh2
Jul 12 00:51:10 freenas sshd[31493]: Invalid user support from 179.60.147.74
Jul 12 00:51:10 freenas sshd[31493]: input_userauth_request: invalid user support [preauth]
Jul 12 00:51:11 freenas sshd[31493]: Failed password for invalid user support from 179.60.147.74 port 62148 ssh2
Jul 12 01:21:46 freenas sshd[32343]: Invalid user blank from 179.60.147.74
Jul 12 01:21:46 freenas sshd[32343]: input_userauth_request: invalid user blank [preauth]
Jul 12 01:21:47 freenas sshd[32343]: Failed password for invalid user blank from 179.60.147.74 port 2544 ssh2
Jul 12 01:52:18 freenas sshd[33145]: Invalid user blank from 179.60.147.74
Jul 12 01:52:18 freenas sshd[33145]: input_userauth_request: invalid user blank [preauth]
Jul 12 01:52:19 freenas sshd[33145]: Failed password for invalid user blank from 179.60.147.74 port 12082 ssh2
Jul 12 02:22:57 freenas sshd[33993]: Invalid user support from 179.60.147.74
Jul 12 02:22:57 freenas sshd[33993]: input_userauth_request: invalid user support [preauth]
Jul 12 02:22:58 freenas sshd[33993]: Failed password for invalid user support from 179.60.147.74 port 26056 ssh2
Jul 12 02:53:31 freenas sshd[34790]: Invalid user blank from 179.60.147.74
Jul 12 02:53:31 freenas sshd[34790]: input_userauth_request: invalid user blank [preauth]
Jul 12 02:53:31 freenas sshd[34790]: Failed password for invalid user blank from 179.60.147.74 port 21030 ssh2
Jul 12 03:26:16 freenas sshd[36008]: Invalid user blank from 179.60.147.74
Jul 12 03:26:16 freenas sshd[36008]: input_userauth_request: invalid user blank [preauth]
Jul 12 03:26:16 freenas sshd[36008]: Failed password for invalid user blank from 179.60.147.74 port 29590 ssh2
Jul 12 03:56:47 freenas sshd[36906]: Invalid user support from 179.60.147.74
Jul 12 03:56:47 freenas sshd[36906]: input_userauth_request: invalid user support [preauth]
Jul 12 03:56:47 freenas sshd[36906]: Failed password for invalid user support from 179.60.147.74 port 10580 ssh2
Jul 12 04:27:25 freenas sshd[37753]: Invalid user blank from 179.60.147.74
Jul 12 04:27:25 freenas sshd[37753]: input_userauth_request: invalid user blank [preauth]
Jul 12 04:27:25 freenas sshd[37753]: Failed password for invalid user blank from 179.60.147.74 port 49044 ssh2
Jul 12 04:57:57 freenas sshd[38556]: Invalid user blank from 179.60.147.74
Jul 12 04:57:57 freenas sshd[38556]: input_userauth_request: invalid user blank [preauth]
Jul 12 04:57:58 freenas sshd[38556]: Failed password for invalid user blank from 179.60.147.74 port 2456 ssh2
Jul 12 05:28:27 freenas sshd[39405]: Invalid user blank from 179.60.147.74
Jul 12 05:28:27 freenas sshd[39405]: input_userauth_request: invalid user blank [preauth]
Jul 12 05:28:28 freenas sshd[39405]: Failed password for invalid user blank from 179.60.147.74 port 41148 ssh2
Jul 12 05:59:01 freenas sshd[40231]: Invalid user support from 179.60.147.74
Jul 12 05:59:01 freenas sshd[40231]: input_userauth_request: invalid user support [preauth]
Jul 12 05:59:01 freenas sshd[40231]: Failed password for invalid user support from 179.60.147.74 port 49824 ssh2
Jul 12 06:29:42 freenas sshd[41057]: Invalid user blank from 179.60.147.74
Jul 12 06:29:42 freenas sshd[41057]: input_userauth_request: invalid user blank [preauth]
Jul 12 06:29:43 freenas sshd[41057]: Failed password for invalid user blank from 179.60.147.74 port 65000 ssh2
Jul 12 07:00:14 freenas sshd[41897]: Invalid user support from 179.60.147.74
Jul 12 07:00:14 freenas sshd[41897]: input_userauth_request: invalid user support [preauth]
Jul 12 07:00:14 freenas sshd[41897]: Failed password for invalid user support from 179.60.147.74 port 11898 ssh2
Jul 12 07:30:44 freenas sshd[42700]: Invalid user blank from 179.60.147.74
Jul 12 07:30:44 freenas sshd[42700]: input_userauth_request: invalid user blank [preauth]
Jul 12 07:30:45 freenas sshd[42700]: Failed password for invalid user blank from 179.60.147.74 port 50576 ssh2
Jul 12 08:01:17 freenas sshd[43536]: Invalid user support from 179.60.147.74
Jul 12 08:01:17 freenas sshd[43536]: input_userauth_request: invalid user support [preauth]
Jul 12 08:01:17 freenas sshd[43536]: Failed password for invalid user support from 179.60.147.74 port 50070 ssh2
Jul 12 08:31:57 freenas sshd[44344]: Invalid user unknown from 179.60.147.74
Jul 12 08:31:57 freenas sshd[44344]: input_userauth_request: invalid user unknown [preauth]
Jul 12 08:31:57 freenas sshd[44344]: Failed password for invalid user unknown from 179.60.147.74 port 52212 ssh2
Jul 12 09:02:31 freenas sshd[45176]: Invalid user unknown from 179.60.147.74
Jul 12 09:02:31 freenas sshd[45176]: input_userauth_request: invalid user unknown [preauth]
Jul 12 09:02:32 freenas sshd[45176]: Failed password for invalid user unknown from 179.60.147.74 port 33000 ssh2
Jul 12 09:33:03 freenas sshd[45977]: Invalid user unknown from 179.60.147.74
Jul 12 09:33:03 freenas sshd[45977]: input_userauth_request: invalid user unknown [preauth]
Jul 12 09:33:04 freenas sshd[45977]: Failed password for invalid user unknown from 179.60.147.74 port 25764 ssh2
Jul 12 10:03:37 freenas sshd[46818]: Invalid user unknown from 179.60.147.74
Jul 12 10:03:37 freenas sshd[46818]: input_userauth_request: invalid user unknown [preauth]
Jul 12 10:03:38 freenas sshd[46818]: Failed password for invalid user unknown from 179.60.147.74 port 30470 ssh2
Jul 12 10:34:16 freenas sshd[47641]: Invalid user unknown from 179.60.147.74
Jul 12 10:34:16 freenas sshd[47641]: input_userauth_request: invalid user unknown [preauth]
Jul 12 10:34:17 freenas sshd[47641]: Failed password for invalid user unknown from 179.60.147.74 port 61788 ssh2
Jul 12 11:04:58 freenas sshd[48485]: Invalid user unknown from 179.60.147.74
Jul 12 11:04:58 freenas sshd[48485]: input_userauth_request: invalid user unknown [preauth]
Jul 12 11:04:59 freenas sshd[48485]: Failed password for invalid user unknown from 179.60.147.74 port 12584 ssh2
Jul 12 11:35:23 freenas sshd[49285]: Invalid user guest from 179.60.147.74
Jul 12 11:35:23 freenas sshd[49285]: input_userauth_request: invalid user guest [preauth]
Jul 12 11:35:24 freenas sshd[49285]: Failed password for invalid user guest from 179.60.147.74 port 65490 ssh2
Jul 12 12:05:57 freenas sshd[50111]: Invalid user guest from 179.60.147.74
Jul 12 12:05:57 freenas sshd[50111]: input_userauth_request: invalid user guest [preauth]
Jul 12 12:05:58 freenas sshd[50111]: Failed password for invalid user guest from 179.60.147.74 port 33036 ssh2
Jul 12 12:36:40 freenas sshd[50933]: Invalid user unknown from 179.60.147.74
Jul 12 12:36:40 freenas sshd[50933]: input_userauth_request: invalid user unknown [preauth]
Jul 12 12:36:40 freenas sshd[50933]: Failed password for invalid user unknown from 179.60.147.74 port 55598 ssh2
Jul 12 13:07:15 freenas sshd[51760]: Invalid user unknown from 179.60.147.74
Jul 12 13:07:15 freenas sshd[51760]: input_userauth_request: invalid user unknown [preauth]
Jul 12 13:07:15 freenas sshd[51760]: Failed password for invalid user unknown from 179.60.147.74 port 17340 ssh2
Jul 12 13:37:50 freenas sshd[52558]: Invalid user guest from 179.60.147.74
Jul 12 13:37:50 freenas sshd[52558]: input_userauth_request: invalid user guest [preauth]
Jul 12 13:37:51 freenas sshd[52558]: Failed password for invalid user guest from 179.60.147.74 port 28064 ssh2
Jul 12 14:08:32 freenas sshd[53401]: Invalid user unknown from 179.60.147.74
Jul 12 14:08:32 freenas sshd[53401]: input_userauth_request: invalid user unknown
 
And I forward some ports, especially one for ssh for one Nas.

There's your answer. All those security events were against SSH.
 
Yes, but I forward only a specific port. And all the attempts are with bad ports which are not forwarded. So the router should have stopped them and the nas should have nothing to stop… I do not understand how the attack can reach the nas
 
Yes, but I forward only a specific port. And all the attempts are with bad ports which are not forwarded. So the router should have stopped them and the nas should have nothing to stop… I do not understand how the attack can reach the nas
Because those are the source ports of the attacker not the destination port that you have forwarded. Change the port that you're forwarding to something uncommon to avoid this.
 
Yes! And because the attacker uses ports that I do not forward, the router should stop the attacks no? So why does the router send the frames to the nas?
 
And because the attacker uses ports that I do not forward, the router should stop the attacks no?
No. That's not how it works.

The attacker creates a random port on his machine that connects to the fixed SSH port on your router (which you are forwarding to your NAS).
 
Because those are the source ports of the attacker not the destination port that you have forwarded. Change the port that you're forwarding to something uncommon to avoid this.
I forgot something: the ssh port I forward is not 22. I changed it and configured another one on the nas. That’s why I do not understand.
 
No. That's not how it works.

The attacker creates a random port on his machine that connects to the fixed SSH port on your router (which you are forwarding to your NAS).
How is that possible without knowing the ssh port I use?
 
I forgot something: the ssh port I forward is not 22. I changed it and configured another one on the nas. That’s why I do not understand.
How is that possible without knowing the ssh port I use?
Then you just got unlucky with that particular attacker doing a sweep scan of all the ports. If you were using port 22 you'd be seeing hundreds of attacks from multiple hosts.

 
Not bad luck. Changing the port isn't really an effective security strategy. If someone is serious they'll scan a full range of ports for your IP.
 
Not bad luck. Changing the port isn't really an effective security strategy.
It is in most cases (in the sense of reducing the "noise" in the log). As demonstrated by the fact that he's only getting hits from a single address rather than dozens or hundreds of different addresses if he hadn't changed the port.

If someone is serious they'll scan a full range of ports for your IP.
True. But most people aren't the target of a directed personal attack. If that's the case then all bets are off. In this case we can see that it's just a normal port scanning bot. Most bots don't bother scanning beyond the common addresses that humans choose because it wastes their time waiting for thousands of TCP timeouts when there's easier targets out there.
 
Ok, I think I almost understand your discussion.
Something still not clear for me: why does the bot change its port at each attempt? It could stay with one, because it found the port I chose…
 
Something still not clear for me: why does the bot change its port at each attempt?
That's how TCP works. Each new attempt could potentially create a new connection therefore it must use a different source port.
 
To improve your security on the ssh-side, you could use ssh keys (under Administration, System) to prevent any brute-forcing of your ssh access if it is exposed to the internet.
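
Added example (not part of any post in this thread): a small Python summary of sshd "Failed password" lines in the format quoted above, showing that the logged `port N` is the client's changing source port while the attempts all come from one address at a steady interval. The sample lines, the documentation address 203.0.113.7, the function name `summarize` and the `year` default are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the sshd lines quoted in the thread.
# 203.0.113.7 is a documentation address (RFC 5737), not a real host.
SAMPLE_LOG = """\
Jul 12 00:20:32 nas sshd[30678]: Invalid user support from 203.0.113.7
Jul 12 00:20:33 nas sshd[30678]: Failed password for invalid user support from 203.0.113.7 port 59542 ssh2
Jul 12 00:51:11 nas sshd[31493]: Failed password for invalid user support from 203.0.113.7 port 62148 ssh2
Jul 12 01:21:47 nas sshd[32343]: Failed password for invalid user blank from 203.0.113.7 port 2544 ssh2
Jul 12 01:52:19 nas sshd[33145]: Failed password for root from 203.0.113.7 port 12082 ssh2
"""

# "port N" in these lines is the client's ephemeral source port, not the
# destination port that the router forwards to sshd.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+)"
)

def summarize(log_text, year=2000):
    """Group failed sshd logins by client address.

    Syslog timestamps carry no year, so `year` is an assumption used only
    to compute the spacing between attempts.
    """
    raw = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # skip "Invalid user" / "input_userauth_request" lines
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        raw.setdefault(m["ip"], []).append((when, m["user"], int(m["sport"])))
    report = {}
    for ip, events in raw.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        report[ip] = {
            "attempts": len(events),
            "users": Counter(user for _, user, _ in events),
            "source_ports": {sport for _, _, sport in events},
            "mean_gap_seconds": span / (len(events) - 1) if len(events) > 1 else None,
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

One address with as many distinct source ports as attempts is the normal picture of a client opening a new TCP connection for each try; it says nothing about which destination port is forwarded.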
 