[arm-allstar] Brute force root attack on node from China?
Doug Crompton
wa3dsp at gmail.com
Tue Jul 3 16:27:14 EST 2018
Please, please stop the paranoia! Our system is NOT Windows. It is about as
secure as you can get in Linux, with very few ports open. Please stop
recommending heavy-duty stuff like fail2ban to be installed on a hamvoip
installation. If you need it you will know, but suggesting its use as
something everyone should do is not good.
I have said this too many times. If you don't want ssh exposed, don't port
forward it. If you do, use a good password. Don't tell anyone you don't
trust the password. You won't be hacked!
These discussions get started regularly and are usually beyond the scope of
this mailing list! Let's end this discussion yet another time!
73 Doug
WA3DSP
http://www.crompton.com/hamradio
On Tue, Jul 3, 2018 at 4:39 PM, "John Huggins via arm-allstar" <arm-allstar at hamvoip.org> wrote:
> This plus fail2ban. The latter is important to ensure your port's popularity
> doesn't become the equivalent of a DoS attack. Never let anyone continue to
> hammer your ports, so your tiny little Pi only focuses on AllStar. Life is
> plenty hard enough without red China constantly at the door... Others too!
>
> https://vapn.org/security/the-internet-menace.html
>
> And yes, this relates to AllStar, albeit indirectly, because this list is
> the only viable watering hole for kindred spirits to understand the level
> of security required for something as obscure, in the context of the larger
> internet, as hamvoip. Yeah, we shouldn't dwell on fail2ban installation
> details here, but certainly should cover it at a high level.
>
> John, kx4o
>
> On Tue, Jul 3, 2018, 3:21 PM "Sean McCarthy via arm-allstar" <arm-allstar at hamvoip.org> wrote:
>
> > I use public key authentication for ssh and disable root password. Sleep
> > well at night...
> >
> > On Tue, Jul 3, 2018 at 1:41 AM "Doug Crompton via arm-allstar" <arm-allstar at hamvoip.org> wrote:
> >
> > > I am not sure what this has to do with hamvoip allstar. We use port 222 for
> > > ssh by default but you can change it to whatever you want. If you do,
> > > preferably a high port like 23222 or 17222 or something else you pick. But
> > > remember protecting by obfuscation of the port is poor security. Better
> > > than nothing but poor. At least you will not be hit constantly like you
> > > would on port 22. A good password is the best security. At least 10 random
> > > characters of mixed upper/lower letters, numbers, and special characters.
> > > Using a good password and the way ssh works it would take a very long time,
> > > probably much longer than your lifetime to break it assuming a constant try
> > > 24/7!
> > >
> > >
> > > 73 Doug
> > > WA3DSP
> > > http://www.crompton.com/hamradio
> > >
> > >
> > >
> > > On Mon, Jul 2, 2018 at 10:27 PM, "Jim Kinter Jr. via arm-allstar" <arm-allstar at hamvoip.org> wrote:
> > >
> > > > Hi Glenn.
> > > > On any/every Linux box that I admin that is connected to the outside
> > > > world, I move the port the SSH daemon listens on from port 22 to port 24.
> > > > 24 is an unassigned port (rarely if ever used), and script kiddies usually
> > > > don't port scan first; their scripts are designed just to attack IPs at
> > > > 22. You may also need to change it in IPTABLES, to now allow 24 and block
> > > > 22.
> > > >
> > > > Usually this change is made in the SSH daemon config file
> > > > (/etc/ssh/sshd.conf), usually marked with "Listen 22" or listen = 22; just
> > > > change 22 to 24, save/exit, and restart sshd. Not even a reboot required
> > > > (but would work too).
> > > >
> > > > You move the door from where they expect it to be and they can't find it.
> > > >
> > > > Just remember to reset any SSH software you use (PuTTY, etc.) to use 24
> > > > from the default 22 when talking to your unit.
> > > >
> > > > 73
> > > > Jim
> > > > K5KTF
> > > >
> > > > At 05:15 AM 7/2/2018, you wrote:
> > > >
> > > >> To add, an easy way to view failed login attempts is through the command:
> > > >> ====
> > > >> last -f /var/log/btmp
> > > >> ====
> > > >>
> > > >> In my case I had a number of entries like these, from the same address:
> > > >> ====
> > > >> root ssh:notty 118.186.17.9 Sun Jul 1 21:09 - 21:35 (00:25)
> > > >> root ssh:notty 118.186.17.9 Sun Jul 1 20:44 - 21:09 (00:25)
> > > >> root ssh:notty 118.186.17.9 Sun Jul 1 20:31 - 20:44 (00:12)
> > > >> root ssh:notty 118.186.17.9 Sun Jul 1 20:19 - 20:31 (00:12)
> > > >> root ssh:notty 118.186.17.9 Sun Jul 1 20:06 - 20:19 (00:12)
> > > >> ====
> > > >>
> > > >>
> > > >> On Mon, Jul 2, 2018 at 2:53 AM, Glenn Morgon <radion8hc at gmail.com> wrote:
> > > >>
> > > >> > I was digging through my Linux log and saw a lot of these in the log:
> > > >> > ====
> > > >> >
> > > >> > Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9 user=root
> > > >> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
> > > >> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
> > > >> > Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
> > > >> > Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9 user=root
> > > >> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
> > > >> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9 port 45437 [preauth]
> > > >> >
> > > >> > ====
> > > >> >
> > > >> > There are literally scores of these line entries in my log in the last
> > > >> > couple of hours since I had rebooted it. All coming from 118.186.17.9,
> > > >> > which shows as being from China.
> > > >> >
> > > >> > Curious that the log reports the port as not being the actual ssh port I
> > > >> > have configured, although, when I ssh into my node it too shows a port
> > > >> > that is not the same port I am using.
> > > >> >
> > > >> > I ended up blocking further attempts by running the command:
> > > >> > ====
> > > >> > iptables -A INPUT -s 118.186.17.0/24 -j DROP
> > > >> > ====
> > > >> > Although I think I'll change it to 118.186.0.0/16 as it appears all 256
> > > >> > nets are associated with China. While I realize this doesn't address them
> > > >> > using a proxy, perhaps it will encourage them to seek out an easier target.
> > > >> >
> > > >> > I've got a couple of nodes on my network with forwarded custom ssh ports
> > > >> > but this is the only one they seem to have noticed at this point.
> > > >> >
> > > >> > So this is my PSA for using strong passwords and checking your logs now
> > > >> > and again.
> > > >> >
> > > >> > Glenn
> > > >> >
> > > >> _______________________________________________
> > > >>
> > > >> arm-allstar mailing list
> > > >> arm-allstar at hamvoip.org
> > > >> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > > >>
> > > >> Visit the BBB and RPi2/3 web page - http://hamvoip.org
> > > >>
> > > >
> > > >
> > > > 73
> > > > Jim Kinter, Jr. K5KTF
> > > > Cedar Park TX
> > > > Webmaster
> > > > <http://www.broadband-hamnet.org/>www.Broadband-Hamnet.org
> > > > www.CTDXCC.org
> > > > <http://www.austinsummerfest.org/>www.AustinSummerfest.org
> > > > Williamson County ARES
> > > > 2010/11/15/16/17/18 Board Member/AEC BBHN
> > > > Travis County ARES
> > > > Member
> > > > ARRL
> > > > Field Instructor/Field Examiner/VE Liaison
> > > > W5YI VE # 34031E
> > > > NWS Skywarn Spotter
> > > > Lone Star Spotter Network Member
> > > >
>
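The triage Glenn did by hand (grep the log, count the offending address, drop its network) is what fail2ban automates at the high level John mentions. The script below is an added example, not code from hamvoip or from anyone in the thread: it runs the same logic over a few constructed journal-style sshd lines in the shape of the ones posted above. Two details a practitioner wants here. First, the `port 33831` in `Failed password for root from 118.186.17.9 port 33831` is the client's ephemeral source port, not the port sshd listens on, which is why it never matches the port you configured. Second, `iptables -A` appends the DROP after every existing rule, so if an earlier rule already ACCEPTs your forwarded ssh port the DROP is never reached; the example therefore emits `-I INPUT` (insert at the top). The threshold of three failures, the /24 aggregation and the `journalctl -u sshd` unit name in the comment are this example's assumptions.

```shell
#!/bin/sh
# Added example (not hamvoip code): count failed SSH password guesses per
# source address and emit a DROP rule for any source over a threshold.
# The log lines are constructed for this example in the journald/syslog
# shape posted in the thread; the "port NNNNN" on each line is the client's
# source port, not the sshd listening port.
SAMPLE_LOG='Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
Jul 02 02:25:01 n8hc-47380 sshd[9800]: Failed password for invalid user admin from 118.186.17.9 port 45990 ssh2
Jul 02 02:31:12 n8hc-47380 sshd[9901]: Failed password for pi from 198.51.100.7 port 51000 ssh2
Jul 02 02:40:00 n8hc-47380 sshd[9950]: Accepted publickey for root from 192.0.2.10 port 52222 ssh2'

# failed_by_source: read sshd log lines on stdin, print "COUNT IP" per
# source address, busiest first. Handles both "Failed password for USER
# from IP" and "Failed password for invalid user USER from IP".
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for ' |
    sed -n 's/.* from \([0-9][0-9.]*\) port [0-9]* ssh2$/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# block_rules THRESHOLD: for every source with THRESHOLD or more failures,
# print an iptables rule dropping its /24 (the /24 is this example's choice,
# as it was Glenn's). -I inserts at the top of INPUT so the DROP is hit before
# any existing ACCEPT for the forwarded ssh port; -A would append after it.
block_rules() {
    failed_by_source | awk -v t="$1" '$1 >= t {
        split($2, o, ".")
        printf "iptables -I INPUT -s %s.%s.%s.0/24 -j DROP\n", o[1], o[2], o[3]
    }'
}

# Stand-alone run over the constructed sample. On a real node feed it the
# journal instead, e.g.  journalctl -u sshd --no-pager | failed_by_source
# (assumes the unit is named sshd, as on Arch-based images).
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

Rules added at the command line last only until reboot; to keep them, save the table with `iptables-save` into whatever rules file your image's iptables service loads. Blocking by observed behaviour, as above, ages better than blocking whole countries, because the next scanner arrives from somewhere else.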
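Jim's port move and Sean's key-only login both end up in the same file: on OpenSSH it is /etc/ssh/sshd_config, and the listening port is set with the `Port` keyword (hamvoip ships it as 222). The script below is an added example, not hamvoip's shipped configuration. It writes two constructed config files under a temporary directory, one that was "hardened" by appending lines and one written correctly, and checks them with a small reproduction of sshd's rule that the first value read for a keyword is the one that counts, which is the usual reason a `PasswordAuthentication no` pasted at the bottom of the file changes nothing. The check ignores Match blocks and Include, which is fine for a flat file like this; on the real node, `sshd -T` prints the effective value of every keyword and `sshd -t` validates the file before you restart the daemon. Port 222 comes from the thread; every other value is this example's choice.

```shell
#!/bin/sh
# Added example (not hamvoip's shipped config): two constructed sshd_config
# files and a check that reproduces sshd's "first value wins" rule, so you
# can see whether a hardening line actually took effect. Port 222 is the
# hamvoip default from the thread; the other values are this example's.
# Everything is written under a temp dir, so the real /etc/ssh is untouched.
WORK=$(mktemp -d)

# Looks hardened because the LAST lines say so, but sshd keeps the FIRST
# value it reads for each keyword, so password logins for root stay enabled.
cat > "$WORK/appended.conf" <<'EOF'
Port 222
PasswordAuthentication yes
PermitRootLogin yes
# lines added later in the hope of hardening the node:
PasswordAuthentication no
PermitRootLogin prohibit-password
EOF

# The corrected file: one value per keyword, key-only authentication, root
# may log in with a key but never with a password.
cat > "$WORK/hardened.conf" <<'EOF'
Port 222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 20
EOF

# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD,
# i.e. the first occurrence outside comments (keywords are case-insensitive).
# Simplification: Match blocks and Include are not handled; use `sshd -T`
# on the real node for the authoritative answer.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# hardened_ok FILE: succeed only if the settings that matter are in force.
hardened_ok() {
    [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_effective "$1" PermitRootLogin)" = "prohibit-password" ] &&
    [ "$(sshd_effective "$1" PubkeyAuthentication)" = "yes" ]
}

# Stand-alone run: show what each file really does.
for f in appended hardened; do
    if hardened_ok "$WORK/$f.conf"; then verdict=hardened; else verdict="NOT hardened"; fi
    printf '%s.conf: PasswordAuthentication=%s PermitRootLogin=%s -> %s\n' "$f" \
        "$(sshd_effective "$WORK/$f.conf" PasswordAuthentication)" \
        "$(sshd_effective "$WORK/$f.conf" PermitRootLogin)" "$verdict"
done
echo "scratch files left in $WORK"
```

Keep a second session open while you switch PasswordAuthentication to no, and confirm that a fresh `ssh -p 222 -i yourkey root@node` login succeeds with the key before closing it; a typo in this file on a headless Pi otherwise means a trip to the node with a keyboard.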