[arm-allstar] Selective IP Blocking

Anthony (N2KI) n2ki.ham at gmail.com
Thu Feb 15 06:35:59 EST 2024


Thank you for your insight, David.  I did follow your suggestion and change
the external port pointing to the internal.  That has stopped it (for now).

Regards,
Anthony
N2KI

On Wed, Feb 14, 2024 at 10:31 PM David McGough <kb4fxc at inttek.net> wrote:

>
> iptables isn't going anywhere!  It is true that the actual kernel modules
> (AKA: netfilter) have evolved to become nftables (and the nft command),
> which can be considered a superset of the more limited functionality
> originally found in iptables.
>
> Since nft is a superset, the original iptables commands are now simply
> internally mapped to the nft equivalents.  I expect that the iptables
> command syntax and functionality will be here for the foreseeable future
> and it most certainly is still fully supported as of now.
>
> All this being said, if the SSHD is being attacked, the simple and
> effective solution is simply to change the TCP port used.  There is no
> reason to overcomplicate the solution!  ....If changing ports doesn't
> resolve the attack issues, then as a next step add a capable firewall,
> which will certainly resolve this concern.
>
>
>
> 73, David K4FXC
>
>
> On Wed, 14 Feb 2024, Anthony (N2KI) via ARM-allstar wrote:
>
> > I was looking at IP Tables and it is sunsetted according to what I read.  So
> > I am not sure I want to add a package that will no longer be supported.
>
>
>
> Anthony
>   N2KI
>
> On Wed, Feb 14, 2024, 20:10 Benjamin Naber via ARM-allstar <
> arm-allstar at hamvoip.org> wrote:
>
> > Possibly a more elegant solution is to actually implement your firewall,
> > either using IP tables on the node itself or at the router, and only allow
> > ports for IAX and SSH and block everything else inbound.
> >
> > Benjamin, KB9LFZ
> >
> >
> > On Wed, Feb 14, 2024, 06:20 David McGough via ARM-allstar <
> > arm-allstar at hamvoip.org> wrote:
> >
> > >
> > > > ...In proofreading, the below should say:  ....which doesn't end in 22,
> > > > 222 -OR- 2222.   *sigh*   73, David K4FXC
> > >
> > >
> > > On Wed, 14 Feb 2024, David McGough via ARM-allstar wrote:
> > >
> > > >
> > > > > The simplest solution to fix this issue is simply to change the SSH
> > > > > port to some obscure port number which doesn't end in 22, 222 to 2222.
> > > > > This simple change will typically eliminate 99.99% of the attacks.  If
> > > > > the attack issue persists, there are other techniques which will help
> > > > > further.
> > > > >
> > > > > But, for a simple, first step, just change the SSHD port.  This can be
> > > > > done via the admin menu, option 8.  NOTE that if your node is behind a
> > > > > NAT firewall (running on a private IP address), you may need to change
> > > > > the port forwarding as set up in the router to the new port number, too.
> > > >
> > > >
> > > > 73, David K4FXC
> > > >
> > > >
> > > > On Tue, 13 Feb 2024, Lloyd Duck wrote:
> > > >
> > > > > It’s on the Linux logs on supermon where I’m seeing it.
> > > > >
> > > > > > Command: export TERM=vt100 && /usr/bin/sudo /usr/bin/journalctl --no-pager --since "1 day ago" | /bin/sed -e "/sudo/ d"
> > > > > > -----------------------------------------------------------------
> > > > > > -- Logs begin at Sun 2024-02-11 14:29:50 CST, end at Tue 2024-02-13 09:17:51 CST. --
> > > > > > Feb 12 09:34:14 W5AW sshd[32556]: rexec line 110: Deprecated option UsePrivilegeSeparation
> > > > > > Feb 12 09:34:15 W5AW sshd[32556]: Invalid user ic from 146.59.228.105 port 49302
> > > > > > Feb 12 09:34:15 W5AW sshd[32556]: pam_tally(sshd:auth): pam_get_uid; no such user
> > > > <snip>
> > > >
> > > > _______________________________________________
> > > >
> > > > ARM-allstar mailing list
> > > > ARM-allstar at hamvoip.org
> > > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > > >
> > > > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> > > >
> > >
> > > _______________________________________________
> > >
> > > ARM-allstar mailing list
> > > ARM-allstar at hamvoip.org
> > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > >
> > > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> > >
> > _______________________________________________
> >
> > ARM-allstar mailing list
> > ARM-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> >
> _______________________________________________
>
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
>
>
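
Added example, not part of any message in this thread: a shell function that tallies sshd failure lines of the kind shown in the quoted journalctl output by source address, so the effect of a port change or firewall rule can be compared before and after. The function names `sample_log` and `ssh_offenders`, the host name NODE, and the sample log lines with documentation-range addresses are constructed for illustration.

```shell
# Tally failed SSH logins per source address from journalctl-style sshd lines.

# Constructed sample input (documentation-range addresses), in the same
# line format as the journalctl output quoted in the thread.
sample_log() {
cat <<'EOF'
Feb 12 09:34:14 NODE sshd[32556]: rexec line 110: Deprecated option UsePrivilegeSeparation
Feb 12 09:34:15 NODE sshd[32556]: Invalid user ic from 203.0.113.7 port 49302
Feb 12 09:34:15 NODE sshd[32556]: pam_tally(sshd:auth): pam_get_uid; no such user
Feb 12 09:34:21 NODE sshd[32561]: Invalid user admin from 203.0.113.7 port 49388
Feb 12 09:35:02 NODE sshd[32570]: Invalid user test from 198.51.100.23 port 51514
Feb 12 09:35:40 NODE sshd[32577]: Failed password for root from 203.0.113.7 port 49500 ssh2
Feb 12 09:36:11 NODE sshd[32580]: Accepted publickey for repeater from 192.0.2.10 port 40022 ssh2
Feb 12 09:36:30 NODE otherd[900]: Invalid user x from 192.0.2.99 port 1
EOF
}

# Read log lines on stdin; print "count address" for every source with at
# least $1 failure lines (default 1), busiest first.
ssh_offenders() {
  min="${1:-1}"
  awk -v min="$min" '
    # Only sshd records; field 5 is the sshd[pid]: tag.
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }
    # Two failure shapes: unknown account, or wrong password for a real one.
    /: Invalid user / || /: Failed password for / {
      # Keep the last "from <addr> port" triple so a submitted user name
      # containing those words cannot shift which field is counted.
      ip = ""
      for (i = 6; i + 2 <= NF; i++)
        if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
      if (ip != "") hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Live use on a node (journalctl options as in the thread):
#   journalctl --no-pager --since "1 day ago" | ssh_offenders 5
sample_log | ssh_offenders
```

Running it once before and once after moving the SSH port gives a direct count of how much of the scanning traffic the change removed.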