DSM-G600, DNS-3xx and NSA-220 Hack Forum

#1 2010-11-13 04:22:22

bound4h
Member
Registered: 2010-04-12
Posts: 209

SSH log to catch brute-force dictionary attacks

So, I have SSH set up with one user and I have port 22 forwarded to the NAS.  While logged in via SSH at HOME, when I run top I see a lot of activity for processes called:

sshd [accepted]
sshd [priv]
or
sshd unknown

They keep popping up when I hit refresh.  As soon as I turned off port forwarding for port 22, they went away so it's obviously outside my network.  I read here that it's likely some kind of dictionary attack: http://forum.openvz.org/index.php?t=msg … 35448&

So my questions are:

1. Does SSH keep a log somewhere on the DNS323 (using FFP0.5) so I can see the IPs
2. Can I deny hosts somehow
3. How can I set up a log to log this info if one does not exist

Thanks

UPDATE: I figured out how to start syslogd.sh so logging is happening in /var/log/messages.  Not sure if I will see ssh activity in here but I wanted to add this.

Last edited by bound4h (2010-11-13 04:40:15)

#2 2010-11-14 20:51:12

InBonobo
Member
From: Toronto
Registered: 2009-01-18
Posts: 34

Re: SSH log to catch brute-force dictionary attacks

I presume your DNS box is behind your firewall and you poked a hole in it. How about restricting access at firewall level only from specific IPs?

I only enable access to my DNS323 from outside when I know I will need it, which is very seldom.


1 DNS-323, HW B1, 2 x 2TB WD Black (WD2001FASS), fw 1.09, fun_plug 0.5
1 DNS-321, HW A2, 2 x 1TB Seagate Barracuda 7200.11 (currently failed)
Here's my Hacking DNS-323 and DNS-321 NAS Guide

#3 2010-11-14 21:01:48

InBonobo
Member
From: Toronto
Registered: 2009-01-18
Posts: 34

Re: SSH log to catch brute-force dictionary attacks

Another thing I've done with mine (explained in my guide) is use only the PPK for login. Once you're sure it works, you can disable login / pass altogether. On mine, I had to modify /mnt/HD_a2/ffp/etc/ssh/sshd_config as follows:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

Uncomment PasswordAuth and change it to no, then restart the daemon with

# service sshd restart

Last edited by InBonobo (2010-11-14 21:03:29)


#4 2010-11-14 21:41:46

bjby
Member
Registered: 2009-02-22
Posts: 265

Re: SSH log to catch brute-force dictionary attacks

I made a script which emails the abuse email published by the network owner in the whois database. I don't use it anymore but I did for a while. The script assumes the abuse email address is of the format abuse@<ipscompanydomain>; otherwise no mail is sent.

Code:

#!/ffp/bin/bash
#
# Mail the first log lines of each new SSH dictionary-attack source to the
# abuse@ contact found in whois. Expects BusyBox syslogd output in
# /var/log/messages ("... sshd[pid]: Invalid user <name> from <ip>"); IPs that
# were already reported are remembered in IPLOGFILE so each one is mailed once.
IPLOGFILE="abuseips.txt"          # relative to the directory the script runs in
TMPFILE="/ffp/tmp/abuse.tmp"
set -e
PATH=/opt/bin:/opt/sbin:/ffp/sbin:/usr/sbin:/sbin:/ffp/bin:/usr/bin:/bin

touch "$IPLOGFILE"
# Pull the source address out of every "Invalid user" line, one copy per IP.
# Matching on the message text (not a fixed field number) also copes with the
# extra space BusyBox puts in single-digit dates.
sed -n 's/.*Invalid user .* from \([0-9][0-9.]*\).*/\1/p' /var/log/messages | sort -u > "$TMPFILE"

# Listing IPLOGFILE twice makes "uniq -u" keep only the IPs not yet reported.
for i in $(cat "$TMPFILE" "$IPLOGFILE" "$IPLOGFILE" | sort | uniq -u)
do
  echo "$i" >> "$IPLOGFILE"
  abuseip="$i"
  # First abuse@ address in the whois record; empty if the owner publishes none.
  abusemail=$(whois "$abuseip" 2>/dev/null | grep -i -o -E 'abuse@[-a-z.A-Z0-9]*' | head -1)
  if [ -n "$abusemail" ]; then
    abusesubject="abuse: ssh hacking attempt from $abuseip"
    echo "$abusemail"
    echo "$abusesubject"
    # Send the first ten matching log lines as evidence, with a copy to yourself.
    grep -F "$abuseip" /var/log/messages | head -10 | mutt -s "$abusesubject" -c mail@mymail.com "$abusemail"
  fi
done

Last edited by bjby (2010-11-14 21:51:59)

#5 2010-11-15 23:25:38

karlrado
Member
Registered: 2009-12-07
Posts: 229

Re: SSH log to catch brute-force dictionary attacks

It is pretty common for attackers to focus on port 22 for SSH break-ins.  I've set up my NAS to use a different port and forward that one through the router.  It isn't perfect, but it helps some.


DNS-323 FW 1.07 : 2 1TB WD Caviar Green SATA : fun_plug: utelnet + optware (no ffp)

#6 2010-11-16 00:42:12

bound4h
Member
Registered: 2010-04-12
Posts: 209

Re: SSH log to catch brute-force dictionary attacks

karlrado, I was thinking of doing the same thing.  Can't I just forward a port (make up something, say 5555) for the EXTERNAL port to the INTERNAL port 22 of the NAS?  Would this accomplish the same thing without having to change any settings on the NAS?

So, if you try to ping from external, 22 is closed and only 5555 is open.  But internally, you would need to use 22.  Am I saying this correctly?  And would it do the same thing as you've suggested?

#7 2010-11-16 04:37:59

karlrado
Member
Registered: 2009-12-07
Posts: 229

Re: SSH log to catch brute-force dictionary attacks

I think that you can do it either way, as long as your router has the flexibility.  I was going to say that my router doesn't allow different source/destination (or public/private) ports, but I just looked and the router/modem combo firmware had been upgraded without me knowing about it, and it now has a new feature to allow this!

So, I was sort of forced to keep the source/destination ports the same when forwarding them in the router.  And that meant changing the default SSH ports.  I didn't mind this as that kept the ports the same from my point of view when I am accessing the boxes from either side of the router.  It was easier for me to do that, but there's an equally valid argument to use the default ports on the internal lan.

I also picked a range and an "algorithm" that helped me remember what port is the SSH port, based on the machine's IP address.  I had already modified the SSHD config file on my servers anyway, so another change for a new port number was no big deal.  Yeah, it is a pain to remember to add a -p option on ssh, etc.  But I also made heavy use of SSH config files already, with hosts defined with easy to remember nicknames along with all the parms that I was already overriding, such as User.  Adding a port was no big deal.  It takes some setup, but ends up being pretty nice in the end.

Now I forward only the SSH port to each NAS/server that I want to access externally, and then use SSH tunneling for other services, like the mediatomb port, etc.  That seemed easier and perhaps more secure than forwarding tons of ports in the router.  I think my particular router didn't allow port forwards to be added in the external admin mode.

#8 2012-06-20 22:03:31

capitainabloc
Member
Registered: 2011-10-05
Posts: 22

Re: SSH log to catch brute-force dictionary attacks

Hi everyone!

I'm coming back to this thread:

1. Does SSH keep a log somewhere on the DNS323 (using FFP0.5) so I can see the IPs
2. Can I deny hosts somehow
3. How can I setup a log to log this info if one does not exist

I would also like to know if my SSH has been attacked; where can I find a connection log?

Thanks

#9 2012-06-21 16:32:30

bjby
Member
Registered: 2009-02-22
Posts: 265

Re: SSH log to catch brute-force dictionary attacks

cat /var/log/messages | grep 'Invalid user'
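
As an added example (not code from bjby or anyone else in this thread), the shell functions below build on the grep above and the per-IP extraction in post #4: they count failed and invalid logins per source address over BusyBox-style syslogd lines like those /var/log/messages holds on an ffp DNS-323, so a real dictionary attack stands out from a stray typo. The lines in SAMPLE_LOG are constructed, and the function names and the threshold argument are my own.

```shell
#!/bin/sh
# Constructed sample of BusyBox syslogd lines as written to /var/log/messages
# (facility.level field present, single-digit dates padded with a second space).
SAMPLE_LOG='Nov 13 04:10:01 dns323 auth.info sshd[1201]: Invalid user admin from 203.0.113.7
Nov 13 04:10:02 dns323 auth.info sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 13 04:10:05 dns323 auth.info sshd[1203]: Invalid user oracle from 203.0.113.7
Nov 13 04:10:09 dns323 auth.info sshd[1205]: Invalid user test from 203.0.113.7
Nov 13 04:11:40 dns323 auth.info sshd[1210]: Accepted publickey for nas from 192.168.0.20 port 40112 ssh2
Nov  3 22:15:00 dns323 auth.info sshd[1312]: Invalid user guest from 198.51.100.44
Nov 13 04:12:00 dns323 auth.info sshd[1220]: Failed password for root from 198.51.100.44 port 33001 ssh2'

# Read log lines on stdin and print "count ip" for every source that produced
# an "Invalid user" or "Failed password" line, most active source first.
# The IP is taken as the word after "from", so the field count does not matter.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print only the sources with at least $1 failures (default 3), one IP per line.
# Successful "Accepted" logins never count, so your own sessions are ignored.
ssh_brute_force_sources() {
    threshold="${1:-3}"
    ssh_failures_by_ip | awk -v t="$threshold" '$1 >= t+0 { print $2 }'
}

# On the NAS:  ssh_brute_force_sources 5 < /var/log/messages
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | ssh_failures_by_ip
```

The IPs this prints are the ones worth feeding to denyhosts or to your firewall's block list; a single failure from an address you recognise is usually just a mistyped password.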

#10 2012-07-02 10:33:35

capitainabloc
Member
Registered: 2011-10-05
Posts: 22

Re: SSH log to catch brute-force dictionary attacks

OK, I managed to install syslogd, and now I can see the huge number of failed attempts from all over the world...

I installed denyhosts on my DNS323, but it doesn't seem to work! denyhosts.sh status is running.
The attackers' IPs are indeed written to the deny.hosts file, but when an IP attacks, it should be stopped after the first failed attempt on the root user, yet there are dozens of attempts.

Does somebody have denyhosts installed and working on a DNS323 who could help me?

Second question: I tried to change the sshd port number, in /ffp/etc/ssh/sshd_config, and by adding a flag in /ffp/start/sshd.sh, and neither has worked, even together... do you know how to do it?

Thanks.

#11 2012-07-05 14:20:29

forre
Member
Registered: 2008-04-22
Posts: 26

Re: SSH log to catch brute-force dictionary attacks

sshd has to read from /etc/hosts.deny to block IP addresses. To fix that, you need to start sshd through inetd.

#12 2012-07-09 01:49:15

bound4h
Member
Registered: 2010-04-12
Posts: 209

Re: SSH log to catch brute-force dictionary attacks

What is the model of your router?

#13 2012-07-09 06:40:27

capitainabloc
Member
Registered: 2011-10-05
Posts: 22

Re: SSH log to catch brute-force dictionary attacks

OK, I uninstalled and reinstalled denyhosts, and it works great now! So I think there may be no need to change the port now... but if you know how to do it, I'm interested!
