So, I have SSH set up with one user and I have port 22 forwarded to the NAS. While logged in via SSH at HOME, when I run top I see a lot of activity for processes called:
sshd [accepted]
sshd [priv]
or
sshd unknown
They keep popping up when I hit refresh. As soon as I turned off port forwarding for port 22, they went away so it's obviously outside my network. I read here that it's likely some kind of dictionary attack: http://forum.openvz.org/index.php?t=msg … 35448&
So my questions are:
1. Does SSH keep a log somewhere on the DNS323 (using FFP0.5) so I can see the IPs
2. Can I deny hosts somehow
3. How can I set up a log to log this info if one does not exist
Thanks
UPDATE: I figured out how to start syslogd.sh so logging is happening in /var/log/messages. Not sure if I will see ssh activity in here but I wanted to add this.
Last edited by bound4h (2010-11-13 04:40:15)
Offline
I presume your DNS box is behind your firewall and you poked a hole in it. How about restricting access at firewall level only from specific IPs?
I only enable access to my DNS323 from outside when I know I will need it, which is very seldom.
Offline
Another thing I've done with mine (explained in my guide) is use only the PPK for login. Once you're sure it works, you can disable login / pass altogether. On mine, I had to modify /mnt/HD_a2/ffp/etc/ssh/sshd_config as follows:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
Uncomment PasswordAuth and change it to no, then restart the daemon with
# service sshd restart
Last edited by InBonobo (2010-11-14 21:03:29)
Offline
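An added check for the sshd_config change described above (example code, not from the post or from ffp): it reads the first active value of each authentication keyword, treats a commented-out line as the OpenSSH default (so "#PasswordAuthentication yes" still means passwords are accepted), and reports anything that still allows password logins. The two sample config files are constructed; Match blocks and the "keyword=value" spelling are assumed absent.

```shell
#!/bin/sh
# effective_value FILE KEYWORD -> first uncommented value for KEYWORD
# (sshd honours the first match), or "default" when none is set.
effective_value() {
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-default}"
}

# audit_sshd_config FILE -> one finding per line; prints nothing when the
# file already enforces key-only logins.
audit_sshd_config() {
    f="$1"
    # OpenSSH default for PasswordAuthentication is yes, so "default" is a finding
    [ "$(effective_value "$f" PasswordAuthentication)" = no ] ||
        echo "PasswordAuthentication is not 'no': password guessing remains possible"
    # OpenSSH default for PermitEmptyPasswords is no, so "default" is acceptable
    case "$(effective_value "$f" PermitEmptyPasswords)" in
        no|default) ;;
        *) echo "PermitEmptyPasswords is enabled" ;;
    esac
    case "$(effective_value "$f" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is not explicitly restricted" ;;
    esac
    [ "$(effective_value "$f" PubkeyAuthentication)" != no ] ||
        echo "PubkeyAuthentication is 'no': key logins would be refused"
}

# Constructed samples: the commented-out defaults quoted in the post, and a
# hardened version with the same keywords set explicitly.
tmp=$(mktemp -d)
cat > "$tmp/weak_sshd_config" <<'EOF'
Port 22
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
cat > "$tmp/hardened_sshd_config" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
EOF
audit_sshd_config "$tmp/weak_sshd_config"
```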
I made a script which emails the abuse email published by the network owner in the whois database. I don't use it anymore but I did for a while. The script assumes the abuse email address is of the format abuse@<ipscompanydomain>, otherwise no mail is sent.
#!/ffp/bin/bash
#
# Mail the abuse contact of each network that produced "Invalid user"
# entries in /var/log/messages. Already-reported addresses are kept in
# IPLOGFILE so each one is reported only once.
IPLOGFILE="abuseips.txt"
TMPFILE="/ffp/tmp/abuse.tmp"
set -e
PATH=/opt/bin:/opt/sbin:/ffp/sbin:/usr/sbin:/sbin:/ffp/bin:/usr/bin:/bin
touch "$IPLOGFILE"
# Pull the source address out of every "Invalid user <name> from <ip>" line
grep 'Invalid user' /var/log/messages \
  | sed -n 's/.*Invalid user .* from \([0-9.]*\).*/\1/p' \
  | sort -u > "$TMPFILE"
# Listing IPLOGFILE twice makes "uniq -u" keep only the addresses not yet reported
for i in $(cat "$TMPFILE" "$IPLOGFILE" "$IPLOGFILE" | sort | uniq -u)
do
  echo "$i" >> "$IPLOGFILE"
  abuseip=$i
  # whois lookup; only an abuse@<domain> contact is accepted
  abusemail=$(whois "$abuseip" | grep -i -o -E 'abuse@[-a-z.A-Z0-9]*' | head -1)
  if [ -n "$abusemail" ]; then
    abusesubject="abuse: ssh hacking attempt from $abuseip"
    echo "$abusemail"
    echo "$abusesubject"
    # Send the first ten matching log lines as the report body (disabled):
    #grep "$abuseip" /var/log/messages | head -10 \
    #  | mutt -s "$abusesubject" -c mail@mymail.com "$abusemail"
  fi
done
Last edited by bjby (2010-11-14 21:51:59)
Offline
It is pretty common for attackers to focus on port 22 for SSH break-ins. I've set up my NAS to use a different port and forward that one through the router. It isn't perfect, but it helps some.
Offline
karlrado, I was thinking of doing the same thing. Can't I just forward a port (make up something, say 5555) for the EXTERNAL port to the INTERNAL port 22 of the NAS? Would this accomplish the same thing without having to change any settings on the NAS?
So, if you try to ping from external, 22 is closed and only 5555 is open. But internally, you would need to use 22. Am I saying this correctly? And would it do the same thing as you've suggested?
Offline
I think that you can do it either way, as long as your router has the flexibility. I was going to say that my router doesn't allow different source/destination (or public/private) ports, but I just looked and the router/modem combo firmware had been upgraded without me knowing about it, and it now has a new feature to allow this!
So, I was sort of forced to keep the source/destination ports the same when forwarding them in the router. And that meant changing the default SSH ports. I didn't mind this as that kept the ports the same from my point of view when I am accessing the boxes from either side of the router. It was easier for me to do that, but there's an equally valid argument to use the default ports on the internal lan.
I also picked a range and an "algorithm" that helped me remember what port is the SSH port, based on the machine's IP address. I had already modified the SSHD config file on my servers anyway, so another change for a new port number was no big deal. Yeah, it is a pain to remember to add a -p option on ssh, etc. But I also made heavy use of SSH config files already, with hosts defined with easy to remember nicknames along with all the parms that I was already overriding, such as User. Adding a port was no big deal. It takes some setup, but ends up being pretty nice in the end.
Now I forward only the SSH port to each NAS/server that I want to access externally, and then use SSH tunneling for other services, like the mediatomb port, etc. That seemed easier and perhaps more secure than forwarding tons of ports in the router. I think my particular router didn't allow port forwards to be added in the external admin mode.
Offline
Hi everyone!
I come back on this thread:
1. Does SSH keep a log somewhere on the DNS323 (using FFP0.5) so I can see the IPs
2. Can I deny hosts somehow
3. How can I set up a log to log this info if one does not exist
I would also like to know if my SSH has been attacked; where can I find a connection log?
Thanks
Offline
ok, I managed to install syslogd, and now I can see the huge amount of failed attempts from all over the world...
I installed denyhosts on my DNS323, but it doesn't seem to work! denyhosts.sh status is running.
The IPs of attackers are written correctly in the deny.hosts file, but when an IP attacks, it should be stopped after the first failed attempt on the root user, yet there are dozens of attempts.
Does somebody have denyhosts installed and working on a DNS323 who could help me?
Second question: I tried to change the sshd port number, in /ffp/etc/ssh/sshd_config, and by adding a flag in /ffp/start/sshd.sh, and neither has worked, even together... do you know how to do it?
Thanks.
Offline
sshd has to read from /etc/hosts.deny to block IP addresses. To fix that, you need to start sshd through inetd.
Offline
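For the denyhosts question above and the /etc/hosts.deny reply that follows it, here is an added example (constructed, not DenyHosts' or ffp's code) of what such a tool derives from the syslog output the first poster enabled: it counts failed sshd logins per source address and prints the TCP Wrappers "sshd: IP" entries that would block every address reaching THRESHOLD failures, or any address with a failed root login (the "stopped after the first failed attempt on root" rule). The log lines are constructed samples in the standard OpenSSH "Invalid user" / "Failed password" wording; THRESHOLD is an assumed value.

```shell
#!/bin/sh
THRESHOLD=3   # assumed cut-off for non-root guessing

# failed_logins_by_ip LOGFILE -> "count ip flag" per offending address,
# highest count first; flag is "root" when any attempt targeted root.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            # the source address always follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++
            if ($0 ~ /Failed password for root from/) root[ip] = 1
        }
        END {
            for (ip in count) {
                flag = (ip in root) ? "root" : "-"
                printf "%d %s %s\n", count[ip], ip, flag
            }
        }
    ' "$1" | sort -rn
}

# hosts_deny_lines LOGFILE -> "sshd: IP" entries in /etc/hosts.deny syntax for
# every address at or above THRESHOLD failures, or with a failed root login.
hosts_deny_lines() {
    failed_logins_by_ip "$1" \
        | awk -v t="$THRESHOLD" '$1 >= t || $3 == "root" { print "sshd: " $2 }' \
        | sort
}

# Constructed sample of /var/log/messages: three guesses from one host, one
# root guess from another, one stray guess, and a legitimate key login.
log=$(mktemp)
cat > "$log" <<'EOF'
Nov 14 21:40:01 dns323 sshd[1501]: Invalid user admin from 198.51.100.7
Nov 14 21:40:03 dns323 sshd[1502]: Invalid user oracle from 198.51.100.7
Nov 14 21:40:06 dns323 sshd[1503]: Invalid user test from 198.51.100.7
Nov 14 21:41:10 dns323 sshd[1510]: Failed password for root from 203.0.113.9 port 51022 ssh2
Nov 14 21:42:00 dns323 sshd[1520]: Invalid user guest from 192.0.2.44
Nov 14 21:43:15 dns323 sshd[1530]: Accepted publickey for bound4h from 192.168.0.10 port 40000 ssh2
EOF
hosts_deny_lines "$log"
```

The single guess from 192.0.2.44 stays below the threshold and is not blocked, which is the behaviour to expect before denyhosts has seen enough failures from a host.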
What is the model of your router?
Offline
Ok, I uninstalled and reinstalled denyhosts, and it works great now! So I think there may be no need to change the port now... but if you know how to do it, I'm interested!
Offline