Advice on hack attempts

[Chunkers]

I am a bit concerned because the logs from my Synology server report that someone is attempting to hack my NAS.

Here is a small sample from the logs :

Warning,Connection,2013/03/08 22:34:40,SYSTEM,User [ethernet] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:34:24,SYSTEM,User [legal] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:34:08,SYSTEM,User [groups] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:33:52,SYSTEM,User [group] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:33:37,SYSTEM,User [share] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:33:20,SYSTEM,User [moderator] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:33:05,SYSTEM,User [firewall] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:32:49,SYSTEM,User [eth0] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:32:32,SYSTEM,User [project] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:32:16,SYSTEM,User [beta] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:32:00,SYSTEM,User [hitch] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:31:43,SYSTEM,User [portmap] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:31:28,SYSTEM,User [home] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2013/03/08 22:31:12,SYSTEM,User [customer] from [200.85.154.2] failed to log in via [SSH] due to authorization failure.

I did an IP search on this IP and it appears to originate from Argentina (I am in the UK). Many attempts have also been made, including from other IP addresses in other countries also. I have since enabled the IP autoblock function on my server so I would expect this person to get blocked from now on.

It is just a home network and my NAS has a few movies, some music and family photos on it so not much of a target! I have a few other devices like notepad, HTPC and laptops and PC's. I have a Billion 7800n router with a firewall enabled.

I am not very knowledge-able about this stuff and am a bit worried, is there anything else I should do or be concerned about?

Regards

Chunks

 

[vdemarco]

On my machine i have set up ssh to only allow ssh's from certain IP address (work, my mother inlaws house)

I need to move this to the router. (does anyone have an example on how to do this)

Also the next version of merlin is going to have the ipset commands and kernel support, so you could block all of china/Argentina etc..

the next thing i did was add this to

the nat-start script


#!/bin/sh
modprobe xt_recent

iptables -t nat -N SSH_CHECK
iptables -t nat -I VSERVER -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -t nat -A SSH_CHECK -m recent --set --name SSH
iptables -t nat -I SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP


So this will drop someones ssh attempt if they try more than 4 times in a row.

 

[Chunkers]

Thanks for your reply, my NAS will block an IP after 5 attempts but by the look of the logs the person / bot has access to multiple IP addresses.

For the time being I think I am going to close off remote access of my NAS from the net which is a shame (for me) but I am worried that at some point my security will break.

I have no idea how I ended up being targeted for this.

Is there any point in trying to report this activity?

Regards

Chunks

 

[vdemarco]

Thanks for your reply, my NAS will block an IP after 5 attempts but by the look of the logs the person / bot has access to multiple IP addresses.

For the time being I think I am going to close off remote access of my NAS from the net which is a shame (for me) but I am worried that at some point my security will break.

I have no idea how I ended up being targeted for this.

Is there any point in trying to report this activity?

Regards

Chunks

I don't think so. I just look at my logs and laugh now.

 

[stevech]

for years, I've seen our servers get robo-atttempts to login. It can't be stopped. Mostly from Asia.

One trend I've noticed: If your IP gets posted to the DNS servers of the 'net, either static or via a dynamic DNS service, the "new" IP address seems to go to the evil-doers and they consider it fresh meat.

As an experiment, I tried running a number of servers without publishing their IP address to DNS servers. Almost no hack attempts.

 

[Chunkers]

Thanks for your replies, I feel a bit less worried now! I thought perhaps they had me confused with MI5 or the department of Defense.

Cheers

Chunks

 

[YeOldeStonecat]

Stick any device on the internet, and it gets grinding attempts within minutes. This is normal. If home users with basic linksys or netgear routers had detailed logging for its firewall features, you'd unplug it because you'd see so much activity and would get scared.

Any devices you make available on the public side (such as your NAS)...have a good complex admin password, and any other user accounts...ensure they have good passwords.

As touched on in above replies....there are tons of bots/kits which do nothing but scan IP ranges of ISPs. Thousands and thousands...no...millions and millions, of them are unleashed on the internet to go out, find things, and report back to their "owners". This is normal "noise" that it out there on the internet.

 

[stevech]

Stick any device on the internet, and it gets grinding attempts within minutes. This is normal. .

Not always practical, but if you obtain a static public IP address, don't enable WAN side ping responses, and don't allow the IP address to be sent to the DNS servers, the attacks are almost non-existent. This is my experience using cellular modems for telemetry.

 

[vdemarco]

I don't think so. I just look at my logs and laugh now.

Now I have added using ipsets, blocking of all ip addresses from China (there are very complete lists of address in CDR format from https://www.countryipblocks.net) You can get a free copy from the net.

Blocking China has pretty much slowed the hacking attempts to a crawl.

 

[YeOldeStonecat]

Not always practical, but if you obtain a static public IP address, don't enable WAN side ping responses, and don't allow the IP address to be sent to the DNS servers, the attacks are almost non-existent. This is my experience using cellular modems for telemetry.

Yes, certainly they vary, dynamic IPs will get poked less than static blocks. But then again....just sit back and let your NAT router do its job. And if you have services exposed via port forwarding...ensure those services have been hardened/secured.

Years ago as I was learning my Microsoft Server stuff at home....in the early days of broadband, I setup my Small Business Server 2000 box and put ISA 2000 on it, and swapped that in place of whatever router I was using that month. I was amazed at the logs. They were crazy huge with lots of details.

Analogy...if you roll your windows up, who cares if it's raining out?

 

[stevech]

on cellular modems for telemetry, the junk scans and probes affect airtime costs, etc.

The solution (from Verizon and others I suppose), is to buy their service where the cell modems (for M2M and telemetry) are no exposed to the Internet. You VPN into their data center to get on your own subnet.