Brute force attack although ports forwarding activated

[ColinTaylor]

To improve your security on the ssh-side, you could use ssh keys (under Administration, System) to prevent any brute-forcing of your ssh access if it is exposed to the internet.

The SSH server is on his NAS not the router. So the keys would have to be setup on the NAS.

 

[Pyb]

To improve your security on the ssh-side, you could use ssh keys (under Administration, System) to prevent any brute-forcing of your ssh access if it is exposed to the internet.

Yes, that’s what I did after this incident. But I was wondering about ports forwarding strategy, because, as I did not know very well how it works, I thought it could be a bug into router firmware.
I understood thanks to all of you it‘s not the case!

 

[Pyb]

The SSH server is on his NAS not the router. So the keys would have to be setup on the NAS.

Yes, indeed.

 

[RMerlin]

Something still not clear for me: why does the bot change its port at each attempt?

TCP is a point-to-point connection, between two ports: one on the client (the source), and one on the server (the destination).

The server port will be whatever port the server is listening to: 22 for SSH, 80 for HTTP, etc...
The client port will be a randomly selected port among ports currently available on the client. That port will change with every new connection.

 

[Pyb]

TCP is a point-to-point connection, between two ports: one on the client (the source), and one on the server (the destination).

The server port will be whatever port the server is listening to: 22 for SSH, 80 for HTTP, etc...
The client port will be a randomly selected port among ports currently available on the client. That port will change with every new connection.

Understood. And so, it means:
1) In the logs, we do not see the port which is forwarded for ssh (the port I configure into the nas). That‘s my mistake when analyzing the logs.
2) for each connexion, the hacker scans all the ports, finally find the good one and try to connect.
Am I correct?

 

[RMerlin]

) for each connexion, the hacker scans all the ports, finally find the good one and try to connect.
Am I correct?

This is most likely the case if you were using a non-standard port in your port forward rule.

Using a non standard port greatly reduces the amount of bots hitting you, but there will frequently be a few that do more in depth scans, and will find it.

 

[Pyb]

Yes that was the case here and that’s why I did not understood… I thought the ports seen in the logs were the ones the hacker tries… now It’s clear!

 

[dosborne]

Personally, with multiple NAS vendors being hit hard with ransomware attacks I would disable all dmz, upnp and port forwarding. I know your ssh was the target but you may be exposing yourself to other attacks (search on "deadbolt ransomware" for example).

The safer approach is to connect to a VPN service running on your router then access your devices through the VPN.

 

[Jumpstarter]

Personally, with multiple NAS vendors being hit hard with ransomware attacks I would disable all dmz, upnp and port forwarding. I know your ssh was the target but you may be exposing yourself to other attacks (search on "deadbolt ransomware" for example).

The safer approach is to connect to a VPN service running on your router then access your devices through the VPN.

I would only access the ssh over VPN. IMO opening one port to SSH should be considered the same as opening all ports. If having the SSH port open is necessary, then some form of IPset blocker should be inplace for inbound and/or forward traffic that matchings incoming traffic to a list of known offenders, and also a BAN list should be created for every failed login attempt with a very strict Ban approach on failed attempts. Even then I wouldn't consider the access safe unless someform of cryptographically generated keys are used for sign-in over generic password method.

 

[Pyb]

What is IMO?
I will try to increase my overall network security…

 

[ColinTaylor]

What is IMO?

In My Opinion

 

[Pyb]

Oups!

 

[Pyb]

Well, I’m looking at vpn solutions. And I see that the connexion speed may be affected. What’s your opinion? Do you have this kind of solution?

Many thanks.

 

[ColinTaylor]

Well, I’m looking at vpn solutions. And I see that the connexion speed may be affected. What’s your opinion? Do you have this kind of solution?

Many thanks.

The connection speed might be limited. It depends on how fast your internet is and how much speed you need. Maybe you don't need much speed to do what you want.

 

[Pyb]

Thanks for your feedback.
A VPN customer service explained to me their solution is not compatible with mesh system (I would like to install VPN on main router, because I have got many connected devices).
Is it something common? Never possible to install VPN on a mesh system?
Thanks to you all!

PYB

 

[ColinTaylor]

Thanks for your feedback.
A VPN customer service explained to me their solution is not compatible with mesh system (I would like to install VPN on main router, because I have got many connected devices).
Is it something common? Never possible to install VPN on a mesh system?
Thanks to you all!

PYB

It doesn't matter whether you're using AiMesh or not because the VPN client would be installed on the main router, not the nodes. It might be an issue for other mesh systems. You just need to be sure the VPN service is supported by the router (e.g. NordVPN, etc).

 

[Pyb]

It doesn't matter whether you're using AiMesh or not because the VPN client would be installed on the main router, not the nodes. It might be an issue for other mesh systems. You just need to be sure the VPN service is supported by the router (e.g. NordVPN, etc).

OK, thanks. I will check that with NordVPN.