Hi
I was "playing" with my AMPR Router yesterday
I had an open user (on purpose) and saw that from that user a few IPs (not my ones) were logged in.
After some more research I discovered that this user was opening connections to other hosts ....
That made me suspicious about what was going on ....
I checked one of the IPs that was connected and reverse resolution showed customer.worldstream.nl coming in via SSH.
I understood something not good was happening; I closed this user and rebooted the router (to clear the connection),
and then I started to get a lot of connections to port 22 on my router from that host.
I had to put a firewall rule (drop) for that address and destination port (22) (although I'm against fire-walling).
After less than 24 hours the traffic stopped from that host; the traffic (via UCSD (encapped)) went down from 19 KBytes/sec to less than 1 Kbyte/sec.
Now, I know how to deal with the technical aspects (firewall etc.).
What I don't understand is what the purpose is ... If it is a robot, what is the point of flooding SSH connections? Is it brute force? Or anything else? And how come that after 24 hours it stopped? It's supposed to be an endless loop if it is an automated process.
Please light my eyes on that if you have more experience than me.
Currently the router is "quiet", without unwanted users logged in and unnecessary connections.
I see in the log here and there break-in attempts, mainly to ports 23, 22 and SIP, from various hosts, but it is a few a minute.
Regards
Ronen - 4Z4ZQ
Ronen Pinchooks (4Z4ZQ) WebSite: http://www.ronen.org/
Hey Ronen,
Unfortunately that is "normal" behaviour these days on the internet. Bots scanning networks for ssh/telnet/sip to abuse and continue spreading. It stops after a while from that particular IP when that IP gets blocked, but will then continue from other IPs. That is how botnets work around firewalls: if one IP gets blocked, they just retry from other hosts under their control. It is best practice to firewall anything inbound that you don't need publicly available from the internet.
Ruben - ON3RVH
On 23 May 2017, at 07:24, R P ronenp@hotmail.com wrote:
Several of the servers at work regularly see ping requests in the hundreds per second, and amprgw sees them as well. I have ping responses throttled to 5 per second on most of my hosts in order to be a good network neighbor. I log a lot of 'open port RST response' probes as well.
I assume these are partly just curious scanners looking for live hosts in our network ranges, but a lot of them are probably requests with forged/spoofed source addresses so as to attack other systems.
The thousands of failed attempts per day to log in as 'root' are also annoying and pollute my log files. Many of these servers are used legitimately by researchers all around the world, so it's not practical to firewall them off from the outside world. I do have root logins disabled, so even if the probers guess the right password, they can't log in as root. And I use 'denyhosts' and 'fail2ban' to block the probers, but there's always another one waiting to start.
During one hour yesterday that I looked at, according to the netflow data for amprgw, as much as half of the inbound packets were DNS queries to either of two hosts on the 44.44.7.224 subnet. There are up to hundreds of these requests per second from many varied source addresses. Those two hosts used to respond to the queries; they don't any more.
It's a hostile world out there. - Brian
On Tue, May 23, 2017 at 06:40:54AM +0000, Ruben ON3RVH wrote:
Brian,
For failed SSH login attempts, you might look at fail2ban; configure that one with 2 auth failures and repeat offenders and you'll be golden and rid of those thousands of login attempts :)
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net [mailto:44net-bounces+on3rvh=on3rvh.be@hamradio.ucsd.edu] On Behalf Of Brian Kantor
Sent: Tuesday 23 May 2017 12:51
To: AMPRNet working group 44net@hamradio.ucsd.edu
Subject: Re: [44net] probbing and attacks on my router
Well, I use 'denyhosts' which works the same way as 'fail2ban' and I have it set to allow 5 tries (at 2 tries max, I had too many of my legitimate clients who flubbed their logins get banned and had to contact me). I still get thousands of login attempts per day because there are so many different sources of the probes. Block one and two more spring up to twist the doorknobs. Apparently we're a prime target. - Brian
On Tue, May 23, 2017 at 10:57:47AM +0000, Ruben ON3RVH wrote:
For failed SSH login attempts, you might look at fail2ban; configure that one with 2 auth failures and repeat offenders and you'll be golden and rid of those thousands of login attempts :)
Everyone running a public ssh/ftp/whatever service is a prime target these days :/
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net [mailto:44net-bounces+on3rvh=on3rvh.be@hamradio.ucsd.edu] On Behalf Of Brian Kantor
Sent: Tuesday 23 May 2017 13:05
To: AMPRNet working group 44net@hamradio.ucsd.edu
Subject: Re: [44net] probbing and attacks on my router
Yes, that's true. The one I'm thinking of in particular is also a web server serving several dozen domains, so it's a rather visible target. - Brian
On Tue, May 23, 2017 at 11:06:32AM +0000, Ruben ON3RVH wrote:
Everyone running a public ssh/ftp/whatever service is a prime target these days :/
73,
Ruben - ON3RVH
The bigger the wall is built, the taller the ladders get :-(
On 2017-05-23 08:04 AM, Brian Kantor wrote:
After I researched some of the options in the past (all of which required installation of more software), I decided on iptables entries that 'flag' and DROP the IP for 5 minutes after 5 connection attempts.
iptables -I FORWARD -p tcp --dport 22 -i eth0.2 -m state --state NEW -m recent --name ssh --update --seconds 300 --hitcount 5 -j DROP
iptables -I FORWARD -p tcp --dport 22 -i eth0.2 -m state --state NEW -m recent --name ssh --set
This also covers scanning of the port if it takes more than 5 tries to determine it's SSH. Configuring SSH or your port forward to connect to the SSH on a non-standard port reduced my scan attempts to 0%. Be careful that you type your password correctly from now on...you only get 5 attempts...lol.
- Lynwood KB3VWG
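The threshold trade-off the thread is debating (Ruben's 2 failures vs Brian's 5, Lynwood's 5 hits in 300 seconds) can be seen on sample data with this added Python example, which is not code from any of the posters: it simulates a fail2ban-style sliding window over constructed sshd log lines (RFC 5737 documentation addresses) and shows that the 2-try setting also bans a legitimate guest who fumbles twice, while a slow scanner that spaces its tries beyond the window is never caught at either setting.

```python
"""Sliding-window ban logic like fail2ban/denyhosts and the iptables 'recent'
rules in this thread: MAXRETRY failures from one source inside FINDTIME seconds
ban it for BANTIME seconds. Added example; log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ "
                    r"from (\d+\.\d+\.\d+\.\d+) port")
# Constructed sshd lines: a fast bot (5 tries in 5 s), a legitimate guest who
# fumbles twice then succeeds, and a slow scanner spacing tries 3 min apart.
SAMPLE_LOG = """\
May 23 07:00:01 gw sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
May 23 07:00:02 gw sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
May 23 07:00:03 gw sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
May 23 07:00:04 gw sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
May 23 07:00:05 gw sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
May 23 07:05:10 gw sshd[1101]: Failed password for guest from 198.51.100.7 port 50001 ssh2
May 23 07:05:25 gw sshd[1102]: Failed password for guest from 198.51.100.7 port 50002 ssh2
May 23 07:05:40 gw sshd[1103]: Accepted password for guest from 198.51.100.7 port 50003 ssh2
May 23 07:10:00 gw sshd[1201]: Failed password for root from 203.0.113.9 port 60001 ssh2
May 23 07:13:00 gw sshd[1202]: Failed password for root from 203.0.113.9 port 60002 ssh2
May 23 07:16:00 gw sshd[1203]: Failed password for root from 203.0.113.9 port 60003 ssh2
"""

def parse_failures(log_text, year=2017):
    """Yield (epoch_seconds, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts.timestamp(), m.group(2)

def simulate_bans(log_text, maxretry, findtime, bantime):
    """Return {ip: ban_start_epoch} for sources reaching maxretry failures in a
    findtime window; a banned source's packets are ignored until the ban ends."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}                   # ip -> time the ban started
    for now, ip in parse_failures(log_text):
        if ip in banned and now < banned[ip] + bantime:
            continue              # still banned: the packet would be dropped
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] > findtime:
            hits.popleft()        # forget failures outside the window
        if len(hits) >= maxretry:
            banned[ip] = now
            hits.clear()
    return banned

if __name__ == "__main__":
    for maxretry in (2, 5):       # Ruben's 2 tries vs Brian's 5 tries
        bans = simulate_bans(SAMPLE_LOG, maxretry, findtime=300, bantime=3600)
        print(f"maxretry={maxretry}: banned {sorted(bans)}")
```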
Alternate SSH ports are a good plan. Internally we use pubkey ssh mostly, so flubbed passwords are much less common, but we have so many legitimate 'guest' users that password-enabled logins are still needed.
FreeBSD doesn't have 'iptables', that's mostly a Linux thing. It has 'ipfw', which I'm getting pretty good at. :-) - Brian
On Tue, May 23, 2017 at 07:08:08AM -0400, lleachii--- via 44Net wrote:
Hello Lynwood et al.
Amongst many other iptables rules I use the following:
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
...
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
The above rules together with fail2ban effectively block/unblock portscan attempts for a predefined period of time, here 86400 seconds.
Best regards. Tom - SP2L
I'm just curious why you are against firewalling your hosts. If you don't want someone connecting to your device over SSH, just set up a rule that blocks it at the router level and be done with it. On my router, I only allow SSH from a couple of known hosts (my work subnets as an example). When I opened up my firewall to allow SSH to itself, I got over 66,000 ssh login attempts within a few hours.
Thanks
Craig
On Tue, May 23, 2017 at 8:14 AM, SP2L SP2L@wp.pl wrote:
You say "used legitimately"
Does opening tens of connections to, say, port 22 in a second sound legitimate? For me no ... am I right?
Maybe in a big university lots of students do SSH, but in AMPRNet certainly not .. it's OK to run probers at, let's say, 1 connection a second ......
When I wanted to run a network monitor that did 5 pings every few minutes you all shouted at me not to do it (and my intention was to provide a real-time network map, accessible by web to all the AMPRNET users, to see which gateway is up and which is not) ... So how come tens of connection tries in a second from the same host to the same destination are considered "legitimate"?
And this leads me to the second issue/question:
I want to put a dynamic blacklist in my router to block these incidents (of, let's say, more than 10 connections from the same host to the same target in a second) for, let's say, an hour.
I have Mikrotik.
Are there any experts that can tell me if that can be done with Mikrotik or I need a clever firewall in front of it?
Regards
Ronen - 4Z4ZQ
From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu
Sent: Tuesday, May 23, 2017 3:51 AM
To: AMPRNet working group
Subject: Re: [44net] probbing and attacks on my router
> Many of these servers are used legitimately by researchers all around the world, so it's not practical to firewall them off from the outside world.
Ronen,
I agree with Ruben.
Regarding that connection, if it was inbound, they may have successfully logged into a device. Its Command Server may simply be maintaining the connection, testing SSH tunneling, seeing if it does X11, Secure Copy, etc.
If it's a hosted VPS service and SSH keys are allowed for login, make sure YOU MADE FRESH KEYS for your VPS' SSH server. If this is a state actor (or even another customer in the same company), they may have your private SSH key.
And in fact, if you determine you've been logged into, you may wish to start with a fresh install/VM.
73,
- Lynwood KB3VWG