milks
Tutor
Jan 19, 2015

Disable SSH with a cron job

Hi


Someone is attempting to brute force SSH access on my ReadyNAS Ultra2 from multiple IPs. This can be in the form of several hundred login attempts within a second at a particular time of day. I have denyhosts installed, so each IP is blocked from there on, and my password is decent, so I'm not really worried they'll be successful, but I'd still like to dissuade them from doing so.

I'm attempting to disable SSH each day when the attack is made so I have a couple of jobs scheduled in crontab:

firstly
/etc/init.d/ssh stop
followed by
/etc/init.d/ssh start
a while later. However, this doesn't appear to be disabling SSH, as the attempts still get through. Does this look like the correct command?

I can't see any log from crontab; nothing shows up in syslog at the relevant time of day. Is there a better approach to deal with my NAS's fan club?

TIA 8)
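One way to run the stop/start from cron so that every run leaves a line in syslog, as an added example (not code from the original post): a single script, scheduled every few minutes in root's crontab, that keeps sshd stopped inside a daily window and records whether port 22 is still listening. The 02:00-03:00 window, the script path, the syslog tag and the availability of `logger` and `netstat` on the NAS are assumptions; `/etc/init.d/ssh` is the init script named in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed root crontab entry (cron runs with a minimal PATH, so use absolute paths):
#   */5 * * * * /root/ssh-window.sh --enforce
WINDOW_START="02:00"   # assumed start of the daily attack window
WINDOW_END="03:00"     # assumed end; may be earlier than start to span midnight
TAG="ssh-window"       # assumed syslog tag, so each run can be found in syslog

# to_minutes HH:MM -> minutes since midnight (leading zeros stripped to avoid octal)
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window NOW START END -> exit 0 if NOW is inside [START, END)
in_window() {
    now=$(to_minutes "$1"); start=$(to_minutes "$2"); end=$(to_minutes "$3")
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        # window wraps past midnight, e.g. 23:30-00:30
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# desired_action NOW -> "stop" inside the window, "start" outside it
desired_action() {
    if in_window "$1" "$WINDOW_START" "$WINDOW_END"; then echo stop; else echo start; fi
}

# Only touch the service when called with --enforce (as the crontab line does).
# Assumes the init script treats stop/start as a no-op when already in that state.
if [ "${1:-}" = "--enforce" ]; then
    action=$(desired_action "$(date +%H:%M)")
    /etc/init.d/ssh "$action" >/dev/null 2>&1
    rc=$?
    # Check the listener itself rather than trusting the init script's exit code.
    if netstat -tln 2>/dev/null | grep -q ':22 '; then state=listening; else state=closed; fi
    logger -t "$TAG" "ssh $action exit=$rc, port 22 $state"
fi
```

If no `ssh-window` lines appear in syslog at all, the job is not being run by cron; if they appear with `port 22 listening` inside the window, the stop command is not taking effect.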

9 Replies

  • StephenB
    Guru - Experienced User
    You might want to contact your ISP.

    Is there a reason for forwarding port 22 to the NAS?
  • Hadn't thought to contact my ISP about it, is there much they can do if it's from a range of addresses?

    The NAS is a gateway to the rest of my network; I need SSH access to occasionally restart a box or do some development work remotely.
  • StephenB
    Guru - Experienced User
    I'm not sure how much they will do, but they also are impacted, since the traffic from such attacks also hammers their network (this assumes you are not uniquely targeted). They can track down the IP address owners, and complain to their ISPs. You can potentially do the same, but you likely won't have the same clout.

    You could also try forwarding a non-standard port (something over 49152) to the NAS port 22. Then specify that port in putty (or whatever you are using remotely). That would let you close port 22 in your router/firewall.
  • I think I've (unsuccessfully) tried to forward to a different port number in the past. I'm not exactly a Linux pro... am I right in thinking this can be achieved with iptables?
  • StephenB
    Guru - Experienced User
    You'd normally do it just in your router; there is no need to do it in the NAS.

    When you said that you were using the NAS as a gateway, did you mean that there is no NAT router between it and the internet?
  • Yes, there is a NAT router between it and the internet; I'll have a play and see where I get.

    Thanks for the help!
  • StephenB
    Guru - Experienced User
    There is a way to change the ssh port in Linux generally, but that could possibly create issues for remote Netgear support. It's easy to find guides on this, but I think changing the forwarding is easier/safer.

    If the NAT router is set up for remote administration, you can also leave the port unforwarded, and simply turn on forwarding manually when you need it. Of course you need a strong password on the router (and should use https for remote administration, not http).

    I've seen similar automated attacks on well-known ports, and in my experience switching to a non-standard port usually resolves them. Fundamental security isn't changed (since the attack is still possible, just on a different port). But generally attacks like this are focused on well-known ports, where the application is easily inferred from the port number.
  • This is not uncommon. If you forward the port from your router, sooner or later you'll start being attacked. Most of my hits were from Chinese locations :-). On OS4, denyhosts and changing the port is probably the best you can do.

    If you are running OS6, the system has iptables, so you can install knockd. Basically, with this you set iptables to block all port 22 traffic, and then remotely you can send a sequence of packets to knockd that will tell it to configure iptables to let your one remote IP address into port 22. The reverse knock sequence will remove the access for that remote IP address.

    steve
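The open / reverse-close knock scheme described above, as an added example that is not part of the original post: a script that renders a knockd.conf whose close sequence is the open sequence reversed. The ports 7000,8000,9000, the 10-second timeout, the log file path and the `/sbin/iptables` path are constructed sample values, not settings taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Sample values are constructed.
# Baseline rules assumed to be loaded already (block all new port 22 traffic):
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j DROP

# reverse_seq "7000,8000,9000" -> "9000,8000,7000"
reverse_seq() {
    echo "$1" | awk -F, '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? "," : "\n") }'
}

# render_knockd_conf OPEN_SEQ -> knockd.conf text on stdout
render_knockd_conf() {
    open_seq=$1
    close_seq=$(reverse_seq "$open_seq")
    cat <<EOF
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = $open_seq
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = $close_seq
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Print the config only when asked, e.g.: sh knock-conf.sh --print > /etc/knockd.conf
if [ "${1:-}" = "--print" ]; then
    render_knockd_conf "7000,8000,9000"
fi
```

The open command uses `-I` so the per-IP ACCEPT rule lands ahead of the appended DROP rule; `-A` would place it after the DROP, where it never matches. Behind a NAT router, the knock ports also have to be forwarded to the NAS for knockd to see them.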
  • StephenB
    Guru - Experienced User
    dsm1212 wrote:
    This is not uncommon. If you forward the port from your router, sooner or later you'll start being attacked. Most of my hits were from Chinese locations :-). On OS4, denyhosts and changing the port is probably the best you can do.

    If you are running OS6, the system has iptables, so you can install knockd. Basically, with this you set iptables to block all port 22 traffic, and then remotely you can send a sequence of packets to knockd that will tell it to configure iptables to let your one remote IP address into port 22. The reverse knock sequence will remove the access for that remote IP address.

    steve

    I'd try just changing to a non-standard port first, and see if that resolves the problem without the other steps. And of course keep an eye out for future attacks.
