
Disable SSH with a cron job

milks
Tutor

Disable SSH with a cron job

Hi


Someone is attempting to brute force SSH access on my ReadyNAS Ultra2 from multiple IPs. This can be in the form of several hundred login attempts within a second at a particular time of day. I have denyhosts installed so each IP is blocked from there on and my password is decent so I'm not really worried they'll be successful but I'd still like to dissuade them from doing so.

I'm attempting to disable SSH each day when the attack is made so I have a couple of jobs scheduled in crontab:

firstly
/etc/init.d/ssh stop
followed by
/etc/init.d/ssh start
a while later. However, this doesn't appear to be disabling SSH, as the attempts still get through. Does this look like the correct command?

I can't see any log from crontab; nothing shows up in syslog at the relevant time of day. Is there a better approach to deal with my NAS's fan club?

TIA 😎
Message 1 of 10
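
An added example, not part of the original post: before scheduling anything around the attack window, it helps to confirm from the SSH log which hour the failed logins arrive in and how many source addresses are involved. The log lines below are constructed in the usual syslog/OpenSSH format; the host name, users and addresses are placeholders, and the location of the real log on the NAS is not given in the thread.

```shell
#!/bin/sh
# Constructed sample input; on a real system pipe the SSH auth log into
# failed_login_summary instead (its path depends on the firmware).
sample_log() {
cat <<'EOF'
Mar  3 02:14:07 nas sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 02:14:07 nas sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 02:14:07 nas sshd[2103]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 02:14:08 nas sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 40031 ssh2
Mar  3 02:14:08 nas sshd[2105]: Failed password for root from 198.51.100.7 port 51251 ssh2
Mar  3 09:30:12 nas sshd[2290]: Accepted password for milks from 192.0.2.44 port 50100 ssh2
Mar  4 02:13:59 nas sshd[2307]: Failed password for root from 192.0.2.200 port 33900 ssh2
EOF
}

# Print "hour <HH> <count>" and "ip <addr> <count>" for failed SSH logins,
# hours first, then addresses with the busiest source at the top.
failed_login_summary() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":")              # $3 is HH:MM:SS
        hour[t[1]]++
        # The user name is chosen by the remote side and may itself contain
        # "from <addr>", so take the address by position from the line end:
        # ... from <addr> port <n> ssh2
        if ($(NF - 4) == "from" && $(NF - 2) == "port")
            ip[$(NF - 3)]++
    }
    END {
        for (h in hour) print "hour", h, hour[h]
        for (a in ip)   print "ip", a, ip[a]
    }' | sort -k1,1 -k3,3nr -k2,2
}

sample_log | failed_login_summary
```
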
StephenB
Guru

Re: Disable SSH with a cron job

You might want to contact your ISP.

Is there a reason for forwarding port 22 to the NAS?
Message 2 of 10
milks
Tutor

Re: Disable SSH with a cron job

Hadn't thought to contact my ISP about it, is there much they can do if it's from a range of addresses?

The NAS is a gateway to the rest of my network; I need SSH access to occasionally restart a box or do some development work remotely.
Message 3 of 10
StephenB
Guru

Re: Disable SSH with a cron job

I'm not sure how much they will do, but they also are impacted, since the traffic from such attacks also hammers their network (this assumes you are not uniquely targeted). They can track down the IP address owners, and complain to their ISPs. You can potentially do the same, but you likely won't have the same clout.

You could also try forwarding a non-standard port (something over 49152) to the NAS port 22. Then specify that port in putty (or whatever you are using remotely). That would let you close port 22 in your router/firewall.
Message 4 of 10
milks
Tutor

Re: Disable SSH with a cron job

I think I've (unsuccessfully) tried to forward to a different port number in the past. I'm not exactly a Linux pro... am I right in thinking this can be achieved with iptables?
Message 5 of 10
StephenB
Guru

Re: Disable SSH with a cron job

You'd normally do it just in your router; there is no need to do it in the NAS.

When you said that you were using the NAS as a gateway, did you mean that there is no NAT router between it and the internet?
Message 6 of 10
milks
Tutor

Re: Disable SSH with a cron job

Yes, there is a NAT router between it and the internet; I'll have a play and see where I get.

Thanks for the help!
Message 7 of 10
StephenB
Guru

Re: Disable SSH with a cron job

There is a way to change the SSH port in Linux generally, but that could possibly create issues for remote Netgear support. It's easy to find guides on this, but I think changing the forwarding is easier/safer.

If the NAT router is set up for remote administration, you can also leave the port unforwarded, and simply turn on forwarding manually when you need it. Of course you need a strong password on the router (and should use https for remote administration, not http).

I've seen similar automated attacks on well-known ports, and in my experience switching to a non-standard port usually resolves them. Fundamental security isn't changed (since the attack is still possible, just on a different port). But generally attacks like this are focused on well-known ports, where the application is easily inferred from the port number.
Message 8 of 10
dsm1212
Apprentice

Re: Disable SSH with a cron job

This is not uncommon. If you forward the port from your router sooner or later you'll start being attacked. Most of my hits were from Chinese locations :-). On OS4 denyhosts and changing the port is probably the best you can do.

If you are running OS6, the system has iptables so you can install knockd. Basically with this you set iptables to block all port 22 traffic and then remotely you can send a sequence of packets to knockd that will tell it to configure iptables to let your one remote IP address into port 22. The reverse knock sequence will remove the access for that remote IP address.

steve
Message 9 of 10
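
An added example, not part of the original post, of the knockd arrangement described above: a baseline that drops new connections to port 22, an opening knock that admits only the knocking address, and the reverse knock that removes it. The knock ports, timeouts and the use of the conntrack match are assumptions made for illustration; the script only prints the rules and the knockd.conf text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Knock ports are placeholders chosen for this example; pick your own.
OPEN_SEQ="7000,8000,9000"
CLOSE_SEQ="9000,8000,7000"     # the reverse sequence removes the access

# Baseline firewall: keep sessions that are already established, drop every
# new connection to port 22. Printed, not executed, so nothing changes until
# the rules have been reviewed and applied by hand.
baseline_rules() {
cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# knockd.conf text. knockd replaces %IP% with the address that sent the
# knock, so only that one remote address is let in. The open rule is
# inserted at position 1 so that it is evaluated before the DROP rule.
knockd_conf() {
cat <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = $OPEN_SEQ
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = $CLOSE_SEQ
    seq_timeout = 10
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

baseline_rules
knockd_conf
```

Because established sessions are accepted ahead of the DROP rule, sending the closing knock stops new logins from that address without cutting off a session that is already open.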
StephenB
Guru

Re: Disable SSH with a cron job

dsm1212 wrote:
This is not uncommon. If you forward the port from your router sooner or later you'll start being attacked. Most of my hits were from Chinese locations :-). On OS4 denyhosts and changing the port is probably the best you can do.

If you are running OS6, the system has iptables so you can install knockd. Basically with this you set iptables to block all port 22 traffic and then remotely you can send a sequence of packets to knockd that will tell it to configure iptables to let your one remote IP address into port 22. The reverse knock sequence will remove the access for that remote IP address.

steve

I'd try just changing to a non-standard port first, and see if that resolves the problem without the other steps. And of course keep an eye out for future attacks.
Message 10 of 10