Soorma

Brute force ssh attacks


Anyone else seeing this? My firewall reported that my "server ip" is getting a brute force SSH attack.

The attack is coming from China IPs.

Thanks

-Soorma


Any computer connected to the net is going to see attacks.

Me personally, I don't have anything accessible to the net...

My firewall, CCTV camera server & Diskstation 212+ also have an open SSH port, but the attack was only going to the Xpenology box IP. I did have the default MAC address / SN# but I changed it last night.


Change MAC and S/N and they will be gone.

Otherwise change the default port; having common ports opened on the default port number is not a good idea.


I set my MAC address to native for my card and randomized the other three dummy MACs. I also changed the SSH port as well. That stopped everything for a couple of weeks, but I did see some fresh IP blocks yesterday in my logs (I block after five failed attempts)... Definitely changing to a non-default port cut way way down on the attacks though.

Frank


I changed the MAC address, SN and default ports, but I am still being attacked from a China IP (218.6.6.70 => Fuzhou, Fujian, China).

Please teach me how to check whether someone has successfully attacked my NAS or not?

2014_02_17_08_25_47.png

[attachment=0]Capture.PNG[/attachment]

Change your ssh port number from 22 to something else and then do auto block IP after 3-4 failed tries etc.


For an added layer you can forward a port in your router to your SSH port on DSM.

Your router's config would look like this:

External port : 35775
Internal port : 22

Now you only have to connect to it using ssh -p 35775 user@ip

You can also disable the ability to ssh as root; this is common practice on any ssh box. You can then log in as, say, "admin" and switch to root if you have to. DSM is particular tho, and we have to change something first or we won't be able to switch user afterwards.

1. Login as ssh root@dsm
2. Change permissions on /bin/su with chmod a+s /bin/su
3. Try it, login with ssh admin@dsm
4. Type su
5. Enter password and type whoami  < this should return "root"
6. Disable root login in /etc/ssh/sshd_config
   - as root user do vi /etc/ssh/sshd_config
   - locate the line that says #PermitRootLogin yes
   - Press insert and edit it so it looks like "PermitRootLogin no"
   - Press escape and type ":wq" and press enter
7. In the web GUI, Control Panel > Terminal > Disable SSH and apply > Enable SSH and apply
8. Try to connect as root, it shouldn't let you anymore, so connect as admin

That's it, nobody can connect to your DSM as root any longer, but you still have root capabilities!
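
A check for step 6 above, as an added example that is not part of the original post: it reads an sshd_config text and reports the PermitRootLogin value sshd would apply. It covers the cases where the edit silently fails: the `#` left in place, a second line added below an existing one (sshd uses the first value it obtains for a keyword), and a Match block that turns root login back on. The config excerpts are constructed and `audit_root_login` is a hypothetical helper name.

```python
# Constructed sshd_config excerpts (sample input, not taken from the thread's NAS).
SAMPLES = {
    "untouched": "#PermitRootLogin yes\n",
    "edited": "#Port 22\nPermitRootLogin no\n",
    "appended": "PermitRootLogin yes\nUsePAM yes\nPermitRootLogin no\n",
    "match": "PermitRootLogin no\nMatch Address 192.168.1.0/24\n    PermitRootLogin yes\n",
}


def audit_root_login(config_text):
    """Report what sshd would apply for PermitRootLogin (hypothetical helper)."""
    global_value = None    # first uncommented global occurrence: the one that counts
    shadowed = []          # later global occurrences, which sshd ignores
    match_overrides = []   # (match criteria, value) pairs set inside Match blocks
    match = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue       # "#PermitRootLogin yes" is a comment, not a setting
        parts = line.split(None, 1)
        key = parts[0].lower()   # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value        # lines after this apply only when it matches
        elif key == "permitrootlogin":
            if match is not None:
                match_overrides.append((match, value.lower()))
            elif global_value is None:
                global_value = value.lower()
            else:
                shadowed.append(value.lower())
    return {
        "global": global_value,  # None means the compiled-in default applies
        "shadowed": shadowed,
        "match_overrides": match_overrides,
        "root_login_disabled": global_value == "no"
        and all(v == "no" for _, v in match_overrides),
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_root_login(text))
```

On the box itself, `sshd -T` prints the effective configuration after parsing, and step 8 (an actual root login attempt) remains the final confirmation.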