[HamWAN PSDR] Recently connected... Now being attacked?

Bart Kus me at bartk.us
Sun Dec 29 13:42:36 PST 2013


Hi Jason,

Congrats on the successful link!  If I'm reading it correctly, with 0 
assistance?  You have an excellent signal strength (-61dBm) and the 
16.2Mbit you're seeing is the limit of our presently configured 5MHz 
channels.  This narrow bandwidth was chosen to optimize coverage over speed.

You're also the first node on the other side of the Puget Sound, so 
cheers for that.  :)  Can you share some pix / details of the setup?

The attack you're seeing is all automatic botnet stuff.  We see it 24/7 
on all the routers and servers.  It's just a sad fact about being on the 
Internet.  We can do a few things to help:

1) Sounds like you already installed the firewall rules that discard 
packets from IPs with repeated failed login attempts.  I don't recall 
our rules for dealing with this being published anywhere though, so 
which rules did you use?  We can compare/share our rules, although I'm 
too lazy to pull them up right now.  :)

2) We can push rules to our edge routers that would prevent this traffic 
from hitting your IP(s).  It's up to you how severe you want to make 
these.  "Kill all internet" being the extreme. "Apply your edge router 
dynamic blacklist to my IP's traffic" being probably the least extreme.  
We can also just block all TCP port 22 traffic from going to you, but 
that's probably also not desired.

One simple option you have is to practice some security through 
obscurity and remap the ssh port to a non-standard number.  This is done 
in the /ip service menu.

Above all else though, be sure you don't use the default "admin" 
account, but instead create a k7jmm account or something.  Set a very 
long passphrase on it (no need to remember it) and enable ssh-key 
authentication on the account.  One of the quirks of RouterOS is when an 
account has an ssh-key defined for authentication, password 
authentication is effectively disabled. The password auth will still 
work for that account for other services though, like winbox.

For any servers you attach for the network, I would recommend using 
sshguard (http://www.sshguard.net/).  It's a nice light solution, and 
I've used it successfully for years.

Anyway, congrats on the link!  If you'd like to help in beta-testing 
some new features, please join #HamWAN on freenode.

--Bart
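
For anyone who wants the concrete commands behind the four points above, the following is an added example written for this thread; it is not Bart's configuration, not the HamWAN project's rules, and not taken from the mailing list. It follows the well-known RouterOS staging pattern for brute-force protection (address lists ssh_stage1 to ssh_stage3 feeding a blacklist) and assumes two placeholder values: SSH moved to port 2222 and a new full-rights user named k7jmm. The key file k7jmm.pub is assumed to have been uploaded to the router beforehand.

```routeros
# Added example, not from the thread. Assumptions: SSH is remapped to
# port 2222 and the replacement account is named k7jmm (placeholder
# values); k7jmm.pub has already been uploaded to the router's file list.

# 1) Security through obscurity: move SSH off port 22 and turn off the
#    cleartext management services (all in the /ip service menu).
/ip service set ssh port=2222
/ip service disable telnet
/ip service disable ftp
/ip service disable www

# 2) Stage SSH connection attempts in address lists. Each *new* TCP
#    connection to the SSH port moves the source one stage further; a
#    fourth new connection in quick succession lands it on ssh_blacklist
#    for 10 days. The firewall cannot see a login failure, so it counts
#    new connections instead; a legitimate user who logs in once and
#    stays connected never gets past stage 1.
#    Order matters: RouterOS evaluates filter rules top to bottom, so the
#    drop rule for the blacklist must come first.
/ip firewall filter
add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist \
    action=drop comment="drop SSH brute forcers"
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="SSH stage3 -> blacklist"
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m \
    comment="SSH stage2 -> stage3"
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="SSH stage1 -> stage2"
add chain=input protocol=tcp dst-port=2222 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="SSH first attempt -> stage1"

# 3) Replace the default admin account. Give the new user a long random
#    passphrase (it still applies to winbox and other services), import
#    an SSH public key so SSH no longer accepts the password for this
#    user, then disable admin once the new account is verified to work.
/user add name=k7jmm group=full password="<long random passphrase>"
/user ssh-keys import user=k7jmm public-key-file=k7jmm.pub
/user disable admin

# 4) See which sources are currently staged or blocked.
/ip firewall address-list print where list=ssh_blacklist
/ip firewall address-list print where list~"ssh_stage"
```

Apply step 3 from a session you can keep open, and confirm the key-based login works before disabling admin; if the rules in step 2 are added before the service port is changed, adjust dst-port to match whatever port SSH actually listens on, otherwise the staging never triggers.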


On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:
> Having worked as a security-focused network engineer at a wireless 
> ISP, I can tell you that it's very likely an automated attack against 
> the whole address block in which you reside.
> One way to harden yourself is to deploy two-factor authentication: 
> password and SSL certificate.
> 73, Daniel K7DGL
>
>
> On Sun, Dec 29, 2013 at 12:21 PM, Jason Maher <jason at jmaher.org> wrote:
>
>     Hi folks,
>
>     I have recently connected to the PSDR from my QTH in Suquamish via
>     the Capital Park node. My Metal 5SHPN is fed from a Poynting 31dBi
>     Grid antenna. I have a 16.2 Mbps connection at 21.4 Kilometers!
>
>     My concern is that it appears that someone is attempting to log
>     into my router as root via SSH. There are multiple log entries
>     every day citing "login failures". A whois on any of the IPs shows
>     up as originating from China.
>
>     A few examples:
>
>     58.215.56.110
>     120.105.81.190
>     49.203.248.133
>     202.119.236.121
>     95.211.8.134
>
>     I have applied the suggested scripts to blacklist an IP after
>     several failed attempts. I also have a hardware firewall between
>     the router and my LAN.
>
>     Are these just normal internet hacking attempts from bots, or is
>     there something else going on?
>
>     Thanks!
>
>     --Jason
>     K7JMM
>
>     _______________________________________________
>     PSDR mailing list
>     PSDR at hamwan.org
>     http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
