Hacker attack on sftp?

iobi
Posts: 19
Joined: Mon Feb 13, 2017 6:00 pm

Hacker attack on sftp?

Post by iobi »

Hello
I open the thread to report or ask about this:

Sunday 15 August I go home at 12:00 and I notice that my NAS has the LEDs on in night mode. Strange.
I check if something went wrong during the scheduled reboot (which is very common, unfortunately) and I don't notice anything. Intrigued, I go to "System Information -> Log" and notice a strange list of events.

These events are failed SFTP login attempts from an IP address.
The log reported connection attempts
From 14/08/2021 21:00
To 15/08/2021 09:28

So I immediately proceeded to change the passwords of my NAS.

Today I checked the situation and noticed that the login attempts were repeated but from another IP address
From 08/15/2021 20:16
To 08/15/2021 10:14 pm

Beyond these episodes, there seem to be no other events, for now.

A friend (systems engineer) helped me and traced the ownership of one of the IPs explaining that it would be a hosting / cloud service that could have been hacked and used as a support for these attacks.

Has anyone else encountered such problems with their NAS these days, or am I the only victim?!
Nazar78
Posts: 2079
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Hacker attack on sftp?

Post by Nazar78 »

This is common, I had many similar episodes with bots. Suggest that you disable SFTP/SSH access from the internet unless you understand its risk.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
iobi
Posts: 19
Joined: Mon Feb 13, 2017 6:00 pm

Re: Hacker attack on sftp?

Post by iobi »

Nazar78,
thanks for your attention and sorry for my delay.

So you tell me is it common? I had never noticed these login attempts, not even when I had poor nas performance (less ram).

Could the login failure be related to the fact that I changed the SFTP port from the standard one OR that it was not open on the router's NAT functions?

However, I don't think I've ever used the SFTP function outside my home, so for now I disable this function from the "Services" menu.

Are there any Asustor apps that use the SFTP protocol? For example, I use AiFoto backup, sharing files from "File Explorer" with friends, accessing my files from outside, and I wouldn't want to lose these comforts.
Nazar78
Posts: 2079
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Hacker attack on sftp?

Post by Nazar78 »

> So you tell me is it common? I had never noticed these login attempts, not even when I had poor nas performance (less ram).

Yes, this is very common. Review your router logs if they are capable and set to capture this traffic, you'll be astounded by the amount of attempts to break into a network. It can happen anytime, from any source, especially when your subnet is targeted by port scans. I had tons daily when I used to open SSH/SFTP for a specific purpose, although I know how to deal with it (no passwords, keys only, block or slow them down with iptables etc). Asustor has provided some simple protection against these, Settings->ADM Defender->Network Defender->Auto Black List.

> Could the login failure be related to the fact that I changed the SFTP port from the standard one OR that it was not open on the router's NAT functions?

You have to find out whether these are legit attempts, depending on the source IPs. You've mentioned previously you had help from a friend. He can easily find out.

> However, I don't think I've ever used the SFTP function outside my home, so for now I disable this function from the "Services" menu.
>
> Are there any Asustor apps that use the SFTP protocol? For example, I use AiFoto backup, sharing files from "File Explorer" with friends, accessing my files from outside, and I wouldn't want to lose these comforts.

IIRC only the EZ Connect app uses SFTP for its SSHFS protocol when you map network shares to a drive remotely.
ndl101
Posts: 59
Joined: Sun Jul 11, 2021 4:32 pm

Re: Hacker attack on sftp?

Post by ndl101 »

Attempts like this cannot be fully avoided while it is exposed to the www. If you absolutely need to access the NAS from the www, I suggest adding additional security layers in the likes of a reverse proxy setup with overload protection, intrusion prevention and MFA (multi-factor authentication). Linuxserver.io's SWAG could be a starting point for ideas as, if I recall correctly, it comes with both fail2ban and Authelia. Ideally, hide it all behind a VPN. Also, move towards SSH key authentication wherever possible.
None of this will make your box 100% secure but it will make it harder by far to gain access to it.

I made it long as I lacked the time to make it short.

---
Help to self-help:
How to ask (good) questions in a forum
---
General information
Location: Denmark
OS: Ubuntu 20.04
NAS: Lockerstor 4 (AS6604T)