Security Concerns - Log File

[Jagstyles]

I just checked my System Information log file and notice a slew of IP addresses with the following message:

[System] ssh login failure from IP "xxx.xxx.xxx.xxx". In fact, I see at 9:42 PM last night, the same IP hammering away for 11 tries all within the same time 9:42PM.

Does this mean that someone is trying to login to my NAS? I'm using No-IP for my DDNS. I used No-IP because I couldn't get the Asustor one to work at the time.

Any ideas/suggestions?

[Jagstyles]

Here's a lookup of one of the IP addresses that was hammering away:

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '116.224.0.0 - 116.239.255.255'

inetnum: 116.224.0.0 - 116.239.255.255
netname: CHINANET-SH
descr: CHINANET Shanghai province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: WWQ4-AP
tech-c: WWQ4-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-SH
mnt-routes: MAINT-CHINANET-SH
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: To report network abuse, please contact the IRT
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: For assistance, please contact the APNIC Helpdesk
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
source: APNIC
mnt-irt: IRT-CHINANET-CN
changed: hm-changed@apnic.net 20070404

irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
mnt-by: MAINT-CHINANET
changed: anti-spam@ns.chinanet.cn.net 20101115
source: APNIC

person: Weng Wen Qian
address: Room 2405,357 Songlin Road,Shanghai 200122
country: CN
phone: +86-21-68405784
fax-no: +86-21-50623458
e-mail: wengwq@online.sh.cn
nic-hdl: WWQ4-AP
mnt-by: MAINT-CHINANET-SH
changed: ip-admin@mail.online.sh.cn 20050403
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

[MikeG.6.5]

Yes, there is someone trying to get into your machine. They likely used a port sniffer on your IP and tried to get into any open ports you have on your router. If you are torrenting, this is likely how they got the IP to start with.

You can use the geographic IP blocking function to prevent their log in, but not sure if this affects torrenting or not.

[Jagstyles]

But even without torrenting, don't we need to have port 8000 open for us to be able to connect to our NAS from remote so we can access our files from anywhere?

Are there additional measures I should be taking to secure my NAS?

[Jagstyles]

I've gone ahead and blocked entire regions use Geo Blocking. Thanks for pointing me in that direction, hadn't even realized we had that functionality. For now, I've blocked everything outside of North America just to see how things go and will keep checking the logs.

I've also changed all passwords for the 3 users on my NAS to 30 character strong passwords using a password generator. Any other measures I can take? I also changed my router password to 30 character length password. Only port forwarding I have is for the NAS itself port 8000.

Thanks

[MikeG.6.5]

Locking down the ports is a good idea, if you don't plan to do any remote access at all.

As I do a lot of remote access of Plex and some of my downloading apps, I use port forwards to non-standard ports, and password the apps. IMO, if I'm sitting in the GF's house and want to see if any movies or shows have finished, I can get to them on my tablet and make sure they get added to Plex. and I can watch about anything I want from within Plex itself sitting there or in the bar.

And the Geo Blocking will stop a lot of potential problems.

[PinguMann]

I administer some Linux boxes in the EU and US.

This is a common issue on almost all servers. It is done automatically, especially when a TLD is connected to the box. Info is taken from the whois database to get to IP addresses.

Practically, I usually do 5 things:

1. Change the ssh port 22 to some other port you will never use, like a port a system may use, but your server does not. Look at the /etc/services file for some ports that may be used, otherwise use a high port.

2. Block root remote login with ssh. You have to use sudo on normal Linux servers, but the Asustor boxes are inbeded on one chip as firmware - sudo is not available. Create a new user with admin rights and make a very long and complicated code generated password for admin. Normally root is deactivated for direct usage. Not sure what is done on the Asustor systems. root is UID=0 and admin is UID=999. Normal switching to root with su is not possible. It seems group members of "administrators" have root access (I suspect restricted like sudo).
Look at the user and group lists with cat /etc/passwd & cat /etc/group.

3. Use keys to log in to servers with ssh. It allows password-less access form only single identified servers and clients with each other, and is the best secure access at the moment on a ssh level.

4. Use port-knocking techniques to add another security level. See: http://www.portknocking.org/ for an explanation how it works. I still have to get to this on the Asustor. On CentOS it is installed with "sudo apt-get install knockd". I need to talk to the techis at Asustor or someone here to find a way to install on the Asustor.

5. Configure IP-Tables to block unwanted traffic. A rather complicated procedure, covered by the access lists of ADM Defender. Not sure how well it is configured. Checking can be done with tables list (iptables -L -- but it needs root to check and change it). A nice description at Ubuntu site: https://help.ubuntu.com/community/IptablesHowTo. Still have to research this point.

The first 3 points will secure 95% of the attacks.

The first 2 points eliminates about 80 % of the script-kiddies and automatic log-in attempts.

HTH a little.


Pingumann

[MikeG.6.5]

Router side IP rules eliminate 95% or greater potential problems, as they never even see the NAS.

And they are fairly easy to put in most routers....

This uses ipset which most routers already have installed. SSH into the roughter and make a file in the /jffs/scripts folder and make a file called firewall-start and paste the following into it:

Code: Select all

#!/bin/sh

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Different routers got different iptables syntax
case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'
    ;;
  mips)
    MATCH_SET='--set'
    ;;
esac

# Block traffic from Tor nodes
if [ "$(ipset --swap TorNodes TorNodes 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N TorNodes iphash
    [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
    for IP in $(cat $IPSET_LISTS_DIR/tor.lst)
    do
        ipset -A TorNodes $IP
    done
fi
[ -z "$(iptables-save | grep TorNodes)" ] && iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N BlockedCountries nethash
    for country in pk cn
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP

# Block Microsoft telemetry spying servers
if [ "$(ipset --swap MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N MicrosoftSpyServers iphash
    for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
              65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
              65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
              65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
              131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
              134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
              191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254
    do
        ipset -A MicrosoftSpyServers $IP
    done
fi
[ -z "$(iptables-save | grep MicrosoftSpyServers)" ] && iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers dst -j DROP

Then add in the appropriate country codes based on a search of the site http://www.ipdeny.com/ipblocks/ and any machine from that country that attempts to attach gets rejected 100% of the time. The only ones that might have a chance after this is someone using a VPN to mask their base IP, and then the steps taken above prevent most if not all of those.

Comes down to probably as close to 100% as you can get for protection on a home network. And is as tight of security as some of the big commercial operations.