
er... getting hacking attempts

Discussion in 'Tomato Firmware' started by Hypernova, Mar 26, 2007.

  1. Hypernova

    Hypernova LI Guru Member


    How right now it's more of an annoyance since it's raising CPU load to 60%.
  2. bokh

    bokh LI Guru Member

    Seems to me like you have the "SSH Daemon" on the WRT54 set to allow "Remote Access".
    Do you really need that? If yes, I suggest using a different port number than the default 22, because most script kiddies use brute force tools that only scan for SSH listening on that port.
    If not, simply turn it off (how often do you log in from the outside into Tomato?).
  3. skwf1985

    skwf1985 LI Guru Member

    I use it to check up on data usage from school and there's no remote for telnet. Would changing the port to higher (60000) help? It's all I use it for since it costs a few cents per MB of traffic at Uni so it would be a bit costly to see things through web interface.

    [edit] Just realised I already have a Linksys account and it was in my home comp's cookie all this time.
  4. bokh

    bokh LI Guru Member

    Yeah, that would help for sure. As long as the script kiddies don't do a full port-scan... but that would take them too long to figure out which one is running what specific protocol / service.
    Port-number makes no big difference, as long as it's higher than 1024 IMHO. Below 1024 are most of the other known services.

    But... to check up on data-usage from school, you definitely don't need SSH. HTTP(S) and "Remote Access" will do!
  5. lwf-

    lwf- Network Guru Member

    I run my SSHd on port 443 (since it's open in most firewalls) and I have never had a failed login attempt.
  6. Hypernova

    Hypernova LI Guru Member

    At about 4 US cents per MB it's cheaper through PuTTY. And is this a bug?: After changing the port, restarting the services still sets the same port. The new port is used only after reboot.
  7. mikester

    mikester Network Guru Member

    You can block the incoming IP range
    iptables -I INPUT -s <ip-range> -j DROP

    The better suggestion would be to block all incoming IP EXCEPT for the ones from your school AS WELL AS changing the SSH port number.

    You also might try going to the culprit's ISP (http://whois.domaintools.com/) and complain, but as it's from Mexico you might not have any luck. Send a copy of the log - who knows, you might get lucky.
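
The allow-list approach suggested in the last post (accept SSH only from one known range, drop the rest), as an added example that is not code from any poster in this thread. It assumes sshd listens directly on the router on the chosen port; the interface name `vlan1`, the port and the 192.0.2.0/24 range are constructed placeholder values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: sshd listens directly on
# the router on the given port, and the first argument is the WAN interface.

valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_cidr() {   # IPv4 address with optional /0../32 prefix length
    addr=${1%/*}; len=32
    case "$1" in */*) len=${1#*/} ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# ssh_allowlist_rules WAN_IF SSH_PORT ALLOWED_RANGE
# Prints the commands instead of running them, so they can be reviewed first.
# "iptables -I" without a position inserts at the top of the chain, so the
# explicit positions 1 and 2 keep the ACCEPT above the DROP. The DROP is
# limited to the WAN interface so LAN clients can still reach sshd.
ssh_allowlist_rules() {
    wan_if=$1 port=$2 cidr=$3
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    valid_cidr "$cidr" || { echo "bad source range: $cidr" >&2; return 1; }
    echo "iptables -I INPUT 1 -i $wan_if -p tcp --dport $port -s $cidr -j ACCEPT"
    echo "iptables -I INPUT 2 -i $wan_if -p tcp --dport $port -j DROP"
}

# Constructed sample: WAN on vlan1, SSH moved to port 60000 (the port asked
# about in the thread), 192.0.2.0/24 standing in for the school's range.
ssh_allowlist_rules vlan1 60000 192.0.2.0/24
```

Rules added this way do not persist across a reboot, so keep a LAN session open while testing them.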
