
Someone trying to hack me or Tomato reporting something else?

Discussion in 'Tomato Firmware' started by powersquad, Apr 28, 2008.

  1. powersquad

    powersquad Addicted to LI Member

    here are my logs which I just randomly checked out of the blue today...

    It's the same IP address all along, which is not mine obviously... is it someone trying to hack the Tomato router via SSH or the web UI? I have remote viewing enabled for both SSH and HTTPS, with the web UI on HTTPS with a strong password, and I have never told anyone about my Tomato router or that I have remote viewing enabled. OR is it Tomato trying to tell me something else here?

    Whois shows the IP is from Japan and I am in New Zealand... don't have enemies :(

    Thanks
     
  2. LLigetfa

    LLigetfa LI Guru Member

    Yes, you are under attack. Is remote access that important to you?
     
  3. HennieM

    HennieM Network Guru Member

    dropbear = ssh
     
  4. rcordorica

    rcordorica Network Guru Member

    I personally don't open my SSH to the WAN, but I think this script is useful. I use it on my laptop, which does expose SSH to the WLAN. This would be a cool feature for a Tomato mod to put in (or the official one, Jon!).

    http://hostingfu.com/article/ssh-dictionary-attack-prevention-with-iptables

    It limits the connection attempts per minute by dropping the client for failing too many times.

    I am not sure if tomato supports all the iptables attributes needed for this to work.
     
  5. MarioT

    MarioT LI Guru Member

    These IPs are probably from "Zombie" PCs taken over by hackers...

    The only possible solutions I can think of:

    1. Change SSH port 22 to something else. (Might not be an option if the connection going out from your friend prohibits non-standard ports.)

    2. Enable RSA key authentication. (No chance the key will be found, but more difficult to manage. Plus the logs will still show signs of attacks.)

    3. Recompile a FW like I did to add the "recent" module to iptables + reconfigure the default SSH rules so the hackers get no answer after the 3rd attempt in 90 secs. (Not for everyone...)

    I emailed Jon about the 3rd solution, but it seems it is not a top priority on his list. I'll keep running my modded v1.11 until I really need the new FW features.
     
  6. nvtweak

    nvtweak LI Guru Member

    how about ipkg install knockd?

    knockd will keep ports stealth until you send correct port knocking sequence.
     
  7. TexasFlood

    TexasFlood Network Guru Member

    I've been attacked on standard services many times, from all over the globe. If you expose a standard service to the Internet on a standard port then make sure the service is configured as securely as possible since hackers can & do run automated attacks targeting these.

    Moving exposed services to non-standard ports reduces the exposure to these attacks.
    For example, configure RDP to listen on the standard port 3389 and I bet you'll find automated attacks hitting that port. If you limit the accounts that can be logged into with RDP and have strong passwords, the attacks probably won't succeed, but it's irritating and worrying. Move it to an arbitrary high port and chances are you won't see the attacks anymore, once the automated attack sees no response on the standard port.
     
  8. powersquad

    powersquad Addicted to LI Member

    Turned off SSH as I hardly used it (will change the port from 22 to something else in future if I turn it on again), though I still use HTTPS pretty much every day to log in from work to use Wake On LAN and check on a few other things. Have got RDP turned on as well, but luckily for me work has port 3389 blocked, so I had to change it to a different port a long time back. Someone from S. Korea in the morning was also trying to hack into my network, before I decided to turn off SSH.

    Thanks for your feedback guys... :)
     
  9. LLigetfa

    LLigetfa LI Guru Member

    On my linux server at work that is exposed to the world, I run fail2ban to stop the brute force attacks. I don't expose other ports for RDP, VNC, etc. to the whole world, just to a small select group of IPs.

    On my Tomato router at home, I don't expose any ports at all.
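Added example, not code from any poster in this thread: the "N failed attempts within T seconds" sliding window that rcordorica's linked iptables script and MarioT's "recent" rule enforce at the firewall, and that fail2ban (LLigetfa's post) applies to logs, implemented here as a log check over constructed dropbear-style syslog lines (the original poster's actual log is not in the thread). The sample lines, LOG_YEAR and the 3-attempts-in-90-seconds threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines modelled on dropbear's syslog messages
# ("Bad password attempt", "Login attempt for nonexistent user").
SAMPLE_LOG = """\
Apr 28 08:12:01 dropbear[1023]: Child connection from 198.51.100.23:51234
Apr 28 08:12:03 dropbear[1023]: Bad password attempt for 'root' from 198.51.100.23:51234
Apr 28 08:12:09 dropbear[1024]: Bad password attempt for 'root' from 198.51.100.23:51240
Apr 28 08:12:15 dropbear[1025]: Login attempt for nonexistent user from 198.51.100.23:51251
Apr 28 08:12:22 dropbear[1026]: Bad password attempt for 'admin' from 198.51.100.23:51260
Apr 28 09:40:00 dropbear[1100]: Bad password attempt for 'root' from 203.0.113.9:40010
Apr 28 10:10:00 dropbear[1200]: Bad password attempt for 'root' from 203.0.113.9:40011
"""

LOG_YEAR = 2008  # assumed: syslog timestamps carry no year
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) dropbear\[\d+\]: "
    r"(?P<msg>Bad password attempt for '[^']*'|Login attempt for nonexistent user)"
    r" from (?P<ip>[\d.]+):\d+$"
)

def parse_failures(log_text):
    """Yield (timestamp, ip) for each failed login in dropbear syslog output."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection notices and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]

def offenders(log_text, max_attempts=3, window_seconds=90):
    """Return {ip: time it first exceeded max_attempts failures within any
    window_seconds span}. Same policy as iptables -m recent with
    --seconds 90 --hitcount 4: the 4th attempt inside 90 s trips it."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    flagged = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # discard failures that have aged out of the window
        if len(q) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Running `offenders(SAMPLE_LOG)` flags only 198.51.100.23 (four failures in 19 seconds); the two attempts from 203.0.113.9 are half an hour apart and never share a 90-second window.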
     
