[HamWAN PSDR] Recently connected... Now being attacked?

Bart Kus me at bartk.us
Wed Jan 1 13:25:20 PST 2014


Yeah, I didn't think this through enough when I suggested an alternate 
port.  I believe Nigel has at least one ssh-based network health scanner 
implemented so far, and that will only grow.

One more thing I can think of is to only have accounts which feature 
ssh-keys.  That way all the failed logins are not a problem since 
password auth is impossible with ssh-keys configured.  Only if the 
attacker has the corresponding private key would they be able to log in.

--Bart

On 1/1/2014 10:12 AM, Nigel Vander Houwen wrote:
> Hello Jason,
>
> I'm actually going to have to contradict Bart on one aspect here, and 
> strongly suggest moving ssh back to the original port. The way hamwan 
> is designed for the "shared admin" model where myself and a couple 
> other individuals who are the admins for the network, doesn't agree 
> well with devices having non-standard configs.
>
> Not that changing a port in and of itself is a bad idea, I've done it 
> a number of times, but it makes the job of the admins a nightmare when 
> trying to manage the network and figure out what port ssh is running 
> on for User A's modem.
>
> Can I suggest instead that you create a firewall rule that limits SSH 
> to the hamwan address space when coming in over the wireless 
> interface? Something like
>
> ip firewall filter add action=accept dst-port=22 
> src-address=44.24.240.0/20 protocol=tcp 
> chain=input in-interface=w0
>
> is probably along the lines of what you'd be looking at. This still 
> limits the attempts at your modem, but still allows for the admins to 
> update or configure your modem as needed.
>
> P.S. Welcome to the network!
>
> Thanks!
>
> Nigel
>
> K7NVH
>
>
>
> On Mon, Dec 30, 2013 at 12:39 PM, Jason Maher <jason at jmaher.org> wrote:
>
>     Thanks for the suggestions guys,
>
>     I changed the ssh port from the default and installed an SSL
>     certificate.
>
>     Bart:
>     I discovered the firewall rules on Mikrotik's wiki after a little
>     Googling.
>     Here is the URL:
>     http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
>
>     No need to block anything on your edge routers. "Kill all
>     internet", I like that! :-)
>
>     --Jason
>     K7JMM
>
>
>     On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:
>
>         Having worked as a security-focused network engineer at a
>         wireless ISP, I can tell you that it's very likely an
>         automated attack against the whole address block in which you
>         reside.
>         One way to harden yourself is to deploy two-factor
>         authentication: password and SSL certificate.
>         73, Daniel K7DGL
>
>
>
>
>     _______________________________________________
>     PSDR mailing list
>     PSDR at hamwan.org
>     http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
>
>
>
>
> -- 
> Nigel Vander Houwen
>
>
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
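
Nigel's suggestion above, written out as an added RouterOS example (not from the original thread): RouterOS evaluates filter rules top to bottom and accepts packets that match no rule, so the accept rule he quotes only limits anything when a later rule drops the remaining SSH traffic. The drop rule, the rule comments and the final check are assumptions added here; `w0` and `44.24.240.0/20` are taken from his message.

```routeros
# Added example, not from the original thread.
# Assumption: no other input-chain rule already handles tcp/22 on w0.
/ip firewall filter
# 1. Allow SSH from the HamWAN address space (the rule from Nigel's message).
add chain=input action=accept protocol=tcp dst-port=22 src-address=44.24.240.0/20 in-interface=w0 comment="SSH from HamWAN"
# 2. Added here: drop every other SSH connection arriving on the wireless interface.
add chain=input action=drop protocol=tcp dst-port=22 in-interface=w0 comment="SSH from elsewhere"
# Check the order: the accept rule must be listed above the drop rule.
print where dst-port=22
```

Apply this from a session that originates inside 44.24.240.0/20 or on a wired interface, since an SSH session arriving on `w0` from any other address matches the drop rule and is cut off.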
