<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Jason,<br>
<br>
Congrats on the successful link! If I'm reading it correctly,
with 0 assistance? You have an excellent signal strength (-61dBm)
and the 16.2Mbit you're seeing is the limit of our presently
configured 5MHz channels. This narrow bandwidth was chosen to
optimize coverage over speed.<br>
<br>
You're also the first node on the other side of the Puget Sound,
so cheers for that. :) Can you share some pix / details of the
setup?<br>
<br>
The attack you're seeing is all automatic botnet stuff. We see it
24/7 on all the routers and servers. It's just a sad fact about
being on the Internet. We can do a few things to help:<br>
<br>
1) Sounds like you already installed the firewall rules that
discard packets from IPs with repeated failed login attempts. I
don't recall our rules for dealing with this being published
anywhere though, so which rules did you use? We can compare/share
our rules, although I'm too lazy to pull them up right now. :)<br>
<br>
2) We can push rules to our edge routers that would prevent this
traffic from hitting your IP(s). It's up to you how severe you
want to make these. "Kill all internet" being the extreme.
"Apply your edge router dynamic blacklist to my IP's traffic"
being probably the least extreme. We can also just block all TCP
port 22 traffic from going to you, but that's probably also not
desired.<br>
<br>
One simple option you have is to practice some security through
obscurity and remap the ssh port to a non-standard number. This
is done in the /ip service menu.<br>
<br>
Above all else though, be sure you don't use the default "admin"
account, but instead create a k7jmm account or something. Set a
very long passphrase on it (no need to remember it) and enable
ssh-key authentication on the account. One of the quirks of
RouterOS is when an account has an ssh-key defined for
authentication, password authentication is effectively disabled.
The password auth will still work for that account for other
services though, like winbox.<br>
<br>
For any servers you attach for the network, I would recommend
using sshguard (<a class="moz-txt-link-freetext" href="http://www.sshguard.net/">http://www.sshguard.net/</a>). It's a nice light
solution, and I've used it successfully for years.<br>
<br>
Anyway, congrats on the link! If you'd like to help in
beta-testing some new features, please join #HamWAN on freenode.<br>
<br>
--Bart<br>
<br>
<br>
On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:<br>
</div>
<blockquote
cite="mid:CAHz2X3R4FUQ+ua90Vk2UVNzWDUtwsfkw4=XCecGCtdzZV1dodA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Having worked as a security-focused network engineer at a
wireless ISP, I can tell you that it's very likely an
automated attack against the whole address block in which you
reside. </div>
<div> </div>
<div>One way to harden yourself is to deploy two-factor
authentication: password and SSL certificate.</div>
<div> </div>
<div>73, Daniel K7DGL</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sun, Dec 29, 2013 at 12:21 PM, Jason
Maher <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:jason@jmaher.org" target="_blank">jason@jmaher.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi folks,<br>
<br>
I have recently connected to the PSDR from my QTH in
Suquamish via the Capital Park node. My Metal 5SHPN is fed
from a Puynting 31dBi Grid antenna. I have a 16.2 Mbps
connection at 21.4 Kilometers!<br>
<br>
My concern is that it appears that someone is attempting to
log into my router as root via SSH. There are multiple log
entries every day citing "login failures". A whois on any of
the IPs show up as originating from China.<br>
<br>
A few examples:<br>
<br>
58.215.56.110<br>
120.105.81.190<br>
49.203.248.133<br>
202.119.236.121<br>
95.211.8.134<br>
<br>
I have applied the suggested scripts to blacklist an IP
after several failed attempts. I also have a hardware
firewall between the router and my LAN.<br>
<br>
Are these just normal internet hacking attempts from bots,
or is there something else going on?<br>
<br>
Thanks!<br>
<br>
--Jason<br>
K7JMM<br>
<br>
_______________________________________________<br>
PSDR mailing list<br>
<a moz-do-not-send="true" href="mailto:PSDR@hamwan.org"
target="_blank">PSDR@hamwan.org</a><br>
<a moz-do-not-send="true"
href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org"
target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
PSDR mailing list
<a class="moz-txt-link-abbreviated" href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a>
<a class="moz-txt-link-freetext" href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a>
</pre>
</blockquote>
<br>
</body>
</html>