<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Yeah, I didn't think this through enough when I suggested an
    alternate port.  I believe Nigel has at least one ssh-based network
    health scanner implemented so far, and that will only grow.<br>
    <br>
    One more thing I can think of is to only have accounts which feature
    ssh-keys.  That way all the failed logins are not a problem since
    password auth is impossible with ssh-keys configured.  Only if the
    attacker has the corresponding private key would they be able to
    login.<br>
    <br>
    --Bart<br>
    <br>
    <div class="moz-cite-prefix">On 1/1/2014 10:12 AM, Nigel Vander
      Houwen wrote:<br>
    </div>
    <blockquote
cite="mid:CAMgnpq002OP8-2wpnX=aQNqPqkOL_b6L5ts40XX-MhdQcWtMzw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello Jason,
        <div><br>
        </div>
        <div>I'm actually going to have to contradict Bart on one aspect
          here, and strongly suggest moving ssh back to the original
          port. The way hamwan is designed, for the "shared admin" model
          where I and a couple of other individuals are the admins for
          the network, doesn't agree well with devices having
          non-standard configs.</div>
        <div><br>
        </div>
        <div>Not that changing a port in and of itself is a bad idea,
          I've done it a number of times, but it makes the job of the
          admins a nightmare when trying to manage the network and
          figure out what port ssh is running on for User A's modem.</div>
        <div><br>
        </div>
        <div>Can I suggest instead that you create a firewall rule that
          limits SSH to the hamwan address space when coming in over the
          wireless interface? Something like</div>
<br>">
        <div><br>
        </div>
        <div>
          <pre>ip firewall filter add action=accept dst-port=22 src-address=44.24.240.0/20 protocol=tcp chain=input in-interface=w0</pre>
        </div>
        <div>
          <p class="">is probably along the lines of what you'd be
            looking at. This still limits the attempts at your modem,
            but still allows for the admins to update or configure your
            modem as needed.</p>
          <p class="">
            P.S. Welcome to the network!</p>
          <p class="">Thanks!</p>
          <p class="">Nigel</p>
          <p class="">K7NVH</p>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Mon, Dec 30, 2013 at 12:39 PM, Jason
          Maher <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:jason@jmaher.org" target="_blank">jason@jmaher.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for
            the suggestions guys,<br>
            <br>
            I changed the ssh port from the default and installed an SSL
            certificate.<br>
            <br>
            Bart:<br>
            I discovered the firewall rules on Mikrotik's wiki after a
            little Googling.<br>
            Here is the URL: <a moz-do-not-send="true"
              href="http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention"
              target="_blank">http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention</a><br>
            <br>
            No need to block anything on your edge routers. "Kill all
            internet", I like that! :-)<br>
            <br>
            --Jason<br>
            K7JMM
            <div class="im HOEnZb"><br>
              <br>
              On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:<br>
            </div>
            <div class="im HOEnZb">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                Having worked as a security-focused network engineer at
                a wireless ISP, I can tell you that it's very likely an
                automated attack against the whole address block in
                which you reside.<br>
                One way to harden yourself is to deploy two-factor
                authentication: password and SSL certificate.<br>
                73, Daniel K7DGL<br>
                <br>
                <br>
              </blockquote>
              <br>
              <br>
            </div>
            <div class="HOEnZb">
              <div class="h5">
                _______________________________________________<br>
                PSDR mailing list<br>
                <a moz-do-not-send="true" href="mailto:PSDR@hamwan.org"
                  target="_blank">PSDR@hamwan.org</a><br>
                <a moz-do-not-send="true"
                  href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org"
                  target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        Nigel Vander Houwen
      </div>
      <br>
    </blockquote>
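    <p>As an added illustration (not code from the thread, and not MikroTik's own), a small Python model of first-match evaluation in a RouterOS <code>input</code> chain: first with Nigel's accept rule alone, then with a drop rule for all other SSH on the wireless side placed after it. The interface name <code>w0</code> and the <code>44.24.240.0/20</code> block come from the mail; the sample source addresses are constructed.</p>

```python
import ipaddress

# Constructed rules mirroring the attributes of Nigel's "/ip firewall filter"
# rule. Interface name w0 is taken from the mail; it is an assumption that the
# wireless interface on the modem is really called that.
HAMWAN = "44.24.240.0/20"

ACCEPT_ONLY = [
    {"chain": "input", "protocol": "tcp", "dst-port": 22,
     "src-address": HAMWAN, "in-interface": "w0", "action": "accept"},
]

# Same accept rule followed by a drop for every other SSH attempt arriving
# on the wireless interface. Order matters: the accept must come first.
ACCEPT_THEN_DROP = ACCEPT_ONLY + [
    {"chain": "input", "protocol": "tcp", "dst-port": 22,
     "in-interface": "w0", "action": "drop"},
]

def matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if rule.get("protocol") and rule["protocol"] != pkt["protocol"]:
        return False
    if rule.get("dst-port") and rule["dst-port"] != pkt["dst_port"]:
        return False
    if rule.get("in-interface") and rule["in-interface"] != pkt["in_interface"]:
        return False
    if rule.get("src-address"):
        net = ipaddress.ip_network(rule["src-address"])
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    return True

def evaluate(rules, pkt, chain="input"):
    """First matching rule decides; RouterOS accepts when no rule matches."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return "accept"  # implicit default policy of a RouterOS filter chain

def ssh_attempt(src, iface="w0"):
    return {"protocol": "tcp", "dst_port": 22, "src": src, "in_interface": iface}

# Constructed scenarios: an admin inside the hamwan block, a scanner on the
# Internet side of the wireless link, and a host on the modem's LAN port.
SCENARIOS = {
    "admin_from_hamwan": ssh_attempt("44.24.241.7"),
    "internet_scanner": ssh_attempt("198.51.100.23"),
    "lan_side": ssh_attempt("192.168.88.10", iface="ether1"),
}

def verdicts(rules):
    return {name: evaluate(rules, pkt) for name, pkt in SCENARIOS.items()}
```

    <p>With the accept rule alone every scenario is still accepted, because the chain falls through to the implicit accept; the drop rule placed after it is what actually limits the attempts while leaving admin access from the hamwan block and the LAN side intact.</p>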
    <br>
  </body>
</html>