<div dir="ltr">Hello Jason,<div><br></div><div>I'm actually going to have to contradict Bart on one aspect here, and strongly suggest moving ssh back to the original port. The way hamwan is designed for the "shared admin" model where myself and a couple other individuals who are the admins for the network, doesn't agree well with devices having non-standard configs.</div>
<div><br></div><div>Not that changing a port in and of itself is a bad idea, I've done it a number of times, but it makes the job of the admins a nightmare when trying to manage the network and figure out what port ssh is running on for User A's modem.</div>
<div><br></div><div>Can I suggest instead that you create a firewall rule that limits SSH to the hamwan address space when coming in over the wireless interface? Something like</div><div><span class=""><br></span></div><div>
<span class="">ip</span><span class=""> </span><span class="">firewall</span><span class=""> </span><span class="">filter</span><span class=""> </span><span class="">add</span><span class=""> </span>action<span class="">=</span><span class="">accept </span>dst-port<span class="">=</span><span class="">22 </span>src-address<span class="">=</span><span class=""><a href="http://44.24.240.0/20">44.24.240.0/20</a> </span>protocol<span class="">=</span><span class="">tcp chain=input in-interface=w0</span><br>
</div><div><p class="">is probably along the lines of what you'd be looking at. This still limits the attempts at your modem, but still allows for the admins to update or configure your modem as needed.</p><p class="">
P.S. Welcome to the network!</p><p class="">Thanks!</p><p class="">Nigel</p><p class="">K7NVH</p></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Dec 30, 2013 at 12:39 PM, Jason Maher <span dir="ltr"><<a href="mailto:jason@jmaher.org" target="_blank">jason@jmaher.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for the suggestions guys,<br>
<br>
I changed the ssh port from the default and installed a SSL certificate.<br>
<br>
Bart:<br>
I discovered the firewall rules on Mikrotik's wiki after a little Googling.<br>
Here is the URL: <a href="http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention" target="_blank">http://wiki.mikrotik.com/wiki/<u></u>Bruteforce_login_prevention</a><br>
<br>
No need to block anything on your edge routers. "Kill all internet", I like that! :-)<br>
<br>
--Jason<br>
K7JMM<div class="im HOEnZb"><br>
<br>
On 12/29/2013 12:39 PM, Daniel Luechtefeld wrote:<br>
</div><div class="im HOEnZb"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Having worked as a security-focused network engineer at a wireless ISP, I can tell you that it's very likely an automated attack against the whole address block in which you reside.<br>
One way to harden yourself is to deploy two-factor authentication: password and SSL certificate.<br>
73, Daniel K7DGL<br>
<br>
<br>
</blockquote>
<br>
<br></div><div class="HOEnZb"><div class="h5">
______________________________<u></u>_________________<br>
PSDR mailing list<br>
<a href="mailto:PSDR@hamwan.org" target="_blank">PSDR@hamwan.org</a><br>
<a href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/<u></u>mailman/listinfo/psdr_hamwan.<u></u>org</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nigel Vander Houwen
</div>