DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
ssh attack after port forward on 2830n
- simonh123
- Topic Author
- Offline
- New Member
Less
More
- Posts: 1
- Thank you received: 0
27 Jan 2013 13:20 #74968
by simonh123
ssh attack after port forward on 2830n was created by simonh123
I want to check what I am doing with port forwarding as something does not make sense to me. That suggests I misunderstand something.
I am running an apache webserver on a linux box on my LAN. I wanted to ssh in from work during my lunchhour in order to get some things configured correctly, so set a port forward for 22 to the private IP of the linux box. That works as required.
I then find regular attacks reported as failed logins. They are reported by sshd to auth.log like so: " Failed password for root from 222.184.230.118 port 35522 ssh2". There are multiple attempts from the same IP, and this started happening from a lot of different IPs.
I err on the side of caution and have disabled the port forward for now. Anyway these attacks on root do not worry me too much as I have disabled root login in the sshd config. My Draytek configuration is quite simple, not much changed from default: no open ports, dmz, filters. I have added multi-nat port forward of http (only) on different external IPs to corresponding local apache servers.
Before doing anything to reinstate ssh I need to understand one thing. I have only enabled the port forward for 22, yet the attacks are coming in on high-numbered ports. In the example above 35522, but that is just one in a seemingly random sequence, 33512, 34584 etc. How are these ports being forwarded to the same local IP? Other linux servers that are running on the network are not getting any traffic from the outside world.
I'm interested to hear if someone can explain this, maybe point out if I am doing something wrong or need do something else.
Thanks.
I am running an apache webserver on a linux box on my LAN. I wanted to ssh in from work during my lunchhour in order to get some things configured correctly, so set a port forward for 22 to the private IP of the linux box. That works as required.
I then find regular attacks reported as failed logins. They are reported by sshd to auth.log like so: " Failed password for root from 222.184.230.118 port 35522 ssh2". There are multiple attempts from the same IP, and this started happening from a lot of different IPs.
I err on the side of caution and have disabled the port forward for now. Anyway these attacks on root do not worry me too much as I have disabled root login in the sshd config. My Draytek configuration is quite simple, not much changed from default: no open ports, dmz, filters. I have added multi-nat port forward of http (only) on different external IPs to corresponding local apache servers.
Before doing anything to reinstate ssh I need to understand one thing. I have only enabled the port forward for 22, yet the attacks are coming in on high-numbered ports. In the example above 35522, but that is just one in a seemingly random sequence, 33512, 34584 etc. How are these ports being forwarded to the same local IP? Other linux servers that are running on the network are not getting any traffic from the outside world.
I'm interested to hear if someone can explain this, maybe point out if I am doing something wrong or need do something else.
Thanks.
Please Log in or Create an account to join the conversation.
- jmann
- Offline
- Junior Member
Less
More
- Posts: 10
- Thank you received: 0
07 Feb 2013 12:31 #75101
by jmann
Replied by jmann on topic Re: ssh attack after port forward on 2830n
Hello Simon.
The high numbered ports you are seeing are the source port of the connections and are completely normal. When a host makes a TCP connection to another host, the operating system will usually select a random port between 1024 and 65535 to use as the source port.
sshd listens on port 22, so that is the destination port of the connections. The port forwarding rule on your router is acting upon the destination port in the packets.
One unfortunate consequence of running services on their well-known ports on the internet is that you'll get loads of connection attempts from script-kiddies and other opportunistic idiots looking for hosts to exploit. As long as you're running a secure version of sshd and have a strong username and password, then this shouldn't be anything more than an annoyance that might fill up your logs a bit.
However, it's trivially easy to avoid this annoyance by making your sshd service listen on a non-standard port. Unless the script-kiddies want to spend time scanning all 65535 TCP ports on your system, then they won't know which port sshd is listening on. I set mine to listen on a five-digit port number and then specify this in my ssh client program.
The high numbered ports you are seeing are the source
sshd listens on port 22, so that is the destination
One unfortunate consequence of running services on their well-known ports on the internet is that you'll get loads of connection attempts from script-kiddies and other opportunistic idiots looking for hosts to exploit. As long as you're running a secure version of sshd and have a strong username and password, then this shouldn't be anything more than an annoyance that might fill up your logs a bit.
However, it's trivially easy to avoid this annoyance by making your sshd service listen on a non-standard port. Unless the script-kiddies want to spend time scanning all 65535 TCP ports on your system, then they won't know which port sshd is listening on. I set mine to listen on a five-digit port number and then specify this in my ssh client program.
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek