Network Guy
Premium
join:2000-08-25
New York
kudos:2

Who keeps their router's SSH port open?

My 1841 is apparently falling victim to a dictionary attack via SSH. I happened to check the NAT statistics and see there's an IP address from China making a large number of inbound connections to my router via SSH.

Yes, I have SSH open for my convenience. Apparently, I probably should only SSH into my router via VPN.

Who keeps their router's SSH port open to the world?


state
stress magnet
Premium,Mod
join:2002-02-08
Purgatory
kudos:6
No access lists?

Network Guy
Premium
join:2000-08-25
New York
kudos:2
Yes. I only allow local internal subnet and one IP address from my job to access all VTY lines.

The only thing that worries me is that in order to get the ACL to work I had to allow to any that equals 22 and apply it inbound to the VTY lines. I wanted to specify an IP address in the destination but as far as I know, you can't set an IP address to a VTY line.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
reply to state
Doh! I checked the VTY lines. I created the ACL but forgot to set it to the lines.

The script kiddie from China is no longer in my NAT statistics table.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to Network Guy
I do when I'm bored. And I create a priv level 0 user named "root" with password "root"... sit back and watch their scripts fail. None of these idiots know what to do when they find something that's not tHe LiNuX.

(generally, NEVER leave port 22 open to the internet. Even if it's not an SSH server.)


DaSneaky1D
what's up
Premium,MVM
join:2001-03-29
The Lou
reply to Network Guy
Nothing wrong with leaving it open to the world. Just have to keep a proper access list.

It'll be much safer if you only allow a specific range of IPs access to the router(s).

Network Guy
Premium
join:2000-08-25
New York
kudos:2
reply to cramer
said by cramer:

I do when I'm bored. And I create a priv level 0 user named "root" with password "root"... sit back and watch their scripts fail. None of these idiots know what to do when they find something that's not tHe LiNuX.

(generally, NEVER leave port 22 open to the internet. Even if it's not an SSH server.)

I should do this for kicks. My 1841 at home isn't all that busy as it is.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
I'm thinking the same thing. My FreeBSD box is constantly being "attacked" from all over the place. This could be quite amusing.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Network Guy
I do. Control Plane Policing gets a lot of the ones set to connect at too high a rate, though I should probably retune my thresholds lower now.

Are you logging your SSH attempts? Ones that just don't get the hint I nullroute to the bit bucket (and their subnet too) for a very permanent solution. Sending emails to their ISPs' abuse addresses is the highlight of the day.

@cramer
I'll have to try your idea as well and see how it goes.

Regards

jh2010

join:2009-09-03
Brooklyn, NY
reply to Network Guy
If you leave SSH open to the Internet, then it is possible to get DoS'ed if all lines are kept open. You will not be able to log in (except via the console).

nosx

join:2004-12-27
kudos:5
For SSH it's simpler to avoid scans by using the rotary feature to move SSH to a new port other than 22.

Additional security through obscurity is available by using a "knock" rotary configuration for your router. You have to "knock"/authenticate on a given TCP port, and then you can initiate a new SSH session for the next, say, 60 seconds (dynamic ACL knock entry). This is useful to prevent scans/attacks of hosts behind your router that you may want to NAT to for ssh/rdp/vnc/whatever.

ip ssh port 2222 rotary 1
username knock secret 5 $1$whatever
username knock autocommand access-enable host timeout 1
ip access-list extended ACL_PROTECT_WAN_IN
dynamic knock permit tcp any any eq 3389 22 log-input
deny ip any any

HELLFIRE
Premium
join:2009-11-25
kudos:18
@jh2010
I still have the CPU screenshot of what my first attempt at leaving my SSH port open to the world at large looked like, plus the logfiles to back it up.... fun times indeed.

@nosx
Wanna give a breakdown of what each line of that config does? Some of the commands I've never seen before.
But it looks interesting...

Regards


battleop

join:2005-09-28
reply to Network Guy
If you are being attacked you need to set up some ACLs.

This is a sample from one of my routers. We have a /24 that is used for our support group, management servers, snmp, etc. So I just created a single ACL for everything like SSH, SNMP etc and then allow access only from that one /24.

access-list 50 remark remote-access
access-list 50 permit 216.x.x.0 0.0.0.255
access-list 50 deny any

line vty 0 4
access-class 50 in
exec-timeout 120 0
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
The attacks seem to be done and over with from what I can see in the NAT stats and the ACL lists. I set up this 1841 last week for the first time ever. I created the ACL keeping in mind that if I opened 22 over the WAN it would equate to hanging meat for the piranhas, but I forgot to apply it to the VTY lines.

What I should do is log any attempts that match the ACL rules applied to the VTY lines just to see what's going on.

So far from what I can see, it's been relatively quiet.


Extended IP access list 100
10 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7 (4272 matches)
20 permit ip 10.17.12.0 0.0.0.255 any (38774 matches)
Extended IP access list 101 ---- This is the one applied to VTY lines ----
10 permit tcp host xxx any eq 22 (8 matches) ---- This is for my access from work ----
20 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (4 matches)
30 deny ip any any (39 matches)
Extended IP access list 110
5 permit tcp 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
10 permit ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
router#
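The two configurations above (battleop's standard access-list 50 applied with access-class, and the extended access-list 101 on the VTY lines) both rely on IOS wildcard masks and on the implicit deny at the end of every ACL. The following Python model is an added example, not code from the thread or from Cisco: it parses entries in the same shape as those posted, evaluates a connection against them the way IOS does (first match wins, no match denies), and shows that a VTY line with no access-class applied accepts every source, which is the state Network Guy was in before fixing the lines. All addresses are constructed sample values.

```python
"""Added example (not from the thread): evaluate Cisco IOS-style ACL entries
with wildcard (inverse) masks, including the implicit deny at the end, and
show why an ACL that is defined but not applied with `access-class ... in`
filters nothing. Addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword `any`: every bit is "don't care"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 must match, a bit of 1 is ignored (inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    proto: str = "ip"               # "ip" matches every protocol
    dst_port: Optional[int] = None  # only set by `eq <port>` after the destination


def _addr(toks: List[str], i: int):
    """Parse `any`, `host A`, or `A WILDCARD` starting at toks[i]."""
    if toks[i] == "any":
        return ANY[0], ANY[1], i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(toks) and toks[i + 1][0].isdigit():
        return toks[i], toks[i + 1], i + 2
    return toks[i], "0.0.0.0", i + 1   # standard ACL shorthand for a single host


def parse_entry(line: str) -> Entry:
    """Parse one standard (`permit A W`) or extended (`permit tcp ... eq 22`) entry."""
    toks = line.split()
    action = toks[0]
    if toks[1] in ("ip", "tcp", "udp", "icmp"):            # extended syntax
        src, src_wc, i = _addr(toks, 2)
        dst, dst_wc, i = _addr(toks, i)
        port = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        return Entry(action, src, src_wc, dst, dst_wc, toks[1], port)
    src, src_wc, _ = _addr(toks, 1)                         # standard syntax
    return Entry(action, src, src_wc)


def evaluate(acl: List[Entry], src: str, dst: str, proto: str, dst_port: int) -> str:
    """First matching entry wins; an ACL with no match denies (IOS implicit deny)."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


def vty_allows(access_class: Optional[List[Entry]], src: str, dst: str, port: int = 22) -> bool:
    """`line vty` with no `access-class` applied accepts every source: the state
    the original poster was in before fixing the VTY configuration."""
    if access_class is None:
        return True
    return evaluate(access_class, src, dst, "tcp", port) == "permit"


# Constructed sample ACLs in the shape of those posted in the thread.
ACL_50 = [parse_entry(l) for l in (
    "permit 203.0.113.0 0.0.0.255",                # the support /24
    "deny any",
)]
ACL_101 = [parse_entry(l) for l in (
    "permit tcp host 198.51.100.7 any eq 22",      # one workplace address
    "permit tcp 10.17.12.0 0.0.0.255 any eq 22",   # the internal subnet
    "deny ip any any",
)]

if __name__ == "__main__":
    for src in ("198.51.100.7", "10.17.12.44", "192.0.2.99"):
        print(src, "unfiltered:", vty_allows(None, src, "192.0.2.1"),
              "with ACL 101:", vty_allows(ACL_101, src, "192.0.2.1"))
```

Running it prints that 192.0.2.99 (an outside address) reaches port 22 when no access-class is applied and is denied once ACL 101 is on the line. The model does not cover the dynamic (lock-and-key) entries in nosx's knock configuration; those add a time-limited entry on successful authentication and otherwise evaluate the same way.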

nschlutter

join:2003-02-07
Osseo, MN
reply to Network Guy
Another option is to enable some of the enhanced security features mentioned in this document

Basically these features allow you to deny logins after a certain number of failed logins as well as insert a delay between login attempts.

The quiet-mode can be accomplished with the commands:

login block-for X attempts Y within Z

An access-list can also be created that allows logins from certain network(s) during the quiet-mode time. The configuration for this looks like:

login quiet-mode access-class ACL

The delay is accomplished with the command:

login delay X

I wrote a blog post about this as well if you're looking for a slightly more wordy version
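To make the quiet-mode behaviour concrete, here is an added Python simulation (not Cisco's implementation and not from nschlutter's post or blog) of `login block-for X attempts Y within Z` together with a `login quiet-mode access-class` exemption. It runs a constructed sequence of login attempts through the rules: three failures inside the window switch the router into quiet mode for X seconds, during which even a correct password from a non-exempt source is dropped, while an address covered by the exempt network still gets in. The exempt network and all addresses are constructed; `login delay` is not modelled.

```python
"""Added example (not Cisco's code): a model of the IOS `login block-for X attempts Y
within Z` quiet mode and its `login quiet-mode access-class` exemption, driven by
a constructed sequence of login attempts. `login delay` is not modelled."""
import ipaddress
from collections import deque
from typing import Deque, Iterable, List, Optional


class LoginGuard:
    def __init__(self, block_for: int, attempts: int, within: int,
                 quiet_mode_exempt: Iterable[str] = ()):
        self.block_for = block_for          # X: seconds of quiet mode
        self.attempts = attempts            # Y: failures that trigger it
        self.within = within                # Z: window (seconds) for those failures
        self.exempt = [ipaddress.ip_network(n) for n in quiet_mode_exempt]
        self.failures: Deque[float] = deque()   # timestamps of recent failures
        self.quiet_until: Optional[float] = None
        self.log: List[str] = []

    def in_quiet_mode(self, now: float) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def _is_exempt(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.exempt)

    def attempt(self, now: float, src: str, credentials_ok: bool) -> str:
        """Return "quiet-mode", "accepted" or "rejected" for one login attempt."""
        if self.in_quiet_mode(now) and not self._is_exempt(src):
            self.log.append(f"t={now:.0f} {src}: dropped, quiet mode until t={self.quiet_until:.0f}")
            return "quiet-mode"
        if credentials_ok:
            # The failure window is left untouched on success in this simulation.
            self.log.append(f"t={now:.0f} {src}: login accepted")
            return "accepted"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()     # keep only failures inside the Z-second window
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"t={now:.0f} {src}: {self.attempts} failures within "
                            f"{self.within}s, quiet mode on for {self.block_for}s")
        else:
            self.log.append(f"t={now:.0f} {src}: login failed "
                            f"({len(self.failures)}/{self.attempts})")
        return "rejected"


# Constructed scenario: `login block-for 120 attempts 3 within 60`, with the
# internal subnet exempted via `login quiet-mode access-class` (hypothetical ACL).
SCENARIO = [
    (0,   "198.51.100.9", False),   # dictionary attack from outside
    (10,  "198.51.100.9", False),
    (20,  "198.51.100.9", False),   # third failure inside 60s -> quiet mode
    (30,  "198.51.100.9", True),    # right password, still dropped
    (30,  "10.17.12.5",   True),    # exempt internal host still gets in
    (150, "198.51.100.9", True),    # quiet mode expired
]


def run(scenario=SCENARIO) -> List[str]:
    guard = LoginGuard(block_for=120, attempts=3, within=60,
                       quiet_mode_exempt=["10.17.12.0/24"])
    results = [guard.attempt(t, src, ok) for t, src, ok in scenario]
    for line in guard.log:
        print(line)
    return results


if __name__ == "__main__":
    run()
```

The window check matters: failures spaced more than Z seconds apart never accumulate to Y, so a slow scanner is not blocked by this feature alone, which is why it complements rather than replaces the VTY access-class discussed earlier in the thread.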

Network Guy
Premium
join:2000-08-25
New York
kudos:2
Interesting you post this now. I'm reading a Cisco Press book to get my CCNA Security and I just read past this very same topic explaining that command.

Cool stuff

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to nschlutter
Thanks for that as well, nschlutter.

Cisco refers to the second feature as “quiet mode” and also includes an option to specify an access-list which is exempted during the block period.

The second line of configuration will reference the access-list created above to never block the specified networks.

A bit vague, then again some stuff on how Cisco does it is vague... till you put it into practice. I'm not referring to the way you write it up nschlutter, it's just personal experience with the way Cisco writes up the way their commands (are supposed) to work.

Also, a bit of a personal gripe... why'd it take Cisco till 12.4T to introduce this command...

Regards