View the full version: somebody hacking my router on ssh



KGy
30-04-2007, 10:28
Hi. Sorry for my English.

Yesterday somebody tried to log in to my router over ssh. I would like to use iptables to solve this problem.

Drop tcp packets if:
state new
and
time limit: 300 seconds
and
packets: 4 (4 where state=new)

I read this code somewhere, but it is not working:



iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP


iptables: No chain/target/match by that name

I tried to solve the problem with:


iptables -I SECURITY -p tcp --dport 22 -i ppp0 -m state --state NEW -m limit --limit 300/second --limit-burst 4 -j DROP


Oleg, please check this: is this the command to do what I want?
Thanks, George

viktike
30-04-2007, 15:25
Same problem. Someone is trying to hack my router as well. I traced the IP addresses at www.dnsstuff.com and found out that the attacks come from China and Japan, but not always from the same address.

By the way,
they can't hack it; the login attempts failed according to the system log. So I just ignore them. (I have a strong password.)

KGy
30-04-2007, 19:33
[admin@MYROUTER init.d]$ passwd
Changing password for admin
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
[admin@MYROUTER init.d]$

The password length is 8 characters and I think it is not strong enough (against a brute-force attack).

George

al37919
30-04-2007, 20:17
The password length is 8 characters and I think it is not strong enough (against a brute-force attack).

If you use 8 lower/upper case Latin letters + numbers, you have (26+26+10)^8 = 218340105584896 combinations.

Taking into account that the time between attempts is 2-4 sec, it will take at least 13847038 years to check all possible combinations to get your root password.

So be sure that you use an 8-character, non-dictionary-based password, and you can be relatively calm about this situation.

However, I agree, it is unpleasant.

Normally this problem is resolved by tcpwrappers. This library provides easy access control using the /etc/hosts.allow and /etc/hosts.deny files. However, all the packages in the optware/oleg feed are compiled without tcpwrappers support. I don't know why. IMHO this default behavior should be changed.

Don't miss that if you use this method (ipt_recent), it would actually mean that if somebody is trying to access your ssh daemon in an unwanted manner, then the firewall denies ssh access for everybody (including you).

Do you remember that you have to install the module:
insmod ipt_recent
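As an added example (not code from the thread or from either poster), the following Python script models what the two ipt_recent rules from George's first post actually do on the packet path, using the --seconds/--hitcount semantics of the kernel's recent match, and prints the ruleset it models. Assumptions are mine: the WAN interface is ppp0 as in George's second attempt, the list is given an explicit name "SSH", the window is 60 seconds and the hitcount 4 as in the posted rules, the rules are inserted with -I in the posted order (so the --update/DROP rule is evaluated before the --set rule), and the sample attempt log is constructed, not captured. The model keys the timestamp list by source address, which is how the recent match stores its entries.

```python
"""Model of the iptables 'recent' match as used to throttle SSH brute force.

Added example, not from the forum thread.  Assumptions (mine):
  - WAN interface ppp0, list name "SSH", 60 s window, hitcount 4
  - rules inserted with -I in the posted order, so --update/DROP runs first
  - the router has the ipt_recent module loaded (insmod ipt_recent)
"""
from collections import defaultdict

WAN_IF = "ppp0"
SECONDS = 60
HITCOUNT = 4


def ruleset(wan_if=WAN_IF, seconds=SECONDS, hitcount=HITCOUNT):
    """The two rules from the thread, with an explicit --name so the list
    is not shared with other 'recent' rules.  Both use -I, so the second
    command ends up first in INPUT."""
    base = (f"iptables -I INPUT -p tcp --dport 22 -i {wan_if} "
            f"-m state --state NEW -m recent --name SSH")
    return [
        f"{base} --set",
        f"{base} --update --seconds {seconds} --hitcount {hitcount} -j DROP",
    ]


class RecentList:
    """Per-source timestamp list following xt_recent semantics:
    --set always records a timestamp; --update records one only when the
    rule matches (address already listed and at least `hitcount` stamps
    inside the window).  That refresh is what keeps a source blocked for
    as long as it keeps trying."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def update(self, src, now):
        """True when the --update rule matches, i.e. the packet is dropped."""
        if src not in self.stamps:
            return False
        recent = [t for t in self.stamps[src] if now - t <= self.seconds]
        if len(recent) >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False

    def set(self, src, now):
        """--set: unconditionally record this packet for the source."""
        self.stamps[src].append(now)


def evaluate(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Walk NEW connection attempts [(time_s, src_ip)] through INPUT in
    -I order: --update/DROP first, then --set.  Returns a list of
    (time_s, src_ip, verdict) with verdict 'DROP' or 'PASS'."""
    table = RecentList(seconds, hitcount)
    verdicts = []
    for now, src in attempts:
        if table.update(src, now):
            verdicts.append((now, src, "DROP"))
            continue
        table.set(src, now)
        verdicts.append((now, src, "PASS"))
    return verdicts


# Constructed sample: a scanner opens a new SSH connection every 3 s for
# 30 s, the owner connects once from another address, and the scanner
# returns after more than 60 s of silence.
SCANNER, OWNER = "203.0.113.7", "198.51.100.2"
SAMPLE = sorted([(t, SCANNER) for t in range(0, 30, 3)]
                + [(10, OWNER), (90, SCANNER)])

if __name__ == "__main__":
    for rule in ruleset():
        print(rule)
    for when, src, verdict in evaluate(SAMPLE):
        print(f"t={when:3d}s {src:15s} {verdict}")
```

Running it shows the fourth attempt from the scanner still passes and the fifth onwards are dropped, the owner's single connection is unaffected because the list is per source address, and the scanner's attempt at t=90 s passes again because all of its stamps have aged out of the 60 s window. Use `--hitcount 4` with this ordering if you want four attempts allowed and the fifth dropped; with -A (so --set runs before --update) the fourth attempt would already be dropped.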

KGy
30-04-2007, 21:37
Thanks. I will try the ipt_recent module.

George