
Thread replies: 40
Thread images: 1

File: OpenWrtPuTTY.png (14KB, 826x413px)
As many of you have probably noticed, when you attach an ssh server to the internet on port 22 you almost instantly start getting attacked by bots.

As far as I can tell they'll go after default logins. One I see a lot is for the user "pi".

What the hell are the people running this stuff trying to achieve?

Has anyone found out anything interesting from setting up a honeypot?
>>
Pi is kodi for the raspberry pi which you can ssh into
>>
>>55855674

Who connects a fucking raspberry pi to the internet directly with a dedicated IP address
>>
>>55855761
Stupid people...and then they get pwned instantly apparently.
>>
>>55855761
Who uses port 22?
>>
>>55855924
changing ports doesn't actually do anything

pretty sure you can just nmap anyway
>>
what can I do if I ssh into a server as root and want to do as much damage as possible?
>>
>>55855980
it does a lot in terms of those automatic scans. Even throwing port 22 requests out there is already quite intensive when you try to map the internet, forget about nmapping every device.
>>
>>55856000
rm -R / --no-preserve-root

Doesn't get easier than that.
>>
>>55855980
You'd have to script for thousands of ports, hackers aren't stupid, they're lazy and looking for easy targets.
>>
>>55856072
you can easily try every port from 1 to 100000 in parallel
>>
>>55856100
That would take 100,000 times more computational work.
>>
>>55856100
or you can try device 1 to 100000 in parallel
>>
>>55855980
It deters those that just use a script. No, there aren't that many that use a script that finds the proper SSH port either. In fact, across like 7 or so servers that I've changed the SSH port to, none of them get touched afterwards.

Then again the proper way to set it up is to only allow pubkey auth outside your network.
>>
>>55856000
Find some dirty info on it and see if you can ransomware it afterwards
>>
>>55856100
>you can easily try every port from 1 to 100000 in parallel
No, (You) can. Let me know if you come up with anything.
>>
>>55856000
Install Gentoo.
>>
>>55856100
*1 to 65535
>>
I got a VPS that's constantly attacked by Chinese IPs. It runs a proxy server that has an ACL for just my ISP and has iptables rules for SSH attacks. The mysql server gets attacked quite often but I disabled root login on that.
I also run an email server on it but it hasn't been attacked (yet) and I have no protection.

What else should I do to prevent myself from attacks?
>>
>>55856282 Disable password login or use fail2ban.
>>
>>55856311
Yeah, I'm probably going to install fail2ban; I forgot about that
>>
>>55856282
1. Not sure if you have, but run mysql_secure_installation and do the steps required.
2. Require public key authentication only.
3. Change SSH port; it will deter automated scripts from attempting access, one single thing to change that will clear up your logs quite a bit.
4. If you have specific bots trying to access junk on some services look at fail2ban, maybe write custom filter/jails for it.
5. Minor MySQL thing, but only make users for specific databases and only give them control over that DB so as not to lose everything in your instance.

That's some stuff off the top of my head.
>>
>>55856373
Also, you do not need fail2ban to rate limit; you can do that with iptables, by the way.
>>
>>55856373
Oh, and set up automated security updates if you haven't already for whatever distribution you're using. Keep the software for your email junk up to date, especially if you have a webmail frontend.
>>
>>55856181
>Then again the proper way to set it up is to only allow pubkey auth outside your network.

pubkey only, different port, no root login, and fail2ban
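An added example, not from any poster in this thread: a small audit of an sshd_config against the settings this post lists (pubkey only, different port, no root login), run on constructed sample configs. fail2ban is a separate daemon and is not checked here.

```python
import re

# Constructed sample configs, not from any real host. The first is the usual
# distribution default; the second is what the posts above recommend.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# PAM keyboard-interactive is a password prompt too, so turn it off as well
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# keyword -> (wanted value, sshd's own default when the keyword is absent)
WANT = {
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
    "pubkeyauthentication": ("yes", "yes"),
}

def parse_sshd_config(text):
    """Global section only. sshd keeps the FIRST value it sees for a keyword,
    keywords are case-insensitive, and everything after a Match line is
    conditional, so the audit stops there instead of merging it in."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = [f"{key} is {cfg.get(key, default)} (want {want})"
                for key, (want, default) in WANT.items()
                if cfg.get(key, default) != want]
    if cfg.get("port", "22") == "22":
        findings.append("port 22: moving it only cuts scanner noise, it is not a control")
    return findings
```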
>>
>>55856418
>>55856400
>>55856373
Thanks for the info
>>
>>55856480
Np mate, good luck.
>>
>>55856400
Not him, but you seem knowledgeable, I blocked China's entire IP range in /etc/hosts. Was this retarded? All nuisances seem to come from China.
>>
>>55856512
nah, they deserve it

russia is another contender
>>
>>55856526
>tfw russian and websites won't allow you to visit, especially if something can be bought

can't really blame them though
>>
>>55855596

Turn off passwords over SSH and you can sleep easy.

Watched a guy run a brute force attack for 40 hours despite having passwords off.

It's sad some of these bots aren't smart enough to give up when they get a key error.
>>
>>55856512
>Not him, but you seem knowledgeable
That's the first time anyone's called me that.

Meh, maybe slightly retarded, but unless you're hosting something publicly for others I wouldn't worry about it at all. After all if it's something you're using personally and you don't plan to go to China then don't worry about it.
>>
>>55856512
you should also block them at the firewall level, too
>>
>>55856512

Probably pointless. Just use fail2ban if you're really concerned.

You are 100% safe with password logins off. Any computer with passwords on is asking to be owned. There is just no good reason to have that on.
>>
>>55855596

Holy shit I just checked my auth.log and found out that some bot in China has been brute forcing my Raspberry Pi every few minutes for the past week, probably longer. Exactly the same IP every time.
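An added example, not this poster's own code, of the check described here: it parses constructed auth.log lines (documentation-range addresses, not real hosts) and flags any source that racks up maxretry failures inside a findtime window, the same rule fail2ban's sshd jail applies before banning.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the syslog-style lines Raspbian/Debian write to
# /var/log/auth.log; the addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Aug  9 03:14:02 raspberrypi sshd[1201]: Invalid user pi from 203.0.113.7 port 51044
Aug  9 03:14:04 raspberrypi sshd[1201]: Failed password for invalid user pi from 203.0.113.7 port 51044 ssh2
Aug  9 03:16:11 raspberrypi sshd[1208]: Failed password for root from 203.0.113.7 port 51090 ssh2
Aug  9 03:18:20 raspberrypi sshd[1215]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Aug  9 03:20:33 raspberrypi sshd[1222]: Failed password for invalid user pi from 203.0.113.7 port 51177 ssh2
Aug  9 03:21:00 raspberrypi sshd[1230]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Aug  9 03:22:45 raspberrypi sshd[1238]: Failed password for invalid user pi from 203.0.113.7 port 51201 ssh2
Aug  9 04:40:00 raspberrypi sshd[1300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

# "invalid user" is optional: sshd omits it when the account exists (e.g. root).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2017):
    """Yield (timestamp, user, ip) per failed-password line; syslog has no year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def brute_force_sources(log_text, maxretry=5, findtime_s=600):
    """Return {ip: sorted usernames tried} for every source with at least
    `maxretry` failures inside some window of `findtime_s` seconds."""
    stamps, users = defaultdict(list), defaultdict(set)
    for ts, user, ip in parse_failures(log_text):
        stamps[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most findtime_s
            while (times[end] - times[start]).total_seconds() > findtime_s:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = sorted(users[ip])
                break
    return flagged
```

The "Invalid user" and "Accepted publickey" lines are deliberately left unmatched: only failed password attempts count toward the threshold, so a key-only host that never fails a password stays quiet.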
>>
>>55856979
yup, get a firewall solution and block them there
>>
fail2ban
a
i
l
2
b
a
n
>>
I used to get up to ten bots going over a list of usernames on my server before I installed knockd. Unless you're curious as to how bots work these days go and set that up.
>>
>>55856014
No scanning for available NAS to delete things from? No scanning for other hosts in general? No searching for ssn.txt?
>>
>>55857000
This