Block those pesky SSH logins

Status
Not open for further replies.

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
Hi everyone,

I have a FreeNAS box that I wish to access from the internet via SSH, so I have enabled port forwarding to port 22. It works perfectly, but I am seeing a ton of login attempts from automated scanners.

So, being a developer, I wrote a little script that scans auth.log and generates the appropriate firewall rules.

Please check it out here and give me some feedback: https://github.com/mwulffn/freenas-firewall

On my box it generates the following firewall rules:
#!/bin/sh
ipfw -q flush
ipfw -q add 65510 deny all from 95.167.180.114 to any
ipfw -q add 65511 deny all from 94.84.218.16 to any
ipfw -q add 65512 deny all from 133.242.229.144 to any
ipfw -q add 65513 deny all from 14.63.168.193 to any
ipfw -q add 65514 deny all from 221.230.54.115 to any
ipfw -q add 65515 deny all from 211.202.2.162 to any
ipfw -q add 65516 deny all from 32.65.254.70 to any
ipfw -q add 65517 deny all from 58.186.109.178 to any
ipfw -q add 65518 deny all from 61.147.74.149 to any
ipfw -q add 65519 deny all from 176.74.184.233 to any
ipfw -q add 65520 deny all from 61.147.116.51 to any
ipfw -q add 65521 deny all from 185.5.96.173 to any
ipfw -q add 65522 deny all from 222.189.239.124 to any
ipfw -q add 65523 deny all from 108.171.246.242 to any
ipfw -q add 65524 deny all from 186.215.158.70 to any
ipfw -q add 65525 deny all from 61.142.106.34 to any
ipfw -q add 65526 deny all from 1.93.49.226 to any
ipfw -q add 65527 deny all from 37.48.67.20 to any
ipfw -q add 65528 deny all from 200.86.77.227 to any
ipfw -q add 65529 deny all from 212.146.83.246 to any
ipfw -q add 65530 deny all from 5.39.35.82 to any
ipfw -q add 65531 deny all from 222.189.239.75 to any
ipfw -q add 65532 deny all from 222.189.239.70 to any
ipfw -q add 65533 deny all from 222.189.239.72 to any

I am now looking for suggestions on how to best integrate my script with freenas.

Ohh, and btw this is my first Python program ever, so be nice. :)
 

warri

Guru
Joined
Jun 6, 2011
Messages
1,193
Looks useful since we haven't got fail2ban or some equivalent. I might give it a try when I find some more time. Thanks for sharing!

Btw, if you use a non-standard port for your SSH you get a lot less automated login attempts.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Sir, only an idiot exposes ssh port 22 to the WAN from the home.

Automatically, every Chinese and Russian hacker will pound the shit out of your network.

Move your ssh to a non-standard port, and it will be quiet from hacking attempts.

EDIT: I see Warri already said this. I strongly second the motion.
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
@Warri - I would have loved to have fail2ban as standard in FreeNAS, but sometimes it's just fun to roll your own. :)

@Dusan - thanks for the heads-up, I'll think about whether to improve my own or switch to fail2ban.

@Nindustries - you're right that this will lead to a ruleset that grows linearly over time. I had planned to not add rules for IP addresses that haven't attacked for some time, to keep the ruleset down. But Rome was never programmed in one night :)

I agree with your point about moving to a non-standard port, but that does have the drawback of being a problem for my remote users. They're mighty miffed that I require SSH and the "cryptojello thingy" of them; port numbers might just send them screaming.

@DrKK - now, calling somebody an idiot in public won't win you many friends, but I do realize that you mean well. As for Russian/Chinese hackers pounding the shit out of me: so far attempts have been made to log in from 45 IP addresses over a 1 week period. I see root attempts every 30-40 minutes or so; this does not constitute "getting the shit pounded" in my opinion.

As for the SSH service itself, I have mine set up to disallow root login. Users have highly complex passwords that defy simple dictionary attacks, and so far no hacker has even guessed a username on the box. So I ask: what service/sharing method in FreeNAS is more suitable to being exposed to the public than SSH? What is more secure and more hardened than SSH?
 

Nindustries

Patron
Joined
Jun 12, 2013
Messages
269
What service/sharing method in FreeNAS is more suitable to being exposed to the public than SSH? What is more secure and more hardened than SSH?
The most secure way to connect to any device on a network from the internet is to set up a VPN to it and use SSH with key authentication. That's how I am going to do it.
Also saves your clients a lot of hassle from the login-monster!
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
I have been thinking about going the VPN route. That requires VPN client configurations and so on, but it might be worth looking into. It would also move the job of maintaining security to my router, so it becomes a question of whether I trust FreeNAS/FreeBSD more than I trust an ASUS router. I think I might prefer the security of FreeNAS over ASUS.

I would also have to do some poking around with different networks there as a VPN could expose my internal network and not just the FreeNAS box. But that is a solvable problem.

Key authentication might be a good idea if I can get keys distributed securely, the advantage of the password is that I can tell people over the phone.

But as with any service there are a set of compromises and circumstances that should be considered.
 

jonnn

Explorer
Joined
Oct 25, 2013
Messages
68
I may be wrong, but wouldn't it be quite the opposite? A VPN would effectively remove your router from being responsible for security (at least on that particular VPN).
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
@jonnn A VPN client requires some kind of "VPN server" to connect to. So I can either use the built-in VPN server in the ASUS router or I can set up a dedicated VPN server somewhere on my network. But something, somewhere, has to listen on a port connected to the public internet.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
Isn't that going to give you a huuuge ruleset after a while?
ipfw has a solution for this called lookup tables. You need only one rule, e.g.:
ipfw add 100 deny all from table(1) to any
And then you just add the IPs to the lookup table:
ipfw table 1 add 95.167.180.114
ipfw table 1 add 94.84.218.16
ipfw table 1 add 133.242.229.144
...
Lookup tables are very efficient and can easily handle several thousands of entries.
Is that supported from the GUI?
No, but the OpenVPN binary is present on the FreeNAS USB stick, so you don't need to install anything. Here's a guide on how to set it up: http://joepaetzel.wordpress.com/2013/09/22/openvpn-on-freenas-9-1/
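Putting the two ideas in this thread together (the OP's script that scans auth.log for failed logins, and Dusan's suggestion of a single ipfw rule backed by a lookup table), here is an added example of how such a generator can be written. It is not the OP's script from the GitHub link and not part of the thread; the log lines, the "current time", the allowlisted network and the rule/table numbers are all constructed for the example. It also adds two things the thread only talks about: addresses age out of the table after a window (so the ruleset stops growing forever), and your own networks are never blocked (so a mistyped password from a remote user can't lock you out).

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# One "Failed password" line per rejected attempt, as OpenSSH logs it through
# syslog (the timestamp carries no year). Only IPv4 is matched: the assumption
# here is a FreeBSD 9.x ipfw whose tables hold IPv4 prefixes.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog_ts(ts, now):
    """Syslog stamps have no year: assume the current one, and step back a
    year if that would put the event in the future (December lines read in
    January)."""
    stamped = datetime.strptime(f"{now.year} {ts}", "%Y %b %d %H:%M:%S")
    if stamped > now:
        stamped = stamped.replace(year=now.year - 1)
    return stamped


def offending_ips(lines, now, threshold=3, max_age=timedelta(days=7), allowlist=()):
    """Count failed logins per source address inside the max_age window and
    return {ip: count} for the addresses at or above threshold. Networks in
    allowlist (your own users) are never counted."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        if now - parse_syslog_ts(m["ts"], now) > max_age:
            continue  # stale: old attackers age out instead of piling up
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in allowed):
            continue
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def ipfw_script(blocked, table=1, rule_no=100):
    """Render an sh script: one deny rule that consults the lookup table,
    then one 'table add' per address, instead of one numbered rule each."""
    out = [
        "#!/bin/sh",
        f"ipfw -q delete {rule_no} 2>/dev/null",  # keeps reruns idempotent
        f"ipfw -q table {table} flush",
        f"ipfw -q add {rule_no} deny all from 'table({table})' to any",
    ]
    for ip in sorted(blocked, key=ipaddress.ip_address):
        out.append(f"ipfw -q table {table} add {ip}")
    return "\n".join(out) + "\n"


def build_script(log_text, now, **kwargs):
    """Convenience wrapper: auth.log text in, ipfw shell script out."""
    return ipfw_script(offending_ips(log_text.splitlines(), now, **kwargs))


# Constructed sample auth.log (documentation address ranges) and a fixed
# "current time" so the run is reproducible.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:05 freenas sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan 12 03:14:09 freenas sshd[1234]: Failed password for root from 192.0.2.10 port 51235 ssh2
Jan 12 03:14:12 freenas sshd[1237]: Invalid user oracle from 192.0.2.10
Jan 12 03:14:13 freenas sshd[1237]: Failed password for invalid user oracle from 192.0.2.10 port 51236 ssh2
Jan 12 07:40:00 freenas sshd[1300]: Failed password for michael from 203.0.113.5 port 40001 ssh2
Jan 12 07:40:30 freenas sshd[1301]: Accepted publickey for michael from 203.0.113.5 port 40002 ssh2
Jan 12 08:00:00 freenas sshd[1400]: Failed password for root from 198.51.100.7 port 2222 ssh2
Jan 12 08:00:01 freenas sshd[1400]: Failed password for root from 198.51.100.7 port 2222 ssh2
Jan 12 08:00:02 freenas sshd[1400]: Failed password for root from 198.51.100.7 port 2222 ssh2
Dec 20 22:00:00 freenas sshd[900]: Failed password for root from 198.51.100.99 port 3333 ssh2
Dec 20 22:00:01 freenas sshd[900]: Failed password for root from 198.51.100.99 port 3333 ssh2
Dec 20 22:00:02 freenas sshd[900]: Failed password for root from 198.51.100.99 port 3333 ssh2
"""
NOW = datetime(2014, 1, 13, 12, 0, 0)
MY_NETWORKS = ["203.0.113.0/24"]  # assumed: where the legitimate users come from

if __name__ == "__main__":
    print(build_script(SAMPLE_AUTH_LOG, NOW, allowlist=MY_NETWORKS), end="")
```

On the sample above the script blocks 192.0.2.10 and 198.51.100.7 (three failures each inside the week), ignores the single typo from the allowlisted 203.0.113.5, and drops 198.51.100.99 because its December failures are older than the window. The generated script deletes and re-adds rule 100 and flushes table 1 on every run, so it can be rerun from cron without duplicating rules.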
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Running a VPN and all that other jazz is, of course, very well and good and provides a lot of security...but if you're just looking to have a little ssh server you can log into on your box, and you're not overly paranoid, simply put the server on port 50129 or something (in the United States, I tell people to use the zip code of a family member---that's usually a valid, ephemeral, port that will be safe from most hacker scans). Sure, anyone snooping traffic when you're out and about will see that you're logging in to something on port 50129, but to be honest, in an environment of tens of thousands/millions of Aunt Sally's and morons that don't secure their stuff on default ports, there's really no incentive at all to go after some guy with a server listening on port 50129, who obviously knows what he's doing.

Or, you can use a VPN. :)

I find people are ridiculously paranoid. The mildest security precautions (moving WAN-exposed services to ephemeral ports, for example) make you, already, in the top 1% hardened targets on the internet, and hence there is an incentive for a random h4x0r to just move on to the next IP address. Unless you're being personally targeted, in which case all of the security precautions in the world are probably of no help. In fact, overly-zealous security draws attention to the fact that you might have something interesting to hack at.

Just another opinion. My vote is: Just move your SSH service listening port to something absurd, and call it a day.
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
I have been throwing ideas back and forth with my wife, and we've decided to move SSH because it is a good suggestion and DrKK's reasoning seems to be sound. But now my inner geek just wants to improve my Python script and turn it into something useful for FreeNAS.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I know you don't like DrKK's response, but nobody that gives two hoots about security runs SSH on port 22. That is "just stupid" to steal DrKK's words. Choose any random port >1024 and your chances of attack drop drastically.

The "best" if security is a concern is to use a VPN (as has been mentioned already). I made a pfsense box and run my VPN through that (among other packages). I don't trust 3rd party companies as routers anymore as they are all a big bag of f*ck when it comes to security. If you read some of their security reports they do so many things wrong that amateur programmers should get right, it is disgusting that people are even charged for that kind of quality.

Ever heard of gaining admin privileges on routers without authenticating? Most of the major brands have had those problems! For that reason I'm strictly pfsense now. Besides, all the bonus software packages offered with pfsense (and the 2 orders of magnitude increase in performance) were nice.
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
Just to clarify, I didn't like being called an idiot. But I did agree with his suggestion. Calling people idiots rarely gets any good response.

Also my post should imply that I do take security seriously. I disabled root login and monitored activity to see what was happening and prevent the worst problems.

But you are right about routers having security problems. I have not heard of any particular problems with my ASUS N-66 something. But it could happen, so maybe it's time to look at pfsense. What can run pfsense that is completely quiet and uses almost no power at all?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Shut up you idiot. :)

I think you do take it seriously, hence your questions. It's more that you've shown you are a noob in this small part of security. I think it's good you are asking and I think it's good that you are seeing the light and changing your ways.

Here's my pfsense build. Benchmarking it, I am "limited" to just 300Mb of throughput to the internet (if I ever get that high). I'm getting 105Mb right now, so maybe in a few years I'll be forced to upgrade. Uses 13W at the wall on full load. If you just blindly buy this hardware you'll end up with a very kick-a** setup for home use! It wouldn't necessarily be great in a business with 50+ machines since it's an Atom, but Atoms are more than sufficiently powerful for home use. My latency has also dropped significantly for MMORPG gaming!

pfsense:

case & PSU ($69): http://www.mini-box.com/M350-enclosure-with-picoPSU-80-and-60W-adapter
MB & CPU with dual onboard Intel NICs ($105): http://www.mini-box.com/MITAC-PD12TI-D2500CCE-Mini-ITX-Motherboard

I reused some spare laptop RAM. But 2GB of DDR3 SO-DIMM is overkill (I'm using a whole 300MB right now).

I also used an old hand-me-down SSD since it was 30GB and not useful for anything else. I'd recommend whatever cheap SSD you can get that is reliable for long term use. There's literally no writes made to the drive, so even an old SSD with 10% life remaining will be perfect. I'm using one of those REALLY REALLY sh*tty 1st gen SSDs that could do only 3 writes per second or something and despite that it performs very well. Updating pfsense, installing packages and such are a little slower than I'd like, but they don't take absurdly long to complete.

The system has no fan, so is completely silent. My CPU at full load runs about 45C and idle is about 38C. I've built many of these for friends with the exact same hardware with no fan and never had any reason to wish we added one. If you want a fan... http://www.mini-box.com/Top-Motor-40x4010mm-Case-Fans

There are cool wall mounts and monitor mounts if you are compelled to use one. http://www.mini-box.com/Accessories

Keep in mind you will have no wifi with this setup. So you can either turn your Asus into a hotspot (if supported) or you can buy yourself a kick-a** wifi to match your kick-a** router! Here's what I have. Yes, that thing is probably an order of magnitude more powerful than your current router. :)
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
Thank you idiot ;)

First you make me spend $2000 on my NAS, just because I read and understood/agreed with your posts on hardware. Now you point out that my router needs to be replaced by a nice pfsense box that will cost even more money.

I would like to find an Atom board with a built-in wifi antenna so I could have it all in one box. I'm off to do some research. :)
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
Hahaha ... this "Idiot-party" just reminded me of THIS scene from Bulletstorm :D

Anyway, you can keep the SSH on port 22 on the NAS and just use another port for your connection from the outside world. Then just forward <whatever> to 22 on your router. Even the most stupid SOHO router knows how to forward ports these days.
Also do not connect as root. Create another user with limited rights and allow it to "su" to root (or "sudo"). Also you might disable password login and use key-only instead.
If your router is supported by OpenWRT or DD-WRT then GO for it. If not, then for an additional security "layer" you will probably need to invest some $$$. You don't need to go straight for pfsense like cyberjock advised. Take a look at RouterBoards. These are small and very powerful Linux-based boxes with (almost) every network-related *thing* you might want to use. Since I have been using these babies (a couple of years), I will never use SOHO plastic routers again ... :D
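The sshd-side hardening that comes up across this thread (no root login, key-only authentication, a non-default listening port) maps onto a handful of sshd_config directives. This fragment is an added example, not from any post or from the FreeNAS project; the port number is the one DrKK used as an illustration, and the user name is a placeholder.

```text
# sshd_config fragment (added example, not from the thread)
Port 50129                          # non-default port; forward it on the router
PermitRootLogin no                  # log in as an unprivileged user, then su/sudo
PubkeyAuthentication yes
PasswordAuthentication no           # key-only: dictionary attacks have nothing to guess
ChallengeResponseAuthentication no  # also closes the keyboard-interactive path
AllowUsers alice                    # placeholder: list only the accounts that should log in
```

With PasswordAuthentication and ChallengeResponseAuthentication both off, a scanner's failed attempts stop producing "Failed password" lines at all; each unauthorised connection is simply closed at the key exchange, and AllowUsers rejects every account name not on the list before any credential is examined. Remote users then connect with `ssh -p 50129 alice@host` and their key pair, so the password-over-the-phone problem mentioned above turns into a one-time key distribution problem.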
 