Constant Hacking Attempts

Status
Not open for further replies.

sapper

Dabbler
Joined
Feb 18, 2013
Messages
21
Hey all.

I seem to be having an issue with Chinese hackers. It seems all day every day for the past week my FreeNAS server has been under a brute force SSH attack. I have SSH disabled at the moment because of it, but they keep pushing. They have run through port after port after port using various passwords and usernames. It seems as though it's all coming from 8 or 9 IP addresses in total though. Is there any way to ban the IP addresses?
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Seriously.. Why is your FreeNAS box accessible to the public? Your first step should be locking things down to the outside world until you can get things under wraps. I'm not sure what FreeNAS has for a built-in firewall, but a good second step would be to start using Google to find out how to configure it.

There are a number of options for blocking IP addresses depending upon how far you want to go. I'm new to FreeNAS but with my Linux servers it is trivial to block brute force attempts coming from a small number of IP addresses. With UFW you can use the "limit" command to automatically ban IPs after a certain amount of failed attempts.

What sort of router do you have?
I am running pfSense which has a package called pfBlocker; I block all traffic to and from Asia. Problem solved (kind of).
Depending upon your router firmware you can block a country's IP address range entirely (my preferred method) or those specific IPs. Look into DD-WRT or similar, but you should seriously consider why you have that box open to the internet in the first place.

More information on your setup would help.
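
An added illustration of the "ban after a certain amount of failed attempts" idea from the reply above; it is not code from any poster or from FreeNAS. It assumes OpenSSH-style `Failed password` syslog lines, and the log lines, host name, addresses and the `offenders` helper are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (documentation-range IPs, made-up host and users).
SAMPLE = """\
Mar 10 03:14:01 nas sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 03:14:03 nas sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 03:14:06 nas sshd[4102]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar 10 03:20:00 nas sshd[4110]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 10 09:00:00 nas sshd[4200]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Mar 10 09:45:00 nas sshd[4210]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 11:30:00 nas sshd[4220]: Failed password for root from 198.51.100.7 port 40004 ssh2
""".splitlines()

# Matches sshd "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)

def offenders(lines, max_failures=3, window_s=600, year=2013):
    """Return sorted source IPs with >= max_failures failures inside window_s seconds."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(m["ip"])
    return sorted(flagged)

if __name__ == "__main__":
    for ip in offenders(SAMPLE):
        print(ip)                 # candidates for a router or firewall block list
```

The sliding window matters: the second address fails three times too, but hours apart, so it is only flagged when the window is widened.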
 

sapper

Dabbler
Joined
Feb 18, 2013
Messages
21
First off, it's not open to the public in the sense of open access. It never has been. I do occasionally log into it from outside of my home (I'm testing the system and at present it has nothing on it) so the admin panel login page is accessible but requires the username and password to gain access so yes, port 80 on my router is forwarded to the FreeNAS box. SSH is turned off and the only other service running is SMB which is locked down to all IPs other than another box I have running within the house.

As for a router - I'm on an Apple Time Capsule
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Opening the webadmin to the outside world is something you should never do IMO. You could do way too many things through it (even root console). On top of that, the login only requires a simple username/password scenario, which is really weak compared to a typical certificate-based login.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
If you want to play around with the admin panel while working remotely, you should consider VPN (most secure) or use a different port other than 80 to hit your outside network... NEVER leave it open to the WAN, that is asking for trouble.
 

JaimieV

Guru
Joined
Oct 12, 2012
Messages
742
With the Apple router, you can pick any external port and route it to your internal FreeNAS port 80 - this alone would help massively. But as per everyone else, allowing external access to the web GUI is a terrible idea.

The Apple routers don't support hosting a VPN unfortunately, so you'd need to set up a VPN endpoint yourself to do that. If you have Macs on the inside, why not use Back To My Mac screensharing from outside to get to a home machine and access the FreeNAS from a browser there? That's all encrypted and secured.
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Another option could be to leave TeamViewer running on another machine and connect to that machine to access your internal network. Opening up ports opens machines to the internet and is the last thing you want to do if there are other options available. If you want to check on your FreeNAS box away from home, set up some email reporting. VPN is the best option, but if your router doesn't support it something like TeamViewer is another good step. You might want to consider upgrading your router and using the Apple box as an AP.
 

Caesar

Contributor
Joined
Feb 22, 2013
Messages
114
Most routers allow you to open ports for allowed IPs only. If you only access this from work, rather than blocking these attack IPs just add your work's IP to the allowed list. I would also set up your router to listen on another port besides 80. Don't use any other common port either. If you're worried about remembering the port, use something that you know like your zip code or address. You can pick any number between 0 and 65535.
 