BlueWyvern Posted February 17, 2014 Hi Guys, I am having an issue with SSH brute forcers and have now been auto-blocking anywhere between 14 and 22 IPs a day. Is there any pre-compiled list of known country offenders? I notice the majority of these are China and a few are Russia, but I don't check every IP. Am I stuck either paying for a service or creating the list myself? Thanks!
Mr-Protocol Posted February 17, 2014 What is the external port you are running SSH on? I would change it from the default. I would also disable password authentication and only use key pairs.
BlueWyvern (Author) Posted February 17, 2014 Sadly, the situation requires port 22 and will not allow me to use a username other than admin, without the ability to switch to key pairs at all. Synology Time Backup to an offsite unit. I do have a stupidly strong password on it that would take quite some time to brute force, but still, it's annoying seeing so many attempts every day.
digip Posted February 18, 2014 There are public and paid-for databases of country IP blocks, but they change often, which means constantly updating your list as well, so it becomes a cat and mouse game, and blocking countries will just make them move to proxies or other countries' IPs from nodes they've compromised. If they really want in, they'll keep hammering it if it's sitting on the net, especially if it's known the username is admin only (I guess someone must know it's a "Synology Time Backup" and that's the default or hardcoded username??); it's just a matter of time before the password is hammered out if you can't change the username as well. https://www.google.com/search?num=50&newwindow=1&q=country+IP+block+lists&oq=country+IP+block+lists&gs_l=serp.3..0.477164.477164.0.477784.1.1.0.0.0.0.130.130.0j1.1.0....0...1c.1.35.serp..0.1.129.bVV9eRX054U If you can't change it to key pairs like mentioned above (and port changing really just delays the attack, since a banner grab via nmap or another scanning tool will return an SSH version no matter what port it's on if it's listening on the internet), can you instead create a whitelist of nodes you want allowed vs trying to block each one individually? Not 100% effective, but it might help cut down on the attacks. If you can set rules to block an IP, hopefully you can set a rule or ACL to only accept specific IPs, which might work better for you until you figure out a better solution, like moving it behind another zone/NAT'd device and only accessible over a VPN.
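An added example, not code posted by anyone in this thread, of the auto-block logic the thread describes: tally failed sshd logins per source IP from auth.log lines, exempt the whitelisted network digip suggests (so the offsite backup unit is never locked out), and emit firewall rules for the rest. The log lines, threshold, whitelist range and the iptables rule shape are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines; IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb 17 03:12:01 nas sshd[2101]: Failed password for admin from 203.0.113.10 port 51022 ssh2
Feb 17 03:12:04 nas sshd[2101]: Failed password for admin from 203.0.113.10 port 51023 ssh2
Feb 17 03:12:07 nas sshd[2104]: Failed password for invalid user test from 203.0.113.10 port 51030 ssh2
Feb 17 03:13:40 nas sshd[2110]: Failed password for admin from 198.51.100.7 port 40012 ssh2
Feb 17 03:14:02 nas sshd[2112]: Accepted password for admin from 192.0.2.25 port 39000 ssh2
Feb 17 03:15:11 nas sshd[2115]: Failed password for admin from 192.0.2.25 port 39004 ssh2
Feb 17 03:15:12 nas sshd[2115]: Failed password for admin from 192.0.2.25 port 39005 ssh2
Feb 17 03:15:13 nas sshd[2115]: Failed password for admin from 192.0.2.25 port 39006 ssh2
"""

# Matches both "Failed password for admin from X" and "... for invalid user foo from X".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def block_candidates(log_text, threshold=3, whitelist=()):
    """IPs with >= threshold failures that fall outside every whitelisted network.

    The whitelist is the trusted source range of the offsite unit (assumed here);
    a trusted node mistyping its password must not get the NAS to block itself.
    """
    allowed = [ip_network(n) for n in whitelist]
    blocked = []
    for ip, n in count_failures(log_text).items():
        if n >= threshold and not any(ip_address(ip) in net for net in allowed):
            blocked.append(ip)
    return sorted(blocked)


def iptables_rules(ips, port=22):
    """Render one DROP rule per offending IP for the SSH port (rule form assumed)."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(block_candidates(SAMPLE_LOG, whitelist=("192.0.2.0/24",))):
        print(rule)
```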