Geekzone: technology news, blogs, forums
Dairyxox
#1468249 12-Jan-2016 10:01

eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if it's a bit of a hassle to set up.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)


Understood, but they'll notify you pretty quick if they can't get access?



cisconz
#1468252 12-Jan-2016 10:07

eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if it's a bit of a hassle to set up.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)



Surely you could limit to https://www.spark.co.nz/help/mobile-data/troubleshooting/spark-apns-and-ip-ranges/ and a similar list for Voda?




Hmmmm


eftpos
#1468256 12-Jan-2016 10:10

Dairyxox:
eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if it's a bit of a hassle to set up.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)


Understood, but they'll notify you pretty quick if they can't get access?


Very true. But the mobile terminals that move all around, it's impossible to do properly. The fixed sites less so.



eftpos
#1468257 12-Jan-2016 10:11

cisconz:
eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if it's a bit of a hassle to set up.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)



Surely you could limit to https://www.spark.co.nz/help/mobile-data/troubleshooting/spark-apns-and-ip-ranges/ and a similar list for Voda?


Looking into this at the moment with our current Voda Global M2M provider and Spark provider.

Aredwood
#1468670 12-Jan-2016 20:22

Is it possible to setup port knocking?

Or otherwise set up a couple of computers on static IPs (2 for redundancy) which you log in to, and from there log in to the terminals. Then you can make a simple IP whitelist for the terminals. Then you would only have the 2 IPs that would be exposed to the world.





MadEngineer
#1468751 12-Jan-2016 21:30

so so so many fails here for a device with a public IP:

  • Still have an enabled admin account
  • Both telnet and ssh enabled on the WAN interface
  • Not employing black listing

I suggest:

  • Employing an L2TP + IPSec VPN and using that if you must have remote access to it, setting the services to LAN only.
  • Create your own login account and disable admin
  • Turn on port scan drop
  • Add anyone that hits your deny everything rule (I'm betting you don't even employ that) to a list and if someone from that list hits it again, ban them for an hour (poor man's fail2ban). Your rules have to be good to employ this, in fact if your rules are good enough you won't have to. Possibly a good measure to employ anyway if you continue to have problems or if you like watching logs :)




You're not on Atlantis anymore, Duncan Idaho.

chevrolux
#1468770 12-Jan-2016 22:04

Yea I can't figure out why direct telnet access would be required to the router?...

Surely just firewall off all the service ports and then a VPN to connect to for management. Means you expose only the VPN ports and no more annoying 'red' entries in your logs.

Mangle rules are great to build up a list of repeat offenders.

eftpos
#1468788 12-Jan-2016 22:06

So some updates in place.

VPN in place for RDP to Terminal SW Server with non-standard port number

Admin login gone, now a mnemonic instead

Terminal login username and password can't be changed easily but I have one terminal manufacturer looking into how they achieve this in the USA.

Finalising with consultant to implement a poor man's fail2ban.

Looking at blocking non-NZ IP addresses from connecting. However the issue is the Voda Global M2M connections which route back from overseas.

In any case a lot of what's currently in place serves the needs as there are underlying encryption methods from the terminal to the Terminal SW Server.

My original post was really just to highlight the first time that had happened in over 2 years. Seemed to be a constant barrage of weird and wonderful login name attempts over the course of an hour or so. Nothing more since this morning.





MadEngineer
#1468797 12-Jan-2016 22:37

Depending on what's behind that router, a Mikrotik may not be your best choice. You might want to consider employing an actual firewall such as a Fortigate that could do the country based restrictions for you along with antivirus/antispam/ssl-vpn/better support/etc/etc. Fortigate comes at a cost but you'd want to weigh this up with the cost of security. I would suggest not trying to do country based restrictions, especially not with a Mikrotik which will be manual unless you can script it. Involves downloading a list file and relying on that list file being maintained and feeding it to an address list -- doable with ROS scripting but you're going to be in for constant maintenance despite the script. Pairing a Mikrotik with a Fortigate may be useful.





michaelmurfy
#1468809 12-Jan-2016 23:02

Honestly. Ensure you've got your network firewalled off correctly.

Personally I have a backdoor to my network via a non-standard SSH port of which I can tunnel traffic over if really needed - this SSH server has fail2ban + 2FA (which wouldn't work in your case). Grab a Raspberry Pi and use that as your SSH/Telnet box, shove some IPTables rules in to block countries as needed or even find out what Vodafone's M2M IP ranges are and only allow them.

Never allow SSH/Telnet access to your router - use a dedicated device more suited for the task if really needed.




Michael Murphy | https://murfy.nz


sbiddle
#1468878 13-Jan-2016 07:56

IMHO you're crazy leaving a Mikrotik with ports open and have no intrusion detection with blacklists enabled and port scanning scripts - something which only requires a handful of firewall lines to do and takes about 2 mins to implement.
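As an added example (not from any poster in this thread), here is roughly what that "handful of firewall lines" could look like in RouterOS, combining the deny-everything rule, the two-strike blacklist with a one-hour ban and the port-scan drop that MadEngineer and chevrolux describe above. The address-list names are my own and the allowed ranges are RFC 5737 documentation placeholders standing in for the carrier APN ranges or a static jump host; telnet is deliberately not opened at all.

```routeros
# Added example, constructed for this thread: list names and addresses are placeholders.
/ip firewall address-list
add list=mgmt_allowed address=203.0.113.0/24 comment="placeholder: carrier APN range, replace with the published list"
add list=mgmt_allowed address=198.51.100.10 comment="placeholder: static jump host"

/ip firewall filter
# Rules are evaluated top to bottom. add-src-to-address-list does not terminate
# evaluation, so a flagged packet still falls through to the final drop.
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input src-address-list=mgmt_blacklist action=drop comment="banned for 1h: drop silently"
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt_allowed action=accept comment="ssh only from allowed ranges"
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=1h comment="port scan drop: ban scanners for 1h"
add chain=input protocol=tcp dst-port=22,23 src-address-list=mgmt_watch action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=1h comment="second strike on mgmt ports: ban for 1h"
add chain=input protocol=tcp dst-port=22,23 action=add-src-to-address-list address-list=mgmt_watch address-list-timeout=10m comment="first strike: remember the source for 10m"
add chain=input action=drop log=yes log-prefix="input-deny" comment="deny everything else"
```

After a few stray hits, `/ip firewall address-list print` shows the offenders moving from mgmt_watch to mgmt_blacklist with their remaining timeout, and the input-deny prefix is what the log watching refers to.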





eftpos
#1468891 13-Jan-2016 08:32

Thanks for all the input, started implementing changes overnight. Just had a look this morning and no signs of anything untoward so pretty happy about that.

Also thanks to those who PM'd me with ideas; always great to know people are willing to help out.

There are several sites still running legacy terminals that we will inevitably need to upgrade in the coming months. Those are the ones that use the oldest forms of communications and authentication with the Terminal Software Server and at least with the newer units we can increase security (as they have support) on both sides.

Have a window this evening where I can have the implementation of a blacklist and port scanning rules put in place.

So all in all a lesson learned.

MadEngineer
#1469019 13-Jan-2016 12:09

Did I miss why having telnet access open on a mikrotik router is required for terminal access to your servers?




