  Reply # 1468249 12-Jan-2016 10:01

eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)


Understood, but they'll notify you pretty quick if they can't get access?

cisconz

  Reply # 1468252 12-Jan-2016 10:07

eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)



Surely you could limit to https://www.spark.co.nz/help/mobile-data/troubleshooting/spark-apns-and-ip-ranges/ and a similar list for Voda?




Hmmmm




  Reply # 1468256 12-Jan-2016 10:10

Dairyxox:
eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)


Understood, but they'll notify you pretty quick if they can't get access?


Very true. But the mobile terminals that move all around, it's impossible to do properly. The fixed sites less so.



  Reply # 1468257 12-Jan-2016 10:11

cisconz:
eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IPs. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)



Surely you could limit to https://www.spark.co.nz/help/mobile-data/troubleshooting/spark-apns-and-ip-ranges/ and a similar list for Voda?


Looking into this at the moment with our current Voda Global M2M provider and Spark provider

  Reply # 1468670 12-Jan-2016 20:22

Is it possible to set up port knocking?

Or otherwise set up a couple of computers on static IPs (2 for redundancy) which you log in to and from there log in to the terminals. Then you can make a simple IP whitelist for the terminals. Then you would only have the 2 IPs that would be exposed to the world.
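Port knocking on the Mikrotik itself can be done with nothing more than firewall address lists. The rules below are an added example for this thread, not the poster's configuration or anything from the Mikrotik documentation; the knock ports 7000 and 8000 are placeholders, 22 is the service being protected, and the timeouts are illustrative.

```routeros
# Added example, not from the thread. Knock ports 7000 then 8000 are placeholders;
# ssh on 22 is the gated service. Order matters: RouterOS evaluates top to bottom.
/ip firewall filter
# Existing sessions are not re-checked, so an open ssh session outlives the knock window.
add chain=input connection-state=established,related action=accept
# Knock 1: a SYN to 7000 puts the source on "knock1" for 15 seconds.
add chain=input protocol=tcp dst-port=7000 action=add-src-to-address-list address-list=knock1 address-list-timeout=15s comment="knock 1"
# Knock 2: a SYN to 8000 from a source already on "knock1" opens ssh for 5 minutes.
add chain=input protocol=tcp dst-port=8000 src-address-list=knock1 action=add-src-to-address-list address-list=knock-open address-list-timeout=5m comment="knock 2"
# add-src-to-address-list does not terminate, so the knock packets themselves are dropped here.
add chain=input protocol=tcp dst-port=7000,8000 action=drop comment="knock ports never answer"
# Only knocked sources may open a new ssh connection; everyone else is dropped.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=knock-open action=accept comment="ssh after knock"
add chain=input protocol=tcp dst-port=22 action=drop comment="ssh closed unless knocked"
```

From the client, send one TCP SYN to 7000 and then one to 8000 within 15 seconds (a `nc -z` or a browser request to each port will do), then open ssh as normal. Two caveats for the setup described in this thread: the knock sequence is visible in any packet capture, so it hides the port from bots but is not authentication; and a mobile terminal behind carrier NAT shares its public address with every other customer on that NAT, so a successful knock opens the port to all of them for the five-minute window.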





  Reply # 1468751 12-Jan-2016 21:30

so so so many fails here for a device with a public IP:

  • Still have an enabled admin account
  • Both telnet and ssh enabled on the WAN interface
  • Not employing black listing

I suggest:

  • Employing an L2TP + IPSec VPN and using that if you must have remote access to it, setting the services to LAN only.
  • Create your own login account and disable admin
  • Turn on port scan drop
  • Add anyone that hits your deny everything rule (I'm betting you don't even employ that) to a list and if someone from that list hits it again, ban them for an hour (poor man's fail2ban).  Your rules have to be good to employ this, in fact if your rules are good enough you won't have to.  Possibly a good measure to employ anyway if you continue to have problems or if you like watching logs :)
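The four suggestions above as a RouterOS configuration: services restricted to the LAN, admin replaced, port scan drop, and the two-stage "hit the deny rule twice and you're banned for an hour" list. This is an added example written for this thread, not the poster's config and not a Mikrotik reference; it assumes ether1 is the WAN interface, 192.168.88.0/24 is the LAN, and 203.0.113.0/24 stands in for whatever carrier or M2M ranges get allowed later. The psd thresholds and timeouts are illustrative.

```routeros
# Added example, not the poster's configuration.
# Assumptions: ether1 = WAN, 192.168.88.0/24 = LAN,
# 203.0.113.0/24 = placeholder for an allowed carrier/M2M range.

# 1. Services: telnet off entirely, ssh and winbox answer LAN sources only.
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# 2. Own login account, then disable the default admin.
/user add name=ops-admin group=full password="change-me-before-use"
/user disable admin

# 3. Sources allowed to reach management at all.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="LAN"
add list=mgmt-allowed address=203.0.113.0/24 comment="placeholder: carrier/M2M range"

# 4. Input chain, evaluated top to bottom.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Banned sources are dropped before any other check.
add chain=input src-address-list=banned action=drop comment="banned hosts"
# Management only from the allowed list; accepted here so a legitimate admin
# can never fall through to the rules that ban.
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-allowed action=accept comment="management"
# Port scan drop: psd tags a source that probes many ports in a short window
# (weight threshold 21, 3s delay, low-port weight 3, high-port weight 1).
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=banned address-list-timeout=1d comment="port scan drop"
# Poor man's fail2ban. First hit on the deny rule lists the source as an offender;
# a second hit while still listed bans it for an hour. add-src-to-address-list
# does not terminate, so every packet still reaches the final drop.
add chain=input in-interface=ether1 src-address-list=offenders action=add-src-to-address-list address-list=banned address-list-timeout=1h log=yes log-prefix="banned-1h"
add chain=input in-interface=ether1 action=add-src-to-address-list address-list=offenders address-list-timeout=1d
add chain=input in-interface=ether1 action=drop comment="deny everything else from WAN"
```

Watch `/ip firewall address-list print where list=banned` and the `banned-1h` log prefix for a day before trusting it, because this scheme bans on any two unsolicited packets from the WAN, including a stray retransmit from something you do care about. Mobile terminals behind carrier NAT are the other catch: if their ranges must go on `mgmt-allowed`, every customer sharing that NAT address is allowed too, which is the reason the rest of this thread keeps pushing a VPN instead.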

  Reply # 1468770 12-Jan-2016 22:04

Yea I can't figure out why direct telnet access would be required to the router?...

Surely just firewall off all the service ports and then a VPN to connect to for management. Means you expose only the VPN ports and no more annoying 'red' entries in your logs.

Mangle rules are great to build up a list of repeat offenders.



  Reply # 1468788 12-Jan-2016 22:06

So some updates in place.

VPN in place for RDP to Terminal SW Server with non-standard port number

Admin login gone, now a mnemonic instead

Terminal login username and password cant be changed easily but I have one terminal manufacturer looking into how they achieve this in USA

Finalising with consultant to implement a poor mans fail2ban

Looking at blocking non-NZ IP addresses from connecting. However the issue is the Voda Global M2M connections which route back from overseas.

In any case a lot of what's currently in place serves the needs as there are underlying encryption methods from the terminal to the Terminal SW Server

My original post was really just to highlight the first time that had happened in over 2 years. Seemed to be a constant barrage of weird and wonderful login name attempts over the course of an hour or so. Nothing more since this morning.





  Reply # 1468797 12-Jan-2016 22:37

Depending on what's behind that router, a Mikrotik may not be your best choice. You might want to consider employing an actual firewall such as a Fortigate that could do the country based restrictions for you along with antivirus/antispam/ssl-vpn/better support/etc/etc.  Fortigate comes at a cost but you'd want to weigh this up with the cost of security.  I would suggest not trying to do country based restrictions, especially not with a Mikrotik which will be manual unless you can script it.  Involves downloading a list file and relying on that list file being maintained and feeding it to an address list -- doable with ROS scripting but you're going to be in for constant maintenance despite the script.  Pairing a Mikrotik with a Fortigate may be useful.

Meow
  Reply # 1468809 12-Jan-2016 23:02

Honestly. Ensure you've got your network firewalled off correctly.

Personally I have a backdoor to my network via a non-standard SSH port of which I can tunnel traffic over if really needed - this SSH server has fail2ban + 2FA (which wouldn't work in your case). Grab a Raspberry Pi and use that as your SSH/Telnet box, shove some IPTables rules in to block countries as needed or even find out what Vodafone's M2M IP ranges are and only allow them.

Never allow SSH/Telnet access to your router - use a dedicated device more suited for the task if really needed.




  Reply # 1468878 13-Jan-2016 07:56

IMHO you're crazy leaving a Mikrotik with ports open and have no intrusion detection with blacklists enabled and port scanning scripts - something which only requires a handful of firewall lines to do and takes about 2 mins to implement.







  Reply # 1468891 13-Jan-2016 08:32

Thanks for all the input, started implementing changes overnight. Just had a look this morning and no signs of anything untoward so pretty happy about that.

Also thanks to those who PM'd me with ideas; always great to know people are willing to help out.

There are several sites still running legacy terminals that we will inevitably need to upgrade in the coming months. Those are the ones that use the oldest forms of communications and authentication with the Terminal Software Server and at least with the newer units we can increase security (as they have support) on both sides.

Have a window this evening where I can have the implementation of a blacklist and port scanning rules put in place.

So all in all a lesson learned.

  Reply # 1469019 13-Jan-2016 12:09

Did I miss why having telnet access open on a mikrotik router is required for terminal access to your servers?
