Geekzone: technology news, blogs, forums
  Reply # 1468249 12-Jan-2016 10:01

eftpos:
Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open SSH port is detected. They will be trying usernames/passwords from a known guessable-password dictionary.

If you are running Linux, I highly recommend using fail2ban.


Also really not a good idea having telnet open to the world.



We use telnet, however, to do terminal diagnostics from various sites, so it's too hard to isolate incoming IPs. Found it easier to have a near-18-character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if it's a bit of a hassle to set up.


I agree, and it would be my option of choice; however:

Mobile-based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - different external IP (we aren't always notified)


Understood, but they'll notify you pretty quick if they can't get access?

cisconz
  Reply # 1468252 12-Jan-2016 10:07

eftpos:
I agree, and it would be my option of choice; however:

Mobile-based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - different external IP (we aren't always notified)



Surely you could limit to https://www.spark.co.nz/help/mobile-data/troubleshooting/spark-apns-and-ip-ranges/ and a similar list for Voda?




Hmmmm

  Reply # 1468256 12-Jan-2016 10:10

Dairyxox:
Understood, but they'll notify you pretty quick if they can't get access?


Very true. But for the mobile terminals that move all around, it's impossible to do properly. The fixed sites less so.
  Reply # 1468257 12-Jan-2016 10:11

cisconz:
Surely you could limit to https://www.spark.co.nz/help/mobile-data/troubleshooting/spark-apns-and-ip-ranges/ and a similar list for Voda?


Looking into this at the moment with our current Voda Global M2M provider and Spark provider.


  Reply # 1468670 12-Jan-2016 20:22

Is it possible to set up port knocking?

Or otherwise set up a couple of computers on static IPs (2 for redundancy) which you log in to, and from there log in to the terminals. Then you can make a simple IP whitelist for the terminals. Then you would only have the 2 IPs that would be exposed to the world.
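The jump-host whitelist and the port knocking asked about in this post, written as RouterOS 6 firewall rules for the router's input chain. This is an added example, not the configuration of anyone in the thread; the 203.0.113.x addresses, the knock ports 41234/45678, the list names and the timeouts are assumptions.

```routeros
# Added example (RouterOS 6 CLI), not the poster's configuration. Addresses (TEST-NET-3),
# knock ports, list names and timeouts are placeholders/assumptions.

/ip firewall address-list
# The two jump hosts on static IPs: the only sources allowed to reach telnet/ssh directly.
# Published carrier ranges (e.g. the Spark APN/IP range list linked above) would be added the same way.
add list=jump-hosts address=203.0.113.10 comment="jump host A (placeholder)"
add list=jump-hosts address=203.0.113.11 comment="jump host B (placeholder)"

/ip firewall filter
# Port knock for the roaming terminals that cannot be whitelisted: a TCP SYN to 41234 followed
# within 15 s by one to 45678 puts the source on knock-ok for 10 min. Nothing listens on those ports.
# This narrows exposure; it is not authentication, so the service login still needs strong credentials.
add chain=input protocol=tcp dst-port=41234 connection-state=new action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s comment="knock 1"
add chain=input protocol=tcp dst-port=45678 connection-state=new src-address-list=knock-stage1 action=add-src-to-address-list address-list=knock-ok address-list-timeout=10m comment="knock 2"
# add-src-to-address-list does not stop rule processing, so the knock packets themselves are dropped here
add chain=input protocol=tcp dst-port=41234,45678 action=drop comment="knock ports carry no service"

# Telnet/SSH only from the jump hosts or from a source that completed the knock; everything else is dropped
add chain=input protocol=tcp dst-port=22,23 src-address-list=jump-hosts action=accept comment="mgmt from jump hosts"
add chain=input protocol=tcp dst-port=22,23 src-address-list=knock-ok action=accept comment="mgmt after knock"
add chain=input protocol=tcp dst-port=22,23 action=drop comment="drop other telnet/ssh"
```

Rule order matters on RouterOS: the knock rules must sit above the accept/drop rules for ports 22 and 23, and `/ip firewall address-list print` shows which sources are currently on each list.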

  Reply # 1468751 12-Jan-2016 21:30

So so so many fails here for a device with a public IP:

  • Still have an enabled admin account
  • Both telnet and SSH enabled on the WAN interface
  • Not employing blacklisting

I suggest:

  • Employing an L2TP + IPsec VPN and using that if you must have remote access to it, setting the services to LAN only.
  • Create your own login account and disable admin.
  • Turn on port scan drop.
  • Add anyone that hits your deny-everything rule (I'm betting you don't even employ that) to a list and, if someone from that list hits it again, ban them for an hour (poor man's fail2ban). Your rules have to be good to employ this; in fact, if your rules are good enough you won't have to. Possibly a good measure to employ anyway if you continue to have problems or if you like watching logs :)
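The four suggestions above written out as RouterOS 6 CLI commands; this is an added example, not the poster's configuration. The LAN subnet 192.168.88.0/24, the LAN interface name bridge, the account name opsadmin, the psd thresholds and the list timeouts are assumptions.

```routeros
# Added example (RouterOS 6 CLI), not the poster's configuration. The LAN subnet, the interface
# name "bridge", the account name, the psd thresholds and all timeouts are assumptions.

# 1. Own account with full rights, then disable the built-in admin
/user add name=opsadmin group=full password="CHANGE-ME-placeholder"
/user disable admin

# 2. Management services answer on the LAN side only; remote admins reach that
#    subnet through the VPN below instead of telnet/ssh being exposed on the WAN
/ip service set ssh address=192.168.88.0/24
/ip service set telnet address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service disable ftp,www,api

/ip firewall filter
# Replies to existing sessions first, then known offenders are dropped before any service rule
add chain=input connection-state=established,related action=accept comment="replies"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input src-address-list=banned action=drop comment="repeat offenders"
add chain=input src-address-list=port-scanners action=drop comment="port scan drop"

# 3. Port scan detection: psd weight 21 reached within 3 s (ports below 1024 weigh 3, others 1)
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port-scanners address-list-timeout=1d comment="detect TCP scans"

# Only the L2TP/IPsec VPN is accepted from the WAN; LAN hosts and VPN clients may manage the router
add chain=input protocol=udp dst-port=500,1701,4500 action=accept comment="L2TP/IPsec"
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
add chain=input in-interface=bridge action=accept comment="LAN"
add chain=input in-interface=all-ppp action=accept comment="VPN clients"

# 4. Poor man's fail2ban: a source that reaches the deny-everything rule is remembered for
#    10 min; if it is already on that list it is banned for an hour. add-src-to-address-list
#    does not stop rule processing, so the final drop still applies to the triggering packet.
add chain=input src-address-list=offenders action=add-src-to-address-list address-list=banned address-list-timeout=1h comment="second hit: ban 1h"
add chain=input action=add-src-to-address-list address-list=offenders address-list-timeout=10m comment="first hit: remember"
add chain=input action=drop comment="deny everything"
```

Apply the filter rules from a LAN or console session, since the final drop locks out any WAN-side session the moment it is added.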


  Reply # 1468770 12-Jan-2016 22:04

Yea I can't figure out why direct telnet access would be required to the router?...

Surely just firewall off all the service ports and then a VPN to connect to for management. Means you expose only the VPN ports and no more annoying 'red' entries in your logs.

Mangle rules are great to build up a list of repeat offenders.


  Reply # 1468788 12-Jan-2016 22:06

So some updates in place.

VPN in place for RDP to Terminal SW Server with non-standard port number.

Admin login gone, now a mnemonic instead.

Terminal login username and password can't be changed easily, but I have one terminal manufacturer looking into how they achieve this in the USA.

Finalising with a consultant to implement a poor man's fail2ban.

Looking at blocking non-NZ IP addresses from connecting. However, the issue is the Voda Global M2M connections, which route back from overseas.

In any case a lot of what's currently in place serves the needs, as there are underlying encryption methods from the terminal to the Terminal SW Server.

My original post was really just to highlight the first time that had happened in over 2 years. Seemed to be a constant barrage of weird and wonderful login name attempts over the course of an hour or so. Nothing more since this morning.

  Reply # 1468797 12-Jan-2016 22:37

Depending on what's behind that router, a Mikrotik may not be your best choice. You might want to consider employing an actual firewall such as a Fortigate that could do the country-based restrictions for you along with antivirus/antispam/SSL-VPN/better support/etc/etc. Fortigate comes at a cost, but you'd want to weigh this up with the cost of security. I would suggest not trying to do country-based restrictions, especially not with a Mikrotik, which will be manual unless you can script it. Involves downloading a list file and relying on that list file being maintained and feeding it to an address list -- doable with ROS scripting, but you're going to be in for constant maintenance despite the script. Pairing a Mikrotik with a Fortigate may be useful.

Meow

  Reply # 1468809 12-Jan-2016 23:02

Honestly. Ensure you've got your network firewalled off correctly.

Personally I have a backdoor to my network via a non-standard SSH port over which I can tunnel traffic if really needed - this SSH server has fail2ban + 2FA (which wouldn't work in your case). Grab a Raspberry Pi and use that as your SSH/Telnet box, shove some iptables rules in to block countries as needed, or even find out what Vodafone's M2M IP ranges are and only allow them.

Never allow SSH/Telnet access to your router - use a dedicated device more suited for the task if really needed.


  Reply # 1468878 13-Jan-2016 07:56

IMHO you're crazy leaving a Mikrotik with ports open and having no intrusion detection with blacklists enabled and port scanning scripts - something which only requires a handful of firewall lines to do and takes about 2 mins to implement.

  Reply # 1468891 13-Jan-2016 08:32

Thanks for all the input, started implementing changes overnight. Just had a look this morning and no signs of anything untoward so pretty happy about that.

Also thanks to those who PM'd me with ideas; always great to know people are willing to help out.

There are several sites still running legacy terminals that we will inevitably need to upgrade in the coming months. Those are the ones that use the oldest forms of communications and authentication with the Terminal Software Server and at least with the newer units we can increase security (as they have support) on both sides.

Have a window this evening where I can have the implementation of a blacklist and port scanning rules put in place.

So all in all a lesson learned.


  Reply # 1469019 13-Jan-2016 12:09

Did I miss why having telnet access open on a mikrotik router is required for terminal access to your servers?
