LAN access from remote in router logs

1

I have an Ubuntu server on my network with SSH open on port 22, with UFW enabled for it. SSH is protected with my password, and I created another user for my SSH connection.

Today I noticed these logs.

There are some IPs that are trying to connect to my network ... I don't know them, though. This IP, for example: 121.18.238.22 comes from China; "whois" says: Baoding China Unicom Hebei Province Network

Unfortunately there is a log entry that says they finally discovered my password, so I had to ban the IP with ufw.

Now I'm using Fail2Ban to prevent this kind of attack.

[LAN access from remote] from 183.37.22.227:58298 to 192.168.0.7:22, Monday, July 04,2016 10:09:53
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:08:22
[LAN access from remote] from 192.168.0.4:63385 to 192.168.0.7:80, Monday, July 04,2016 10:03:02
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:02:47
[LAN access from remote] from 169.229.3.91:40301 to 192.168.0.7:80, Monday, July 04,2016 10:00:52
[LAN access from remote] from 169.229.3.91:38487 to 192.168.0.7:80, Monday, July 04,2016 10:00:52
[LAN access from remote] from 121.18.238.22:38685 to 192.168.0.7:22, Monday, July 04,2016 10:00:07
[LAN access from remote] from 121.18.238.22:54199 to 192.168.0.7:22, Monday, July 04,2016 09:59:57
[LAN access from remote] from 121.18.238.22:45582 to 192.168.0.7:22, Monday, July 04,2016 09:59:47
[LAN access from remote] from 121.18.238.22:33867 to 192.168.0.7:22, Monday, July 04,2016 09:59:37
[LAN access from remote] from 121.18.238.22:48962 to 192.168.0.7:22, Monday, July 04,2016 09:59:25
[LAN access from remote] from 121.18.238.22:42182 to 192.168.0.7:22, Monday, July 04,2016 09:59:15
[LAN access from remote] from 121.18.238.22:35939 to 192.168.0.7:22, Monday, July 04,2016 09:59:05
[LAN access from remote] from 121.18.238.22:50380 to 192.168.0.7:22, Monday, July 04,2016 09:58:53
[LAN access from remote] from 121.18.238.22:41018 to 192.168.0.7:22, Monday, July 04,2016 09:58:42
[LAN access from remote] from 121.18.238.22:56730 to 192.168.0.7:22, Monday, July 04,2016 09:58:30
[LAN access from remote] from 121.18.238.22:48769 to 192.168.0.7:22, Monday, July 04,2016 09:58:19
[DoS Attack: RST Scan] from source: 121.18.238.22, port 40454, Monday, July 04,2016 09:58:10
[LAN access from remote] from 121.18.238.22:43529 to 192.168.0.7:22, Monday, July 04,2016 09:58:08
[LAN access from remote] from 121.18.238.22:40454 to 192.168.0.7:22, Monday, July 04,2016 09:58:00
[LAN access from remote] from 121.18.238.22:56935 to 192.168.0.7:22, Monday, July 04,2016 09:57:48
[LAN access from remote] from 121.18.238.22:46752 to 192.168.0.7:22, Monday, July 04,2016 09:57:37
[LAN access from remote] from 121.18.238.22:35769 to 192.168.0.7:22, Monday, July 04,2016 09:57:26
[LAN access from remote] from 121.18.238.22:60140 to 192.168.0.7:22, Monday, July 04,2016 09:57:18
[LAN access from remote] from 121.18.238.22:53270 to 192.168.0.7:22, Monday, July 04,2016 09:57:09
[LAN access from remote] from 121.18.238.22:40038 to 192.168.0.7:22, Monday, July 04,2016 09:56:58
[LAN access from remote] from 121.18.238.22:32905 to 192.168.0.7:22, Monday, July 04,2016 09:56:49
[LAN access from remote] from 121.18.238.22:57638 to 192.168.0.7:22, Monday, July 04,2016 09:56:40
[LAN access from remote] from 192.168.0.4:63336 to 192.168.0.7:80, Monday, July 04,2016 09:56:26
[LAN access from remote] from 121.18.238.22:52719 to 192.168.0.7:22, Monday, July 04,2016 09:56:24
[LAN access from remote] from 121.18.238.22:48129 to 192.168.0.7:22, Monday, July 04,2016 09:56:13
[LAN access from remote] from 121.18.238.22:42942 to 192.168.0.7:22, Monday, July 04,2016 09:56:05
[LAN access from remote] from 192.168.0.4:63333 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63332 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63331 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63330 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 121.18.238.22:60581 to 192.168.0.7:22, Monday, July 04,2016 09:55:57
[DoS Attack: ACK Scan] from source: 172.217.19.78, port 443, Monday, July 04,2016 09:54:40
[DoS Attack: ACK Scan] from source: 172.217.19.78, port 443, Monday, July 04,2016 09:54:28
[DoS Attack: ACK Scan] from source: 138.108.96.100, port 80, Monday, July 04,2016 09:54:25
[LAN access from remote] from 5.90.72.134:2356 to 192.168.0.7:1723, Monday, July 04,2016 09:54:15
[LAN access from remote] from 192.168.0.2:63287 to 192.168.0.7:1723, Monday, July 04,2016 09:54:01
[LAN access from remote] from 121.18.238.9:59422 to 192.168.0.7:22, Monday, July 04,2016 09:51:33
[LAN access from remote] from 121.18.238.9:49290 to 192.168.0.7:22, Monday, July 04,2016 09:51:24
[LAN access from remote] from 121.18.238.9:38058 to 192.168.0.7:22, Monday, July 04,2016 09:51:14
[LAN access from remote] from 121.18.238.9:58639 to 192.168.0.7:22, Monday, July 04,2016 09:51:05
[LAN access from remote] from 121.18.238.9:51981 to 192.168.0.7:22, Monday, July 04,2016 09:50:57
[LAN access from remote] from 121.18.238.9:40686 to 192.168.0.7:22, Monday, July 04,2016 09:50:47
[LAN access from remote] from 121.18.238.9:33384 to 192.168.0.7:22, Monday, July 04,2016 09:50:39
[LAN access from remote] from 221.194.44.227:34213 to 192.168.0.7:22, Monday, July 04,2016 09:50:31
[LAN access from remote] from 121.18.238.9:53152 to 192.168.0.7:22, Monday, July 04,2016 09:50:30
[LAN access from remote] from 221.194.44.227:56795 to 192.168.0.7:22, Monday, July 04,2016 09:50:23
[LAN access from remote] from 121.18.238.9:42253 to 192.168.0.7:22, Monday, July 04,2016 09:50:22
[LAN access from remote] from 221.194.44.227:52907 to 192.168.0.7:22, Monday, July 04,2016 09:50:13
[LAN access from remote] from 121.18.238.9:33132 to 192.168.0.7:22, Monday, July 04,2016 09:50:12
[LAN access from remote] from 121.18.238.9:54038 to 192.168.0.7:22, Monday, July 04,2016 09:50:04
[LAN access from remote] from 221.194.44.227:43711 to 192.168.0.7:22, Monday, July 04,2016 09:50:03
[LAN access from remote] from 121.18.238.9:45113 to 192.168.0.7:22, Monday, July 04,2016 09:49:56
[LAN access from remote] from 221.194.44.227:40385 to 192.168.0.7:22, Monday, July 04,2016 09:49:53
[LAN access from remote] from 121.18.238.9:39202 to 192.168.0.7:22, Monday, July 04,2016 09:49:47
[LAN access from remote] from 221.194.44.227:57962 to 192.168.0.7:22, Monday, July 04,2016 09:49:42
[LAN access from remote] from 121.18.238.9:52268 to 192.168.0.7:22, Monday, July 04,2016 09:49:37
[LAN access from remote] from 221.194.44.227:42415 to 192.168.0.7:22, Monday, July 04,2016 09:49:29
[LAN access from remote] from 121.18.238.9:42971 to 192.168.0.7:22, Monday, July 04,2016 09:49:29
[LAN access from remote] from 121.18.238.9:37777 to 192.168.0.7:22, Monday, July 04,2016 09:49:21
[LAN access from remote] from 221.194.44.227:40557 to 192.168.0.7:22, Monday, July 04,2016 09:49:21
[LAN access from remote] from 121.18.238.9:59635 to 192.168.0.7:22, Monday, July 04,2016 09:49:14
[LAN access from remote] from 121.18.238.9:59576 to 192.168.0.7:22, Monday, July 04,2016 09:49:13
[LAN access from remote] from 221.194.44.227:36473 to 192.168.0.7:22, Monday, July 04,2016 09:49:12
[LAN access from remote] from 121.18.238.9:49344 to 192.168.0.7:22, Monday, July 04,2016 09:49:05
[LAN access from remote] from 121.18.238.9:49097 to 192.168.0.7:22, Monday, July 04,2016 09:49:05
[LAN access from remote] from 221.194.44.227:58954 to 192.168.0.7:22, Monday, July 04,2016 09:49:02
[LAN access from remote] from 121.18.238.9:33639 to 192.168.0.7:22, Monday, July 04,2016 09:48:55
[LAN access from remote] from 121.18.238.9:33629 to 192.168.0.7:22, Monday, July 04,2016 09:48:55
[LAN access from remote] from 221.194.44.227:55456 to 192.168.0.7:22, Monday, July 04,2016 09:48:53
[LAN access from remote] from 121.18.238.9:49028 to 192.168.0.7:22, Monday, July 04,2016 09:48:46
[LAN access from remote] from 121.18.238.9:48956 to 192.168.0.7:22, Monday, July 04,2016 09:48:46
[LAN access from remote] from 221.194.44.227:49145 to 192.168.0.7:22, Monday, July 04,2016 09:48:41
[LAN access from remote] from 121.18.238.9:33426 to 192.168.0.7:22, Monday, July 04,2016 09:48:36
[LAN access from remote] from 121.18.238.9:33393 to 192.168.0.7:22, Monday, July 04,2016 09:48:36
[LAN access from remote] from 221.194.44.227:43452 to 192.168.0.7:22, Monday, July 04,2016 09:48:31
[LAN access from remote] from 121.18.238.9:46965 to 192.168.0.7:22, Monday, July 04,2016 09:48:27
[LAN access from remote] from 121.18.238.9:46881 to 192.168.0.7:22, Monday, July 04,2016 09:48:27
[LAN access from remote] from 221.194.44.227:37404 to 192.168.0.7:22, Monday, July 04,2016 09:48:22
[LAN access from remote] from 121.18.238.9:58887 to 192.168.0.7:22, Monday, July 04,2016 09:48:17
[LAN access from remote] from 121.18.238.9:58799 to 192.168.0.7:22, Monday, July 04,2016 09:48:17
[LAN access from remote] from 221.194.44.227:34731 to 192.168.0.7:22, Monday, July 04,2016 09:48:13
[LAN access from remote] from 121.18.238.9:47059 to 192.168.0.7:22, Monday, July 04,2016 09:48:07
[LAN access from remote] from 121.18.238.9:44687 to 192.168.0.7:22, Monday, July 04,2016 09:48:07
[LAN access from remote] from 221.194.44.227:57545 to 192.168.0.7:22, Monday, July 04,2016 09:48:04
[LAN access from remote] from 121.18.238.9:37208 to 192.168.0.7:22, Monday, July 04,2016 09:47:59
[LAN access from remote] from 221.194.44.227:49639 to 192.168.0.7:22, Monday, July 04,2016 09:47:54
[LAN access from remote] from 121.18.238.9:52557 to 192.168.0.7:22, Monday, July 04,2016 09:47:49
[LAN access from remote] from 221.194.44.227:43237 to 192.168.0.7:22, Monday, July 04,2016 09:47:45
[LAN access from remote] from 121.18.238.9:41335 to 192.168.0.7:22, Monday, July 04,2016 09:47:40
[LAN access from remote] from 221.194.44.227:34902 to 192.168.0.7:22, Monday, July 04,2016 09:47:35
[LAN access from remote] from 121.18.238.9:52772 to 192.168.0.7:22, Monday, July 04,2016 09:47:30
[LAN access from remote] from 221.194.44.227:54658 to 192.168.0.7:22, Monday, July 04,2016 09:47:26
[LAN access from remote] from 121.18.238.9:41885 to 192.168.0.7:22, Monday, July 04,2016 09:47:21
[LAN access from remote] from 221.194.44.227:46651 to 192.168.0.7:22, Monday, July 04,2016 09:47:16
[LAN access from remote] from 121.18.238.9:57163 to 192.168.0.7:22, Monday, July 04,2016 09:47:11
[LAN access from remote] from 221.194.44.227:44183 to 192.168.0.7:22, Monday, July 04,2016 09:47:07
[LAN access from remote] from 121.18.238.9:46415 to 192.168.0.7:22, Monday, July 04,2016 09:47:02
[LAN access from remote] from 121.18.238.9:58226 to 192.168.0.7:22, Monday, July 04,2016 09:46:52
[LAN access from remote] from 221.194.44.227:36430 to 192.168.0.7:22, Monday, July 04,2016 09:46:47
[LAN access from remote] from 121.18.238.9:49359 to 192.168.0.7:22, Monday, July 04,2016 09:46:43

Update no. 2

They successfully attacked my machine.

I decided to switch to RSA key-file authentication, but they installed a backdoor on my computer (and I didn't know it; my antivirus failed to block it).

The RSA keys are stored in an encrypted container, but the backdoor intercepted my password and then stole the RSA private key.

They created a VPN on my Ubuntu server.

I had to block any connection from the router, and now I'm removing the VPN.

posted by Albert 04.07.2016 - 12:20

1 answer

1

If you whois the IP you can find out that most likely someone is trying to brute-force your SSH credentials. Just set a strong password or, preferably, require a key pair for authentication.

There are other steps that will give additional protection.

I'm getting attacks on my Synology NAS too. Nothing to worry about if you have the correct configuration. You should set a maximum of 5 attempts from the same IP to also limit the impact of this kind of attack. It's probably not a real DoS attack, since you would get many more packets and you would notice it from your Internet speed.

You can check the SSH logs to see if these attempts are followed by a successful authentication. If you are really curious about their motivation, you can set up a honeypot and monitor their behaviour. But that is much more advanced. I would love to see what these people do when they get in. So if anyone has ever conducted such an experiment, please let me know.

    
answered 04.07.2016 - 12:44
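As an added example (not code from the question or the answer), a small Python script that applies the answer's two checks to the router log format shown above: it counts "[LAN access from remote]" hits per external source IP on port 22, flags any source over a five-attempt limit, and looks in constructed sshd auth.log lines for an "Accepted" login from such a source. The router lines are copied from the page's log; the sshd lines, the host name and the user name are constructed assumptions.

```python
import re
from collections import defaultdict

# Router lines copied from the page's log, plus one internal client on port 80.
ROUTER_LOG = """\
[LAN access from remote] from 183.37.22.227:58298 to 192.168.0.7:22, Monday, July 04,2016 10:09:53
[LAN access from remote] from 192.168.0.4:63385 to 192.168.0.7:80, Monday, July 04,2016 10:03:02
[LAN access from remote] from 121.18.238.22:38685 to 192.168.0.7:22, Monday, July 04,2016 10:00:07
[LAN access from remote] from 121.18.238.22:54199 to 192.168.0.7:22, Monday, July 04,2016 09:59:57
[LAN access from remote] from 121.18.238.22:45582 to 192.168.0.7:22, Monday, July 04,2016 09:59:47
[LAN access from remote] from 121.18.238.22:33867 to 192.168.0.7:22, Monday, July 04,2016 09:59:37
[LAN access from remote] from 121.18.238.22:48962 to 192.168.0.7:22, Monday, July 04,2016 09:59:25
[LAN access from remote] from 121.18.238.22:42182 to 192.168.0.7:22, Monday, July 04,2016 09:59:15
[LAN access from remote] from 221.194.44.227:34213 to 192.168.0.7:22, Monday, July 04,2016 09:50:31
[LAN access from remote] from 221.194.44.227:56795 to 192.168.0.7:22, Monday, July 04,2016 09:50:23
"""
# Constructed sshd auth.log lines (standard OpenSSH wording; host and user are invented).
SSHD_LOG = """\
Jul  4 09:59:15 srv sshd[2210]: Failed password for root from 121.18.238.22 port 42182 ssh2
Jul  4 09:59:25 srv sshd[2212]: Failed password for invalid user admin from 121.18.238.22 port 48962 ssh2
Jul  4 10:00:07 srv sshd[2230]: Accepted password for albert from 121.18.238.22 port 38685 ssh2
Jul  4 10:05:00 srv sshd[2301]: Accepted publickey for albert from 192.168.0.4 port 50110 ssh2
"""
ROUTER_RE = re.compile(r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
                       r"to (?P<dst>[\d.]+):(?P<dport>\d+), ")
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")

def count_remote_attempts(router_log, dport="22", lan_prefix="192.168."):
    """Hits per external source IP on the forwarded port; LAN clients are ignored."""
    hits = defaultdict(int)
    for line in router_log.splitlines():
        m = ROUTER_RE.match(line)
        if m and m["dport"] == dport and not m["src"].startswith(lan_prefix):
            hits[m["src"]] += 1
    return dict(hits)

def suspicious_sources(router_log, sshd_log, max_attempts=5):
    """Sources above the per-IP limit, with any user that sshd accepted from them."""
    accepted = defaultdict(set)
    for line in sshd_log.splitlines():
        m = SSHD_RE.search(line)
        if m and m["result"] == "Accepted":
            accepted[m["src"]].add(m["user"])
    return {ip: {"attempts": n, "accepted_as": sorted(accepted.get(ip, ()))}
            for ip, n in count_remote_attempts(router_log).items()
            if n > max_attempts}

if __name__ == "__main__":
    for ip, info in suspicious_sources(ROUTER_LOG, SSHD_LOG).items():
        print(ip, info)  # a non-empty accepted_as means a login came from a brute-forcing IP
```

A non-empty `accepted_as` for a flagged source is the case the answer tells you to look for: the burst of attempts was followed by a successful authentication.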
