
Bot attacks - death to the bot

James S

Newbie
Joined
Apr 14, 2014
Messages
77
In the last few days I've been seeing multiple login attempts similar to:
Jan 6 22:19:04 freenas sshd[53755]: Disconnected from invalid user unm 51.77.140.111 port 38102 [preauth]
Jan 6 22:30:56 freenas sshd[54290]: Disconnected from invalid user zhz 34.66.28.207 port 34648 [preauth]
Jan 6 22:54:28 freenas sshd[54977]: Disconnected from invalid user nagios 218.78.54.84 port 46548 [preauth]
Jan 6 23:30:30 freenas sshd[56247]: Disconnected from invalid user pondering 59.51.65.17 port 56748 [preauth]
Jan 6 23:30:49 freenas sshd[56249]: Disconnected from invalid user pi 59.41.65.251 port 9167 [preauth]
Jan 6 23:33:04 freenas sshd[56338]: Disconnected from invalid user db2inst3 110.164.205.133 port 19259 [preauth]
Jan 6 23:45:42 freenas sshd[56687]: Disconnected from invalid user fl 51.158.104.58 port 50542 [preauth]
Jan 6 23:48:38 freenas sshd[56769]: Disconnected from invalid user odell 150.95.212.72 port 37430 [preauth]
I'm running 11.2-U7 on a local network. However, I allow users to backup to the machine over SFTP. While this puts the machine "on the net" I've followed suggestions to (1) use a non-standard port (port forward) plus each user has SSH keys (plus password). All has been quiet for well over a couple of years until these attacks. I've disabled the port-forward and all goes quiet.

What has happened here? Has a scanner managed to find the non-standard port, got lucky and then told the bot-net army to pay a visit?
As a current mitigation I've changed the external port but should I be doing more? Is Pfsense and fail2ban a good way / worthwhile way to go?

Please help me kill the bots!
Thanks.
 
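To triage lines like the ones quoted in the post, here is an added example (not from the original thread) that parses sshd "invalid user" pre-auth disconnects and counts attempts per source IP, which is roughly the aggregation a fail2ban jail does before it bans. The sample log is constructed from the lines above plus an accepted-login line that the parser must ignore; the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the sshd format quoted in the post, plus one
# successful key login from a LAN address that must not be counted.
SAMPLE_LOG = """\
Jan 6 22:19:04 freenas sshd[53755]: Disconnected from invalid user unm 51.77.140.111 port 38102 [preauth]
Jan 6 22:30:56 freenas sshd[54290]: Disconnected from invalid user zhz 34.66.28.207 port 34648 [preauth]
Jan 6 22:31:10 freenas sshd[54291]: Disconnected from invalid user test 34.66.28.207 port 34650 [preauth]
Jan 6 22:31:40 freenas sshd[54292]: Disconnected from invalid user admin 34.66.28.207 port 34652 [preauth]
Jan 6 22:54:28 freenas sshd[54977]: Disconnected from invalid user nagios 218.78.54.84 port 46548 [preauth]
Jan 6 22:55:00 freenas sshd[54980]: Accepted publickey for james from 192.168.1.20 port 50000 ssh2
"""

# Matches the pre-auth disconnect lines shown in the post.
PREAUTH_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from invalid user (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) \[preauth\]"
)


def parse_preauth_failures(log_text):
    """Return one dict per 'invalid user' pre-auth disconnect; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            events.append({"user": m.group("user"), "ip": m.group("ip"),
                           "port": int(m.group("port"))})
    return events


def summarize_by_source(events):
    """Group failures by source IP: attempt count and the set of usernames tried."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for e in events:
        summary[e["ip"]]["count"] += 1
        summary[e["ip"]]["users"].add(e["user"])
    return dict(summary)


def flag_sources(events, threshold=3):
    """Source IPs at or above the threshold (assumed value), sorted; a fail2ban-style rule."""
    summary = summarize_by_source(events)
    return sorted(ip for ip, s in summary.items() if s["count"] >= threshold)


if __name__ == "__main__":
    events = parse_preauth_failures(SAMPLE_LOG)
    for ip, s in summarize_by_source(events).items():
        print(ip, s["count"], sorted(s["users"]))
    print("candidates for blocking:", flag_sources(events))
```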

artlessknave

FreeNAS Experienced
Joined
Oct 29, 2016
Messages
346
those are...weirdly specific names for a bot. are you sure those aren't the users you allow to backup, OR their friends they maybe have shared info to?
 

James S

Newbie
Joined
Apr 14, 2014
Messages
77
those are...weirdly specific names for a bot. are you sure those arent the users you allow to backup, OR their friends they maybe have shared info to?
No - luckily no recognized users here. These just seem to be a bit poking common names (admin test etc)?
 

artlessknave

FreeNAS Experienced
Joined
Oct 29, 2016
Messages
346
poking common names
yet "Admin", probably the most common admin name ever, isn't present. so ya, i dunno. I would probably say check your security and then just block those IPs directly
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
198
I assume that your FreeNAS is NOT directly attached to the internet, ie, there is a firewall device between the NAS and the unfiltered public. ANY type of firewall will be an absolute benefit. The best being one that you can maintain and keep up-to-date, since expecting cisco/linksys not to obsolete your functioning hardware (and quit updating needed security stuff) is pointless. I use OPNsense which is actively developed and has a friendly community, devs.
 

James S

Newbie
Joined
Apr 14, 2014
Messages
77
I assume that your FreeNAS is NOT directly attached to the internet
Yes :) There is a cisco RV345 in between the FN and the outside world... so "something"
Tigersharke said:
I use OPNsense which is actively developed and has a friendly community, devs.
Interesting! Have you any recommended "how-tos" on how to implement for FN 11?

Thanks!
 

artlessknave

FreeNAS Experienced
Joined
Oct 29, 2016
Messages
346
Interesting! Have you any recommended "how-tos" on how to implement for FN 11?
uh. how to implement what for FN11? opnsense? opnsense is a router OS, a fork of pfsense; what do you mean by "implement"?
 

Tigersharke

BOfH in User's clothing
Administrator
Moderator
Joined
May 18, 2016
Messages
198
For a firewall/router that can include the greater number of features, you'll need: One low to moderately powered PC with at least 2 NICs (intel preferred), an SSD or HDD or other NOT usbstick storage to boot and run and cache as desired (squid!), requisite ethernet cables, a minimum 3GiB usbstick to use for installing OPNsense. Voila!

The community is at the OPNsense forums: 19.7 production series. They will be happy to help, plenty of info there. OPNsense is based on HardenedBSD.
IMHO, if you would need wifi access, add that to the OPNsense box as well but best to use a hardline (ethernet) for source from your provider. Ethernet is a guaranteed signal that will not suffer all of the possible frequency overlap that exists as intentional radio and unintentional noise (microwave etc).
 

James S

Newbie
Joined
Apr 14, 2014
Messages
77
a fork of pfsense; what do you mean by "implement"?
From the dictionary: "to put into effect" :)

I'd seen various posts about using pfsense on the FreeNas system and assumed this was the idea.

For a firewall/router that can include the greater number of features,
Thanks for putting me right. I need to research this a bit and think how far I want to go with this!
 

jgreco

Resident Grinch
Moderator
Joined
May 29, 2011
Messages
12,153
yet "Admin", probably the most common admin name ever, isn't present. so ya, i dunno. I would probably say check your security and then just block those IP's directly
I've seen a number of these in our SSH honeypot recently. The large number of IP addresses available to some of these bots means that they can get away with testing at rates previously unimagined, and they have lists of previously distributed default login/passwords, common ones that have been found in a variety of ways, etc., and it doesn't really hurt *them* to try them all just in case.
 