brute force ssh login attempts

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
my freenas box has been getting pounded by brute force ssh login attempts over the past few days, probably from bots. what is everyone doing to help mitigate this stuff? has anyone had good success using fail2ban?
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
FreeNAS should be used behind a firewall, and not exposed to the unfiltered Internet. Consider, if they can get to ssh, can they also access SMB or NFS?

If you need to present an ssh port to the public facing Internet, use a jail or VM, move to a non-standard port, and harden the sshd configuration. Ideally this should be done on a system other than your FreeNAS.

I like some of the suggestions here:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
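Added example (not from the linked guide or any poster in this thread): a small Python script that audits the authentication-related directives of an sshd_config against the values usually tightened when sshd is reachable from the Internet, and emits a hardened copy. The sample config and the target values are constructed for illustration; on FreeNAS the file is generated from the SSH service settings in the GUI, so treat the audit as a check on what was generated rather than a file to hand-edit.

```python
"""Audit the authentication-related directives of an sshd_config and produce a
hardened copy.  Added example; the sample config and target values below are
constructed for illustration."""
import re

# Constructed sample of a permissive sshd_config (the "before").
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

# Target values for an Internet-reachable sshd: keys only, no root, few tries.
# An absent directive is reported too, because sshd's built-in default for
# several of these (e.g. PasswordAuthentication) is the permissive value.
HARDENED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

_SPLIT = re.compile(r"[\s=]+")  # sshd accepts "Key value" and "Key=value"


def parse_sshd_config(text):
    """Return {directive_lowercase: value}.  Comments and blank lines are
    ignored; the first occurrence of a directive wins, as in sshd; anything
    after a Match line is conditional and is not modelled by this parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return [(directive, current_or_'<unset>', recommended), ...]."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, want in HARDENED.items():
        have = settings.get(directive.lower())
        if have is None:
            findings.append((directive, "<unset>", want))
        elif have.lower() != want.lower():
            findings.append((directive, have, want))
    return findings


def hardened_config(text):
    """Rewrite every audited global directive to its target value and add the
    missing ones.  Global directives must precede any Match block, so the
    additions go before the first Match line; Match blocks are left untouched."""
    wanted = {k.lower(): (k, v) for k, v in HARDENED.items()}
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key = _SPLIT.split(line, maxsplit=1)[0].lower() if line else ""
        if key == "match" and match_at is None:
            match_at = len(out)
        if match_at is None and key in wanted:
            name, val = wanted[key]
            out.append(f"{name} {val}")
            seen.add(key)
        else:
            out.append(raw)
    extras = [f"{n} {v}" for k, (n, v) in wanted.items() if k not in seen]
    pos = len(out) if match_at is None else match_at
    out[pos:pos] = extras
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, have, want in audit(SAMPLE_CONFIG):
        print(f"{directive}: {have} -> should be {want}")
    print(hardened_config(SAMPLE_CONFIG))
```

The audit stops at the first `Match` line on purpose: directives inside a Match block apply only to the matched users or addresses, and a per-user exception is not a global weakness, so it is left for a human to read.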
 

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
FreeNAS should be used behind a firewall, and not exposed to the unfiltered Internet. Consider, if they can get to ssh, can they also access SMB or NFS?

If you need to present an ssh port to the public facing Internet, use a jail or VM, move to a non-standard port, and harden the sshd configuration. Ideally this should be done on a system other than your FreeNAS.

I like some of the suggestions here:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

my freenas box is sitting in my basement behind an asus rt-ac68u router, I believe. I'm not sure if it does much firewall filtering.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
my freenas box is sitting in my basement behind an asus rt-ac68u router, I believe. I'm not sure if it does much firewall filtering.

Can you identify the source of the brute force attacks? An IP address perhaps? If it's from "outside", then perhaps someone has opened a port on your Asus router and pointed it at the NAS. I do something similar at my house, but it points to a hardened OpenBSD VM, and lives on a non-standard port. If it's internal to your home network, you may have a compromised system in your house, running a worm... In that case I'd probably start with any teenagers...
 

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
Can you identify the source of the brute force attacks? An IP address perhaps? If it's from "outside", then perhaps someone has opened a port on your Asus router and pointed it at the NAS. I do something similar at my house, but it points to a hardened OpenBSD VM, and lives on a non-standard port. If it's internal to your home network, you may have a compromised system in your house, running a worm... In that case I'd probably start with any teenagers...

they're all outside IPs, in very rapid succession. I can almost guarantee they're bots...

for example, a small sample from the latest failed login email:

Code:
freenas.local login failures:
Jun  2 00:00:08 freenas sshd[43722]: Failed password for invalid user ts3 from 130.61.58.126 port 55924 ssh2
Jun  2 00:00:08 freenas sshd[43722]: Disconnected from invalid user ts3 130.61.58.126 port 55924 [preauth]
Jun  2 00:02:02 freenas sshd[43837]: Failed password for invalid user davida from 178.62.118.53 port 50592 ssh2
Jun  2 00:02:02 freenas sshd[43837]: Disconnected from invalid user davida 178.62.118.53 port 50592 [preauth]
Jun  2 00:02:04 freenas sshd[43909]: Failed password for invalid user skew from 51.254.99.208 port 57574 ssh2
Jun  2 00:02:05 freenas sshd[43909]: Disconnected from invalid user skew 51.254.99.208 port 57574 [preauth]
Jun  2 00:02:22 freenas sshd[43911]: Failed password for invalid user playboy from 178.128.76.6 port 51006 ssh2
Jun  2 00:02:22 freenas sshd[43911]: Disconnected from invalid user playboy 178.128.76.6 port 51006 [preauth]
Jun  2 00:04:35 freenas sshd[44066]: Failed password for invalid user abcd from 51.254.99.208 port 53716 ssh2
Jun  2 00:04:35 freenas sshd[44066]: Disconnected from invalid user abcd 51.254.99.208 port 53716 [preauth]
Jun  2 00:04:49 freenas sshd[44075]: Failed password for invalid user art1 from 178.128.76.6 port 46032 ssh2
Jun  2 00:04:49 freenas sshd[44073]: Failed password for invalid user lisa from 130.61.58.126 port 39733 ssh2
Jun  2 00:04:50 freenas sshd[44075]: Disconnected from invalid user art1 178.128.76.6 port 46032 [preauth]
Jun  2 00:04:50 freenas sshd[44073]: Disconnected from invalid user lisa 130.61.58.126 port 39733 [preauth] 
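Added example (not the poster's code and not fail2ban itself): a Python script that parses the sshd lines from the e-mail above, counts failures and distinct usernames per source address, and applies the same decision rule fail2ban expresses with maxretry and findtime, a sliding time window over each source's failures. The log lines are embedded as the sample input so it runs offline; the year is assumed, since syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the sshd lines from the failed-login e-mail quoted above,
# embedded here so the script runs without reading /var/log.
SAMPLE_LOG = """\
Jun  2 00:00:08 freenas sshd[43722]: Failed password for invalid user ts3 from 130.61.58.126 port 55924 ssh2
Jun  2 00:00:08 freenas sshd[43722]: Disconnected from invalid user ts3 130.61.58.126 port 55924 [preauth]
Jun  2 00:02:02 freenas sshd[43837]: Failed password for invalid user davida from 178.62.118.53 port 50592 ssh2
Jun  2 00:02:02 freenas sshd[43837]: Disconnected from invalid user davida 178.62.118.53 port 50592 [preauth]
Jun  2 00:02:04 freenas sshd[43909]: Failed password for invalid user skew from 51.254.99.208 port 57574 ssh2
Jun  2 00:02:05 freenas sshd[43909]: Disconnected from invalid user skew 51.254.99.208 port 57574 [preauth]
Jun  2 00:02:22 freenas sshd[43911]: Failed password for invalid user playboy from 178.128.76.6 port 51006 ssh2
Jun  2 00:02:22 freenas sshd[43911]: Disconnected from invalid user playboy 178.128.76.6 port 51006 [preauth]
Jun  2 00:04:35 freenas sshd[44066]: Failed password for invalid user abcd from 51.254.99.208 port 53716 ssh2
Jun  2 00:04:35 freenas sshd[44066]: Disconnected from invalid user abcd 51.254.99.208 port 53716 [preauth]
Jun  2 00:04:49 freenas sshd[44075]: Failed password for invalid user art1 from 178.128.76.6 port 46032 ssh2
Jun  2 00:04:49 freenas sshd[44073]: Failed password for invalid user lisa from 130.61.58.126 port 39733 ssh2
Jun  2 00:04:50 freenas sshd[44075]: Disconnected from invalid user art1 178.128.76.6 port 46032 [preauth]
Jun  2 00:04:50 freenas sshd[44073]: Disconnected from invalid user lisa 130.61.58.126 port 39733 [preauth]
"""

# Matches OpenSSH's "Failed password" line for both unknown ("invalid user")
# and existing accounts.  The client port is matched only to skip it: it is an
# ephemeral source port chosen by the client and carries no information.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2019):
    """Yield (timestamp, user, ip) for each failed password attempt.
    Syslog timestamps carry no year, so one is assumed (hypothetical: 2019)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Disconnected" notices and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def summarize(text):
    """Per source IP: (failure count, sorted list of usernames tried).
    Many distinct usernames from one address is the dictionary-attack signature."""
    counts, users = defaultdict(int), defaultdict(set)
    for _, user, ip in parse_failures(text):
        counts[ip] += 1
        users[ip].add(user)
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}


def sources_to_ban(text, maxretry=3, findtime=600):
    """fail2ban-style rule: ban an IP once it has `maxretry` failures inside any
    `findtime`-second window (sliding window over that IP's sorted timestamps)."""
    by_ip = defaultdict(list)
    for ts, _, ip in parse_failures(text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    for ip, (n, users) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {n} failures, usernames tried: {', '.join(users)}")
    print("would ban (maxretry=2, findtime=600):",
          sorted(sources_to_ban(SAMPLE_LOG, maxretry=2, findtime=600)))
```

On this excerpt three of the four sources already have two failures inside ten minutes, so a threshold of two bans them while a threshold of three bans nobody; the trade-off is the same one fail2ban's jail settings encode, and a low threshold mainly matters when password authentication is still enabled.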
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Yep... Looks like two different machines running a dictionary. You need to log into your Asus router and close the hole.
 

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
Yep... Looks like two different machines running a dictionary. You need to log into your Asus router and close the hole.

how though? what's the best approach here? freenas is listening for ssh on a non-standard port, I'm using ssh key auth only, etc..

I'll set up fail2ban tonight.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
how though? what's the best approach here? freenas is listening for ssh on a non-standard port, I'm using ssh key auth only, etc..

I'll set up fail2ban tonight.

As a default configuration, your router isn't supposed to allow ssh connections from the public internet to your NAS. Someone or something has to configure and enable that. It's a specific tunnel config. I'm not knocking fail2ban, but I have to point out the obvious... Something's not right on the router if it's doing this and you didn't authorize & configure it.
 

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
As a default configuration, your router isn't supposed to allow ssh connections from the public internet to your NAS. Someone or something has to configure and enable that. It's a specific tunnel config. I'm not knocking fail2ban, but I have to point out the obvious... Something's not right on the router if it's doing this and you didn't authorize & configure it.

of course, but I need to access my freenas box from outside of my LAN....so I tell it to forward traffic for port X (ssh port) to my freenas box. I'm not sure what you're getting at.

this is a fairly common issue per google searches, I was just curious to see what others were doing with freenas to help mitigate the issue.
 

silverback

Contributor
Joined
Jun 26, 2016
Messages
134
of course, but I need to access my freenas box from outside of my LAN....so I tell it to forward traffic for port X (ssh port) to my freenas box. I'm not sure what you're getting at.

this is a fairly common issue per google searches, I was just curious to see what others were doing with freenas to help mitigate the issue.

Have you considered Merlin firmware and running an OpenVPN server on your router?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey Andrew,

For remote access, you may consider a VPN instead of SSH. You would need an actual firewall for that, like pfSense, but it would be stronger. DD-WRT may also be an option.

If you wish to keep your SSH daemon reachable from outside, you will always have these attacks. Using SSH key authentication only is a good mitigation against that.

Still, the day a vulnerability is discovered in the SSH daemon, your NAS will end up compromised instantly.

No single security measure should be considered perfect. Here, only SSHD's security is protecting your NAS against the Internet. That is not enough and you should have at least 2 security layers, if not more.
 

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
Have you considered Merlin firmware and running an OpenVPN server on your router?

I have, yes, but at the time, I was wanting to run asus's aimesh, which, as far as I recall, wasn't supported by the 3rd party firmware for the asus router. I'll need to look into it again.
 

silverback

Contributor
Joined
Jun 26, 2016
Messages
134
I have, yes, but at the time, I was wanting to run asus's aimesh, which, as far as I recall, wasn't supported by the 3rd party firmware for the asus router. I'll need to look into it again.
It’s a solid router, for home use. I have run OpenVpn on it, no problem. I didn’t really care about the WiFi aspects, myself.
 

andrewjs18

Contributor
Joined
Oct 19, 2014
Messages
141
It’s a solid router, for home use. I have run OpenVpn on it, no problem. I didn’t really care about the WiFi aspects, myself.

I'll look more into it. at the time when I was testing, aimesh was incredibly buggy for me, so I turned it off and just used the 2nd router I bought as a switch.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
of course, but I need to access my freenas box from outside of my LAN....so I tell it to forward traffic for port X (ssh port) to my freenas box. I'm not sure what you're getting at.

this is a fairly common issue per google searches, I was just curious to see what others were doing with freenas to help mitigate the issue.


Ok, so you did configure it... Most of my previous comments were assuming you had not!

Ok... So like I said, I do this also, but I run it on a port way up in the 20k range, and it goes to a locked down VM, not directly to the NAS. When I'm out and about (work, camping, etc...) I have to either add -p <port> or have to edit my ssh_config to use the oddball port. Between that and not allowing password auth, and the hardening in the link I sent earlier, I've been pretty immune. I strongly recommend not connecting to the NAS sshd directly, use a jump VM or a jail, and make use of -L 22:<host>:22 as needed.

Adding in a black list of some sort helps, but it's hard to do without some kind of subscription. The other option here is whitelisting, where you derive some list of address blocks you access the NAS from, and then blacklist everything else. There are 4+ billion addresses in the IPv4 space, so even if you whitelist 100 million of them, you've narrowed your attack surface by 90%+... I like to do stuff like this by ASN number. A great site to do this by is:

https://asn.ipinfo.app/

or its predecessor site:

https://www.enjen.net/asn-blocklist/index.php

You can determine the ASN for an IP address via:

/usr/bin/whois -h whois.cymru.com $IP |/usr/bin/tail -1 | awk '{ print $1 }'

Then feed that ASN number into the asn-blocklist and get a full map. So, for example, one of the IP addresses attacking you, 130.61.58.126, is AS31898, which is owned by the Oracle Corporation. I'll hazard a guess you're getting attacked from Oracle Cloud... But punch that in and you get a rather large map to block:

Code:
iptables -A INPUT -s 138.1.28.0/22 -j DROP
iptables -A INPUT -s 158.101.0.0/16 -j DROP
iptables -A INPUT -s 192.29.8.0/22 -j DROP
iptables -A INPUT -s 140.91.214.0/23 -j DROP
iptables -A INPUT -s 132.145.88.0/21 -j DROP
iptables -A INPUT -s 132.145.48.0/20 -j DROP
iptables -A INPUT -s 129.146.208.0/21 -j DROP
iptables -A INPUT -s 130.35.148.0/22 -j DROP
iptables -A INPUT -s 140.204.6.0/23 -j DROP
iptables -A INPUT -s 134.70.16.0/23 -j DROP
iptables -A INPUT -s 138.1.128.0/20 -j DROP
iptables -A INPUT -s 129.213.96.0/20 -j DROP
iptables -A INPUT -s 147.154.208.0/21 -j DROP
iptables -A INPUT -s 130.61.0.0/16 -j DROP
iptables -A INPUT -s 130.61.48.0/20 -j DROP
iptables -A INPUT -s 129.146.16.0/23 -j DROP
iptables -A INPUT -s 130.61.112.0/21 -j DROP
iptables -A INPUT -s 138.1.0.0/22 -j DROP
iptables -A INPUT -s 129.146.144.0/20 -j DROP
iptables -A INPUT -s 132.145.176.0/20 -j DROP
iptables -A INPUT -s 129.213.136.0/22 -j DROP
iptables -A INPUT -s 134.70.48.0/23 -j DROP
iptables -A INPUT -s 140.91.34.0/23 -j DROP
iptables -A INPUT -s 130.35.132.0/22 -j DROP
iptables -A INPUT -s 132.145.192.0/21 -j DROP
iptables -A INPUT -s 138.1.224.0/20 -j DROP
iptables -A INPUT -s 129.213.80.0/20 -j DROP
iptables -A INPUT -s 132.145.72.0/21 -j DROP
iptables -A INPUT -s 130.35.180.0/22 -j DROP
iptables -A INPUT -s 130.61.32.0/20 -j DROP
iptables -A INPUT -s 140.204.12.0/23 -j DROP
iptables -A INPUT -s 130.61.7.0/24 -j DROP
iptables -A INPUT -s 130.61.16.0/20 -j DROP
iptables -A INPUT -s 140.204.16.0/23 -j DROP
iptables -A INPUT -s 144.25.40.0/22 -j DROP
iptables -A INPUT -s 129.146.96.0/20 -j DROP
iptables -A INPUT -s 134.70.8.0/23 -j DROP
ip6tables -A INPUT -s 2603:c011:4000::/36 -j DROP
iptables -A INPUT -s 138.1.84.0/22 -j DROP
iptables -A INPUT -s 129.146.48.0/21 -j DROP
iptables -A INPUT -s 144.25.36.0/22 -j DROP
iptables -A INPUT -s 134.70.40.0/23 -j DROP
iptables -A INPUT -s 132.145.128.0/20 -j DROP
iptables -A INPUT -s 130.35.24.0/22 -j DROP
iptables -A INPUT -s 130.61.72.0/21 -j DROP
iptables -A INPUT -s 192.29.36.0/22 -j DROP
iptables -A INPUT -s 129.213.160.0/21 -j DROP
iptables -A INPUT -s 144.25.60.0/22 -j DROP
iptables -A INPUT -s 129.146.28.0/22 -j DROP
iptables -A INPUT -s 138.1.76.0/22 -j DROP
iptables -A INPUT -s 132.145.64.0/23 -j DROP
iptables -A INPUT -s 192.29.32.0/22 -j DROP
iptables -A INPUT -s 140.91.206.0/23 -j DROP
iptables -A INPUT -s 129.213.2.0/23 -j DROP
iptables -A INPUT -s 144.25.44.0/22 -j DROP
iptables -A INPUT -s 130.61.8.0/21 -j DROP
iptables -A INPUT -s 132.145.240.0/21 -j DROP
iptables -A INPUT -s 138.1.208.0/20 -j DROP
iptables -A INPUT -s 132.145.116.0/22 -j DROP
iptables -A INPUT -s 129.213.16.0/20 -j DROP
iptables -A INPUT -s 140.238.168.0/21 -j DROP
iptables -A INPUT -s 144.25.24.0/22 -j DROP
iptables -A INPUT -s 132.145.84.0/22 -j DROP
iptables -A INPUT -s 130.35.64.0/20 -j DROP
iptables -A INPUT -s 144.25.64.0/22 -j DROP
iptables -A INPUT -s 129.146.160.0/22 -j DROP
iptables -A INPUT -s 129.146.0.0/16 -j DROP
iptables -A INPUT -s 130.35.220.0/22 -j DROP
iptables -A INPUT -s 130.61.64.0/21 -j DROP
iptables -A INPUT -s 144.25.16.0/22 -j DROP
iptables -A INPUT -s 129.213.208.0/21 -j DROP
iptables -A INPUT -s 129.213.152.0/21 -j DROP
iptables -A INPUT -s 140.91.32.0/23 -j DROP
iptables -A INPUT -s 129.146.176.0/20 -j DROP
iptables -A INPUT -s 144.25.20.0/22 -j DROP
iptables -A INPUT -s 138.1.100.0/22 -j DROP
iptables -A INPUT -s 147.154.240.0/20 -j DROP
iptables -A INPUT -s 140.91.208.0/23 -j DROP
iptables -A INPUT -s 134.70.26.0/23 -j DROP
iptables -A INPUT -s 138.1.92.0/22 -j DROP
iptables -A INPUT -s 130.61.128.0/17 -j DROP
iptables -A INPUT -s 130.61.104.0/21 -j DROP
iptables -A INPUT -s 132.145.144.0/20 -j DROP
iptables -A INPUT -s 147.154.96.0/20 -j DROP
iptables -A INPUT -s 140.91.40.0/23 -j DROP
iptables -A INPUT -s 129.146.64.0/21 -j DROP
iptables -A INPUT -s 130.35.136.0/22 -j DROP
iptables -A INPUT -s 134.70.84.0/23 -j DROP
iptables -A INPUT -s 138.1.144.0/20 -j DROP
iptables -A INPUT -s 129.213.0.0/23 -j DROP
iptables -A INPUT -s 132.145.200.0/21 -j DROP
iptables -A INPUT -s 140.91.36.0/23 -j DROP
iptables -A INPUT -s 140.204.8.0/23 -j DROP
iptables -A INPUT -s 129.213.176.0/20 -j DROP
iptables -A INPUT -s 134.70.14.0/23 -j DROP
iptables -A INPUT -s 147.154.160.0/20 -j DROP
iptables -A INPUT -s 192.29.16.0/22 -j DROP
iptables -A INPUT -s 130.35.176.0/22 -j DROP
iptables -A INPUT -s 140.204.22.0/23 -j DROP
ip6tables -A INPUT -s 2603:c002:8a00::/40 -j DROP
iptables -A INPUT -s 129.146.56.0/21 -j DROP
iptables -A INPUT -s 130.35.20.0/22 -j DROP
iptables -A INPUT -s 132.145.16.0/20 -j DROP
iptables -A INPUT -s 132.145.68.0/22 -j DROP
iptables -A INPUT -s 130.61.0.0/23 -j DROP
iptables -A INPUT -s 132.145.80.0/22 -j DROP
ip6tables -A INPUT -s 2603:c001:1410::/44 -j DROP
iptables -A INPUT -s 147.154.224.0/20 -j DROP
iptables -A INPUT -s 134.70.78.0/23 -j DROP
iptables -A INPUT -s 132.145.108.0/22 -j DROP
iptables -A INPUT -s 140.91.16.0/23 -j DROP
iptables -A INPUT -s 132.145.224.0/21 -j DROP
iptables -A INPUT -s 132.145.96.0/21 -j DROP
iptables -A INPUT -s 138.1.20.0/22 -j DROP
iptables -A INPUT -s 140.204.24.0/23 -j DROP
iptables -A INPUT -s 134.70.50.0/23 -j DROP
iptables -A INPUT -s 129.146.40.0/22 -j DROP
iptables -A INPUT -s 129.146.18.0/23 -j DROP
iptables -A INPUT -s 129.146.224.0/21 -j DROP
iptables -A INPUT -s 147.154.64.0/21 -j DROP
iptables -A INPUT -s 132.145.112.0/22 -j DROP
iptables -A INPUT -s 140.204.20.0/23 -j DROP
iptables -A INPUT -s 129.213.239.0/24 -j DROP
iptables -A INPUT -s 134.70.64.0/23 -j DROP
iptables -A INPUT -s 129.146.164.0/22 -j DROP
iptables -A INPUT -s 129.146.128.0/20 -j DROP
iptables -A INPUT -s 129.213.0.0/16 -j DROP
iptables -A INPUT -s 138.1.72.0/22 -j DROP
iptables -A INPUT -s 147.154.0.0/20 -j DROP
iptables -A INPUT -s 147.154.176.0/20 -j DROP
iptables -A INPUT -s 138.1.80.0/22 -j DROP
iptables -A INPUT -s 132.145.7.0/24 -j DROP
iptables -A INPUT -s 129.146.14.0/24 -j DROP
iptables -A INPUT -s 138.1.104.0/22 -j DROP
iptables -A INPUT -s 129.146.80.0/21 -j DROP
iptables -A INPUT -s 140.91.200.0/23 -j DROP
iptables -A INPUT -s 130.35.216.0/22 -j DROP
iptables -A INPUT -s 140.91.20.0/23 -j DROP
iptables -A INPUT -s 134.70.74.0/23 -j DROP
iptables -A INPUT -s 130.61.6.0/24 -j DROP
iptables -A INPUT -s 140.91.212.0/23 -j DROP
iptables -A INPUT -s 134.70.24.0/23 -j DROP
iptables -A INPUT -s 129.213.7.0/24 -j DROP
iptables -A INPUT -s 130.35.192.0/22 -j DROP
iptables -A INPUT -s 147.154.144.0/20 -j DROP
iptables -A INPUT -s 129.146.44.0/22 -j DROP
iptables -A INPUT -s 140.238.0.0/20 -j DROP
iptables -A INPUT -s 138.1.12.0/22 -j DROP
iptables -A INPUT -s 140.204.26.0/23 -j DROP
iptables -A INPUT -s 144.25.28.0/22 -j DROP
iptables -A INPUT -s 138.1.96.0/22 -j DROP
iptables -A INPUT -s 140.91.30.0/23 -j DROP
iptables -A INPUT -s 134.70.60.0/23 -j DROP
iptables -A INPUT -s 147.154.200.0/21 -j DROP
iptables -A INPUT -s 129.213.112.0/20 -j DROP
iptables -A INPUT -s 129.146.8.0/23 -j DROP
iptables -A INPUT -s 130.35.80.0/20 -j DROP
iptables -A INPUT -s 129.146.24.0/22 -j DROP
ip6tables -A INPUT -s 2603:c001:1400::/39 -j DROP
iptables -A INPUT -s 129.146.168.0/22 -j DROP
iptables -A INPUT -s 140.204.10.0/23 -j DROP
iptables -A INPUT -s 138.1.16.0/22 -j DROP
iptables -A INPUT -s 144.25.52.0/22 -j DROP
iptables -A INPUT -s 129.146.72.0/21 -j DROP
ip6tables -A INPUT -s 2603:c002:a10::/44 -j DROP
iptables -A INPUT -s 129.146.232.0/21 -j DROP
iptables -A INPUT -s 138.1.64.0/22 -j DROP
iptables -A INPUT -s 192.29.20.0/22 -j DROP
iptables -A INPUT -s 132.145.120.0/21 -j DROP
iptables -A INPUT -s 138.1.240.0/20 -j DROP
iptables -A INPUT -s 147.154.72.0/21 -j DROP
iptables -A INPUT -s 129.213.200.0/21 -j DROP
ip6tables -A INPUT -s 2603:c002:a00::/40 -j DROP
iptables -A INPUT -s 134.70.72.0/23 -j DROP
iptables -A INPUT -s 130.35.28.0/22 -j DROP
iptables -A INPUT -s 129.146.20.0/22 -j DROP
iptables -A INPUT -s 140.204.4.0/23 -j DROP
iptables -A INPUT -s 147.154.48.0/20 -j DROP
iptables -A INPUT -s 129.213.32.0/20 -j DROP
iptables -A INPUT -s 140.91.8.0/23 -j DROP
iptables -A INPUT -s 140.91.6.0/23 -j DROP
iptables -A INPUT -s 140.91.22.0/23 -j DROP
iptables -A INPUT -s 132.145.104.0/22 -j DROP
iptables -A INPUT -s 138.1.160.0/20 -j DROP
iptables -A INPUT -s 132.145.4.0/23 -j DROP
iptables -A INPUT -s 140.91.194.0/23 -j DROP
iptables -A INPUT -s 192.29.56.0/21 -j DROP
iptables -A INPUT -s 132.145.0.0/23 -j DROP
iptables -A INPUT -s 144.25.32.0/22 -j DROP
iptables -A INPUT -s 140.91.38.0/23 -j DROP
iptables -A INPUT -s 130.61.98.0/23 -j DROP
iptables -A INPUT -s 134.70.94.0/23 -j DROP
iptables -A INPUT -s 130.35.208.0/22 -j DROP
iptables -A INPUT -s 144.25.80.0/20 -j DROP
iptables -A INPUT -s 129.146.88.0/21 -j DROP
iptables -A INPUT -s 134.70.98.0/23 -j DROP
iptables -A INPUT -s 134.70.76.0/23 -j DROP
iptables -A INPUT -s 140.91.196.0/23 -j DROP
iptables -A INPUT -s 129.146.36.0/22 -j DROP
iptables -A INPUT -s 138.1.192.0/20 -j DROP
iptables -A INPUT -s 134.70.46.0/23 -j DROP
ip6tables -A INPUT -s 2603:c002:a00::/44 -j DROP
iptables -A INPUT -s 130.35.48.0/20 -j DROP
iptables -A INPUT -s 140.91.24.0/23 -j DROP
iptables -A INPUT -s 192.29.48.0/21 -j DROP
iptables -A INPUT -s 138.1.4.0/22 -j DROP
iptables -A INPUT -s 129.146.32.0/22 -j DROP
iptables -A INPUT -s 129.213.48.0/20 -j DROP
iptables -A INPUT -s 192.29.96.0/20 -j DROP
iptables -A INPUT -s 140.91.14.0/23 -j DROP
iptables -A INPUT -s 140.91.204.0/23 -j DROP
iptables -A INPUT -s 134.70.96.0/23 -j DROP
iptables -A INPUT -s 140.204.18.0/23 -j DROP
iptables -A INPUT -s 129.213.132.0/22 -j DROP
iptables -A INPUT -s 134.70.10.0/23 -j DROP
iptables -A INPUT -s 144.25.68.0/22 -j DROP
iptables -A INPUT -s 129.146.240.0/20 -j DROP
iptables -A INPUT -s 129.146.172.0/22 -j DROP
iptables -A INPUT -s 134.70.90.0/23 -j DROP
iptables -A INPUT -s 132.145.66.0/23 -j DROP
iptables -A INPUT -s 193.122.0.0/15 -j DROP
iptables -A INPUT -s 134.70.88.0/23 -j DROP
iptables -A INPUT -s 129.146.13.0/24 -j DROP
iptables -A INPUT -s 129.213.232.0/24 -j DROP
iptables -A INPUT -s 130.35.140.0/22 -j DROP
iptables -A INPUT -s 130.35.196.0/22 -j DROP
iptables -A INPUT -s 147.154.128.0/20 -j DROP
iptables -A INPUT -s 130.61.120.0/21 -j DROP
iptables -A INPUT -s 129.213.4.0/23 -j DROP
iptables -A INPUT -s 134.70.56.0/23 -j DROP
iptables -A INPUT -s 130.35.96.0/21 -j DROP
iptables -A INPUT -s 130.35.16.0/22 -j DROP
iptables -A INPUT -s 134.70.66.0/23 -j DROP
iptables -A INPUT -s 129.146.216.0/21 -j DROP
iptables -A INPUT -s 129.213.6.0/24 -j DROP
iptables -A INPUT -s 134.70.18.0/23 -j DROP
iptables -A INPUT -s 140.204.14.0/23 -j DROP
ip6tables -A INPUT -s 2603:c002:8a00::/44 -j DROP
iptables -A INPUT -s 130.35.184.0/22 -j DROP
iptables -A INPUT -s 138.1.32.0/21 -j DROP
iptables -A INPUT -s 147.154.80.0/21 -j DROP
iptables -A INPUT -s 130.35.104.0/21 -j DROP
iptables -A INPUT -s 132.145.6.0/24 -j DROP
iptables -A INPUT -s 132.145.8.0/21 -j DROP
iptables -A INPUT -s 168.138.0.0/16 -j DROP
iptables -A INPUT -s 134.70.82.0/23 -j DROP
iptables -A INPUT -s 138.1.48.0/21 -j DROP
iptables -A INPUT -s 130.35.200.0/22 -j DROP
iptables -A INPUT -s 134.70.32.0/23 -j DROP
iptables -A INPUT -s 138.1.24.0/22 -j DROP
iptables -A INPUT -s 192.29.0.0/21 -j DROP
iptables -A INPUT -s 130.35.212.0/22 -j DROP
iptables -A INPUT -s 134.70.80.0/23 -j DROP
iptables -A INPUT -s 134.70.12.0/23 -j DROP
iptables -A INPUT -s 140.91.4.0/23 -j DROP
iptables -A INPUT -s 140.204.0.0/23 -j DROP
iptables -A INPUT -s 129.213.64.0/20 -j DROP
iptables -A INPUT -s 129.213.144.0/21 -j DROP
ip6tables -A INPUT -s 2603:c002:8a10::/44 -j DROP
iptables -A INPUT -s 130.35.112.0/22 -j DROP
iptables -A INPUT -s 140.204.2.0/23 -j DROP
iptables -A INPUT -s 140.238.128.0/20 -j DROP
ip6tables -A INPUT -s 2603:c001:1400::/44 -j DROP
iptables -A INPUT -s 129.213.192.0/21 -j DROP
iptables -A INPUT -s 130.35.144.0/22 -j DROP
iptables -A INPUT -s 152.67.0.0/16 -j DROP
iptables -A INPUT -s 130.35.240.0/20 -j DROP
iptables -A INPUT -s 138.1.40.0/21 -j DROP
iptables -A INPUT -s 134.70.30.0/23 -j DROP
iptables -A INPUT -s 147.154.16.0/20 -j DROP
iptables -A INPUT -s 147.154.192.0/21 -j DROP
iptables -A INPUT -s 130.61.100.0/22 -j DROP
iptables -A INPUT -s 140.91.210.0/23 -j DROP
iptables -A INPUT -s 130.35.0.0/22 -j DROP
iptables -A INPUT -s 132.145.208.0/21 -j DROP
iptables -A INPUT -s 134.70.34.0/23 -j DROP
iptables -A INPUT -s 132.145.248.0/21 -j DROP
iptables -A INPUT -s 129.213.8.0/21 -j DROP
iptables -A INPUT -s 130.35.4.0/22 -j DROP
iptables -A INPUT -s 130.61.88.0/21 -j DROP
iptables -A INPUT -s 140.91.10.0/23 -j DROP
iptables -A INPUT -s 140.238.32.0/20 -j DROP
iptables -A INPUT -s 134.70.28.0/23 -j DROP
iptables -A INPUT -s 132.145.32.0/20 -j DROP
iptables -A INPUT -s 134.70.92.0/23 -j DROP
iptables -A INPUT -s 144.25.56.0/22 -j DROP
iptables -A INPUT -s 132.145.2.0/23 -j DROP
iptables -A INPUT -s 134.70.44.0/23 -j DROP
iptables -A INPUT -s 134.70.62.0/23 -j DROP
iptables -A INPUT -s 132.145.232.0/21 -j DROP
iptables -A INPUT -s 130.35.232.0/21 -j DROP
iptables -A INPUT -s 140.91.12.0/23 -j DROP
iptables -A INPUT -s 144.25.72.0/22 -j DROP
iptables -A INPUT -s 130.61.2.0/23 -j DROP
iptables -A INPUT -s 129.146.4.0/22 -j DROP
ip6tables -A INPUT -s 2603:c000:a00::/40 -j DROP
iptables -A INPUT -s 140.238.64.0/19 -j DROP
iptables -A INPUT -s 130.35.8.0/22 -j DROP
iptables -A INPUT -s 129.146.0.0/22 -j DROP
iptables -A INPUT -s 130.61.4.0/23 -j DROP
iptables -A INPUT -s 140.238.160.0/21 -j DROP
iptables -A INPUT -s 151.104.0.0/16 -j DROP
iptables -A INPUT -s 134.70.86.0/23 -j DROP
iptables -A INPUT -s 138.1.88.0/22 -j DROP
iptables -A INPUT -s 138.1.176.0/20 -j DROP
iptables -A INPUT -s 130.61.80.0/21 -j DROP
iptables -A INPUT -s 130.35.204.0/22 -j DROP
iptables -A INPUT -s 147.154.112.0/20 -j DROP
iptables -A INPUT -s 130.35.188.0/22 -j DROP
iptables -A INPUT -s 140.91.26.0/23 -j DROP
iptables -A INPUT -s 132.145.216.0/21 -j DROP
iptables -A INPUT -s 144.25.48.0/22 -j DROP
iptables -A INPUT -s 129.213.168.0/21 -j DROP
iptables -A INPUT -s 134.70.42.0/23 -j DROP
iptables -A INPUT -s 129.213.128.0/22 -j DROP
iptables -A INPUT -s 138.1.68.0/22 -j DROP
iptables -A INPUT -s 140.91.198.0/23 -j DROP
iptables -A INPUT -s 130.35.12.0/22 -j DROP
iptables -A INPUT -s 134.70.58.0/23 -j DROP
iptables -A INPUT -s 130.35.156.0/22 -j DROP
iptables -A INPUT -s 140.91.202.0/23 -j DROP
iptables -A INPUT -s 129.213.140.0/22 -j DROP
iptables -A INPUT -s 144.25.76.0/22 -j DROP
iptables -A INPUT -s 129.146.12.0/24 -j DROP
iptables -A INPUT -s 129.146.112.0/20 -j DROP
iptables -A INPUT -s 147.154.32.0/20 -j DROP
ip6tables -A INPUT -s 2603:c022:8000::/35 -j DROP
iptables -A INPUT -s 130.35.128.0/22 -j DROP
iptables -A INPUT -s 129.146.10.0/23 -j DROP
iptables -A INPUT -s 138.1.8.0/22 -j DROP
iptables -A INPUT -s 130.35.120.0/21 -j DROP
iptables -A INPUT -s 130.61.96.0/23 -j DROP
iptables -A INPUT -s 132.145.160.0/20 -j DROP
iptables -A INPUT -s 129.146.192.0/20 -j DROP
iptables -A INPUT -s 140.91.28.0/23 -j DROP
iptables -A INPUT -s 130.35.224.0/22 -j DROP
iptables -A INPUT -s 150.136.0.0/16 -j DROP
iptables -A INPUT -s 140.91.18.0/23 -j DROP
iptables -A INPUT -s 130.35.152.0/22 -j DROP


So it's kind of like fighting a war with nuclear weapons, you have to choose your collateral damage carefully. You probably can't get away with blocking the entire AS31898 map. But you might be able to block the 130.61.0.0/16, or the individual address. But if it was a colo in Hong Kong, you might dispose of the entire ASN and never have a care.
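Added example (not rvassar's code): a Python script that makes the two decisions in the post concrete, which listed prefix is the narrowest one that still contains an attacker, and how many addresses a given block sacrifices. The attacker addresses are the ones from the log excerpt earlier in the thread; the prefix list is a constructed subset of the AS31898 list above; the rule renderer reproduces the post's iptables format and the allowlist function quantifies the "whitelist and block everything else" idea. One caveat for the NAS itself: FreeNAS runs FreeBSD, whose firewalls are ipfw and pf, so the iptables syntax belongs on a Linux router or jump host, not on FreeNAS.

```python
import ipaddress

# Attacking sources seen in the log excerpt earlier in the thread.
ATTACKERS = ["130.61.58.126", "178.62.118.53", "51.254.99.208", "178.128.76.6"]

# Constructed subset of the AS31898 prefixes from the iptables list above.
AS31898_SUBSET = [
    "130.61.0.0/16", "130.61.48.0/20", "130.61.0.0/23", "130.61.7.0/24",
    "138.1.28.0/22", "158.101.0.0/16", "2603:c011:4000::/36",
]


def covering_prefixes(ip, prefixes):
    """All prefixes from the list that contain ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = [n for n in nets if n.version == addr.version and addr in n]
    return sorted(hits, key=lambda n: -n.prefixlen)


def narrowest_block(ip, prefixes):
    """The smallest listed prefix containing ip, or None if the list does not
    cover it (then the only option from this list is the host address itself)."""
    hits = covering_prefixes(ip, prefixes)
    return str(hits[0]) if hits else None


def plan(attackers, prefixes):
    """Map each attacker to the narrowest listed prefix that contains it."""
    return {ip: narrowest_block(ip, prefixes) for ip in attackers}


def collateral(prefixes):
    """(IPv4 address count, IPv6 address count) a set of prefixes would drop,
    with overlapping prefixes collapsed so nothing is counted twice.  This is
    the 'collateral damage' of the block: every address in it, hostile or not."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sum(n.num_addresses for n in v4), sum(n.num_addresses for n in v6)


def ipv4_surface_after_allowlist(allowed):
    """Fraction of the IPv4 space that can still reach the port when only the
    `allowed` prefixes are permitted and everything else is dropped."""
    v4, _ = collateral(allowed)
    return v4 / 2 ** 32


def iptables_rules(blocks):
    """Render DROP rules in the format used in the post above (iptables for
    IPv4, ip6tables for IPv6).  Linux syntax: on FreeBSD/FreeNAS the same
    intent would be expressed as an ipfw rule or a pf table."""
    rules = []
    for b in blocks:
        n = ipaddress.ip_network(b)
        tool = "ip6tables" if n.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -s {n} -j DROP")
    return rules


if __name__ == "__main__":
    for ip, block in plan(ATTACKERS, AS31898_SUBSET).items():
        print(f"{ip:16} -> {block or 'not in list; block the host address'}")
    for candidate in (["130.61.58.126/32"], ["130.61.48.0/20"], ["130.61.0.0/16"]):
        v4, _ = collateral(candidate)
        print(f"{candidate[0]:18} drops {v4:>6} addresses")
    print("\n".join(iptables_rules(["130.61.48.0/20", "2603:c011:4000::/36"])))
```

Run on the excerpt, only 130.61.58.126 falls inside the AS31898 subset, and the narrowest listed prefix containing it is 130.61.48.0/20 (4096 addresses) rather than the /16 (65536), which is the kind of choice the post is describing; the other three sources belong to other networks and would need their own ASN lookup.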
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
Edit: never mind..

One thing though.. the ports being tried are huge, to me it looks like FreeNAS is completely exposed as all those ports are even available to hammer against. That is a much bigger issue than you guys are discussing right now..
 

anmnz

Patron
Joined
Feb 17, 2018
Messages
286
If you mean the port numbers in the OP's alert email excerpt, those are merely ephemeral TCP source ports on the client end of the connection. They don't mean anything.
 

eldo

Explorer
Joined
Dec 18, 2014
Messages
99
For remote access, you may consider a VPN instead of SSH. You would need an actual firewall for that, like pfSense, but it would be stronger. DD-WRT may also be an option.

If you wish to keep your SSH daemon reachable from outside, you will always have these attacks. Using SSH key authentication only is a good mitigation against that.

Still, the day a vulnerability is discovered in the SSH daemon, your NAS will end up compromised instantly.

No single security measure should be considered perfect. Here, only SSHD's security is protecting your NAS against the Internet. That is not enough and you should have at least 2 security layers, if not more.

What's the difference between relying on SSH vs OVPN as entry point?

You do make a good point regarding a vulnerability in SSH allowing access to the network, but the same could be said for OVPN, IPSEC, etc etc etc, no?

I'm also in the boat of using SSH, but I've got a jumpbox that I use for external access.
Originally I set it up for firewall tunnelling, and needed to also run SSLH to multiplex https/ssh traffic since the corporate ISA firewall I was behind would prevent non-HTTPS traffic over port 443 (I needed to use 2 layers of wrappers to package ssh payload up inside ssl headers), and only allowed ports 80 and 443 outbound. I also hosted an SSL web server that I needed access to for owncloud at the time. Combined with putty/socks proxy, this allowed me transparent browser and certain software access to the 'net.

Now that I'm looking at properly getting a physical box for pfsense to live on, I'm trying to more fully understand the tradeoffs and implications of the options.

This may be a bit too far off topic for this thread, and if so, I'll move it to a new thread.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
The "correct" way of doing this is to have a hardened SSH server that is exposed from which you can then SSH to your less-than-hardened internal servers.
 