hacking attempts

Status
Not open for further replies.

tmacka88

Patron
Joined
Jul 5, 2011
Messages
268
Can someone explain how to set up key authentication? I have searched the net, but nothing directly related to FreeNAS is really that great at explaining how to set it up.
 

bryce2113

Cadet
Joined
Sep 22, 2011
Messages
4
View Logs for ssh. Attempted hacking attacks

I recently received the security report from my NAS running 8.0.2 release. It looks like a bot tried forcing its way into my server via ssh. It was using common names to gain access, along with root, admin etc.

My question is how can I safeguard my machine from these attacks and how do I view the log showing who last logged in. I've been able to shell into the var/log folder and when I 'ls' I see all the options but I have no idea which one is what I'm looking for.

Also, I can't view the security log, I keep getting the message 'security: permission denied'. I can't sudo into it either, so any ideas? Thanks for any help.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
My question is how can I safeguard my machine from these attacks and how do I view the log showing who last logged in.
... setting up 'keys' for ssh instead of passwords is one thing.
Another is to change the port that you use for ssh to something 'non-standard'.

You can look in /var/log/security

There's also a command called 'last', there are options for it. Here's the manpage:
Manpage for LAST

Also, FreeBSD uses 'su' instead of sudo, so you would just type 'su' and enter your root password, then your commands. I think sudo can be added on a regular FreeBSD system.
 

Milhouse

Guru
Joined
Jun 1, 2011
Messages
564
My question is how can I safeguard my machine from these attacks

Disable username/password authentication for both root (especially root) and ordinary users. Configure root with a private key in Services -> SSH.

and how do I view the log showing who last logged in. I've been able to shell into the var/log folder and when I 'ls' I see all the options but I have no idea which one is what I'm looking for.

User login attempts (both successful and failed attempts) will be logged to /var/log/auth.log.

Also, I can't view the security log, I keep getting the message 'security: permission denied'. I can't sudo into it either, so any ideas? Thanks for any help.

What user are you logged in as? You need to be root. There's no sudo in FreeNAS.
 

dalex

Dabbler
Joined
Oct 13, 2011
Messages
15
I don't understand the advice to move ssh to a different port, port scanners make this effort essentially a waste of time.

I don't agree. I have at least 5 servers exposed to Internet with different ssh ports for 8 years now, and NEVER saw a hit!

So I suggest:

1) Change the port
2) Disable password method and make some keys. I use Putty for Windows and Linux as a client.
3) Filter port 22 in your firewall, and allow your port of course.

If you want to go further, you could check for port scanners. I have a simple strategy:

If an IP starts hitting port 21, 22, 23, 25, 110, and so on, I put it in a "black list" for a couple of hours. Then I drop everything coming from it.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Have you set a password for the user 'root' in the GUI?

EDIT: Try adding the user to the group 'wheel' using the GUI
 

bryce2113

Cadet
Joined
Sep 22, 2011
Messages
4
Have you set a password for the user 'root' in the GUI?

EDIT: Try adding the user to the group 'wheel'

Tried adding user to group 'wheel' and no luck, returns the same. 'root' has a password as well. Any other ideas? thanks for the help thus far!
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Tried adding user to group 'wheel' and no luck, returns the same. 'root' has a password as well. Any other ideas? thanks for the help thus far!
You're welcome. How did you add the user to the group wheel? Using the GUI or the command line? In FreeNAS you need to do it from the GUI.

If that doesn't work, I'm stumped for the moment. I actually ran into the same problem setting up a Jail and there I could do it from the command line, but that's all I needed to do and it worked.
 

bryce2113

Cadet
Joined
Sep 22, 2011
Messages
4
You're welcome. How did you add the user to the group wheel? Using the GUI or the command line? In FreeNAS you need to do it from the GUI.

If that doesn't work, I'm stumped for the moment. I actually ran into the same problem setting up a Jail and there I could do it from the command line, but that's all I needed to do and it worked.

Tried using it through the GUI so I'm stumped as well. Let me know if you come up with anything.
 

ixidor

Dabbler
Joined
Jun 23, 2011
Messages
20
I don't know if you can get it working in FreeNAS, and someone more knowledgeable please chime in. fail2ban is what you are looking for. It worked wonders on the little Ubuntu box I had with apache+ftp+ssh turned on.
 

Adub

Cadet
Joined
Nov 7, 2011
Messages
7
Indeed, Fail2Ban will scan a number of logs looking for failed login attempts and automatically block them based on your configuration parameters. I haven't tried it on FreeNAS yet (still getting my rig set up), but it should work as long as you have Python installed (which we do, considering the GUI is running on Django).
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
fail2ban is kind of heavyweight. A better choice is usually sshguard. Compiles nicely on FreeBSD, has the advantage of being a C program rather than an interpreted script, so it's fast, small, and extremely effective.
 

David.Fernando

Dabbler
Joined
Dec 18, 2011
Messages
10
attempted hacks

Hi guys,
I was wondering how I would stop people from trying to hack my FreeNAS box. I see that they keep trying different ports, usernames and password combos. I would like to restrict it to automatically ban and blacklist any IP address that fails after x number of times. This is some of what I see:
Dec 18 23:30:57 freenas sshd[34380]: Failed password for root from 117.243.250.249 port 64490 ssh2
Dec 18 23:31:00 freenas sshd[34382]: Failed password for root from 117.243.250.249 port 10122 ssh2
Dec 18 23:31:03 freenas sshd[34386]: Failed password for root from 117.243.250.249 port 12406 ssh2
Dec 18 23:31:05 freenas sshd[34388]: Failed password for root from 117.243.250.249 port 14395 ssh2
Dec 18 23:31:23 freenas sshd[34402]: Failed password for bin from 117.243.250.249 port 29691 ssh2


Dec 18 23:06:17 freenas sshd[32264]: Failed password for root from 208.96.60.210 port 53821 ssh2
Dec 18 23:06:17 freenas sshd[32265]: Failed password for root from 208.96.60.210 port 53834 ssh2
Dec 18 23:06:17 freenas sshd[32267]: Failed password for root from 208.96.60.210 port 53907 ssh2
Dec 18 23:06:17 freenas sshd[32271]: Failed password for root from 208.96.60.210 port 54382 ssh2
Dec 18 23:06:17 freenas sshd[32268]: Failed password for root from 208.96.60.210 port 53905 ssh2



Dec 18 22:59:20 freenas sshd[31090]: Failed password for invalid user shelluser from 117.243.250.249 port 37843 ssh2
Dec 18 22:59:44 freenas sshd[31111]: Failed password for invalid user shelluser from 117.243.250.249 port 58377 ssh2
Dec 18 22:48:57 freenas sshd[29659]: Invalid user maxion from 117.243.250.249
Dec 18 22:49:21 freenas sshd[29679]: Invalid user snc from 117.243.250.249
Dec 18 23:05:49 freenas sshd[31923]: Failed password for invalid user 1 from 208.96.60.210 port 46772 ssh2

Thanks
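
Added example (not part of the original thread, and not how fail2ban or sshguard are implemented): the "ban after x failures" idea applied to sshd lines in the format posted above, using a sliding time window per source address. The sample log, its addresses, and the names `find_offenders`, `threshold` and `window` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the auth.log format quoted above; the addresses are
# RFC 5737 documentation ranges, not hosts from the thread.
SAMPLE_LOG = """\
Dec 18 23:30:57 freenas sshd[34380]: Failed password for root from 203.0.113.7 port 64490 ssh2
Dec 18 23:31:00 freenas sshd[34382]: Failed password for root from 203.0.113.7 port 10122 ssh2
Dec 18 23:31:03 freenas sshd[34386]: Invalid user snc from 203.0.113.7
Dec 18 23:31:05 freenas sshd[34390]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.7 port 14395 ssh2
Dec 18 23:40:00 freenas sshd[34500]: Failed password for admin from 192.0.2.44 port 50000 ssh2
Dec 18 23:55:00 freenas sshd[34600]: Failed password for admin from 192.0.2.44 port 50001 ssh2
Dec 18 23:59:00 freenas sshd[34700]: Accepted publickey for admin from 192.0.2.44 port 50002 ssh2
"""

# The user name is chosen by the client, so it is matched greedily and the
# address is taken only from the end of the line, where sshd writes it.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user ).*"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+ ssh2)?$"
)


def find_offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2011):
    """Map each address with >= threshold failures inside `window` to the time
    it crossed the threshold. Lines are assumed to be in chronological order;
    syslog omits the year, so the caller supplies it."""
    recent = defaultdict(deque)          # address -> timestamps still in the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue                     # successful logins and other daemons
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[m["ip"]]
        seen.append(when)
        while when - seen[0] > window:   # drop failures older than the window
            seen.popleft()
        if len(seen) >= threshold:
            offenders.setdefault(m["ip"], when)
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

The fourth sample line carries a user name containing " from 198.51.100.9"; because the address is read from the end of the line, that name cannot get an unrelated host blocked.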
 

phoenix

Explorer
Joined
Dec 16, 2011
Messages
52
Is this server behind a NAT router and/or firewall (it really should be) or are you implying it's visible on the internet? If it's on a public IP (it shouldn't be, IMO) then use something like fail2ban (I believe there's a version for FreeBSD), or if it's on a LAN then block port 22 and use a VPN to access the server.
 

Milhouse

Guru
Joined
Jun 1, 2011
Messages
564
Either way I'd disable password access completely and switch to public/private key authentication.
 

Stenull

Dabbler
Joined
Aug 22, 2011
Messages
45
After reading this thread I wanted to try out public/private key authentication. I use PuTTY to connect with ssh to my NAS.
I have read this nice how-to and made myself some keys.
Now I'm trying to set up PuTTY to connect to my FreeNAS using my pub key. But when reading about it, it seems that I need to generate keys from PuTTYgen and import them to my FreeNAS??
Anyhow, now confusion is at peak level. Is there a nice how-to somewhere?

EDIT:
Solved it:
1. In Windows, generated keypair with PuTTYgen.
2. In FreeNAS, added public key string to authorized_keys in my .ssh folder.
3. In PuTTY, browse to Configuration -> Connection -> SSH -> Auth. And under "Authentication parameters" pointed to my private key I made in PuTTYgen.
Now it connects without password :)
Hope it helps some...
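
Added example (not part of the original thread): a check for step 2 above. PuTTYgen's saved public key file uses the multi-line RFC 4716 format, while `authorized_keys` needs the one-line OpenSSH form, so the code converts one to the other and flags line-wrapped or mismatched entries. The sample key is constructed and the function names are illustrative.

```python
import base64
import struct
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def wire_strings(blob):
    """Split a key blob into its length-prefixed fields; reject truncation."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def rfc4716_to_openssh(text, comment=""):
    """Turn an RFC 4716 public key file into one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:         # 'Comment: ...' style header
            in_header = ln.endswith("\\")  # a trailing backslash continues it
        else:
            body.append(ln)
    b64 = "".join(body)
    key_type = wire_strings(base64.b64decode(b64, validate=True))[0].decode("ascii")
    return f"{key_type} {b64} {comment}".strip()

def check_line(line):
    """Return None for a usable entry, else the problem. Assumes no options field."""
    if line.startswith("---- BEGIN"):
        return "RFC 4716 file pasted as-is; convert it to the one-line form"
    parts = line.split()
    if len(parts) < 2:
        return "expected '<type> <base64> [comment]' on a single line"
    try:
        fields = wire_strings(base64.b64decode(parts[1], validate=True))
    except (ValueError, struct.error):
        return "key data is truncated or not base64 (line-wrapped paste?)"
    if not fields or fields[0] != parts[0].encode():
        return "key type does not match the key data"
    return None

# Constructed ssh-rsa blob (well-formed, not a real key), wrapped at 64 columns.
_FIELDS = (b"ssh-rsa", b"\x25", b"\x00" + bytes(range(256)))
SAMPLE_B64 = base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in _FIELDS)).decode()
SAMPLE_RFC4716 = "\n".join([BEGIN, 'Comment: "constructed-sample"']
    + [SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)] + [END])
```

A well-formed entry can still be ignored: with sshd's default `StrictModes yes`, keys are refused when the home directory, `.ssh` or `authorized_keys` is writable by anyone other than the owner.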
 

con3636

Cadet
Joined
Feb 17, 2012
Messages
2
After reading this thread I wanted to try out public/private key authentication. I use PuTTY to connect with ssh to my NAS.
I have read this nice how-to and made myself some keys.
Now I'm trying to set up PuTTY to connect to my FreeNAS using my pub key. But when reading about it, it seems that I need to generate keys from PuTTYgen and import them to my FreeNAS??
Anyhow, now confusion is at peak level. Is there a nice how-to somewhere?

EDIT:
Solved it:
1. In Windows, generated keypair with PuTTYgen.
2. In FreeNAS, added public key string to authorized_keys in my .ssh folder.
3. In PuTTY, browse to Configuration -> Connection -> SSH -> Auth. And under "Authentication parameters" pointed to my private key I made in PuTTYgen.
Now it connects without password :)
Hope it helps some...

Any intermediate steps? I'm trying to do the same but my keys aren't working. The private key goes to FreeNAS in the SSH settings, right? I'm afraid I may have messed up the syntax for authorized_keys or something. Also, did you need to paste your public key in the appropriate field for the specific user on FreeNAS? Any help? Thanks!
 

Stenull

Dabbler
Joined
Aug 22, 2011
Messages
45
Any intermediate steps? I'm trying to do the same but my keys aren't working. The private key goes to FreeNAS in the SSH settings right? I'm afraid I may have messed up the syntax for authorized_keys or something. Also did you need to paste your public key in the appropriate field for the specific user on freeNAS? Any help? Thanks!

Step 2 would be the same as in WebGUI to go to
Account -> Users -> "Your user"
and paste your public key under "SSH Public Key".
 

con3636

Cadet
Joined
Feb 17, 2012
Messages
2
Thanks Stenull, I finally have it all working, I had some folder rights messed up and giving each user their own folder in a dedicated folder in /mnt worked!
 