2
  • Fresh install of Fedora 25 Server
  • Server behind a router with only a few NAT-rules
  • Many SSH login attempts from hundreds of different IPs / ports (ever-changing)
  • Recently attacks / exploits on nginx (running in a Docker instance) show up in the log, too.

A few examples from the log:

error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 56548 ssh2 [preauth]

error: Received disconnect from 52.221.236.126 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

[error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 77.77.211.78, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"

I went through the basic hardening measures at install, including only allowing SSH login with a certificate (no passwords, no root).

Questions

  • How can the attackers reach different ports on my LAN, not configured in NAT? UPnP…?
  • Is it possible to block / stop these blind attacks?

Additional and possibly relevant information

I use the Dynamic DNS service freedns.afraid.org with a newly registered domain name.

2
  • You should implement fail2ban on your server: fail2ban.org/wiki/index.php/Main_Page Commented Jan 12, 2017 at 10:42
  • That is one of the measures I plan to implement. My main question is: how do the attacks get past the NAT rules defined in my router? Or is that a trivial thing? Commented Jan 12, 2017 at 10:46

2 Answers

3

How can the attackers reach different ports on my LAN, not configured in NAT? UPnP …?

That is possible only if your server was compromised or external connections come over ports opened by UPnP. When you create forwarding rules, you may specify which port or range of ports will be forwarded to a particular IP residing on the LAN side. You can also change (substitute) the external port(s) to local ones with different values (external port 3456 forwarded to local port 22, for example) or set one-to-one forwarding (external 22 to internal 22). So the short answer: only the ports you opened on the firewall will be forwarded to a particular IP on the LAN.

If you put your server in the DMZ zone, it means your server is fully exposed to the Internet on all ports; this way all ports are available for external connections.

Check also this list of vulnerable routers; if the router itself was hacked, then it isn't your network anymore.

Is it possible to block / stop these blind attacks?

Take a look at the similar question and the answer that followed on how to secure and reduce such scanning attempts.

1
  • @G-Man Thanks for your correction, English isn't my native language, that's why my grammar isn't good :(
    – Alex
    Commented Jan 20, 2017 at 23:14
1

The ports that you are seeing in the logs are the source ports of the attacker, not the destination ones, so that does not mean that your system has those ports open, nor that the attacker is reaching your system through them.

For example, assuming that you have opened port 22 for ssh, in the logs you can see that the attacks on the ssh service are coming from another port (56548).

2
  • Thanks, this is useful information. Then I guess it would help to change the ssh port? Commented Jan 12, 2017 at 11:49
  • Not using default ports is a good practice, but it won't prevent your server from continuing to receive attack attempts. You should apply some IP filter to incoming public ssh connections (or install fail2ban as soon as possible). Commented Jan 12, 2017 at 12:02
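As an added illustration of the point made in this answer (not code from the question or from any answer), the script below parses the sshd and nginx lines quoted in the question. sshd logs the peer as "from <ip> port <port>", where the port is the client's ephemeral source port, and the nginx error log records "client: <ip>" with no port at all; neither line says anything about which local port was reached. The fourth log line, the listening port of 22 and the per-IP threshold in the style of fail2ban's maxretry are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the question plus one more
# sshd line written for this example so that a repeat offender shows up.
SAMPLE_LOG = """\
error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 56548 ssh2 [preauth]
error: Received disconnect from 52.221.236.126 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
[error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 77.77.211.78, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"
error: maximum authentication attempts exceeded for invalid user admin from 88.14.203.97 port 41102 ssh2 [preauth]
"""

# sshd writes the peer address as "from <ip> port <port>"; the port is the
# client's source port. The local listening port is not part of the message.
SSHD_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
# The nginx error log writes "client: <ip>" and no port at all.
NGINX_RE = re.compile(r"client: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return (service, client_ip, client_port) or None for unrecognised lines.

    client_port is None for nginx lines, which carry no port."""
    m = SSHD_RE.search(line)
    if m:
        return ("sshd", m.group("ip"), int(m.group("port")))
    m = NGINX_RE.search(line)
    if m:
        return ("nginx", m.group("ip"), None)
    return None


def is_ephemeral(port):
    """True when the number looks like a client source port.

    IANA's dynamic range is 49152-65535 and the Linux default
    (net.ipv4.ip_local_port_range) is 32768-60999; anything above 1024 is
    a strong hint that it is a source port rather than a service port."""
    return port is not None and port > 1024


def summarize(log_text, listening_port=22):
    """Count events per client IP and check whether any logged sshd port
    could be mistaken for the local listening port (assumed 22 here)."""
    events = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    per_ip = Counter(ip for _, ip, _ in events)
    ssh_ports = [port for svc, _, port in events if svc == "sshd"]
    return {
        "events": events,
        "per_ip": dict(per_ip),
        "ssh_source_ports": ssh_ports,
        "all_source_ports_ephemeral": all(is_ephemeral(p) for p in ssh_ports),
        "ports_equal_to_listening": [p for p in ssh_ports if p == listening_port],
    }


def ban_candidates(per_ip, maxretry=2):
    """IPs that reached the threshold, the same idea fail2ban applies
    (maxretry is a constructed value for this example)."""
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for svc, ip, port in summary["events"]:
        where = f"source port {port}" if port else "no port logged"
        print(f"{svc:5} client {ip:15} {where}")
    print("all sshd ports ephemeral:", summary["all_source_ports_ephemeral"])
    print("ports equal to listening port:", summary["ports_equal_to_listening"])
    print("ban candidates:", ban_candidates(summary["per_ip"]))
```

Run against the sample, every sshd port is in the ephemeral range and none equals 22, which is the answer's point: the numbers say where the connection came from, not where it landed. The per-IP count is the input a tool like fail2ban uses to decide what to block.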
