LAN access from remote in router logs

I have an Ubuntu server on my network with SSH open on port 22, with UFW enabled for it. SSH is protected with my password, and I created another user for my SSH connection.

Today I noticed these logs.

There are some IP addresses trying to connect to my network... although I don't know them. This IP, for example, 121.18.238.22, is from China; "whois" says: Baeh province network of China Unicom Hebei.

Unfortunately there is a log entry saying that they finally discovered my password, and then I had to ban the IP with ufw.

Now I am using Fail2Ban to prevent this kind of attack.

[LAN access from remote] from 183.37.22.227:58298 to 192.168.0.7:22, Monday, July 04,2016 10:09:53
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:08:22
[LAN access from remote] from 192.168.0.4:63385 to 192.168.0.7:80, Monday, July 04,2016 10:03:02
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:02:47
[LAN access from remote] from 169.229.3.91:40301 to 192.168.0.7:80, Monday, July 04,2016 10:00:52
[LAN access from remote] from 169.229.3.91:38487 to 192.168.0.7:80, Monday, July 04,2016 10:00:52
[LAN access from remote] from 121.18.238.22:38685 to 192.168.0.7:22, Monday, July 04,2016 10:00:07
[LAN access from remote] from 121.18.238.22:54199 to 192.168.0.7:22, Monday, July 04,2016 09:59:57
[LAN access from remote] from 121.18.238.22:45582 to 192.168.0.7:22, Monday, July 04,2016 09:59:47
[LAN access from remote] from 121.18.238.22:33867 to 192.168.0.7:22, Monday, July 04,2016 09:59:37
[LAN access from remote] from 121.18.238.22:48962 to 192.168.0.7:22, Monday, July 04,2016 09:59:25
[LAN access from remote] from 121.18.238.22:42182 to 192.168.0.7:22, Monday, July 04,2016 09:59:15
[LAN access from remote] from 121.18.238.22:35939 to 192.168.0.7:22, Monday, July 04,2016 09:59:05
[LAN access from remote] from 121.18.238.22:50380 to 192.168.0.7:22, Monday, July 04,2016 09:58:53
[LAN access from remote] from 121.18.238.22:41018 to 192.168.0.7:22, Monday, July 04,2016 09:58:42
[LAN access from remote] from 121.18.238.22:56730 to 192.168.0.7:22, Monday, July 04,2016 09:58:30
[LAN access from remote] from 121.18.238.22:48769 to 192.168.0.7:22, Monday, July 04,2016 09:58:19
[DoS Attack: RST Scan] from source: 121.18.238.22, port 40454, Monday, July 04,2016 09:58:10
[LAN access from remote] from 121.18.238.22:43529 to 192.168.0.7:22, Monday, July 04,2016 09:58:08
[LAN access from remote] from 121.18.238.22:40454 to 192.168.0.7:22, Monday, July 04,2016 09:58:00
[LAN access from remote] from 121.18.238.22:56935 to 192.168.0.7:22, Monday, July 04,2016 09:57:48
[LAN access from remote] from 121.18.238.22:46752 to 192.168.0.7:22, Monday, July 04,2016 09:57:37
[LAN access from remote] from 121.18.238.22:35769 to 192.168.0.7:22, Monday, July 04,2016 09:57:26
[LAN access from remote] from 121.18.238.22:60140 to 192.168.0.7:22, Monday, July 04,2016 09:57:18
[LAN access from remote] from 121.18.238.22:53270 to 192.168.0.7:22, Monday, July 04,2016 09:57:09
[LAN access from remote] from 121.18.238.22:40038 to 192.168.0.7:22, Monday, July 04,2016 09:56:58
[LAN access from remote] from 121.18.238.22:32905 to 192.168.0.7:22, Monday, July 04,2016 09:56:49
[LAN access from remote] from 121.18.238.22:57638 to 192.168.0.7:22, Monday, July 04,2016 09:56:40
[LAN access from remote] from 192.168.0.4:63336 to 192.168.0.7:80, Monday, July 04,2016 09:56:26
[LAN access from remote] from 121.18.238.22:52719 to 192.168.0.7:22, Monday, July 04,2016 09:56:24
[LAN access from remote] from 121.18.238.22:48129 to 192.168.0.7:22, Monday, July 04,2016 09:56:13
[LAN access from remote] from 121.18.238.22:42942 to 192.168.0.7:22, Monday, July 04,2016 09:56:05
[LAN access from remote] from 192.168.0.4:63333 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63332 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63331 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63330 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 121.18.238.22:60581 to 192.168.0.7:22, Monday, July 04,2016 09:55:57
[DoS Attack: ACK Scan] from source: 172.217.19.78, port 443, Monday, July 04,2016 09:54:40
[DoS Attack: ACK Scan] from source: 172.217.19.78, port 443, Monday, July 04,2016 09:54:28
[DoS Attack: ACK Scan] from source: 138.108.96.100, port 80, Monday, July 04,2016 09:54:25
[LAN access from remote] from 5.90.72.134:2356 to 192.168.0.7:1723, Monday, July 04,2016 09:54:15
[LAN access from remote] from 192.168.0.2:63287 to 192.168.0.7:1723, Monday, July 04,2016 09:54:01
[LAN access from remote] from 121.18.238.9:59422 to 192.168.0.7:22, Monday, July 04,2016 09:51:33
[LAN access from remote] from 121.18.238.9:49290 to 192.168.0.7:22, Monday, July 04,2016 09:51:24
[LAN access from remote] from 121.18.238.9:38058 to 192.168.0.7:22, Monday, July 04,2016 09:51:14
[LAN access from remote] from 121.18.238.9:58639 to 192.168.0.7:22, Monday, July 04,2016 09:51:05
[LAN access from remote] from 121.18.238.9:51981 to 192.168.0.7:22, Monday, July 04,2016 09:50:57
[LAN access from remote] from 121.18.238.9:40686 to 192.168.0.7:22, Monday, July 04,2016 09:50:47
[LAN access from remote] from 121.18.238.9:33384 to 192.168.0.7:22, Monday, July 04,2016 09:50:39
[LAN access from remote] from 221.194.44.227:34213 to 192.168.0.7:22, Monday, July 04,2016 09:50:31
[LAN access from remote] from 121.18.238.9:53152 to 192.168.0.7:22, Monday, July 04,2016 09:50:30
[LAN access from remote] from 221.194.44.227:56795 to 192.168.0.7:22, Monday, July 04,2016 09:50:23
[LAN access from remote] from 121.18.238.9:42253 to 192.168.0.7:22, Monday, July 04,2016 09:50:22
[LAN access from remote] from 221.194.44.227:52907 to 192.168.0.7:22, Monday, July 04,2016 09:50:13
[LAN access from remote] from 121.18.238.9:33132 to 192.168.0.7:22, Monday, July 04,2016 09:50:12
[LAN access from remote] from 121.18.238.9:54038 to 192.168.0.7:22, Monday, July 04,2016 09:50:04
[LAN access from remote] from 221.194.44.227:43711 to 192.168.0.7:22, Monday, July 04,2016 09:50:03
[LAN access from remote] from 121.18.238.9:45113 to 192.168.0.7:22, Monday, July 04,2016 09:49:56
[LAN access from remote] from 221.194.44.227:40385 to 192.168.0.7:22, Monday, July 04,2016 09:49:53
[LAN access from remote] from 121.18.238.9:39202 to 192.168.0.7:22, Monday, July 04,2016 09:49:47
[LAN access from remote] from 221.194.44.227:57962 to 192.168.0.7:22, Monday, July 04,2016 09:49:42
[LAN access from remote] from 121.18.238.9:52268 to 192.168.0.7:22, Monday, July 04,2016 09:49:37
[LAN access from remote] from 221.194.44.227:42415 to 192.168.0.7:22, Monday, July 04,2016 09:49:29
[LAN access from remote] from 121.18.238.9:42971 to 192.168.0.7:22, Monday, July 04,2016 09:49:29
[LAN access from remote] from 121.18.238.9:37777 to 192.168.0.7:22, Monday, July 04,2016 09:49:21
[LAN access from remote] from 221.194.44.227:40557 to 192.168.0.7:22, Monday, July 04,2016 09:49:21
[LAN access from remote] from 121.18.238.9:59635 to 192.168.0.7:22, Monday, July 04,2016 09:49:14
[LAN access from remote] from 121.18.238.9:59576 to 192.168.0.7:22, Monday, July 04,2016 09:49:13
[LAN access from remote] from 221.194.44.227:36473 to 192.168.0.7:22, Monday, July 04,2016 09:49:12
[LAN access from remote] from 121.18.238.9:49344 to 192.168.0.7:22, Monday, July 04,2016 09:49:05
[LAN access from remote] from 121.18.238.9:49097 to 192.168.0.7:22, Monday, July 04,2016 09:49:05
[LAN access from remote] from 221.194.44.227:58954 to 192.168.0.7:22, Monday, July 04,2016 09:49:02
[LAN access from remote] from 121.18.238.9:33639 to 192.168.0.7:22, Monday, July 04,2016 09:48:55
[LAN access from remote] from 121.18.238.9:33629 to 192.168.0.7:22, Monday, July 04,2016 09:48:55
[LAN access from remote] from 221.194.44.227:55456 to 192.168.0.7:22, Monday, July 04,2016 09:48:53
[LAN access from remote] from 121.18.238.9:49028 to 192.168.0.7:22, Monday, July 04,2016 09:48:46
[LAN access from remote] from 121.18.238.9:48956 to 192.168.0.7:22, Monday, July 04,2016 09:48:46
[LAN access from remote] from 221.194.44.227:49145 to 192.168.0.7:22, Monday, July 04,2016 09:48:41
[LAN access from remote] from 121.18.238.9:33426 to 192.168.0.7:22, Monday, July 04,2016 09:48:36
[LAN access from remote] from 121.18.238.9:33393 to 192.168.0.7:22, Monday, July 04,2016 09:48:36
[LAN access from remote] from 221.194.44.227:43452 to 192.168.0.7:22, Monday, July 04,2016 09:48:31
[LAN access from remote] from 121.18.238.9:46965 to 192.168.0.7:22, Monday, July 04,2016 09:48:27
[LAN access from remote] from 121.18.238.9:46881 to 192.168.0.7:22, Monday, July 04,2016 09:48:27
[LAN access from remote] from 221.194.44.227:37404 to 192.168.0.7:22, Monday, July 04,2016 09:48:22
[LAN access from remote] from 121.18.238.9:58887 to 192.168.0.7:22, Monday, July 04,2016 09:48:17
[LAN access from remote] from 121.18.238.9:58799 to 192.168.0.7:22, Monday, July 04,2016 09:48:17
[LAN access from remote] from 221.194.44.227:34731 to 192.168.0.7:22, Monday, July 04,2016 09:48:13
[LAN access from remote] from 121.18.238.9:47059 to 192.168.0.7:22, Monday, July 04,2016 09:48:07
[LAN access from remote] from 121.18.238.9:44687 to 192.168.0.7:22, Monday, July 04,2016 09:48:07
[LAN access from remote] from 221.194.44.227:57545 to 192.168.0.7:22, Monday, July 04,2016 09:48:04
[LAN access from remote] from 121.18.238.9:37208 to 192.168.0.7:22, Monday, July 04,2016 09:47:59
[LAN access from remote] from 221.194.44.227:49639 to 192.168.0.7:22, Monday, July 04,2016 09:47:54
[LAN access from remote] from 121.18.238.9:52557 to 192.168.0.7:22, Monday, July 04,2016 09:47:49
[LAN access from remote] from 221.194.44.227:43237 to 192.168.0.7:22, Monday, July 04,2016 09:47:45
[LAN access from remote] from 121.18.238.9:41335 to 192.168.0.7:22, Monday, July 04,2016 09:47:40
[LAN access from remote] from 221.194.44.227:34902 to 192.168.0.7:22, Monday, July 04,2016 09:47:35
[LAN access from remote] from 121.18.238.9:52772 to 192.168.0.7:22, Monday, July 04,2016 09:47:30
[LAN access from remote] from 221.194.44.227:54658 to 192.168.0.7:22, Monday, July 04,2016 09:47:26
[LAN access from remote] from 121.18.238.9:41885 to 192.168.0.7:22, Monday, July 04,2016 09:47:21
[LAN access from remote] from 221.194.44.227:46651 to 192.168.0.7:22, Monday, July 04,2016 09:47:16
[LAN access from remote] from 121.18.238.9:57163 to 192.168.0.7:22, Monday, July 04,2016 09:47:11
[LAN access from remote] from 221.194.44.227:44183 to 192.168.0.7:22, Monday, July 04,2016 09:47:07
[LAN access from remote] from 121.18.238.9:46415 to 192.168.0.7:22, Monday, July 04,2016 09:47:02
[LAN access from remote] from 121.18.238.9:58226 to 192.168.0.7:22, Monday, July 04,2016 09:46:52
[LAN access from remote] from 221.194.44.227:36430 to 192.168.0.7:22, Monday, July 04,2016 09:46:47
[LAN access from remote] from 121.18.238.9:49359 to 192.168.0.7:22, Monday, July 04,2016 09:46:43

Update #2

They have successfully attacked my machine.

I decided to switch to key-file-based RSA authentication, but they had installed a backdoor on my computer (and I didn't know that my antivirus had not blocked it).

The RSA keys are stored in an encrypted container, but the backdoor intercepted my password and then stole the RSA private key.

They created a VPN on my Ubuntu server.

I had to block every connection from the router, and I am now removing the VPN.

asked by Albert 04.07.2016 - 12:20
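The router entries posted above are one line per connection attempt, so the same threshold logic Fail2Ban applies to sshd (its `maxretry` and `findtime` options) can be run over them to pick out the sources that are hammering port 22. The following is an added example, not code from the question, from the router vendor or from Fail2Ban: the log lines inside it are constructed in the same format as the ones posted, with TEST-NET addresses standing in for the real sources, and the `maxretry`/`findtime` defaults are the ones the answer below and Fail2Ban's own defaults suggest.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the router's "[LAN access from remote]" lines; other event types
# ("DoS Attack: ..." etc.) deliberately do not match and are skipped.
LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<ts>.+)$"
)
# The router writes timestamps like "Monday, July 04,2016 10:00:07".
TS_FMT = "%A, %B %d,%Y %H:%M:%S"

# Constructed sample in the router's format (TEST-NET addresses, not the real ones).
SAMPLE_LOG = [
    "[LAN access from remote] from 203.0.113.10:38685 to 192.168.0.7:22, Monday, July 04,2016 10:00:07",
    "[LAN access from remote] from 203.0.113.10:54199 to 192.168.0.7:22, Monday, July 04,2016 09:59:57",
    "[LAN access from remote] from 203.0.113.10:45582 to 192.168.0.7:22, Monday, July 04,2016 09:59:47",
    "[LAN access from remote] from 203.0.113.10:33867 to 192.168.0.7:22, Monday, July 04,2016 09:59:37",
    "[LAN access from remote] from 203.0.113.10:48962 to 192.168.0.7:22, Monday, July 04,2016 09:59:25",
    "[LAN access from remote] from 203.0.113.10:42182 to 192.168.0.7:22, Monday, July 04,2016 09:59:15",
    "[DoS Attack: RST Scan] from source: 203.0.113.10, port 40454, Monday, July 04,2016 09:58:10",
    "[LAN access from remote] from 192.168.0.4:63336 to 192.168.0.7:80, Monday, July 04,2016 09:56:26",
    "[LAN access from remote] from 192.168.0.4:63333 to 192.168.0.7:80, Monday, July 04,2016 09:56:04",
    "[LAN access from remote] from 198.51.100.7:2356 to 192.168.0.7:22, Monday, July 04,2016 09:54:15",
]


def parse_line(line):
    """Return {src, dport, ts} for a LAN-access line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "dport": int(m["dport"]),
        "ts": datetime.strptime(m["ts"], TS_FMT),
    }


def find_bursty_sources(lines, port=22, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {src_ip: total_hits} for every source that made more than
    `maxretry` connections to `port` inside some window of length `findtime`.
    This mirrors Fail2Ban's maxretry/findtime semantics (a sliding window)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            hits[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, times in hits.items():
        times.sort()  # router prints newest first; the window needs ascending order
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it fits inside findtime
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 > maxretry:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, count in find_bursty_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} connections to port 22 in the sample, over the limit")
```

With the sample above, only 203.0.113.10 is reported: six connections to port 22 within a minute exceed `maxretry=5`, while the single hit from 198.51.100.7 and the LAN traffic to port 80 are left alone. The same function can be pointed at a saved copy of the real router log; note that the router only sees the connection, not whether sshd accepted it, so this identifies who is trying, not who got in.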

1 answer


If you whois the IP, you can find that it is likely someone trying to brute-force your SSH credentials. Just set a strong password or, preferably, require a key pair for authentication.

There are other steps that will provide more protection.

I am also getting attacks on my Synology NAS. Nothing to worry about if you have your configuration right. You should configure a maximum of 5 attempts from the same IP to also limit the impact of this kind of attack. It is probably not a real DoS attack, since you would get many more packets and you would notice it from your internet speed.

You can check your SSH logs to see whether these attempts are followed by a successful authentication. If you are really curious about their incentives, you can set up a honeypot and monitor their behaviour. But that is much more advanced. I would love to see what these people do once they get in. So if anyone has done such an experiment, let me know.

answered by Silver 04.07.2016 - 12:44
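The check the answer recommends, looking in the SSH log for a successful authentication that follows failed attempts from the same address, can be automated over `/var/log/auth.log`. The following is an added example and not the answerer's code: it parses the standard sshd `Failed ...`/`Accepted ...` lines, keeps a per-source failure count, and reports any login accepted from a source that had already failed. The sample lines inside it are constructed in the usual syslog format (hostname, usernames, TEST-NET address and the key fingerprint are all placeholders).

```python
import re
from collections import defaultdict

# Standard sshd authentication lines as written to auth.log via syslog.
# "invalid user" is optional: sshd inserts it when the account does not exist.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: three failures from one address, then an accepted
# password login from it; the LAN login has no failures in front of it.
SAMPLE_AUTH_LOG = """\
Jul  4 09:58:19 ubuntu sshd[2133]: Failed password for root from 203.0.113.10 port 48769 ssh2
Jul  4 09:58:30 ubuntu sshd[2135]: Failed password for invalid user admin from 203.0.113.10 port 56730 ssh2
Jul  4 09:58:42 ubuntu sshd[2137]: Failed password for albert from 203.0.113.10 port 41018 ssh2
Jul  4 10:02:47 ubuntu sshd[2150]: Accepted publickey for albert from 192.168.0.4 port 63385 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Jul  4 10:09:53 ubuntu sshd[2201]: Accepted password for albert from 203.0.113.10 port 58298 ssh2
Jul  4 10:10:01 ubuntu sshd[2201]: pam_unix(sshd:session): session opened for user albert by (uid=0)
"""


def parse_sshd_line(line):
    """Return the fields of an Accepted/Failed line, or None for other sshd output."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def successes_after_failures(text, min_failures=1):
    """Scan auth-log text in file order (syslog is chronological) and return one
    record per accepted login whose source address had at least `min_failures`
    failed attempts earlier in the log. These are the logins worth investigating."""
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        rec = parse_sshd_line(line)
        if rec is None:
            continue
        if rec["result"] == "Failed":
            failures[rec["ip"]] += 1
        elif failures[rec["ip"]] >= min_failures:
            suspicious.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "user": rec["user"],
                "method": rec["method"],
                "failures_before": failures[rec["ip"]],
            })
    return suspicious


if __name__ == "__main__":
    for hit in successes_after_failures(SAMPLE_AUTH_LOG):
        print(f"{hit['ts']}: {hit['method']} login as {hit['user']} from {hit['ip']} "
              f"after {hit['failures_before']} failed attempt(s)")
```

Run against the sample it reports the 10:09:53 password login from 203.0.113.10 (three failures before it) and stays silent about the key-based LAN login. Pointed at the real file (`successes_after_failures(open("/var/log/auth.log").read())`), an empty result means the brute-force never succeeded; a non-empty one is the confirmation the question's author eventually found, and the moment to rotate the password, audit the box and move to key-only authentication.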
