
A Chinese computer is trying to SSH login to my home NAS server

#1

For days, my OpenWRT NAS server has been giving me this in the syslogs:

  • Sep 2 04:33:26 OpenWrt authpriv.info dropbear[24602]: Child connection from 124.160.194.27:38947
  • Sep 2 04:33:31 OpenWrt authpriv.warn dropbear[24602]: Login attempt for nonexistent user from 124.160.194.27:38947
  • Sep 2 04:33:31 OpenWrt authpriv.info dropbear[24602]: Exit before auth: Disconnect received

What do I do? It's very annoying and IP locators indicate it appears to be a Chinese IP. I don't understand WHY this has been happening but it's annoying.

0 Likes

#2

Do you need SSH connection from outside of your house? You could simply close the port if you do not need to.

0 Likes

#3

I need the SSH. I'm planning on using the machine for more than just a NAS and having access over the internet would be helpful.

0 Likes

#4

set up an auto ban (normally you can change these settings in your /etc/ssh/sshd.config)

just make it so 3 bad login attempts within 5 minutes will ban the ip for 24 hours.

 

disable login for "root" "admin" "administrator" or anything like that.

2 Likes

#5

OpenWRT uses Dropbear for SSH and it doesn't have the ability to do that. I'm severely disappointed as this seemed like the dream solution.

0 Likes

#6

I like the fact he's hitting non-existent user errors. He's probably trying root or admin and failing.

I would recommend using SSH keys instead of passwords and then let him bang away and waste a few weeks of his life for nothing. SSH keys are your best bet when it comes to security of your connections and it's actually easier to log in with.

1 Like

#7

Agreed. I also agree with ztrain's solution because you might not have the key-file with you all the time.

0 Likes

#8

I advise you change it to a different external port. That way on the outside there will appear to be no SSH available. 

0 Likes

#9

oh, I should also mention that this is not a targeted attack against you... it's a bot on a botnet in China that is just scanning random IPv4 addresses, and when it sees a default SSH port open, it starts trying to dictionary attack root / admin users.

 

another pseudo solution would be to switch your SSH port.

1 Like

#10

One method not mentioned here is blocking brute force attempts with iptables.

You can limit new connections on a port by time and count.

0 Likes
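The threshold suggested in post #4 (3 bad logins within 5 minutes) can be enforced outside Dropbear by scanning the syslog and handing offenders to iptables, as post #10 suggests. The script below is an added example, not code from any poster; it assumes the log layout shown in post #1, and the function names, the port 22 rule and the sample lines are constructed for illustration.

```shell
# Added example (not from the thread). Thresholds follow post #4.
MAX=3        # failed logins from one IP ...
WINDOW=300   # ... within this many seconds

# Reads syslog lines on stdin, prints each offending IPv4 address once.
ban_candidates() {
    awk -v max="$MAX" -v window="$WINDOW" '
    index($0, " dropbear[") &&
    (index($0, "Login attempt for nonexistent user from ") ||
     index($0, "Bad password attempt for ")) {
        # Dropbear appends the peer as the last field (ip:port). Using $NF
        # keeps an attacker-chosen username from spoofing the address.
        ip = $NF
        sub(/:[0-9]+$/, "", ip)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        # Assumed layout: "Mon D HH:MM:SS ..."; month rollover is ignored.
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        # Per-IP sliding window: append, then drop entries older than window.
        tail[ip]++
        seen[ip, tail[ip]] = now
        if (!(ip in head)) head[ip] = 1
        while (now - seen[ip, head[ip]] > window) head[ip]++
        if (tail[ip] - head[ip] + 1 >= max && !(ip in flagged)) {
            flagged[ip] = 1
            print ip
        }
    }'
}

# Dry run: print (do not execute) one DROP rule per offender for review.
ban_rules() {
    ban_candidates | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Constructed sample log (documentation-range IPs, not real hosts).
sample_log() {
    cat <<'EOF'
Sep 2 04:33:31 OpenWrt authpriv.warn dropbear[24602]: Login attempt for nonexistent user from 203.0.113.7:38947
Sep 2 04:34:02 OpenWrt authpriv.warn dropbear[24603]: Bad password attempt for 'x from 10.0.0.1:22' from 203.0.113.7:38950
Sep 2 04:35:10 OpenWrt authpriv.warn dropbear[24604]: Login attempt for nonexistent user from 203.0.113.7:38961
Sep 2 04:40:00 OpenWrt authpriv.warn dropbear[24700]: Login attempt for nonexistent user from 198.51.100.9:50001
Sep 2 04:50:00 OpenWrt authpriv.warn dropbear[24701]: Login attempt for nonexistent user from 198.51.100.9:50002
Sep 2 05:00:00 OpenWrt authpriv.warn dropbear[24702]: Login attempt for nonexistent user from 198.51.100.9:50003
EOF
}
```

Run `sample_log | ban_rules` to see the output for the constructed log; on a live system the input would come from the system log instead. The rules are only printed, and expiring a ban after 24 hours is left to whatever applies them.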

closed #11

Thread was brought back after five years. OP has not posted since 2013. Thread is locked.

0 Likes