Solved - People trying to break into SSH

Today, after a few days of not messing with my Omnia, I decided to take a look. Suddenly I could not enter LuCI. I decided to try Foris… that also did not work. I thought maybe it was because of the cache… deleted my browser's cache, still nothing.

Then I tried to connect over SSH; that did work. I tried another browser, still could not connect.

Then I tried to look at the logs for some clue about what was going on… I saw this… :confused:

2016-11-27T19:19:08+01:00 info sshd[2131]: Failed password for root from 221.229.172.114 port 47531 ssh2
2016-11-27T19:19:08+01:00 info sshd[2133]: Failed password for root from 221.229.172.114 port 49189 ssh2
2016-11-27T19:19:08+01:00 info sshd[2135]: Failed password for root from 221.229.172.114 port 52755 ssh2
2016-11-27T19:19:09+01:00 info sshd[2131]: Failed password for root from 221.229.172.114 port 47531 ssh2
2016-11-27T19:19:09+01:00 info sshd[2133]: Failed password for root from 221.229.172.114 port 49189 ssh2
2016-11-27T19:19:09+01:00 info sshd[2135]: Failed password for root from 221.229.172.114 port 52755 ssh2
2016-11-27T19:19:09+01:00 info sshd[2131]: Failed password for root from 221.229.172.114 port 47531 ssh2
2016-11-27T19:19:09+01:00 info sshd[2135]: Failed password for root from 221.229.172.114 port 52755 ssh2
2016-11-27T19:19:09+01:00 info sshd[2133]: Failed password for root from 221.229.172.114 port 49189 ssh2
2016-11-27T19:19:09+01:00 info sshd[2131]: Received disconnect from 221.229.172.114 port 47531:11:  [preauth]
2016-11-27T19:19:09+01:00 info sshd[2131]: Disconnected from 221.229.172.114 port 47531 [preauth]
2016-11-27T19:19:09+01:00 info sshd[2135]: Received disconnect from 221.229.172.114 port 52755:11:  [preauth]
2016-11-27T19:19:09+01:00 info sshd[2135]: Disconnected from 221.229.172.114 port 52755 [preauth]
2016-11-27T19:19:09+01:00 info sshd[2133]: Received disconnect from 221.229.172.114 port 49189:11:  [preauth]
2016-11-27T19:19:09+01:00 info sshd[2133]: Disconnected from 221.229.172.114 port 49189 [preauth]
2016-11-27T19:19:10+01:00 info sshd[2137]: Failed password for root from 221.229.172.114 port 60529 ssh2
2016-11-27T19:19:10+01:00 info sshd[2137]: Failed password for root from 221.229.172.114 port 60529 ssh2
2016-11-27T20:19:11+01:00 info sshd[]: Last message 'Failed password for ' repeated 1 times, supressed by syslog-ng on K-Router
2016-11-27T19:19:11+01:00 info sshd[2137]: Received disconnect from 221.229.172.114 port 60529:11:  [preauth]
2016-11-27T19:19:11+01:00 info sshd[2137]: Disconnected from 221.229.172.114 port 60529 [preauth]
2016-11-27T19:19:12+01:00 info sshd[2290]: Failed password for root from 221.229.172.114 port 23846 ssh2
2016-11-27T19:19:13+01:00 info sshd[2290]: Failed password for root from 221.229.172.114 port 23846 ssh2
2016-11-27T20:19:14+01:00 info sshd[]: Last message 'Failed password for ' repeated 1 times, supressed by syslog-ng on K-Router
2016-11-27T19:19:14+01:00 info sshd[2290]: Received disconnect from 221.229.172.114 port 23846:11:  [preauth]
2016-11-27T19:19:14+01:00 info sshd[2290]: Disconnected from 221.229.172.114 port 23846 [preauth]

Is this normal? Can I do something about it?

Solution to my situation: I had used DMZ to my Omnia, which opens all doors to the outside world. DO NOT USE DMZ!!

Scary shit :fearful:

But I am by no means a security expert…

I believe @Etz is all about system hardening though. So you could try and PM him - he’s very helpful (if you return the respect by doing your homework!).

What I forgot was that they are still trying.

Sadly I cannot access LuCI to look at some of the things, so right now only the terminal is available. I was thinking maybe there is a possibility to ban IPs after a certain number of retries, although I know that they will find another IP to use.

Or maybe, after a certain number of retries, warn me (the user) of a possible attack by email or something.

Maybe fail2ban is an option? That is one of the things I use on my normal Linux boxes (not sure how it would end up when used on OpenWRT though - and whether it is even available…).

The biggest problem is that LuCI and Foris are not accessible. If that wasn’t the problem, a lot of things would be much easier.

EDIT2: lighttpd error.log

2016-11-27 20:19:01: (log.c.194) server started
2016-11-27 20:19:01: (mod_rrdtool.c.389) rrdtool.binary has to be set
2016-11-27 20:19:01: (server.c.1030) Configuration of plugins failed. Going down.

Right, that is “a lot” of information =_=!
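The check the poster asks for, banning a source after a number of failed logins, as an added example that is not part of the thread and is neither Turris nor fail2ban code: a POSIX sh/awk script that counts sshd "Failed password" lines per source address, folds the syslog-ng "repeated N times" lines back into the count (syslog-ng only suppresses messages identical to the previous one, so they belong to the same source), and prints the block command for every source above a threshold. The lines in `sample_log` are constructed to mirror the ones posted above; `input_rule` is the user-rule chain that OpenWrt's fw3 firewall provides, and the command is printed rather than executed so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: count sshd "Failed password" attempts per
# source address and list the addresses that exceed a threshold. The repeat
# lines that syslog-ng emits ("Last message '...' repeated N times") are folded
# back into the count, since syslog-ng only suppresses messages identical to
# the previous one, i.e. the same source.

# Constructed sample, modelled on the log lines posted in the thread.
sample_log() {
cat <<'EOF'
2016-11-27T19:19:08+01:00 info sshd[2131]: Failed password for root from 221.229.172.114 port 47531 ssh2
2016-11-27T19:19:08+01:00 info sshd[2133]: Failed password for root from 221.229.172.114 port 49189 ssh2
2016-11-27T19:19:09+01:00 info sshd[2131]: Received disconnect from 221.229.172.114 port 47531:11:  [preauth]
2016-11-27T19:19:09+01:00 info sshd[2131]: Disconnected from 221.229.172.114 port 47531 [preauth]
2016-11-27T19:19:10+01:00 info sshd[2137]: Failed password for root from 221.229.172.114 port 60529 ssh2
2016-11-27T20:19:11+01:00 info sshd[]: Last message 'Failed password for ' repeated 1 times, supressed by syslog-ng on K-Router
2016-11-27T19:19:12+01:00 info sshd[2290]: Failed password for root from 10.0.0.5 port 23846 ssh2
2016-11-27T19:19:13+01:00 info sshd[2291]: Accepted publickey for root from 192.168.1.20 port 50100 ssh2
EOF
}

# failed_by_source LOGFILE: print "<ip> <attempts>" per source, most attempts first.
failed_by_source() {
    awk '
        /Failed password for/ {
            # "... Failed password for root from 221.229.172.114 port 47531 ssh2"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
            last = ip
            next
        }
        /Last message .Failed password for . repeated [0-9]+ times/ {
            # syslog-ng suppression: N more copies of the previous failure line
            for (i = 1; i <= NF; i++) if ($i == "repeated") { n = $(i + 1); break }
            if (last != "") count[last] += n
        }
        END { for (ip in count) print ip, count[ip] }
    ' "$1" | sort -k2,2nr
}

# ban_candidates LOGFILE THRESHOLD: sources with more than THRESHOLD failures.
ban_candidates() {
    failed_by_source "$1" | awk -v t="$2" '$2 > t { print $1 }'
}

# ban_rule IP: the iptables command for OpenWrt's fw3 user chain. Printed,
# not executed; on the router you would pipe it to sh and persist it in
# /etc/firewall.user so it survives a reboot.
ban_rule() {
    printf 'iptables -I input_rule -s %s -j DROP\n' "$1"
}

tmp=$(mktemp)
sample_log > "$tmp"
echo "failures per source:"
failed_by_source "$tmp"
echo "ban commands for sources with more than 3 failures:"
ban_candidates "$tmp" 3 | while read -r ip; do ban_rule "$ip"; done
rm -f "$tmp"
```

On the router itself the input would be the syslog file or the output of `logread` instead of `sample_log`; the threshold and the choice to DROP a single address rather than a range are the operator's call, and any address you ban this way is one the attacker can simply replace, so the rule is a nuisance filter, not a substitute for closing the port.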

You should not offer SSH or LuCI/Foris (ports 80 and 443) to the Internet/WAN. Check that you have the firewall correctly configured.

I suspect some bad boys from China have crashed your web server. In the current situation (we don’t know if they have broken into your Omnia) I would recommend disconnecting the Omnia from the network, taking a backup from it and then doing a full hardware reset to the factory installation.

Yeah, I did that.

BTW, a question. I do want to connect to my things etc. Instead of using port forwarding etc… just have an OpenVPN connection? Then if I want to get to my stuff… first set up an OpenVPN connection and then I can, I guess, access all my stuff through the internet.

Is this the best way, or is there a better way than the approach I just described?

First, you should never ever expose SSH to WAN unless you use private key auth. Also, it would be quite wise to use a non-standard port for it if you really have to open it to the wide world, and implement some tarpitting and brute-force protection.
Secondly, by the looks of it, I don’t think they managed to get in yet.

Could you disconnect WAN and reboot it, to see if it gives you the web interface back?

I have, for example, set up an OpenVPN connection and it is the only service exposed from my home to the Internet.
Also it runs on a non-standard port and has some protection mechanisms which will ban an IP after 3 failed connection retries.

Technically SSH is encrypted, so if you use key auth it should be rather safe; it is used for tunneling sometimes anyway. :wink:
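Etz's advice above (key auth only, nothing that lets a remote party guess passwords) turned into a check, as an added example that is not from the thread or from Turris: a POSIX sh script that reads an sshd_config the way sshd does (the first uncommented occurrence of a directive wins) and reports the settings that allow the kind of guessing shown in the logs, run against a constructed weak file and a hardened counterpart. The two configuration files and the LAN address 192.168.1.1 are assumptions for the example, not the Omnia's shipped configuration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# that make password guessing against root possible (root login with a
# password, listening on every interface, six tries per connection) and show
# a hardened version. Pure POSIX sh + awk, so it runs on an OpenWrt box too.

# Effective value of DIRECTIVE in FILE: sshd takes the first uncommented
# occurrence, so we do the same. Match blocks are ignored for simplicity.
sshd_value() {   # sshd_value FILE DIRECTIVE DEFAULT
    _v=$(awk -v k="$2" 'NF >= 2 && tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# audit_sshd_config FILE: one finding per line; no output means nothing found.
audit_sshd_config() {
    _f=$1
    case $(sshd_value "$_f" PermitRootLogin unset) in
        yes|unset)
            echo "PermitRootLogin: set it explicitly to prohibit-password or no (the default changed between OpenSSH releases)" ;;
    esac
    if [ "$(sshd_value "$_f" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes (the default): use keys only, PasswordAuthentication no"
    fi
    # Often missed: on a PAM-enabled sshd the keyboard-interactive method still
    # accepts the account password while ChallengeResponseAuthentication is on.
    if [ "$(sshd_value "$_f" ChallengeResponseAuthentication yes)" = yes ]; then
        echo "ChallengeResponseAuthentication yes (the default): set it to no or password guessing may still work"
    fi
    case $(sshd_value "$_f" ListenAddress 0.0.0.0) in
        0.0.0.0|::|'[::]'*)
            echo "ListenAddress unset or wildcard: bind to the LAN address only, or block the SSH port from wan in the firewall" ;;
    esac
    if [ "$(sshd_value "$_f" MaxAuthTries 6)" -gt 3 ]; then
        echo "MaxAuthTries above 3 (default 6): lower it so one connection cannot try many passwords"
    fi
    return 0
}

# Constructed weak configuration (an assumption, not the Turris file): what
# sshd effectively runs with when nothing restrictive is set.
weak_config() {
cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
EOF
}

# Hardened counterpart. 192.168.1.1 is an assumed LAN address of the router.
hardened_config() {
cat <<'EOF'
Port 22
ListenAddress 192.168.1.1
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 20
EOF
}

for cfg in weak_config hardened_config; do
    f=$(mktemp); $cfg > "$f"
    echo "== $cfg =="
    audit_sshd_config "$f"
    rm -f "$f"
done
```

Binding to the LAN address and blocking the port on the wan zone are belt and braces: the first stops sshd from answering on WAN at all, the second covers the case where the LAN address changes or a second sshd instance appears. A non-standard port, as Etz suggests, only thins out the automated scans; it is the key-only authentication that removes the attack shown in the logs.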

Thanks for the reply.

I already did a hard reset; when I got back on the forum I saw that @white also had suggested doing that. What I also asked white about:

Me -> Internet -> Omnia -> internal network

OpenVPN ===== Internet =====> Omnia

Is this a better approach to get to my stuff? Also, should I turn on UPnP? Because I had enabled it before.

The second approach is far better than your first one, and you can leave UPnP running if you need it (if you have some kind of gaming console).

Okay, help me out with figuring out if I am theoretically doing things right XD.

Right now AND during those guys' attacks I had DMZ in my other router (internet router) to forward all the ports to the Omnia. Maybe it was because of this that those guys suddenly showed interest.

If I turn this off, would I still be able to approach my Omnia (OpenVPN)? (UPnP is on, on the “internet router”.)

EDIT2: After the hard reset… those guys were still at it.

2016-11-27T20:27:19+01:00 info sshd[4279]: Failed password for root from 221.229.172.114 port 57991 ssh2
2016-11-27T21:27:20+01:00 info sshd[]: Last message 'Failed password for ' repeated 1 times, supressed by syslog-ng on turris
2016-11-27T20:27:20+01:00 info sshd[4281]: Failed password for root from 221.229.172.114 port 58729 ssh2
2016-11-27T20:27:20+01:00 info sshd[4283]: Failed password for root from 221.229.172.114 port 60903 ssh2
2016-11-27T20:27:20+01:00 info sshd[4279]: Failed password for root from 221.229.172.114 port 57991 ssh2
2016-11-27T20:27:20+01:00 info sshd[4281]: Failed password for root from 221.229.172.114 port 58729 ssh2
2016-11-27T20:27:20+01:00 info sshd[4283]: Failed password for root from 221.229.172.114 port 60903 ssh2
2016-11-27T20:27:20+01:00 info sshd[4279]: Received disconnect from 221.229.172.114 port 57991:11:  [preauth]
2016-11-27T20:27:20+01:00 info sshd[4279]: Disconnected from 221.229.172.114 port 57991 [preauth]
2016-11-27T20:27:21+01:00 info sshd[4281]: Failed password for root from 221.229.172.114 port 58729 ssh2
2016-11-27T20:27:21+01:00 info sshd[4331]: Failed password for root from 221.229.172.114 port 11146 ssh2
2016-11-27T20:27:21+01:00 info sshd[4283]: Failed password for root from 221.229.172.114 port 60903 ssh2
2016-11-27T20:27:21+01:00 info sshd[4331]: Failed password for root from 221.229.172.114 port 11146 ssh2
2016-11-27T20:27:21+01:00 info sshd[4281]: Received disconnect from 221.229.172.114 port 58729:11:  [preauth]
2016-11-27T20:27:21+01:00 info sshd[4281]: Disconnected from 221.229.172.114 port 58729 [preauth]
2016-11-27T20:27:21+01:00 info sshd[4283]: Received disconnect from 221.229.172.114 port 60903:11:  [preauth]
2016-11-27T20:27:21+01:00 info sshd[4283]: Disconnected from 221.229.172.114 port 60903 [preauth]
2016-11-27T20:27:21+01:00 info sshd[4331]: Failed password for root from 221.229.172.114 port 11146 ssh2
2016-11-27T20:27:22+01:00 info sshd[4331]: Received disconnect from 221.229.172.114 port 11146:11:  [preauth]
2016-11-27T20:27:22+01:00 info sshd[4331]: Disconnected from 221.229.172.114 port 11146 [preauth]
2016-11-27T20:27:22+01:00 info sshd[4419]: Failed password for root from 221.229.172.114 port 21672 ssh2
2016-11-27T21:27:23+01:00 info sshd[]: Last message 'Failed password for ' repeated 2 times, supressed by syslog-ng on turris
2016-11-27T20:27:23+01:00 info sshd[4419]: Received disconnect from 221.229.172.114 port 21672:11:  [preauth]
2016-11-27T20:27:23+01:00 info sshd[4419]: Disconnected from 221.229.172.114 port 21672 [preauth]

Forward the OpenVPN port to the Omnia and that's it :wink:
Running DMZ is generally a bad idea… unless you run a firewall with strict rules on that DMZ host, which you obviously did not?

NAT is not a firewall, remember :wink:

If they are still knocking on the door, just block that whole IP range (221.228.0.0/14), unless you plan to travel to China soon.
Still wondering, why is your SSH exposed after a hard reset? It should not be open to the WAN side in the default configuration…
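Etz's two suggestions (drop 221.228.0.0/14 on the WAN side and forward only the OpenVPN port) as an added example, not from the thread or from Turris: a POSIX sh script that first checks whether a logged address really falls inside the prefix, computing CIDR membership with plain shell arithmetic, and then prints the `/etc/config/firewall` stanzas in OpenWrt fw3 syntax. It assumes OpenVPN runs on the Omnia itself on UDP port 1194 (a parameter) and that the wan zone keeps OpenWrt's default input policy of REJECT, so nothing else is reachable from outside once there is no DMZ in front of it.

```shell
#!/bin/sh
# Added example, not from the thread: check that an address seen in the logs
# falls inside the range to be blocked, then emit the OpenWrt (fw3) firewall
# stanzas: drop the whole range on wan and accept only the OpenVPN port.
# Everything else from wan is refused by the zone's default input policy
# (REJECT in a stock OpenWrt config); no DMZ and no other forwards needed.

# ip_to_int A.B.C.D -> the address as an integer (64-bit shell arithmetic).
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# ip_in_cidr IP NET/PREFIX: true when IP lies inside the prefix. Two
# addresses share a /N prefix exactly when they land in the same block of
# 2^(32-N) addresses, so compare the integer quotients instead of masking.
ip_in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _len=${2#*/}
    _size=1; _i=$_len
    while [ "$_i" -lt 32 ]; do _size=$(( _size * 2 )); _i=$(( _i + 1 )); done
    [ $(( _ip / _size )) -eq $(( _net / _size )) ]
}

# wan_rules CIDR VPN_PORT: stanzas for /etc/config/firewall (fw3 syntax).
# The DROP rule is listed first so it is evaluated before the ACCEPT.
wan_rules() {
cat <<EOF
config rule
        option name 'Drop-$1'
        option src 'wan'
        option src_ip '$1'
        option proto 'all'
        option target 'DROP'

config rule
        option name 'Allow-OpenVPN'
        option src 'wan'
        option proto 'udp'
        option dest_port '$2'
        option target 'ACCEPT'
EOF
}

range=221.228.0.0/14
for ip in 221.229.172.114 221.232.0.1; do
    if ip_in_cidr "$ip" "$range"; then
        echo "$ip is inside $range: the DROP rule will match it"
    else
        echo "$ip is outside $range: it needs its own rule"
    fi
done
wan_rules "$range" 1194
```

After appending the stanzas to `/etc/config/firewall` a `/etc/init.d/firewall reload` activates them; the membership check is worth keeping around because a typo in the prefix length silently turns a /14 into a rule that never matches the address you wanted gone.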

Can’t I just use DMZ and have full control on the Omnia? Indeed, I know that NAT is not a firewall.

I mean, technically, even if I use DMZ to the Omnia and have not opened any port (port forwarding), then they can’t do anything, right? All is closed up, or am I saying something that is incorrect?

Nope, DMZ means that pretty much everything is open, like it would be connected directly to the internet.
That's the beauty and the curse of DMZ: you don’t have to forward anything… it is wide open.

Ooh. So that explains it then, I guess, right? Was the NAT then a sort of “firewall” after all? Or because I had no NAT they could just approach everything like you said… maybe that is it.

NAT translates your public IP to a private LAN IP and that's it; it does not do anything else, and it forwards everything by default if the DMZ setting is applied. It pretty much means a 1:1 mapping, and it forwards anything to the host IP you specified in the DMZ settings.

Also you should isolate your DMZ from the rest of your local network for obvious reasons, as if that host has been taken over, your whole network would be open to the attacker.

Here is a fairly good and simple explanation: http://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network

I have been using DMZ for a few years, even on my other router. I understood it totally wrong.

I am feeling like an idiot…

http://www.troll.me/images/full-retard/you-went-full-retard-never-go-full-retard-thumb.jpg

I think, more or less… you were just lucky so far… :stuck_out_tongue:

Or you just never checked the logs before… :smiley: :smiley:

This is going to make things a bit more “complicated”… or well, not complicated… but yeah.

I have these things running on my own NAS that I always want to be able to approach.

  • Torrent client
  • NZB-client
  • eBook-server
  • Emb Media server
  • Webmin
  • Webserver
  • Nextcloud

Is there a “web-based OpenVPN” solution? So you don't necessarily always have to have your laptop or some personal stuff with you.

In the past I only needed an internet browser because everything was accessible. Or I could still do it, only this time I need to forward each port, or just a range of ports and put those applications all within that range?