SSH brute force attack

Postby Deckard » Sun Dec 09, 2007 12:29 am

With netstat, I just noticed some attempts to ssh on my 207.
The IP address is 218.38.55.139. If I google it, I find this:
"218.38.55.139 in Hanaro Telecom Inc. (KR) (2007.12.5)
Malicious and huge ssh brute force attack (137 and more login attempts)."

Is there a way to specify a permanent block list? Do I have to disable SSH? How do I restart sshd?
Thank you.

Postby SydneyGuy » Sun Dec 09, 2007 3:22 am

You should be able to block access from that address at your router. Have a look where you have the port forward set up. Most routers allow you to specify access restrictions there. A better way to do it is to deny access to all except for the addresses that you will be connecting via SSH from.

Postby bprins » Sun Dec 09, 2007 11:16 am

I have the same issue. It would be much better if it were possible to not allow "root" but only another user account to connect with SSH. I haven't found any useful info about this. Is it possible for Synology to add this as a security option?

Eventually someone will be able to brute force hack my root account.....

Postby tjzeeman » Sun Dec 09, 2007 12:05 pm

Deckard wrote: Is there a way to specify a permanent block list? Do I have to disable SSH? How do I restart sshd?

To use blacklisting (or whitelisting) you can put IPs or hostnames in hosts.allow or hosts.deny in /etc. For more info, google on tcp wrappers.
Or you can edit the sshd config to allow or deny specific hosts or ranges.

In both cases, check the manual for the specifics of what you want. Mistakes can also make you lose access to the machine!

Restarting of sshd should be a simple /etc/init.d/sshd restart or something similar. I haven't tested this on the diskstation, but it works like that on other unix/linux installations.

Postby tjzeeman » Sun Dec 09, 2007 12:09 pm

bprins wrote: I have the same issue. It would be much better if it were possible to not allow "root" but only another user account to connect with SSH. I haven't found any useful info about this. Is it possible for Synology to add this as a security option?

Eventually someone will be able to brute force hack my root account.....

There is a specific config option in ssh to allow/disallow root to log in directly; PermitRootLogin or something like that. Disallowing means you have to log in with another user and then use su or sudo.

Do test logging in with another user and su/sudo before making the above change or you may find yourself locked out of your DS!

Postby Deckard » Sun Dec 09, 2007 7:23 pm

tjzeeman wrote: Or you can edit the sshd config to allow or deny specific hosts or ranges.

I took a look at the sshd_config manpage but I can't see anything talking about denying specific hosts :(
Thank you.

Postby tjzeeman » Sun Dec 09, 2007 10:28 pm

Deckard wrote: I took a look at the sshd_config manpage but I can't see anything talking about denying specific hosts :(
Thank you.

Sorry, I mixed up the meaning of ListenAddress. :oops:

The other option with tcp wrappers is still valid though and protects more than just sshd.

Postby martinsa » Thu Dec 13, 2007 4:13 pm

To deny a host, you need to put it in /etc/hosts.deny

To just block SSH access from a host, add an entry like this...

Code:
sshd: 220.167.144.3

...this will stop any SSH connections from that host.

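An added example, not part of any post in this thread: one way to turn sshd's failed-login messages into hosts.deny entries of the form shown above. The log lines, host name and addresses are constructed, the threshold and trusted network are this example's choices, and it assumes sshd on the device is built with TCP wrappers support.

```python
import ipaddress
import re
from collections import Counter

# OpenSSH failed-password message, including the "invalid user" variant.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def _fail(user, ip):
    return f"Dec  9 00:12:01 ds207 sshd[4101]: Failed password for {user} from {ip} port 40122 ssh2"

# Constructed sample log (RFC 5737 documentation addresses plus one LAN host).
SAMPLE_LOG = "\n".join(
    [_fail("root", "203.0.113.50")] * 4
    + [_fail("invalid user admin", "203.0.113.50")] * 2
    + [_fail("root", "198.51.100.7")] * 2
    + [_fail("alice", "192.168.1.20")] * 5
    + ["Dec  9 00:15:09 ds207 sshd[4188]: Accepted password for alice from 192.168.1.20 port 51514 ssh2"]
)

def failed_by_source(log_text):
    """Count failed password attempts per IPv4 source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.IPv4Address(m.group(1))] += 1
        except ValueError:
            continue  # not an IPv4 literal; ignored in this example
    return counts

def deny_entries(counts, threshold, keep_open, existing=""):
    """Return new 'sshd: <ip>' lines for sources at or above threshold."""
    trusted = [ipaddress.ip_network(n) for n in keep_open]
    already = set(re.findall(r"^sshd:\s*(\S+)", existing, re.M))
    entries = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < threshold or str(ip) in already:
            continue
        if any(ip in net for net in trusted):
            continue  # never block your own networks: a mistake here locks you out
        entries.append(f"sshd: {ip}")
    return entries

if __name__ == "__main__":
    print("\n".join(deny_entries(failed_by_source(SAMPLE_LOG), 5, ["192.168.1.0/24"])))
```
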
Postby Laurence Benjamin » Fri Dec 14, 2007 10:11 am

Hi,

Take a look at this "http://www.synology.com/enu/forum/viewtopic.php?t=5475". The best way to prevent these kinds of attacks is to change from the default ssh port and also to use private/public key pair authentication with a passphrase.

/Laurence

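An added example, not part of any post in this thread: a small audit of an sshd_config against the settings suggested so far (non-default port, no direct root login, key pairs instead of passwords). Both sample configs are constructed, and unset keywords are assumed to fall back to Port 22, PermitRootLogin yes and PasswordAuthentication yes, as in OpenSSH releases of this thread's era (newer releases default PermitRootLogin to prohibit-password).

```python
def audit_sshd_config(config_text):
    """Return findings for the global section of an sshd_config."""
    first, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out keyword is not set)
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks follow; only global settings are audited
        if key == "port":
            ports.append(value)  # Port may be given several times
        else:
            first.setdefault(key, value)  # sshd uses the first value it obtains
    findings = []
    if "22" in (ports or ["22"]):  # assumed default when Port is unset
        findings.append("Port: listening on the default port 22")
    root = first.get("permitrootlogin", "yes")  # assumed default, see lead-in
    if root != "no":
        findings.append(f"PermitRootLogin: root can log in directly ({root})")
    if first.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication: passwords accepted, so guessing is possible")
    if first.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication: key pairs are disabled")
    return findings

# Constructed samples, not taken from a real DiskStation.
WEAK = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""
HARDENED = """\
Port 2222
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_sshd_config(text) or "no findings")
```

In HARDENED the second PermitRootLogin line has no effect because the first value wins, and the Match block is deliberately left out of the audit.
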
Postby Deckard » Fri Dec 14, 2007 10:26 am

Laurence Benjamin wrote: ... The best way to prevent these kinds of attacks is to change from the default ssh port ...

That's exactly what I've finally done. Pretty quiet now ;)
Thank you all.

Postby mischaq » Fri Feb 08, 2008 5:01 pm

What about this idea to prevent SSH brute force attacks: viewtopic.php?f=36&t=6770

Postby congo » Sat Jan 31, 2009 12:38 am

Hello,

Just for notice - I did experience that hosts.allow and hosts.deny don't work at all inside Synology. Did anyone experience the same?

congo

Postby jeffatrackaid » Thu Jan 28, 2010 2:21 am

Does Synology have access to iptables? I use iptables to rate limit incoming SSH connections, which effectively blocks most brute force attacks.

http://www.rackaid.com/resources/how-to-block-ssh-brute-force-attacks/

Postby congo » Thu Jan 28, 2010 8:21 pm

Well, since the initial discussion, Synology did implement a firewall functionality. I haven't used it though, but it seems to contain a standard ip-table. I earlier had a deny file for ssh as well, but it wasn't that much of a success - on the other hand, I never gave it much time for testing.

Postby deadelvis » Wed Nov 17, 2010 1:09 am

congo wrote: Hello,

Just for notice - I did experience that hosts.allow and hosts.deny don't work at all inside Synology. Did anyone experience the same?
congo

Yeah! Same here! Why is it in place but it doesn't work at all? :(