0

I had my FreeNAS box set up using no-ip to forward SSH requests to my machine so that I could get to it from work, a friend's house, my parents', etc. A couple of days ago I noticed a large increase in attempted logins and figured my box was probably getting brute-forced, since it was accessible from the net on port 22 and, to be honest, the security is pretty lax because there's really nothing important on the server at all. So I turned off my no-ip, since I really wasn't using it that much anyway, but to my surprise, a couple of days after turning off my forwarding to port 22, I'm still seeing thousands of requests per day to my box.

My question is: if I've turned off the forwarding to my machine, how are people still finding a way to get to my box and attempt to SSH into it. Is this an easy thing to do people that do this all the time?

Sorry, I'm a bit of a server and security noob. I'm just worried that I still have something open that's allowing people to find my machine.

ThrowsException
  • 2
    `how are people still finding a way to get to my box and attempt to SSH into it. Is this an easy thing to do people that do this all the time?` Yes it's easy and happens all the time. But also, any script that found it from your no-ip address isn't going to forget where it is just because you took the link away. – TessellatingHeckler Jul 16 '14 at 13:10
  • 2
    `Is this an easy thing to do people that do this all the time?` Yes, welcome to the Internet - where every IP receives hacking attempts hundreds or thousands of times per day. If you're not ready to deal with that, keep your devices off the Internet. – Chris S Jul 16 '14 at 13:47
  • 1
    Thanks guys. Understood that with the forward I used to have set up, once someone has that IP I'm basically screwed. Doing some more reading, I see that this is pretty common on servers with SSH turned on. – ThrowsException Jul 16 '14 at 13:51

2 Answers

3

Network bots are usually scanning public IPs and checking whether various well-known ports are open so they can bombard them. They don't care whether you have DNS set up to point to your IP or not; after all, the server is accessible via IP if you either:

  • Set up a public IP for your PC
  • Forwarded port 22 to your server.

I may note that it is good practice to secure your user accounts with an authentication key instead of a password, so they are not guessable by brute-force attacks. Read more on SSH with authentication key instead of password

Janis Veinbergs
  • Thanks for the reply. After some more reading I'm a little more learned now on how easy these types of attacks are to do and that they happen pretty much to every server accessible on port 22. – ThrowsException Jul 16 '14 at 13:54
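
To see where the attempts are actually coming from, the failed logins in the sshd log can be grouped by source address and split into LAN and internet sources. This is an added example, not part of the original answers; the log lines are constructed samples in the usual OpenSSH format, and the names `summarize` and `is_local` are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd log format (not from the post).
SAMPLE_LOG = """\
Jul 16 03:12:01 freenas sshd[4121]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jul 16 03:12:03 freenas sshd[4121]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jul 16 03:12:09 freenas sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jul 16 03:13:40 freenas sshd[4144]: Failed password for invalid user oracle from 198.51.100.7 port 40031 ssh2
Jul 16 08:30:12 freenas sshd[4410]: Failed password for media from 192.168.1.23 port 60110 ssh2
Jul 16 08:30:20 freenas sshd[4410]: Accepted password for media from 192.168.1.23 port 60110 ssh2
"""

# The user name is untrusted text supplied by the client, so the greedy (.*)
# makes the address come from the LAST " from ... port N" on the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh2)?\s*$"
)

# Private, loopback and link-local ranges: sources inside these are on the
# local network, everything else arrived through the router from outside.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def is_local(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETS)

def summarize(log_text):
    """Return (failures per source IP, user names tried per source IP)."""
    per_ip, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # not a parseable address, skip the line
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(m.group("user"))
    return per_ip, users

if __name__ == "__main__":
    per_ip, users = summarize(SAMPLE_LOG)
    for ip, count in per_ip.most_common():
        origin = "LAN" if is_local(ip) else "internet"
        print(f"{ip:<16} {origin:<9} {count:>4} failed  users={sorted(users[ip])}")
```

If failures from internet addresses keep arriving after the forward is removed, port 22 is still reachable from outside, for example through a remaining router port-forward rule.
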
-2

If the connection is still active (xxx.xxx.xxx.xxx -> your PC)... the packets still know the route to your PC. Disable the network card for 1 minute.

If you still have attacks, then those attacks are coming from your home network.

Cucu