back to article Gaping network port with easy-to-guess password? You ARE the 79%

High-profile, sophisticated hackers stealing industrial secrets tend to hog the headlines but opportunistic hackers searching for routine vulnerabilities can create a world of hurt for victims, often small businesses. Verizon’s Data Breach Investigations Report found that 79 per cent of attacks during 2011 were classified as ‘ …

COMMENTS

This topic is closed for new posts.
Silver badge

Shouldn't be difficult to block

About a year ago, my router logs showed a spate of 'sniffing' on the ports of my domestic FTP server; coming from IP addresses listed as being in China. The FTP server username and password are _not_ the equipment default values.

After a couple of days, the sniffing stopped - nothing to see here, move along; I suppose.

1
0
Anonymous Coward

Re: Shouldn't be difficult to block

Regardless, anyone between you and your FTP server can see your username and password. Switch to SFTP/FTPS or use a VPN or something.

3
0
Bronze badge

Re: Shouldn't be difficult to block

^ What she said. And have a look at fail2ban.

0
0
Silver badge

A colleague of mine at first logged all (failed) attempts at getting through his router, but gave up full logging because the log file started to grow alarmingly fast. Generally attempts by script kiddies at that point in time, plus some more concerted efforts to break in (usually eastern Europe or Far East). And yes, neither his nor my home router's settings are the factory defaults, only the bare minimum of ports are open to allow internet access. And then there is still no reason for complacency.

2
0
Silver badge

I don't have ANY ports open on my router inbound for SYN at all... Oh, I do have one, but that's locked to a single remote IP address.

Of course the bots are hammering on the door of all the web servers I maintain. That simply 'happens'.

3
0

Getting down to practicalities

Excuse my ignorance, not a networking expert, but does anyone actually produce a tool that queries a system's services and applications so that only the ports required are open and the rest firewalled (even if you just get a report and have to firewall manually on PC and router)? If ports for opportunistic attacks are open (MS RDP), then ask the question of the user whether they actually use the service.

1
0

Re: Getting down to practicalities

Port scanners like nessus or nmap will tell you what ports are open on a host. You can then use that information to close any open ports.

2
0
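A sketch of the kind of report asked about in this sub-thread, added here as an example and not posted by anyone in the thread: it parses `ss -tlnp` output and lists every listener reachable from the network whose port is not on a list of services the user says they need. The sample output, the `REQUIRED_PORTS` set and the function names are constructed assumptions.

```python
import ipaddress

# Assumption: the only service this user says they actually need from outside.
REQUIRED_PORTS = {22}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=640,fd=7))
LISTEN 0      128          0.0.0.0:3389      0.0.0.0:*     users:(("xrdp",pid=901,fd=11))
LISTEN 0      128             [::]:21           [::]:*     users:(("vsftpd",pid=777,fd=3))
"""

def parse_listeners(text):
    """Return (bind_address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        has_proc = len(fields) > 5 and '"' in fields[5]
        proc = fields[5].split('"')[1] if has_proc else "?"
        listeners.append((host, int(port), proc))
    return listeners

def audit(text, required=REQUIRED_PORTS):
    """List (port, process, bind_address) for exposed listeners not in `required`."""
    findings = []
    for host, port, proc in parse_listeners(text):
        wildcard = host in ("*", "0.0.0.0", "::")
        if not wildcard and ipaddress.ip_address(host).is_loopback:
            continue  # bound to localhost only, not reachable from the network
        if port not in required:
            findings.append((port, proc, host))
    return sorted(findings)

if __name__ == "__main__":
    for port, proc, host in audit(SAMPLE_SS_OUTPUT):
        print(f"port {port} ({proc}) listening on {host}: do you use this service?")
```

Each finding is a prompt to either stop the service or firewall the port; the router's forwarding rules still need checking separately.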
Silver badge

The 'Shields Up' website is useful for giving a quick idea of your general vulnerability - along with a few suggestions. Slightly disappointingly, they do seem to assume everyone is running Windows!

6
0
Silver badge

Get attacks at SSH all the time...

but I've got a non-standard port, the router redirects to my server where the only allowed user for SSH login has a VERY non-standard username and 20 digit 'difficult' password and I still check the logs. Almost all attackers go for the standard ports.

1
0

Re: Get attacks at SSH all the time...

I don't have any ports open normally.

I have a server script that polls an email account, and I can email a few special passcodes to that, one of which tells it to open a non-standard port for ssh for half an hour. The passcode is date-sensitive, and the whole package pgp encoded before emailing. It emails me on a wholly separate system before opening the port.

Other messages to that email account tell it to start recording TV shows. 20 years back it had a miniature printer, and could leave mini-telex messages for Hardcastle the skirtwearer, before we started using text messages.

4
0
Bronze badge
Thumb Up

Re: Get attacks at SSH all the time...

Sweeet! Forgive me but I might have to nick that idea, I can think of a lot of useful things I could do with something like that... ;-)

1
0
Bronze badge

Re: Get attacks at SSH all the time...

Don't open ports for any services. Use OpenVPN or some other VPN instead.

1
2

Re: Get attacks at SSH all the time...

I know it's not as secure (maybe) but I use port knocking.

Described simply:

You have a number of closed ports that the port knocking daemon is watching. You ping (or send a specially formed packet) to a number of ports in the right order.

The port knocking daemon watches the firewall logs for your "knocks" against closed ports, and runs a command to open the SSH/VPN/VNC/RDP port on your firewall.

Obviously you need to be careful which ports you choose (random, not sequential) but it does give a method for keeping ports closed until you need them.

2
0
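The log-watching side of the port-knocking scheme described in the post above, as an added example that is not the poster's code or any particular daemon's: it tracks each source address through the knock sequence and reports when the sequence is completed in order and in time. The port numbers, the 10-second window and the log line format are constructed assumptions.

```python
import re

# Assumptions: a hypothetical non-sequential knock sequence and time window.
KNOCK_SEQUENCE = (7213, 40112, 18455)
WINDOW_SECONDS = 10

# Assumed firewall log format: "<epoch seconds> DROP SRC=<ip> DPT=<port>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) DROP SRC=(?P<src>\S+) DPT=(?P<dpt>\d+)$")

# Constructed log lines: a scan in ascending port order, a correct knock,
# and a correct knock that takes too long.
SAMPLE_LOG = """\
100.0 DROP SRC=203.0.113.9 DPT=7213
100.1 DROP SRC=203.0.113.9 DPT=18455
100.2 DROP SRC=203.0.113.9 DPT=40112
101.0 DROP SRC=198.51.100.7 DPT=7213
102.0 DROP SRC=198.51.100.7 DPT=40112
103.0 DROP SRC=198.51.100.7 DPT=18455
200.0 DROP SRC=192.0.2.44 DPT=7213
205.0 DROP SRC=192.0.2.44 DPT=40112
215.0 DROP SRC=192.0.2.44 DPT=18455
"""

def completed_knocks(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return [(timestamp, source)] for each source that finished the sequence."""
    progress = {}  # source -> (index of next expected port, time of first knock)
    completed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, port = float(m["ts"]), m["src"], int(m["dpt"])
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > window:
            idx = 0                      # too slow: forget earlier knocks
        if port == sequence[idx]:
            started = ts if idx == 0 else started
            idx += 1
        elif port == sequence[0]:
            idx, started = 1, ts         # wrong port, but it restarts the sequence
        else:
            idx = 0                      # any other port resets this source
        if idx == len(sequence):
            completed.append((ts, src))  # a daemon would open the port here
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return completed

if __name__ == "__main__":
    print(completed_knocks(SAMPLE_LOG))
```

The scanning source touches all three ports but in ascending order, so it never completes the sequence, which is the reason the post gives for choosing random rather than sequential ports.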
Silver badge

Re: Get attacks at SSH all the time...

Well I salute your solutions. I leave it open for a number of reasons but mostly recently proxying from our holiday home in Switzerland to watch iplayer. I did toy with setting a flag file on my web-site (on my ISP's server) and having (my) server scripts check that for a variety of reasons (I have a PIC microcontroller that's controlled from my server that can do remote measurements like the house temp and remote switch on/off of kit) but so far non-standard port/username and really horrible password + up-to-date SSHD seems fine.

0
0
Silver badge

Re: Get attacks at SSH all the time...

"Don't open ports for any services. Use OpenVPN or some other VPN instead."

Not an area I've done anything with other than setting up remote access via a vpn to my wife's school's computer but surely I'd need to have an open port to access my server via OpenVPN.

2
0
Linux

Re: Get attacks at SSH all the time...

open the address in a browser (mime) bet it still shows ssh server ...:) no matter what port it is open on.

sshguard is a better idea.

0
0
Silver badge

Re: Get attacks at SSH all the time...

Well using Firefox it shows nothing at all but add the actual port number it responds : - SSH-2.0-OpenSSH_5.8

Ditto with Konqueror

0
0
Silver badge

Re: Get attacks at SSH all the time...

Just to mention the ONLY port that is forwarded from the router is the unusual SSH so it shouldn't respond. All others are closed

0
0
Silver badge
Trollface

That's all well and good, but here's what I think the real question is:

Given that we know most hacks are opportunistic on standard ports,

given that most home users aren't professional IT techs,

and finally given that Verizon are one of the biggest suppliers of routers to these same home users,

Has Verizon stopped issuing routers with open ports configured to the standard defaults they know are being hacked?

Icon because I'm pretty sure I know the answer.

5
0