Author Topic: Approved method for getting ssh off port 22? Chinese hackers found me.  (Read 8594 times)

Offline watou
Hi all, I am wondering if MiCasaVerde has an approved approach for obscuring ssh access into the Vera3, like simply having the sshd listen on port 221 instead of port 22, or add an iptables rule to ban their IP for a time after N connection attempts, etc.  I could of course figure it out myself, but I have been warned against making unapproved router changes, lest I lose my ability to receive support.

The problem is that people in China are repeatedly attempting to crack my ssh password, since it's just sitting there listening on port 22.  While I don't think they are likely to succeed in cracking the password, it irritates me that I'm such an open target for their brute-force attempts, and they continue to try, using my resources, filling the system log, etc.

Has anyone been down this road before?  I'm on UI5.  Thanks!

Offline guessed
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #1 on: September 13, 2012, 10:19:16 am »
Moving the port won't stop it; folks usually use a port scanner. I've seen two approaches: one is simply to make it harder by using certs instead of passwords, the other involved using an out-of-band mechanism to (temporarily) open an inbound port. Most of the time it would simply be closed.

I use both with AWS, for example.

Offline lolodomo
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #2 on: September 13, 2012, 10:47:32 am »
If your Vera is on your local network, behind a router, and you have not forwarded the port on the router, hackers should not be able to ssh to your Vera.

Am I missing something?

Offline garrettwp
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #3 on: September 13, 2012, 10:56:48 am »
He most likely has port 22 open to the world. I would not open an ssh port without some hardening.

In General:

1. Different port than the default
2. SSH keys only and disable password authentication
3. Some sort of banning software like fail2ban (scans logs for repeated failed attempts and blocks the ip address)
4. The list goes on.

Why do you have port 22 open to the outside world?

- Garrett
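The log-scanning half of item 3 above, as an added example that is not from this thread or from fail2ban itself: a small POSIX shell/awk script that tallies failed dropbear logins per source address and prints the addresses at or above a threshold, which is the decision a fail2ban-style banner makes before it installs a block. The log lines are constructed samples written in dropbear's message style; the threshold, the function names and the printed (not executed) iptables rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: count failed dropbear logins per source IP.
# sample_log emits constructed syslog lines in dropbear's wording; not a real capture.
sample_log() {
  cat <<'EOF'
Sep 13 10:01:02 vera dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51234
Sep 13 10:01:03 vera dropbear[1235]: Bad password attempt for 'root' from 203.0.113.5:51240
Sep 13 10:01:05 vera dropbear[1236]: Login attempt for nonexistent user from 203.0.113.5:51251
Sep 13 10:01:09 vera dropbear[1237]: Bad password attempt for 'admin' from 203.0.113.5:51262
Sep 13 10:02:00 vera dropbear[1240]: Password auth succeeded for 'root' from 192.168.81.10:40001
Sep 13 10:03:11 vera dropbear[1241]: Bad password attempt for 'root' from 198.51.100.7:2222
EOF
}

# offenders N: read log lines on stdin, print "count ip" for every source
# address with at least N failed attempts, highest count first.
offenders() {
  threshold="$1"
  awk -v min="$threshold" '
    /Bad password attempt|Login attempt for nonexistent user/ {
      # last field is ip:port; keep only the address
      split($NF, a, ":")
      fails[a[1]]++
    }
    END {
      for (ip in fails) if (fails[ip] >= min) print fails[ip], ip
    }' | sort -rn
}

# ban_rule IP: the iptables rule a banner would add for that address.
# It is only printed here so the script can be run safely anywhere.
ban_rule() {
  printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# Usage: list addresses with 3 or more failures and the rule each would get.
sample_log | offenders 3 | while read -r count ip; do
  echo "$ip: $count failures"
  ban_rule "$ip"
done
```

On a real Vera the input would be `logread` output rather than the sample function, and a banner would also need to expire the rule after a while, which is the part of fail2ban this sketch leaves out.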

Offline watou
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #4 on: September 13, 2012, 11:12:58 am »
Thanks so much for your thoughts!

garrettwp: This was the default configuration of my Vera3 -- dropbear listening on port 22 on both LAN and WAN.  I expect to be at great distance from this device for long periods in the future, so having ssh access to the device may be important.  If I was a homebody, I would turn off WAN access right now and be done with it.  But since I'm not supposed to poke around the OpenWrt web interface without voiding my access to MCV support, I need "approved" guidance.  BTW, I love your Android app -- very cool!

guessed: My goal isn't to shut it down completely, since if I leave access open to ssh at all, I expect that there will be at least occasional attempts.  My goal is to take the big target off my back so that the attempts are at least rare or prove to be fruitless to the hackers (as with iptables rules that refuse connection after N tries over T time).  My constraint is to stem the tide within the bounds of what MiCasaVerde has deemed acceptable to other Vera users in the past, if any. 

Has anyone tweaked ssh access in a way that the MiCasaVerde support folks found acceptable?

lolodomo: My Vera3 *is* my Internet router.  It was marketed to me as being able to fulfill this role, and I am trying to make it work for me that way.  I have a fine old Linksys E2000 I could use instead, relegating the Vera3 to the internal LAN, but I want less equipment on the job, not more. :)

Again, thanks for your input!

Offline Video321
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #5 on: September 20, 2012, 09:52:40 am »
My Vera3 *is* my Internet router.  It was marketed to me as being able to fulfill this role, and I am trying to make it work for me that way.  I have a fine old Linksys E2000 I could use instead, relegating the Vera3 to the internal LAN, but I want less equipment on the job, not more. :)
Personally... I'd reconsider that approach. But then again, I value security over convenience and I don't allow my Vera to establish a tunnel either. I use SSH (key/password) on my router to access my LAN from the outside.

Offline watou
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #6 on: September 20, 2012, 10:28:31 am »
Personally... I'd reconsider that approach. But then again, I value security over convenience and I don't allow my Vera to establish a tunnel either. I use SSH (key/password) on my router to access my LAN from the outside.
I understand and respect your approach, but I want to maximize the value of this $300 device by having it fill its advertised role as an Internet router as well as Z-Wave controller.  So my "mission" is to make it at least as secure as the $20 refurb Linksys I would be using instead.  Do you know of any list of valid security concerns with the Vera 3 that would not be generally known?  If they could be identified and rectified, then that would define success.  Otherwise, why did I buy the Vera 3 and not the Vera Lite?  Again, thanks!

Offline futzle
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #7 on: September 21, 2012, 03:02:26 am »
If I were to use Vera as my Internet gateway (hypothetically) then I'd definitely turn off password authentication and rely solely on key-based authentication.  Here's how.

1. Generate a private/public keypair on your computer (ssh-keygen, PuTTY, whatever).
2. Put your public key in your clipboard.
3. Connect to Vera as root via SSH (using your root password for the last time).
4. Create or edit the file /etc/dropbear/authorized_keys and paste your clipboard into it (all on one line). You can add other SSH public keys, one per line.
5. chmod 600 /etc/dropbear/authorized_keys
6. /etc/init.d/dropbear restart
7. TEST connecting to Vera from your computer.  If it asks for your password, you're doing it wrong.  Only when you are sure it works, proceed.
8. Edit the existing file /etc/config/dropbear and change the PasswordAuth entries.  Change the port too if you want to.
Code:
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
9. /etc/init.d/dropbear restart
10. Don't log out yet!  Leave this window open in case you have to back out your changes.
11. Open another window on your computer and TEST it.  Connecting as root should log in without a password.  Any other user (or without your private key) it should say:
Code:
Permission denied (publickey).
Edit: I should add that you're screwed if you lose your private key (e.g., your desktop computer dies).  So keep your private key backed up somewhere safe.
« Last Edit: September 21, 2012, 03:10:28 am by futzle »
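The steps above, turned into checks you can run before step 7 and step 9, as an added example that is not futzle's code or part of the Vera firmware: `check_authorized_keys` rejects the two most common reasons the key is silently ignored (a public key that was pasted across several lines, or a line whose first word is not an SSH key type), `check_key_perms` flags an authorized_keys file that is writable by others, and `dropbear_config` renders the step 8 config for a chosen port. The file path is an argument so the checks can be run on a copy on your computer as well as on the Vera; the accepted key types are the standard OpenSSH names, and the ed25519/ecdsa entries are an assumption about newer dropbear builds, since the 2012 firmware may only know ssh-rsa and ssh-dss.

```shell
#!/bin/sh
# Added example, not from the thread or the Vera firmware.
# Pre-flight checks for key-only dropbear login, plus the step 8 config.

# dropbear_config [PORT]: print the /etc/config/dropbear block from step 8
# with password authentication off. PORT defaults to 22.
dropbear_config() {
  port="${1:-22}"
  printf "config dropbear\n\toption PasswordAuth 'off'\n\toption RootPasswordAuth 'off'\n\toption Port '%s'\n" "$port"
}

# check_authorized_keys FILE: every non-blank line must be
# "<type> <base64 blob> [comment]" on ONE line. A key that a terminal or
# editor wrapped shows up as a second line with an unknown "key type".
# Returns 0 when all lines pass, 1 otherwise, naming the bad line numbers.
check_authorized_keys() {
  file="$1"
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  awk '
    NF == 0 { next }
    $1 !~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ {
      print "line " NR ": unknown key type \"" $1 "\" (wrapped paste?)"; bad = 1; next
    }
    $2 !~ /^[A-Za-z0-9+\/=]+$/ {
      print "line " NR ": key blob is not base64"; bad = 1; next
    }
    END { exit bad ? 1 : 0 }' "$file"
}

# check_key_perms FILE: dropbear ignores an authorized_keys file that is
# group- or world-writable, so insist on the mode from step 5 (600) or a
# read-only variant. Uses GNU stat first, then BSD stat.
check_key_perms() {
  file="$1"
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case "$mode" in
    600|400|644) return 0 ;;
    *) echo "$file has mode $mode; chmod 600 it"; return 1 ;;
  esac
}

# Usage on the Vera (paths from the thread): run both checks, then show the
# config you would write before restarting dropbear.
keys=/etc/dropbear/authorized_keys
if check_authorized_keys "$keys" && check_key_perms "$keys"; then
  echo "authorized_keys looks usable; step 8 config would be:"
  dropbear_config 22
fi
```

If both checks pass and step 7 still prompts for a password, the remaining usual suspect is the client side: `ssh -v root@192.168.81.1` shows whether the private key in ~/.ssh/id_rsa was offered at all.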

Offline watou
Re: Approved method for getting ssh off port 22? Chinese hackers found me.
« Reply #8 on: September 26, 2012, 10:44:54 am »
futzle, this is incredibly helpful.  Thank you very much!

UPDATE: Copy/paste error.  Sorry about that.

Unfortunately I get stuck on step 7, as in, it asks me for a password.  I run ssh-keygen with no args on Mac OSX 10.6, creating ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.  I left the passphrase blank on generating the key pair.  I pasted the contents of the public key file into a newly created /etc/dropbear/authorized_keys on the Vera 3, all on one line, chmod'd it so only I could read/write it, and restarted dropbear.  Then I tried to ssh root@192.168.81.1 but it asked for a password.

Was I supposed to supply arguments to ssh-keygen?


Again, thank you for providing a guide to eliminate prompting for an ssh password.  When this is working, it will definitely allay my fears.  Regards, watou
« Last Edit: September 26, 2012, 06:25:55 pm by watou »