You might remember my little Raspberry Pi project where I host OwnCloud, an open source cloud-storage product – I wrote about that here. Well, I finally got around to exposing it to the internet with port forwarding. I went into my router and configured it, thusly:
this means that if any traffic to comes to my router on port 22, will pass-through the router and go to the Pi, on my internal/local network on port 22. Same for 443. Port 22 is for SSH (for remote administration) and port 443 is for HTTPS.
Normally, you would (or you can) set the external ports to something non-standard. However, in the case of SSH – port-forwarding doesn’t work unless it’s on port 22 and I just wanted a regular https:// address, so I didn’t bother to change 443.
Anyhow, so I did that yesterday evening. Within 24 hours, I got 335 attempts to log into SSH. Mostly the attempts were for the “root” account. The source IP addresses were all from China and Vietnam. The requests came in all day, and they try a handful of passwords at a time (sometimes up to a couple dozen attempts, in one attack – then a break).
There are a few take-aways from this, I think:
- Use non-standard ports to make it a little more difficult for bots to figure out what services are exposed.
- Don’t allow root to use SSH. Instead, log into an unprivileged account and “su” to perform root tasks.
- Have VERY good passwords: at least 8 characters, upper and lower case, numbers, special characters, and no words. (see this post for ideas)
- Have a way to audit activity so that you can see failed (or even successful) attempts. I set up a daily job to return back failed authentication attempts, disk space, and any new accounts that have been created. I’ll do a separate blog post on that.
This is hosted on a private (non-business class) broadband connection. Imagine the attempted attacks that happen against production systems hosted from business hosting sites?
You can’t be over-paranoid, and you can’t be too careful!