Saturday, September 15, 2012

Somebody's Knockin' on the Door

Recently, I set up a Synology DS-112j Diskstation NAS (Network Addressable Storage Device) box at our 2nd home in Hawaii to store remote backups from the very similar DS-112 Diskstation that's on my main home network in California. In order to get backups to work I had to open some ports on the Hawaii modem/router's firewall; one of them is port 22 which is used for SSH (SSL-based secure shell) logins and encrypted file transfer.

The Diskstation has an Auto-Block feature that will "black-list" any IP address that attempts to connect to it "x" number of times in "y" minutes; I configured it to block any IP that tries 10 times in 5 minutes. In just three days, I had six addresses blocked. Details are below; I did "whois" lookups on all of them to see who they belong to:

Host [117.79.91.252] has been blocked at [Tue Sep 4 10:03:02 2012]: Beijing Sanxin Shidai Co.Ltd

Host [190.145.23.98] has been blocked at [Mon Sep 3 20:58:44 2012]: Telmex Colombia S.A.

Host [203.217.144.17] has been blocked at [Mon Sep 3 09:52:59 2012]: RVRNET-IN (Hyderabad)

Host [119.226.139.254] has been blocked at [Mon Sep 3 03:39:38 2012]: SIFYNET (India)

Host [61.136.171.198] has been blocked at [Sun Sep 2 19:17:00 2012]: CHINANET Hubei province network

Host [74.50.27.101] has been blocked at [Sun Sep 2 16:00:14 2012]: ADDD2NET-DOT-COM -- Anaheim, CA

What I believe we're seeing here is automated software scanning WAN IP addresses for common open ports (FTP, SSH, etc.), and upon finding one, the software does password "dictionary"-based login attempts (i.e. using very large lists of common passwords). What do they do once they "get in"? I have no specific idea, but I would assume that they then use LAN-targeted software to scan for other computers on the LAN, shared drives, personal/financial data, etc. and then they suck up whatever they can find. And then, they probably sell it. OR they attempt to install malware on machines that are not running firewalls and/or anti-malware software (such as Microsoft Security Essentials, which is what I use since it's free and pretty good).

Fortunately I use very robust passwords on all of my routers, NAS devices, etc. but I have to admit it's still a bit unnerving to have these guys banging on my NAS's door 24/7. So I'm really liking the Auto-Block feature!

At any rate, I think the implications are clear -- keep your router(s) locked down to only have open ports that are required for whatever you need to get done. You can do an external port scan of your home network using this page -- it has various kinds of scans, and you can get an idea of the "surface area" of your home network's exposure to the internet.

No comments:

Post a Comment