Systematic attacks on multiple services & ports (getting past NAT) on hobby server


Solution 1

How can the attackers reach different ports on my LAN, not configured in NAT? UPnP …?

That is possible only if your server was compromised or external connections come over ports opened by UPnP. When you create forwarding rules, you specify which port or range of ports will be forwarded to a particular IP residing on the LAN side. You can also change (substitute) external port(s) to local ones with different values (external port 3456 forwarded to local port 22, for example) or set one-to-one forwarding (external 22 to internal 22). So the short answer: only the ports you opened on the firewall will be forwarded to a particular IP on the LAN.

If you put your server in the DMZ zone, it means your server is fully exposed to the Internet on all ports; this way all ports are available for external connections.

Check also this list of vulnerable routers; if the router itself was hacked, then it isn't your network anymore.

Is it possible to block / stop these blind attacks?

Take a look at the similar question and the answer that follows it on how to secure against and reduce such scanning attempts.

Solution 2

The ports that you are seeing in the logs are the source ports of the attacker, not the destination ones, so that does not mean that your system has those ports open, nor that the attacker is reaching your system through them.

For example, assuming that you have opened port 22 for ssh, in the logs you can see that the attacks on the ssh service are coming from another port (56548).
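To make the point of Solution 2 concrete, here is an added example (written for this page, not code from either answerer) that pulls the source IP and source port out of sshd and nginx log lines in the format quoted in the question, showing that the port numbers are the client's ephemeral source ports, and applies a fail2ban-style threshold on repeated sshd failures per source IP. The sample log lines are constructed from the question's examples.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the sshd and nginx entries quoted in the question.
SAMPLE_LOG = """\
error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 56548 ssh2 [preauth]
error: Received disconnect from 52.221.236.126 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 51022 ssh2 [preauth]
error: maximum authentication attempts exceeded for invalid user admin from 88.14.203.97 port 49876 ssh2 [preauth]
[error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 77.77.211.78, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"
"""

# sshd logs the peer address and the peer's *source* port ("from <ip> port <n>");
# the destination is always the port sshd listens on, which never appears in these lines.
SSHD_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
# nginx error log records only the client address ("client: <ip>").
NGINX_RE = re.compile(r"client: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line):
    """Return (service, source_ip, source_port_or_None), or None if unrecognised."""
    m = SSHD_RE.search(line)
    if m:
        return ("sshd", m.group("ip"), int(m.group("port")))
    m = NGINX_RE.search(line)
    if m:
        return ("nginx", m.group("ip"), None)
    return None

def source_ports(log):
    """Map each sshd source IP to the set of ephemeral ports it connected from."""
    ports = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[2] is not None:
            ports.setdefault(rec[1], set()).add(rec[2])
    return ports

def offenders(log, threshold=3):
    """fail2ban-style rule: source IPs with at least `threshold` failed sshd attempts."""
    counts = Counter(rec[1] for rec in map(parse_line, log.splitlines())
                     if rec and rec[0] == "sshd")
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, ports in source_ports(SAMPLE_LOG).items():
        print(f"{ip} connected from source ports {sorted(ports)}")
    print("would ban:", offenders(SAMPLE_LOG))
```

Every port recovered is a high-numbered client-side port that changes per connection, which is why the same attacker appears with a different port on each attempt while the server still only listens on 22.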


Author: Ruben Solvang

Updated on September 18, 2022

Comments

  • Ruben Solvang almost 2 years
    • Fresh install of Fedora 25 Server
    • Server behind a router with only a few NAT-rules
    • Many SSH login attempts from hundreds of different IPs / ports (ever-changing)
    • Recently attacks / exploits on nginx (running in a docker instance) shows up in the log, too.

    A few examples from the log:

    error: maximum authentication attempts exceeded for invalid user root from 88.14.203.97 port 56548 ssh2 [preauth]

    error: Received disconnect from 52.221.236.126 port 62639:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

    [error] 6#6: *138 open() "/usr/share/nginx/html/nice ports,/Trinity.txt.bak" failed (2: No such file or directory), client: 77.77.211.78, server: localhost, request: "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0"
    I went through the basic hardening measures at install, including only allowing SSH login with a certificate (no passwords, no root).

    Questions

    • How can the attackers reach different ports on my LAN, not configured in NAT? UPnP…?
    • Is it possible to block / stop these blind attacks?

    Additional and possibly relevant information

    I use the Dynamic DNS service freedns.afraid.org with a newly registered domain name.

    • Admin over 7 years
      You should implement fail2ban on your server: fail2ban.org/wiki/index.php/Main_Page
    • Admin over 7 years
      That is one of the measures I plan to implement. My main question is: how do the attacks get past the NAT rules defined in my router? Or is that a trivial thing?
  • Ruben Solvang over 7 years
    Thanks, this is useful information. Then I guess it would help to change the ssh port?
  • Zumo de Vidrio over 7 years
    Not using default ports is a good practice, but it won't prevent your server from continuing to receive attack attempts. You should apply some IP filter to incoming public ssh connections (or install fail2ban as soon as possible).
  • Alex over 7 years
    @G-Man Thanks for your correction, English isn't my native language, that's why my grammar isn't good :(