PCAnywhere login attempts/attack

Folks,

I just noticed a Chinese IP range (222.177.23.112) coming in on my port 22 accessing my MyBookLive. I caught it right away (by luck) and forwarded all access from 222.x.x.x to an invalid local IP address. At that point the attempts stopped pretty quickly. I was a bit concerned by this and thought I would see if others might have seen such activity! I do have FeaturePacks installed from highlevelbits.free.fr. 

Ron, KK1L

Of course!

*ANY* time you expose a port on your router to an internal service, there will be exploit attempts on it.

Get used to it, and make darn sure your security stance is rock solid…

Yeah, that's right Tony. Digging deeper I see that pretty clearly. They are likely ssh access attempts (not PCAnywhere, which does not make sense against a Unix variant) using a variety of default uid/pw combos. Nothing open to ssh is simply pw protected on my network. Wallwatcher is showing me all kinds of prowling activity on that port…mostly the NAS and my SIP router. I am not sure why the WRT54GL is not attempted so much.

Nonetheless, going back to business-as-usual mode. No access granted.
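The "variety of default uid/pw combos" Ron describes is what a password-spraying run against a forwarded port 22 looks like in sshd's auth log. The script below is an added example, not code from this thread or from the MyBookLive firmware: it parses a few constructed sshd log lines (only the 222.177.23.112 address comes from the post; the usernames, timestamps, PIDs and the 192.168.1.20 address are made up), flags sources that fail many times across several usernames, checks whether a source falls inside the 222.0.0.0/8 range Ron redirected, and, the check that actually matters after such a run, reports any accepted login from a flagged source. The thresholds are assumptions, not values from the thread.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample sshd auth-log lines (not taken from the original thread).
# 222.177.23.112 is the address the poster reported; everything else is made up.
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:07 MyBookLive sshd[4120]: Invalid user admin from 222.177.23.112
Mar  3 02:11:07 MyBookLive sshd[4120]: Failed password for invalid user admin from 222.177.23.112 port 51022 ssh2
Mar  3 02:11:09 MyBookLive sshd[4122]: Failed password for root from 222.177.23.112 port 51031 ssh2
Mar  3 02:11:11 MyBookLive sshd[4124]: Failed password for invalid user oracle from 222.177.23.112 port 51040 ssh2
Mar  3 02:11:13 MyBookLive sshd[4126]: Failed password for invalid user test from 222.177.23.112 port 51052 ssh2
Mar  3 02:11:15 MyBookLive sshd[4128]: Failed password for root from 222.177.23.112 port 51060 ssh2
Mar  3 02:11:17 MyBookLive sshd[4130]: Failed password for invalid user guest from 222.177.23.112 port 51071 ssh2
Mar  3 07:45:02 MyBookLive sshd[4301]: Failed password for ron from 192.168.1.20 port 40122 ssh2
Mar  3 07:45:10 MyBookLive sshd[4301]: Accepted publickey for ron from 192.168.1.20 port 40122 ssh2
"""

# OpenSSH logs "Failed password for invalid user X from IP" for unknown accounts
# and "Failed password for X from IP" for existing ones; both are captured here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def summarize(log_text):
    """Per-source failure counts, usernames tried per source, and accepted logins."""
    failed = defaultdict(int)
    users = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failed, users, accepted


def brute_force_sources(log_text, min_failures=5, min_users=3):
    """Sources with many failures spread over several usernames: a default-credential
    spray rather than one person mistyping a password. Thresholds are assumptions."""
    failed, users, _ = summarize(log_text)
    return sorted(
        ip for ip in failed
        if failed[ip] >= min_failures and len(users[ip]) >= min_users
    )


def in_blocked_range(ip, blocked=("222.0.0.0/8",)):
    """True if the source falls inside a range that was redirected or dropped."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in blocked)


def successful_logins_from_flagged(log_text, min_failures=5, min_users=3):
    """Accepted logins from sources that were sprayed: the 'did they get in' check."""
    flagged = set(brute_force_sources(log_text, min_failures, min_users))
    _, _, accepted = summarize(log_text)
    return [(ip, user, method) for ip, user, method in accepted if ip in flagged]


if __name__ == "__main__":
    failed, users, _ = summarize(SAMPLE_AUTH_LOG)
    for ip in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {failed[ip]} failures, users tried: {sorted(users[ip])}, "
              f"in blocked range: {in_blocked_range(ip)}")
    print("accepted logins from flagged sources:",
          successful_logins_from_flagged(SAMPLE_AUTH_LOG))
```

On a real MyBookLive the input would be /var/log/auth.log rather than the embedded string; the regexes match the OpenSSH message formats shown in the sample, so any local variation in log prefix would need the expressions adjusted.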

Why have you put your MBL onto the Router’s DMZ?

About feature packs. If you ever find you have to install an official MyBook Live firmware update you could end up with a bricked MBL. As long as you're aware. :wink:

Ron_KK1L wrote:

Folks,

I just noticed a Chinese IP range (222.177.23.112) coming in on my port 22 accessing my MyBookLive. I caught it right away (by luck) and forwarded all access from 222.x.x.x to an invalid local IP address. At that point the attempts stopped pretty quickly. I was a bit concerned by this and thought I would see if others might have seen such activity! I do have FeaturePacks installed from highlevelbits.free.fr

Ron, KK1L

Hi Myron.

The NAS is not in the DMZ, but 22 is forwarded. I could change the incoming port to something different to prevent that, I guess. As long as I know the port, that is all that matters :slight_smile: Only my SIP router is in the DMZ (the VoIP folks can get at it easily and QoS is not an issue). That is not absolutely necessary and I might go back to forwarding the right ports and putting it on the GS116E switch with 802.1p to manage it.

I have ssh open on the NAS and just recovered from a bricked GUI by doing a firmware update. You were a principal in that thread (…Cannot access the dashboard…).