NickT
Posts: 271
Joined: Mon May 21, 2012 10:43 am
Location: UK

Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 10:08 am

I have followed several threads regarding security measures with some interest. I have made a few small changes and I am wondering if a test that I am contemplating will make me a target in the future.

First some background: I am still using user 'pi' with a strong password. I have just one port forwarded to a Pi zero which is running Apache on a high but non-standard port number. The Pi has just PHP and HTML files in /var/www, which I want to be accessible from any of my friends' browsers on their remote computers. I have installed fail2ban on my Pi and have tested it successfully by trying ssh with a wrong password from a machine on my local network. I don't have port 22 forwarded through my router at the moment.

I am now contemplating temporarily forwarding port 22 to my Pi, just to see if I do get attacks detected by fail2ban. When I changed ISP my IP address stayed the same for over 3 years; even though it was not guaranteed to be a static address, it behaved like one for those years. 2 months ago the IP address changed and my ISP's rep told me it was likely to change every 2 or 3 weeks. That has not happened, even though I have tried to provoke a change by turning the router off for a while. I think this IP address is likely to stay for a long period. (I have got a cron job which takes care of keeping my dtdns symbolic address up to date in the event of a change.)

My question is: will my opening up port 22 for ssh on my Pi with the semi-permanent IP address make that address a target for ne'er-do-wells and badbots in the future? Playing devil's advocate I can only think that lists of IP addresses with open ssh ports are shared amongst the hacker community.

B.Goode
Posts: 8271
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 10:20 am

NickT wrote: My question is: will my opening up port 22 for ssh on my Pi with the semi-permanent IP address make that address a target for ne'er-do-wells and badbots in the future?
Yes. 'The future' begins a few seconds after this exposure.
NickT wrote: Playing devil's advocate I can only think that lists of IP addresses with open ssh ports are shared amongst the hacker community
Lists don't need to come into it. The 'Bad Boys' (and Girls) are constantly and actively scanning for such potential targets for exploitation.

wildfire
Posts: 528
Joined: Sat Sep 03, 2016 10:39 am
Location: Dundee, Scotland

Re: Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 12:08 pm

And change that username; even with a strong password you've already given the black hats half the information they need.
E8 85 A2 64 C9 64 81 94 64 81 95 64 89 84 89 96 A3
Still NF Shirls

NickT
Posts: 271
Joined: Mon May 21, 2012 10:43 am
Location: UK

Re: Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 1:33 pm

Well, that was informative. I left port 22 open and logged one attempt and consequent ban in 3 hours. That one attempt only showed up after I had used the 'Shields Up' site to confirm that my ssh port was open. I've now stopped forwarding port 22 and stopped worrying about hackers completely. I no longer believe the 'they will find you in seconds' doom-mongers. It's more a case of 'they will find an open port every now and again and will try some brute force attempts for user pi'.

hippy
Posts: 5794
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 1:47 pm

NickT wrote: I no longer believe the 'they will find you in seconds' doom-mongers.
It's more that they can rather than will. Sometimes I go days without any intrusion attempts, other times they seem to come in like a flood. It is luck of the draw whether one gets hit at any particular time.

Ronaldlees
Posts: 294
Joined: Sat Apr 16, 2016 4:28 pm
Location: North Carolina, US

Re: Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 6:24 pm

First, they have to know about your little server. Yes - some of the miscreants just probe random addresses, but it's more common for them to look for servers that are advertised in some way. So, if you have a web page on your little server that gets scanned by Google, or other search engines, then you've been advertised, and you'll then see more of the ssh attacks.

However, most attacks I've seen on my ports last only a few hours or days, fairly intermittently (but not always) - so they end up probing only a small number of password possibilities (maybe some number of hundreds if I don't have a max-failed-attempts rejection configuration on the SSHD). It's fairly rare that they hit me with DOS level (thousands) of attempts over a short period. They always check for empty, root, admin, password, martha, etc. You can look in your var/auth log to see what passwords they try.

So, if you're using your noggin, low probability of break-in. Not impossible though. More sophisticated attempts would involve an SSHD vulnerability. But, likely they would first find out about you via some advertisement that they found, of your address. But - there's exceptions to that too. Ya takes yer chances.

You can set up SSHD to disallow after X number of failed tries, etc. You can also put the SSHD server on an alternate port (and not necessarily on another server).
Last edited by Ronaldlees on Tue Dec 06, 2016 6:58 pm, edited 3 times in total.
I am the Umbrella man
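
An added example, not part of any post in this thread: a small Python script that reads sshd log lines, tallies which usernames and source addresses produced failed logins, and reports which addresses would cross a fail2ban-style threshold. The log lines are constructed samples in the usual OpenSSH syslog format, the addresses come from documentation ranges, and the `maxretry` and `findtime` values (5 failures in 10 minutes) are assumptions to adjust to your own jail settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
# Source addresses use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
Dec  6 10:41:02 raspberrypi sshd[2101]: Failed password for pi from 203.0.113.7 port 40112 ssh2
Dec  6 10:41:05 raspberrypi sshd[2101]: Failed password for pi from 203.0.113.7 port 40112 ssh2
Dec  6 10:41:09 raspberrypi sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Dec  6 10:41:14 raspberrypi sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Dec  6 10:41:20 raspberrypi sshd[2107]: Failed password for invalid user martha from 203.0.113.7 port 40140 ssh2
Dec  6 11:15:43 raspberrypi sshd[2230]: Failed password for root from 198.51.100.23 port 51822 ssh2
Dec  6 12:02:10 raspberrypi sshd[2301]: Accepted password for pi from 192.168.1.20 port 50514 ssh2
Dec  6 13:30:00 raspberrypi sshd[2410]: Failed password for root from 198.51.100.23 port 51990 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2016):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def summarize(text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return (attempts per user, attempts per IP, IPs over the threshold)."""
    users, by_ip = Counter(), defaultdict(list)
    for ts, user, ip in parse_failures(text):
        users[user] += 1
        by_ip[ip].append(ts)
    would_ban = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        # sliding window: maxretry consecutive failures that fit inside findtime
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                would_ban.add(ip)
                break
    return users, {ip: len(s) for ip, s in by_ip.items()}, sorted(would_ban)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a real log, pass the file contents to `summarize()` instead of `SAMPLE_LOG`; on Raspbian the sshd messages normally land in /var/log/auth.log.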

Ronaldlees
Posts: 294
Joined: Sat Apr 16, 2016 4:28 pm
Location: North Carolina, US

Re: Testing security on my Pi, will it make me a target?

Tue Dec 06, 2016 6:30 pm

Sorry Hippy, I meant to quote NickT.

A little story might show how it goes. I had a residential IP based server that was unadvertised. Then, I put a post on another forum (hosted on another server (not local)) - which pointed to the residential IP (it linked to the residential page). I monitored both sites very thoroughly. There was a hit on the non-local web page that contained the link to the residential page, and it came from a Chinese IP. By this time Google had indexed the remote page, because I'd pointed to that page from yet another forum site message (not mine).

Within minutes I was being hit like with banshees from hell on my local SSHD.

So, now you know.
I am the Umbrella man
