New Linux malware brute forces SSH

Replace the :80 with :443 in the ssh command,
or add an additional tunnel for the 443 port.

2 Likes

Ah that did the trick! Thanks again!

Now that it works, what is the difference between using the IP address 192.168.1.1:443 and 127.0.0.1:443 for uci set uhttpd.main.listen_?

In terms of security / advantages ?

I guess it means the IP address is not used / revealed to access the LuCI web page? That's the main advantage?

If it only listens on localhost/127.0.0.1, you can't access it from outside the router, since it's not listening on any externally accessible IPs.

Hence the need for the port forward/tunnel through ssh.

1 Like

In theory the "advantage" is that 127.0.0.1 only lives on the router itself and is accessible only on the router, so you need to run the client accessing the web server (uhttpd) on the router itself. The trick here is that you create an SSH tunnel, so from your laptop the traffic is sent through the SSH session and it looks as if the web browser is on the router too, so the web server accepts the connection.

But this gives no real security benefit IMHO, because:

  • connecting from the WAN you are protected by default,
  • if you are the admin connecting from the LAN it is a pain to create a cheap VPN-like connection, when you can disable/enable uhttpd and/or change the configuration as you wish,
  • if you are not the admin and are connecting from the LAN, you don't / should not know the root password anyhow,
  • if you are not connecting from the LAN but from another internal network (e.g. guest), you should rather use the firewall to only allow predefined router access (input traffic).
1 Like

I thought I'd try

uci set uhttpd.main.listen_http='localhost:80'
uci set uhttpd.main.listen_https='localhost:443'
uci commit uhttpd
service uhttpd restart

But it doesn't work. The active SSH window shows "connect failed: Connection refused" messages each time I try to access https://localhost:8080.

But this works fine:

uci set uhttpd.main.listen_http='127.0.0.1:80'
uci set uhttpd.main.listen_https='127.0.0.1:443'
uci commit uhttpd
service uhttpd restart

In general, please use SSH keys, and disable WAN access if you don't need it.

Also if you want to make local services accessible without port forwards or VPN, Tor may be an option.
There is even a tor-hs package which makes this easy! https://github.com/openwrt/packages/pull/11659

Do Tailscale and ZeroTier provide the same benefits?

For SSH with HTTPS:

ssh root@192.168.1.1 -L 8080:localhost:443

and go to the following address while leaving the SSH window open:

https://localhost:8080/

1 Like
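The loopback-bind plus SSH-tunnel setup described in the posts above, as an added example that is not from any participant in this thread: it prints the router-side uci commands, checks a `netstat -ltn` listing so you can confirm that ports 80/443 really are bound only to loopback (and spot anything else still listening on 0.0.0.0 or ::), and builds the laptop-side `ssh -L` command. The router address 192.168.1.1 and the netstat text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not posted by any participant): pin LuCI's
# uhttpd to loopback, verify from netstat output that nothing on 80/443 is
# reachable from a LAN/WAN address, and build the matching ssh -L command.
# The router IP 192.168.1.1 and the netstat text below are assumptions.

# Constructed `netstat -ltn` output as an OpenWrt router might show it after
# the uhttpd change (made up for this example, not captured from a device).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'

# uci commands that restrict uhttpd to 127.0.0.1 (the variant the thread found
# working; "localhost" may resolve to ::1 and then not match a 127.0.0.1 tunnel).
uhttpd_loopback_cmds() {
    cat <<'EOF'
uci set uhttpd.main.listen_http='127.0.0.1:80'
uci set uhttpd.main.listen_https='127.0.0.1:443'
uci commit uhttpd
service uhttpd restart
EOF
}

# Read netstat -ltn text on stdin; exit 0 if every TCP listener on port $1 is
# bound to a loopback address (127.x.x.x or ::1), 1 if any listener is wider
# (0.0.0.0, ::, or a LAN/WAN address), 2 if nothing listens on that port.
port_is_loopback_only() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            n = split(addr, p, ":")
            if (p[n] != port) next
            # strip the trailing ":port" to get the bind address
            host = substr(addr, 1, length(addr) - length(p[n]) - 1)
            found = 1
            if (host !~ /^127\./ && host != "::1" && host != "[::1]") wide = 1
        }
        END { if (!found) exit 2; exit (wide ? 1 : 0) }'
}

# The laptop-side tunnel: local port $2 -> 127.0.0.1:$3, where 127.0.0.1 is
# resolved by sshd on the router. It is written out rather than "localhost" so
# the tunnel target matches the uhttpd bind address exactly.
ssh_tunnel_cmd() {
    printf 'ssh root@%s -L %s:127.0.0.1:%s\n' "$1" "$2" "$3"
}

# Stand-alone run: show the router-side commands, check the sample, print the tunnel.
uhttpd_loopback_cmds
for port in 80 443 22; do
    printf '%s\n' "$SAMPLE_NETSTAT" | port_is_loopback_only "$port" && rc=0 || rc=$?
    case $rc in
        0) echo "port $port: loopback only" ;;
        1) echo "port $port: reachable from non-loopback addresses" ;;
        2) echo "port $port: no listener" ;;
    esac
done
ssh_tunnel_cmd 192.168.1.1 8080 443
```

On the router itself the same check runs against live output, e.g. `netstat -ltn | port_is_loopback_only 443`; a non-zero exit after the uhttpd restart means the web UI is still bound to a LAN/WAN address and the uci change did not take effect. The tunnel target is written as 127.0.0.1 rather than localhost because the name in `-L local:host:port` is resolved by sshd on the router, and a resolution to ::1 there would not reach a uhttpd bound to 127.0.0.1.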

That was established 1 hour ago.

1 Like

Those are VPNs, so yes. The only port exposed to the WAN is the VPN's encrypted interface.

1 Like

It was 4 different posts. I tested it and posted it in one post for future reference.

1 Like

To get it right, the botnet is trying to brute force the hash?
So if that is long enough you are quite safe, as long as you don't use a lazy password like admin12346.
Add auto-block / blacklist and most of it is done.

For those who need SSH without a VPN, this can help: Port Knocking - MikroTik Wiki