Back in January of 2016 I was having problems with our home WiFi router, and decided to go out and purchase a Netgear Nighthawk. The Nighthawk is an awesome router.
So I set up the Nighthawk, enabled logging and email alerts, created my WiFi configuration and away I went. I had a few servers that I was running from my home office so I port forwarded them. I went against my intuition, which is using obscurity as a layer of security, because of some recent articles I had read online that really said not to do it and there was no point. So, trying to use “best practices” I forwarded the default ports.
Reviewing logs was something I did regularly for work, but it wasn’t something I did at home. Trying to learn more about Info-sec, I had started diligently reviewing my logs. Shortly after I noticed a large number of unknown IP addresses repeatedly and sequentially trying to access my SSH server. I jumped onto my server via SSH to check my auth log and sure enough, tons of brute force attempts. With no lockout or security there, they were able to try thousands of credentials in seconds. Lucky for me I had been hardening servers for a few years now, so I knew to disable root access, didn’t use default usernames and have very long passwords so they would have had to try for years to break in, if they could (at least through brute forcing SSH).
Being on the info-sec journey that I am, I decided this was a great opportunity to get a taste of defending systems from a real attacker. I quickly installed fail2ban, which is a simple IDPS program for SSH. Fail2ban monitors your auth log, and can ban IPs for a specific time after a certain number of attempts. Originally I set it up conservatively at 10 login attempts bans an IP for an hour, and waited…
It was working! I was banning IPs for an hour, and it was knocking them out… and then they started coming back. The attacker was learning, discovered my 10 attempt / 1 hour lockout and started rotating between 23 different IP addresses from every major country you could think of. Russia, China, Japan, US (Amazon AWS of course). I increased the lockout to 5 attempts and a ban of 5 hours, but they didn’t stop. A little frustrated, I increased the timeout again, this time to 3 attempts within 2 hours with a lockout of 24 hours. Everything stopped. I thought I finally had them.
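The three ban settings above can be compared by replaying one log through a simplified per-address counter. This is an added example, not code from the original post and not fail2ban's own implementation; the log is constructed (documentation addresses in 203.0.113.0/24), and the 2-hour counting window on the first two settings is an assumption, since the post only states a window for the last one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as it appears in auth.log.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def replay(lines, maxretry, findtime, bantime, year=2016):
    """Return (ban_count, failures_that_reached_sshd) for one ban policy."""
    recent, banned_until = defaultdict(deque), {}  # per-IP failures / ban expiry
    bans = reached = 0
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins, other daemons, noise
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ts < banned_until.get(ip, datetime.min):
            continue              # the firewall rule would have dropped this
        reached += 1
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans += 1
            window.clear()
    return bans, reached

def constructed_log(hours=6, sources=23, every=10):
    """Constructed sample: `sources` addresses take turns, one try per `every` s."""
    start = datetime(2016, 1, 15, 17, 0, 0)
    for i in range(hours * 3600 // every):
        ts = (start + timedelta(seconds=i * every)).strftime("%b %d %H:%M:%S")
        yield (f"{ts} srv sshd[{1000 + i}]: Failed password for invalid user "
               f"admin from 203.0.113.{1 + i % sources} port 40000 ssh2")

POLICIES = {  # (maxretry, findtime, bantime); 2 h window on the first two is assumed
    "10 tries / 1 h ban": (10, timedelta(hours=2), timedelta(hours=1)),
    "5 tries / 5 h ban": (5, timedelta(hours=2), timedelta(hours=5)),
    "3 tries in 2 h / 24 h ban": (3, timedelta(hours=2), timedelta(hours=24)),
}

def compare(lines):
    """Policy name -> (bans, failures that reached sshd) on the same log."""
    log = list(lines)
    return {name: replay(log, *p) for name, p in POLICIES.items()}
```

Calling `compare(constructed_log())` shows how many failed logins still reach sshd under each setting when every counter is kept per source address.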
At this point I was feeling pretty good about myself, getting to flex my defensive muscles and all. I had put down my adversary and learned a bit along the way. Things stayed quiet for a while. I’m not sure how long, maybe a week or so, before they hit me again. Hard.
Now I knew they were adapting their attack on me because they thought I was an interesting target. The harder I fought back, the more interesting I was to them. I just didn’t know how interesting I was making it, until a few weeks later when I looked at my system logs. I was shocked. Hundreds of brute force attempts to log in to my router, from INSIDE my own network. I traced the IP address back through the DHCP log to get the MAC address, and I didn’t recognize it as one of my own (Inventory management!). So I watched them through log files, trying to figure out where it was coming from. I thought someone was getting in through my wireless setup. Every day, from 5PM until 6:30PM they hit my router. I propped up an instance of kismet on a laptop I had and let it run, waiting to see how they were coming in. I thought I was going to catch their wireless signal and then attempt to triangulate it when I had more information.
Plot twist, they were coming in on the wired network? Turns out I had a guest Windows PC with two network cards in it, and I had only inventoried the wireless one.
It actually made me feel better, knowing they had infected a computer and were inside the network, instead of coming in through the wireless network. I was using WPA2 with a 15+ character password, which should have been above the skill level of your average attacker (or so I thought). Not to mention they’d have to be in range of my wifi.
I’d had enough fun for now, so I cleaned the computer, closed the ports, altered the router’s MAC, and rebooted the modem so we could get a new IP address and quietly slip away from the attackers.
I stopped playing because I didn’t think I was skilled enough to keep up, but I had so much fun that I knew it had a grip on me. I had already begun to fall down the infosec hole, and there was no way to stop it now.