
being hacked

0 votes
These are the first Digi WR21's I have set up that have a public IP. They are being hit pretty regularly any time I turn them on by sources outside the US:
13:38:48, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:7872
13:38:44, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:46748
13:38:40, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:12232
13:38:38, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 46.172.71.249:9130
12:47:43, 11 Jan 2010,GP socket connected: xxx.xxx.xxx.xxx:22 -> 223.25.233.38:50955

Is there a ruleset that I can turn on or customize to block all connections from outside the US?
asked Apr 6, 2016 in Digi TransPort Cellular by curtis.stapleton New to the Community (0 points)
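
Event-log lines in the format quoted in the question can be grouped by remote address to show which sources reach which local ports, which helps when deciding what the firewall should allow by exception. This is an added example, not part of the original thread or any Digi tooling; the sample addresses are constructed from documentation ranges, the management range is an assumed placeholder, and the left-hand side of each line is assumed to be the router.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the event-log format quoted in the question
# (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
13:38:48, 11 Jan 2010,GP socket connected: 192.0.2.10:22 -> 203.0.113.77:7872
13:38:44, 11 Jan 2010,GP socket connected: 192.0.2.10:22 -> 203.0.113.77:46748
13:38:40, 11 Jan 2010,GP socket connected: 192.0.2.10:22 -> 203.0.113.77:12232
13:20:05, 11 Jan 2010,GP socket connected: 192.0.2.10:443 -> 198.51.100.5:51514
12:47:43, 11 Jan 2010,GP socket connected: 192.0.2.10:22 -> 198.51.100.200:50955
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}, \d{1,2} \w{3} \d{4}),GP socket connected: "
    r"(?P<local>[\d.]+):(?P<lport>\d+) -> (?P<remote>[\d.]+):(?P<rport>\d+)$"
)

def summarize(log_text, mgmt_nets=("198.51.100.0/28",)):
    """Group logged connections by remote address; skip allowlisted sources."""
    allowed = [ip_network(n) for n in mgmt_nets]  # assumed management range
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other event types, or lines with masked addresses
        remote = ip_address(m["remote"])
        if any(remote in net for net in allowed):
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S, %d %b %Y")
        h = hits[str(remote)]
        h["count"] += 1
        h["ports"].add(int(m["lport"]))  # local port that was reached
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

def report(hits):
    """One line per source, busiest first."""
    rows = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return [f"{ip}: {h['count']} connections to ports {sorted(h['ports'])}, "
            f"{h['first']:%H:%M:%S} to {h['last']:%H:%M:%S}" for ip, h in rows]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```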


4 Answers

0 votes
The following knowledge base article should take care of this:

http://knowledge.digi.com/articles/Knowledge_Base_Article/HOW-TO-Configure-the-Digi-TransPort-Firewall-to-Allow-Alternate-SSH-and-Other-Management-Ports-for-External-Access
answered Apr 6, 2016 by userid0 Veteran of the Digi Community (2,156 points)
0 votes
This is something that you really should call into support for help with. The phone number is 952-912-3444 / 877-912-3444
answered Apr 6, 2016 by mvut Veteran of the Digi Community (11,300 points)
0 votes
If you are using a fixed IP address for your management location, I would look at using the firewall to allow by exception:

# remote management rule to all ports from NOC address
pass in break end on ppp1 from x.x.x.x to addr-ppp 1

# block all to PPP interface must have rules above
# to cover vpn and all other wanted traffic
block in break end on PPP1 from any to addr-ppp 1

or

# specific blocks
block in break end from any to any port=22
block in break end from any to any port=23
block in break end from any to any port=80
block in break end from any to any port=443
block in break end from any to any port=8022
block in break end from any to any port=8023
block in break end from any to any port=8080
block in break end from any to any port=8443


If you use the firewall, you should be only allowing specific traffic into the router.

Another thing to think about is changing to a private address on the cellular network and using management over RemoteManager or over a VPN built from the router.

regards
James
answered Apr 7, 2016 by James.Wilson Veteran of the Digi Community (1,225 points)
James,
Can you show me an example of allowing specific traffic into the router?
So, to allow a specific address to, say, HTTP, you can use this rule:

pass break end on PPP1 from 10.10.10.10 to addr-ppp 1 port=80 inspect-state

This allows the traffic to the PPP interface and also allows the return traffic back to the address.

regards

James
0 votes
I would use a bit of security by obscurity here.
Steps:
1. Move your SSH port to 22222 from 22. The bots look for 22; if it's on 22222 and YOU know that, you just tell your SSH client to connect on 22222 rather than 22.
2. Open this port in the fw:
pass in break end proto tcp from any to any port=22222 flags S!A inspect-state
3. Turn on the fw.

Problem solved, the probes will stop.

Cheers,
John
answered Aug 30, 2016 by jserink New to the Community (44 points)