So, I’ve been accessing my NSLU2 over SSH for quite a while now (OpenSSH server) using PuTTY, and I’ve made the SSH server reachable from the internet by forwarding TCP port 22 on my ADSL router through to port 22 on the NSLU2.
This opens up all kinds of possibilities. I can access my NSLU2 from anywhere in the world via the internet, and I can also use SSH tunnels to reach my Windows PC via Remote Desktop if it’s turned on.
To install OpenSSH, I used the guide found here: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess
I also followed the guide to set up the SSH server for public key access: anyone who wants to log into my NSLU2 over the internet needs the private key that matches a public key installed on the server, and the client proves it holds that key during SSH logon. The one change I did make: I didn’t allow root to log in via SSH. I set up another user on the box and gave that user SSH access. Once I’m logged in as that user, I either ‘su’ to root or use ‘sudo’ (available via ipkg) to run anything that requires root access.
I can’t stress enough how important this is if you are going to put your NSLU2 on the internet. Within a few hours of my NSLU2 being on the internet there had already been a number of brute-force attempts to gain entry to the server via SSH. Since they didn’t have a key, they couldn’t get in, but that doesn’t stop most of them from trying: it’s almost certainly a script that connects via SSH and works through usernames and passwords from a dictionary file.
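Before forwarding port 22 it is worth checking that the sshd_config on the box really enforces what the setup above relies on: "nobody gets in without a key" only holds if password (and challenge-response) authentication is switched off, not merely because a key has been installed. The script below is an added example, not code from this post or from the nslu2-linux project. It assumes the ipkg OpenSSH keeps its config at /opt/etc/openssh/sshd_config and uses a hypothetical user name, nasuser. It also allows for a trap in sshd’s parser: the first value seen for a keyword wins, so appending PasswordAuthentication no below an existing PasswordAuthentication yes changes nothing.

```shell
#!/bin/sh
# Added example (not from the post or the NSLU2 project): audit an sshd_config before
# forwarding port 22 to it. The post's setup amounts to "keys only, no root"; this
# checks that the file actually enforces it, allowing for sshd's parsing rules.
# Assumption: the ipkg OpenSSH on Unslung keeps its config in /opt/etc/openssh/sshd_config.

# Effective value of a keyword. sshd uses the FIRST uncommented value it reads for
# each keyword, and anything after a "Match" line is conditional, so stop there.
# Accepts both "Key value" and "Key=value" forms; keyword match is case-insensitive.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { gsub(/[[:space:]]*=[[:space:]]*/, " "); k = tolower($1) }
        k == "match" { exit }
        k == key     { print $2; exit }
    ' "$1"
}

# Report every directive that does not have the value we need; status 1 if any.
# An unset directive is reported too: sshd's default for the three "no" keywords
# has historically been "yes", and relying on defaults across upgrades is unwise.
sshd_audit() {  # $1 = config file
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "PubkeyAuthentication yes"; do
        key=${want% *}
        expect=${want#* }
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "${got:-unset}" != "$expect" ]; then
            echo "$1: $key is ${got:-unset}, want $expect"
            rc=1
        fi
    done
    return $rc
}

# Three constructed sshd_config files: the kind of default the post warns against, one
# "hardened" by appending lines (which sshd ignores), and one matching the post's setup.
make_samples() {  # $1 = directory to write into
    cat > "$1/weak" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    cat > "$1/appended" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later; sshd has already taken the first value for each keyword above
PermitRootLogin no
PasswordAuthentication no
EOF
    cat > "$1/hardened" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# nasuser is a hypothetical name for the non-root login user from the post
AllowUsers nasuser
EOF
}

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in weak appended hardened; do
        if sshd_audit "$d/$f"; then
            echo "$f: safe to expose"
        else
            echo "$f: NOT safe to expose"
        fi
    done
    rm -rf "$d"
}
demo
```

To audit the live file on the box, run sshd_audit /opt/etc/openssh/sshd_config (or wherever your build keeps it). After changing the file, restart sshd and confirm a key login from a second session before closing the one you are in, so a typo cannot lock you out.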
You can spot the hack attempts easily in the /var/log/messages file. They look something like:
Apr 10 16:07:41 NASSERVER auth.info sshd[3012]: Invalid user newsroom from 216.167.162.253
Apr 10 16:07:46 NASSERVER auth.info sshd[3016]: Invalid user magazine from 216.167.162.253
Apr 10 16:07:51 NASSERVER auth.info sshd[3020]: Invalid user research from 216.167.162.253
Apr 10 16:07:55 NASSERVER auth.info sshd[3024]: Invalid user cjohnson from 216.167.162.253
Apr 10 16:08:00 NASSERVER auth.info sshd[3028]: Invalid user export from 216.167.162.253
Of course, they can keep trying for quite a while, so in order to deal with this sort of attack I’d recommend installing the denyhosts package through ipkg. DenyHosts monitors the /var/log/messages file and, after a configurable number of failed login attempts from one address, adds that IP address to the hosts.deny file. hosts.deny is read by tcp_wrappers (libwrap), which sshd must have been built with for the entry to have any effect; once it is there, further connections from that address are refused before authentication even starts.
The hosts.deny file on the latest unslung can be found in /opt/etc/hosts.deny
So far the IP addresses that have been blocked (to name and shame) are as follows:
IP Address | Host Name |
212.55.199.242 | svrnat.stepx.ch |
190.144.35.210 | 190.144.35.210 |
80.203.202.130 | 130.80-203-202.nextgentel.com |
193.151.12.36 | jabber.alba.ua |
59.120.182.211 | fsd.com.tw |
209.104.200.6 | 200-104-209.galaxyvisions.com |
66.48.73.107 | 66.48.73.107 |
219.239.105.51 | 219.239.105.51 |
208.71.208.190 | 208.71.208.190 |
89.41.197.113 | pc197113.static.is.airbites.ro |
69.60.115.14 | cantsitstill.com.115.60.69.in-addr.arpa |
88.176.20.140 | vil93-12-88-176-20-140.fbx.proxad.net |
219.93.25.93 | 219.93.25.93 |
216.133.192.20 | npu20.npu.edu |
203.94.8.149 | 203.94.8.149 |
220.68.74.168 | 220.68.74.168 |
203.199.212.36 | illchn-static-203.199.212.36.vsnl.net.in |
202.143.136.2 | 202.143.136.2 |
121.180.100.15 | 121.180.100.15 |
59.144.174.187 | dsl-del-static-187.174.144.59.airtelbroadband.in |
61.34.78.200 | 61.34.78.200 |
213.251.184.171 | ks35220.kimsufi.com |
85.14.168.78 | 85.14.168.78 |
202.134.91.60 | static-ip-60-91-134-202.rev.dyxnet.com |
195.38.107.55 | aquila.euroexpert.tvnet.hu |
83.14.125.114 | eav114.internetdsl.tpnet.pl |
87.106.210.109 | s15285217.onlinehome-server.info |
210.212.176.20 | 210.212.176.20 |
76.76.15.121 | unknown.carohosting.net |
216.167.162.253 | nts-253.162-167-216.nts-online.net |
If you do manage to lock yourself out of the NSLU2 via SSH for whatever reason, you’ll need to log in to the web interface, enable telnet access, and then remove your IP address from the hosts.deny file.
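What DenyHosts does with log lines like the ones above, and the lockout just described, can be seen in a small model: count failures per source address in a messages-style log, print hosts.deny entries for addresses over a threshold, and skip an allow-list so the PC you log in from is never banned. This is an added example, not DenyHosts’ own code and not from the post. The log is constructed to match the format shown above, the threshold is illustrative, and the allowed-hosts file name is an assumption (DenyHosts keeps its own allow-list in its work directory; check its config for the path).

```shell
#!/bin/sh
# Added example (not DenyHosts and not from the post): the core of what DenyHosts does,
# reduced to two shell functions. Failed SSH logins in a /var/log/messages-style file
# are counted per source address, and addresses at or over a threshold are printed as
# hosts.deny entries ("sshd: a.b.c.d", the tcp_wrappers form DenyHosts writes), except
# those on an allow-list. The threshold, the allow-list path and the log are constructed.

# Count "Invalid user" and "Failed password" events per source address.
# Output: one "<count> <ip>" line per address.
ssh_failures_by_ip() {  # $1 = log file
    awk '
        /sshd\[[0-9]+\]: Invalid user .* from [0-9.]+/ ||
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1"
}

# hosts.deny lines for addresses with at least $2 failures, minus the allow-list
# ($3, one address per line). The allow-list is what stops the tool from banning
# the address you administer the box from; a missing allow-list file allows nothing.
deny_lines() {  # $1 = log file, $2 = threshold, $3 = allow-list file
    ssh_failures_by_ip "$1" | sort -rn | while read -r count ip; do
        if [ "$count" -ge "$2" ] && ! { [ -f "$3" ] && grep -qxF "$ip" "$3"; }; then
            printf 'sshd: %s\n' "$ip"
        fi
    done
}

# Constructed log modelled on the post's lines: one scanner trying many user names,
# one making two attempts, and the owner's own PC (192.168.1.10, assumed) fumbling
# its login four times before a key login succeeds.
make_sample_log() {  # $1 = file to write
    cat > "$1" <<'EOF'
Apr 10 16:07:41 NASSERVER auth.info sshd[3012]: Invalid user newsroom from 216.167.162.253
Apr 10 16:07:46 NASSERVER auth.info sshd[3016]: Invalid user magazine from 216.167.162.253
Apr 10 16:07:51 NASSERVER auth.info sshd[3020]: Invalid user research from 216.167.162.253
Apr 10 16:07:55 NASSERVER auth.info sshd[3024]: Invalid user cjohnson from 216.167.162.253
Apr 10 16:08:00 NASSERVER auth.info sshd[3028]: Invalid user export from 216.167.162.253
Apr 10 16:09:12 NASSERVER auth.info sshd[3031]: Failed password for invalid user scanner from 76.76.15.121 port 42391 ssh2
Apr 10 16:09:15 NASSERVER auth.info sshd[3031]: Failed password for invalid user scanner from 76.76.15.121 port 42391 ssh2
Apr 10 16:20:01 NASSERVER auth.info sshd[3040]: Failed password for nasuser from 192.168.1.10 port 50211 ssh2
Apr 10 16:20:04 NASSERVER auth.info sshd[3040]: Failed password for nasuser from 192.168.1.10 port 50211 ssh2
Apr 10 16:20:07 NASSERVER auth.info sshd[3040]: Failed password for nasuser from 192.168.1.10 port 50211 ssh2
Apr 10 16:20:10 NASSERVER auth.info sshd[3040]: Failed password for nasuser from 192.168.1.10 port 50211 ssh2
Apr 10 16:21:00 NASSERVER auth.info sshd[3044]: Accepted publickey for nasuser from 192.168.1.10 port 50230 ssh2
EOF
}

demo() {
    d=$(mktemp -d)
    make_sample_log "$d/messages"
    printf '192.168.1.10\n' > "$d/allowed-hosts"   # constructed: the PC we reach over the tunnel
    echo "# failures per source address:"
    ssh_failures_by_ip "$d/messages" | sort -rn
    echo "# entries to append to /opt/etc/hosts.deny (threshold 3):"
    deny_lines "$d/messages" 3 "$d/allowed-hosts"
    rm -rf "$d"
}
demo
```

With the threshold at 3 and the PC allow-listed, only 216.167.162.253 is written; 76.76.15.121 stays under the threshold and the PC is skipped despite four failures. Empty the allow-list and the PC is banned too, which is the lockout the paragraph above describes.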
I connect to my NSLU2 using PuTTY and set up quite a few tunnelled ports (local port forwards) to reach the HTTP servers and other services on the NSLU2 that aren’t exposed to the internet, e.g.
Port (on the NSLU2) | Application |
9000 | Twonkyvision |
631 | CUPS (Printer server) |
80 | NSLU2 Admin Interface |
2370 | CTorrent Web Interface |
To name a few. To access my Windows PC via an SSH tunnel, I set up a tunnel from port 3389 to my Windows PC’s IP address on the same port. This means that once I’m logged into the NSLU2, I can Remote Desktop to my PC.
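The same tunnels written out for the OpenSSH command-line client instead of PuTTY, as an added example rather than anything from the post. It builds an ssh_config Host block from localport:host:remoteport specs and refuses malformed ones instead of silently dropping them. The host name nslu2.example.net, the user nasuser, the key path and the Windows PC address 192.168.1.10 are all assumptions; local ports 631 and 3389 are moved to 8631 and 13389 so they do not collide with a printer daemon or RDP server on the client itself.

```shell
#!/bin/sh
# Added example (not from the post): the OpenSSH client equivalent of the PuTTY tunnels
# above, as an ssh_config "Host" block built from "localport:host:remoteport" specs.
# Host name, user name, key path and the Windows PC's LAN address are assumptions.

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One LocalForward line for a spec, bound to 127.0.0.1 so the forwarded service is
# reachable only from the machine running ssh, not from everything on its LAN.
forward_line() {  # $1 = "localport:host:remoteport"
    lp=${1%%:*}
    rest=${1#*:}
    host=${rest%%:*}
    rp=${rest#*:}
    if [ "$rest" = "$1" ] || [ "$rp" = "$rest" ] || [ -z "$host" ] \
       || ! valid_port "$lp" || ! valid_port "$rp"; then
        echo "bad forward spec: $1" >&2
        return 1
    fi
    printf '    LocalForward 127.0.0.1:%s %s:%s\n' "$lp" "$host" "$rp"
}

# Whole Host block, or nothing (status 1) if any spec is bad.
# ExitOnForwardFailure makes ssh quit instead of connecting with a tunnel missing,
# e.g. when the local port is already taken by a local CUPS or RDP server.
tunnel_config() {  # $@ = forward specs
    body=""
    for spec in "$@"; do
        line=$(forward_line "$spec") || return 1
        body="$body$line
"
    done
    printf 'Host slug\n'
    printf '    HostName nslu2.example.net\n'     # assumed public name of the ADSL line
    printf '    User nasuser\n'                   # the non-root user from the post (name assumed)
    printf '    IdentityFile ~/.ssh/nslu2_key\n'  # private key matching the server-side public key
    printf '    ExitOnForwardFailure yes\n'
    printf '%s' "$body"
}

# The post's four services plus the Windows PC (192.168.1.10 is an assumed LAN address).
# Local 631 and 3389 are shifted so they do not collide with services on the client.
tunnel_config 9000:127.0.0.1:9000 8631:127.0.0.1:631 8080:127.0.0.1:80 \
              2370:127.0.0.1:2370 13389:192.168.1.10:3389
```

Append the output to ~/.ssh/config; then ssh -N slug opens the tunnels without a shell, the admin interface is at http://127.0.0.1:8080/ and Remote Desktop connects to 127.0.0.1:13389. Binding to 127.0.0.1 matters: a forward bound to all interfaces would expose the NSLU2’s admin page and the PC’s RDP port to whatever network the laptop happens to be on.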
please explain …
I believe this is coming from your IP
(event log from my system follows)
May 14 20:18:46 c-76-17-147-69 sshd[25520]: Invalid user scanner from 76.76.15.121
May 15 01:18:46 c-76-17-147-69 sshd[25521]: input_userauth_request: invalid user scanner
May 14 20:18:46 c-76-17-147-69 sshd[25520]: pam_unix(sshd:auth): check pass; user unknown
May 14 20:18:46 c-76-17-147-69 sshd[25520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=76.76.15.121
May 14 20:18:46 c-76-17-147-69 sshd[25520]: pam_succeed_if(sshd:auth): error retrieving information about user scanner
May 14 20:18:48 c-76-17-147-69 sshd[25520]: Failed password for invalid user scanner from 76.76.15.121 port 42391 ssh2
May 15 01:18:48 c-76-17-147-69 sshd[25521]: Received disconnect from 76.76.15.121: 11: Bye Bye
May 14 20:18:48 c-76-17-147-69 sshd[25522]: Address 76.76.15.121 maps to unknown.carohosting.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
ta!
Actually, you might want to recheck your facts before you make any accusations.
My IP is not 76.76.15.121.
The aforementioned IP address is an American-based IP address, much like your own, and I am from the UK. As you’ll see from my post, they have also tried to access my server. A traceroute request helps to identify the server:
and a whois request reports the following: I hope that clears up your confusion.
Hi. I turned on the SSH connection on my slug to the outside world before I went to work today. *gulp* Thanks to your blog I’m feeling a bit less scared about it! Wasn’t sure where the security logs were – I now know. And I’ve just installed denyhosts. Thanks.
Many thanks for the comments. If you haven’t already done so, I’d recommend setting up the public/private key login to guarantee nobody can get in without the right private key.
I’ve managed to lock myself out of my slug before using denyhosts a couple of times! Remember if you do, you can always enable the telnet connection to get back in, and remove yourself from the hosts.deny file (found in /opt/etc/hosts.deny)