Odd Connections from China?



  • Not sure if this should go into the firewall section, please move if so.

    Getting the following messages from the sshd process:

    fatal: Unable to negotiate with 116.31.116.6 port 29141: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

    Now, I know this is because the ssh client is using weaker SSH key exchange algorithms, as mentioned at https://forum.pfsense.org/index.php?topic=115736.0.

    I traced the IP to China (I am not in China) and it appears to be constantly hitting it several times a minute on different ports…wondering if this is a process built into pfsense, or if I should be blocking this IP?

    Suggestions on course of action?

    Thanks


  • LAYER 8 Global Moderator

    It's not hitting different ports; that would be the source port.

    So why do you have ssh open to the public?  Yeah, running ssh open to the public is going to attract all kinds of unwanted noise trying to brute-force your ssh server that they can see.

    If you need to have ssh open to the public, I would limit it to only the IPs you're going to be coming from.  Or if you cannot do that, use something like the pfblocker package to block access from the unwanted countries like China, Ukraine, Russia - pfblocker has a top 20 listing of countries that send out lots of garbage.

    Another way to lower the log noise would be to run ssh on a different port; this is not actual security but it does limit the amount of noise you will see in your logs.  I would also suggest you only use public key auth vs allowing for passwords, etc.

    From a security standpoint you're prob better off vpn into pfsense, and then from there you could ssh or hit the webgui, etc.

    edit: I don't even have ssh open and you can see it gets hit quite a bit from all over.  This is just for today so far.
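An added example (not code from the thread or from pfSense) that parses the sshd "Unable to negotiate" line quoted in the first post, aggregates failures per client IP, and shows that the "port" in each line is the client's changing source port, as the moderator notes. The block-candidate threshold and the IPs other than 116.31.116.6 are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the sshd line quoted in the first post (with or without a syslog prefix).
KEX_FAIL = re.compile(
    r"Unable to negotiate with (?P<ip>\S+) port (?P<port>\d+): "
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)"
)

def parse_kex_failure(line):
    """Return (client_ip, source_port, [offered KEX algorithms]) or None."""
    m = KEX_FAIL.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("port")), m.group("offer").split(",")

def is_legacy_kex(name):
    """SHA-1 based DH exchanges are the ones the server in the thread refused."""
    return name.endswith("-sha1")

def summarize(lines, threshold=3):
    """Aggregate KEX failures per client IP; 'port' is the client's ephemeral
    source port, so it differs on every attempt from the same host."""
    hits = defaultdict(lambda: {"count": 0, "source_ports": set(), "legacy_offers": set()})
    for line in lines:
        parsed = parse_kex_failure(line)
        if parsed is None:
            continue
        ip, port, offer = parsed
        rec = hits[ip]
        rec["count"] += 1
        rec["source_ports"].add(port)
        rec["legacy_offers"].update(a for a in offer if is_legacy_kex(a))
    # Repeat offenders become candidates for a firewall alias or pfBlockerNG list
    # (threshold is an assumed, tunable value, not anything from the thread).
    candidates = sorted(ip for ip, r in hits.items() if r["count"] >= threshold)
    return dict(hits), candidates

# Constructed sample log: line 1 is the message from the thread, the rest are made up.
SAMPLE_LOG = [
    "Oct  5 10:01:02 pfsense sshd[1234]: fatal: Unable to negotiate with 116.31.116.6 port 29141: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]",
    "Oct  5 10:01:14 pfsense sshd[1236]: fatal: Unable to negotiate with 116.31.116.6 port 29188: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]",
    "Oct  5 10:01:31 pfsense sshd[1239]: fatal: Unable to negotiate with 116.31.116.6 port 30210: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]",
    "Oct  5 10:02:05 pfsense sshd[1241]: fatal: Unable to negotiate with 203.0.113.7 port 40001: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1 [preauth]",
    "Oct  5 10:02:40 pfsense sshd[1244]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2",
]

if __name__ == "__main__":
    hits, candidates = summarize(SAMPLE_LOG)
    for ip, rec in hits.items():
        print(ip, rec["count"], sorted(rec["source_ports"]), sorted(rec["legacy_offers"]))
    print("block candidates:", candidates)
```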




  • Thanks for the advice….I have disabled SSH, and am in process of setting up pfblockerNG.

    Thanks again!


  • LAYER 8 Global Moderator

    I wouldn't disable it.. Don't you use it?  I ssh into my pfsense box prob every other day or so.  But if you don't need it on the wan, it shouldn't be allowed on the wan.  What are your wan rules?  I edited my above post to include all the noise to 22 on the wan (from internet) as you can see from all over the place.

    That is not even counting all the hits to 23 (telnet) which is another noise generating port ;)  As you can see it hit my limit of 500 and those are all dated the 5th of Oct (today)…

    What are your wan rules, do you have a lot of port forwards?  The default wan is block all.. So use of pfblocker doesn't get you anything if you're not port forwarding or allowing anything to your pfsense wan.  It really only comes into play inbound to pfsense when you have port forwards or open rules on your wan that you want to block specific netblocks from accessing while allowing others.  Like maybe you want to limit access to your VPN to only IPs from the US, since you don't have any users of your VPN from anywhere else on the planet, etc.




    I didn't explain myself with regard to ssh: I didn't turn it off, just removed it from the wan rules.

    The only WAN rules I have are the ones created by pfblocker, the RDP rule mentioned above, and a rule that I did not create that filters Any IP/Any Port to the pfsense LAN address port 80 with a description of NAT 8000 to HTTPS…



    John, what would you need to ssh into the box that you couldn't do via vpn?  Just curious.



  • @xman111:

    John, what would you need to ssh into the box that you couldn't do via vpn?  Just curious.

    VPN is overkill if all you want is a terminal connection to your pfSense system from the outside. SSH can be very secure but you need to disable password logins, use key authentication instead and optionally move the external listening port to a non-standard port.



  • @kpa:

    VPN is overkill if all you want is a terminal connection to your pfSense system from the outside. SSH can be very secure but you need to disable password logins, use key authentication instead and optionally move the external listening port to a non-standard port.

    You might be right..  you know- right up until someone with a password cracker cracks your password and you get fired for violating your company's security policy..

    VPNs are easy and just good sense.



  • @chpalmer:

    @kpa:

    VPN is overkill if all you want is a terminal connection to your pfSense system from the outside. SSH can be very secure but you need to disable password logins, use key authentication instead and optionally move the external listening port to a non-standard port.

    You might be right..  you know- right up until someone with a password cracker cracks your password and you get fired for violating your company's security policy..

    VPNs are easy and just good sense.

    He did say to disable password based logins via SSH.


  • LAYER 8 Global Moderator

    I really don't get why you don't just vpn, it's sure not overkill.  And it allows you to do other stuff other than just ssh in.  I can vpn in from my phone, my desk at work via a proxy.. Click, I have the vpn connection.

    As I stated before, if you're going to allow ssh on the wan, I would lock it down to only the region of the world you're going to be coming from, and yes turn off password auth.  If possible lock it down to your actual IPs or netblocks you will be coming from for remote admin.  This is quite easy if you admin your own remote sites from say hq or your house, etc.

    If you leave it open you're going to not only get firewall noise of a hit, but log noise of them trying to log in even if you have just public key.  If you want to reduce that noise then change the port - but this might be a limit to where you can access it from if they are not allowing for your non standard port outbound.

    One of the nice things I like with openvpn is running it on 443 tcp which is pretty much always open if there is internet access where you're at.

