Hi there.
I had to reboot my server recently, and I received a `Possible Hack Attempt` notification from a plugin called `Fix Common Problems`.
Looking into this, I think I've found a bug/security issue. The server's SSH port should be configured to port `1122`. However, while the system is booting up, SSH is started before the set configuration is read, leading to port 22 being exposed.
Now, I have port 22 forwarded to the server for a service running `Forgejo`, a code repository service. The reason port 22 is being used is to lessen client configuration, and to make it simpler for users.
The bug here is unRaid is loading SSH with default values for a time, and later restarting with the correct config. This creates a window for attackers to attempt to access the system through something that isn't meant to be exposed.
Steps to reproduce:
1. Set a different port for SSH through unRaid's web UI.
2. Reboot the server.
3. There is now a window of opportunity to attack the server via the default SSH port as it starts. Plugins extend this window.
Some of the Logs:
SSH being started with port 22:
SSH login attempts being made during this window of opportunity:
There's more than just those.
SSH being restarted with the correct configuration:
I'll also make a quick note that it looks like smbd is getting the same treatment: it's loaded with defaults, then restarted with the proper configs later. So it appears there might be several system services being started like this when they shouldn't.
Will mark this as urgent, though I'll admit I'm not 100% sure if SSH will accept the correct password. This server runs a chat service, so uptime is important for me, and testing would interrupt that. Please adjust the urgency as needed if it's not as bad as I think it might be.
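One way to measure the boot-time window this report describes, added here as an example and not part of the original post or of unRaid's own code: it scans sshd syslog lines for a listener on any port other than the configured one and collects the login attempts logged until sshd comes back on the configured port. The log lines are constructed samples in standard OpenSSH message format; the function name `exposure_windows`, the hostname and the `year` parameter (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

CONFIGURED_PORT = 1122  # the port the report says SSH is configured to use

# Constructed sample lines (not the poster's logs); IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:14:02 Tower sshd[1201]: Server listening on 0.0.0.0 port 22.
Jan 10 03:14:09 Tower sshd[1290]: Invalid user admin from 203.0.113.7 port 40112
Jan 10 03:14:15 Tower sshd[1302]: Failed password for root from 198.51.100.23 port 51844 ssh2
Jan 10 03:14:41 Tower sshd[1201]: Received signal 15; terminating.
Jan 10 03:14:42 Tower sshd[2417]: Server listening on 0.0.0.0 port 1122.
Jan 10 03:20:05 Tower sshd[2600]: Failed password for root from 198.51.100.23 port 52001 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")
LISTEN = re.compile(r"Server listening on \S+ port (\d+)\.")
ATTEMPT = re.compile(
    r"(?:Failed password for(?: invalid user)? \S+|Invalid user \S*) from (\S+) port \d+")

def exposure_windows(log_text, configured_port=CONFIGURED_PORT, year=2024):
    """Return a dict per period in which sshd listened on an unexpected port,
    including the (timestamp, source IP) of each login attempt in that period."""
    windows, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        listen = LISTEN.search(m.group(2))
        if listen:
            port = int(listen.group(1))
            if port == configured_port and current:
                current["end"] = ts       # correct config active: window closes
                windows.append(current)
                current = None
            elif port != configured_port and current is None:
                current = {"port": port, "start": ts, "end": None, "attempts": []}
            continue
        attempt = ATTEMPT.search(m.group(2))
        if current and attempt:
            current["attempts"].append((ts, attempt.group(1)))
    if current:                           # corrected listener never appeared
        windows.append(current)
    return windows

if __name__ == "__main__":
    for w in exposure_windows(SAMPLE_LOG):
        print(w["port"], w["start"], w["end"], [ip for _, ip in w["attempts"]])
```

A window whose `end` is `None` means the log never shows sshd returning on the configured port.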