Port22_Login_root_ScanBot Posted March 16, 2021
Why is the Unraid default "root" user account always the target after a successful SSH2 port scan finds holes to enter? I would think an easy attempt to try the empty default password with the Enter key would be easy enough? Facepalm: several failed password attempts every minute from an Asian ISP. Hahaha... not so funny within hours of purchasing a Pro key and downloading Community Apps and Dockers.
trurl Posted March 16, 2021
Don't put your server on the internet!!!
Port22_Login_root_ScanBot Posted March 16, 2021
In less than twelve hours after purchasing and installing Unraid Pro, more than 300 successful "root" login [preauth] attempts using sshd, ssh2, telnet, [ pam_unix ] that ignore DenyHosts v2.6 blocking. Does Unraid have any protection at all, or are all the ports wide open for U(been)Raid? Let's put ARCH UNRAID back into this U(been)RAID.
Sshd 116.98.167.66 port 41236 on 173.25.218.106 port 22 rdomain
173.25.113.8 client.mchsi.com FOR root
171.240.196.230 ssh2
221.181.185.151 ssh2
221.181.185.19 ssh2 user=root
221.181.185.140 on 173.25.218.106
221.181.185.220
103.70.155.156 telnet
98.182.170.20 telnet
124.13.77.214
192.241.217.209
222.187.239.31
176.213.59.129
kizer Posted March 16, 2021
Are you port forwarding to your Unraid server? I've been running Unraid since 2009 and I haven't had one successful attempt to log in to my machine other than myself. I also find it very interesting that you are using the user name Port22_Login_root_ScanBot.
Hoopster Posted March 16, 2021
1 hour ago, Port22_Login_root_ScanBot said:
"In less than twelve hours purchasing and installing Unraid Pro, more than 300+ successful "root" login [preauth] attempts using sshd, ssh2, telnet, [ pam_unix ] < that ignore Denyhost v 2.6 blocking."
Do you have your server in a DMZ? Is port 22 open to the big bad world? Such login attempts from the outside world are the result of opening up unRAID on the Internet somehow. There are ways to securely access your server remotely without exposing common ports for direct access:
- WireGuard (built into unRAID)
- OpenVPN docker container
- ZeroTier
- The new My Servers unRAID plugin with SSL access
- Let's Encrypt reverse proxy
38 minutes ago, kizer said:
"I've been running unraid since 2009 and I haven't had one successful attempt to login to my machine other than myself."
Same for me since 2011. As an OS appliance, unRAID is not intended to be directly exposed to the Internet.
EDIT: and no unsuccessful login attempts other than me either.
Symen Posted March 16, 2021
The "root" login will always be tried by bots when they find an SSH daemon. I had tons of failed logins to my server (not Unraid) before I finally switched to a VPN configuration. I would strongly recommend you have a look at it if you want to access your server from outside your local network; it's pretty easy to set up.
Port22_Login_root_ScanBot Posted March 16, 2021
I don't know, I just bought this and installed it a few hours ago. I'm a bit behind the learning curve and found my dilly swinging in the wild. The only thing I had time to do was reduce the deny thresholds to 1 in DenyHosts. The one swinging the [ pam_unix ] was getting through... Being new, I couldn't even log into my router to see if the firewall was up, and I misplaced my switch info for the switch that is between Unraid and the router. I pulled the plug on the outside and looked at the system log... to find a big hot mess and 4 USB devices not connected going offline. The keyboard was stuck on machine-gun fire, preventing the mouse click to stop the array or safely shut down. Thanks for being here; whatever that pam_unix is had me pegged, and appears to be using several VM instances and hops. All for a fresh install with nothing on it, and a ton of failed password attempts... on a blank password, facepalm.
StevenD Posted March 17, 2021
1 hour ago, trurl said:
"Don't put your server on the internet!!!"
Why in the world do people have to keep being told this???? <sigh>
trurl Posted March 17, 2021
WireGuard VPN is built in. Use it.
Hoopster Posted March 17, 2021
18 hours ago, Port22_Login_root_ScanBot said:
"Being new I couldn't even log into my router to see if the firewall was up and I misplaced my switch info that is between Unraid and the router."
unRAID has no firewall itself and depends on whatever protections you have at the router level. You need to make sure you have good firewall protection enabled in the router and that all ports are closed (except those you need to forward for specific purposes). Also make sure the unRAID server IP address has not been placed in the router DMZ, if it has one. A DMZ basically bypasses all firewall and routing rules and lets anything in it be exposed to the outside world. Run the GRC Shields Up scan from a computer on your LAN to see what your exposure through the router/firewall currently is.
UPDATE: You should also run the common ports and all service ports scans to see which ports are currently open and responding to probes from the Internet.
trurl Posted March 17, 2021
1 hour ago, Hoopster said:
"combine the threads"
DONE
Port22_Login_root_ScanBot Posted March 17, 2021
Thank you all for all the interest in this post about the inherent lack of security, perhaps built into U(been)RAID. I did take note of the knowledge base GRC Shields Up provides, myself coming from the legends of the old DOS shell ported into the operating system "not to be named". Well, frustrated with the "now not to be named" OS, it is only useful within a Sandboxie VM. The time has come to embrace Linux and build upon the basic retraining language skill-set that Arch, Kali and Garuda truly offer... Wow, I have let my guard down and become lazily accustomed to the GUI. https://www.localcdn.org/ https://www.localcdn.org/test/check (the link is a fine tool as well that expands upon GRC Shields Up). The base U(been)RAID install fails in all the simplest security tests, leaving fresh installs' dillies swinging in the wild, unlike Garuda, Tails and Qubes, which have built-in attention to security baked in without extensive configuration or recompiling.
trurl Posted March 17, 2021
Fresh installs are not on the internet. You have to take some action yourself to put your server on the internet. You put your server on the internet without checking whether or not that was a good idea or how to do it correctly. See the WireGuard link I gave above.
Port22_Login_root_ScanBot Posted March 17, 2021
The activity on my end has now been Redir3cted traffic to this post... "ITS A HOT POST". This is now a direct link past your forum firewalls... Thank you, I have had my hands full at the moment. I Am On The Blue Team! The successful breaches that get past U(been)RAID's ignorance in using "root" as the unchangeable default. The outside attempts to breach the 55,000 open ports on my end... "The Router" [more on this a bit later > Media-Com Cable < ]. Port scanning for the obvious admin, root, tech, admin1, etc. The more determined hackers that latch onto a port and discover the Unraid default user name "root" get a present, as in a capture ">unraid very unsecured use of Firefox<" of information. Then they leave me alone with this redirect to here... WHY is the ability to change this taken away by U(been)RAID to "only use Firefox?" I would rather use >brave browser< or TOR directly.
Mar 17 09:22:48 Dell sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain ""
Check your server for 81.161.163.103; that's not me, I'm the other one > port 9174 on 173.25.218.106 port 22 rdomain <
Thanks trurl, but the old customer service tactic [deflection] away from the core issue, towards WireGuard, is useless. Why would I need to open up any more vectors of security breaches? U(been)RAID's lack of security has done well enough without another, right?
Back to [>MediaCom Cable<], the IP-facing gateway. In Dec the FCC laid down a ruling allowing customers to hook up their own routers and cut the "rental fee" off the bill from any IP provider. No matter which manufacturer of router, the manufacturer provides the firmware to whatever IP provider. The cable router is hooked up with the "cm Mac" address. Whatever IP provider [provisions] the router with the info cleared by the Linux code writers.
Long story short, MediaCom has blocked access, i.e. (192.168.0.1), to even get back inside "my property" >the router<. Let's get off the dumb as XXXX blame game right now! I AM ON THE BLUE TEAM<
Port22_Login_root_ScanBot Posted March 17, 2021
Mar 17 09:22:48 Dell sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain
"is now posted" on the web, "use any search engine," (not by me).
Mar 17 10:06:06 Dell sshd[30866]: Connection from 178.62.214.52 port 39540 on 173.25.218.106 port 22 rdomain ""
Mar 17 10:06:06 Dell sshd[30866]: error: kex_exchange_identification: Connection closed by remote host
Mar 17 10:06:06 Dell sshd[30866]: Connection closed by 178.62.214.52 port 39540
Observing the above method of operation... U(been)RAID's exclusivity to use Firefox gives the port scanning bots something useful: information. What is this information? Appears to be this "HOT POST" 178.62.214.52
mgutt Posted March 17, 2021
1 hour ago, Port22_Login_root_ScanBot said:
"ignorance to use "root" as the unchangeable default."
Why is this a problem? Just because you know my forum username, you are not able to log in. There is one magic thing missing: the password. Let's say you change the username to something else. What happens? The attacker tries a different one. You don't stop the attacks by that. They will happen all the time if you connect a device directly to the internet. They won't even stop if you close all ports. The only difference is that they are not logged anymore.
1 hour ago, Port22_Login_root_ScanBot said:
"The outside attempts to breach the 55,000 open ports on my end..."
There are not "55k" open ports. Unraid is based on Linux, and Linux does not have any open ports as long as there is no service listening on them. This means the Unraid webserver listens on port 80, so it's open. If you enable SSH, which by the way can be disabled, SSH will listen on port 22. You don't want to use port 22 for SSH? Then change it:
Finally, it's your decision to open ports, enable SSH and make it available through the internet.
1 hour ago, Port22_Login_root_ScanBot said:
"towards wireguard is useless. Why would I need to open up any more vectors of security breaches"
If you close port 22 (SSH) and open port 51820 (WireGuard), you finally have exactly the same number of open ports, but with a different service listening on it. By the way: an open port is not a security breach; it's absolutely necessary for networking.
23 minutes ago, Port22_Login_root_ScanBot said:
"sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain"
This does not mean that someone logged into your server. He only established a connection, and your server waits for the correct password. If you don't want those attacks, why is your server directly connected to the internet?
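The distinction mgutt draws above, between a bot merely connecting to port 22 and an actual login, is exactly what the sshd log records, and it is worth checking mechanically rather than by eye. The shell functions below are an added example, not code from this thread or from Unraid; the log lines they run on are constructed, with documentation-range addresses (203.0.113.x, 198.51.100.x) standing in for real sources. They count pre-auth connections, rejected passwords and accepted logins separately, tally failures per source address, and flag any accepted login that did not come from RFC 1918 (LAN) space, which is the one event that actually calls for incident response.

```shell
#!/bin/sh
# Added example (not from the thread or Unraid): classify sshd log lines so that
# "Connection from" (a bare TCP connect, nothing authenticated yet) is not mistaken
# for a successful login. The sample log is constructed; the public addresses are
# documentation ranges, not real attackers.

SAMPLE_LOG='Mar 17 09:22:48 Dell sshd[21859]: Connection from 203.0.113.10 port 9174 on 192.0.2.5 port 22 rdomain ""
Mar 17 09:22:50 Dell sshd[21859]: Failed password for root from 203.0.113.10 port 9174 ssh2
Mar 17 09:22:53 Dell sshd[21859]: Failed password for root from 203.0.113.10 port 9174 ssh2
Mar 17 10:06:06 Dell sshd[30866]: Connection from 198.51.100.7 port 39540 on 192.0.2.5 port 22 rdomain ""
Mar 17 10:06:06 Dell sshd[30866]: error: kex_exchange_identification: Connection closed by remote host
Mar 17 10:06:06 Dell sshd[30866]: Connection closed by 198.51.100.7 port 39540
Mar 17 11:30:01 Dell sshd[31002]: Connection from 192.168.1.20 port 50022 on 192.168.1.5 port 22 rdomain ""
Mar 17 11:30:03 Dell sshd[31002]: Accepted publickey for root from 192.168.1.20 port 50022 ssh2'

# count_events KIND -- reads sshd log lines on stdin and prints how many match KIND:
#   connect  = "Connection from"  (TCP connect only, pre-auth; what scanners generate)
#   failed   = "Failed password"  (a credential was tried and rejected)
#   accepted = "Accepted ..."     (a real login; a compromise if you did not do it)
count_events() {
    case "$1" in
        connect)  pat='sshd\[[0-9]*\]: Connection from ' ;;
        failed)   pat='sshd\[[0-9]*\]: Failed password for ' ;;
        accepted) pat='sshd\[[0-9]*\]: Accepted ' ;;
        *) echo "unknown kind: $1" >&2; return 1 ;;
    esac
    # grep -c exits 1 when the count is 0; the count is still printed, so ignore that.
    grep -c "$pat" || true
}

# failed_by_ip -- reads the log on stdin, prints "<count> <source-ip>" per source,
# most active first. This is the list a DenyHosts/fail2ban-style tool works from.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for ' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# accepted_from_outside -- prints the source IP of every successful login that did
# not originate in RFC 1918 space. Any output here is an incident, not noise.
accepted_from_outside() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted .* from \([0-9.]*\) port .*/\1/p' \
    | grep -v -E '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' || true
}

# Demo run over the constructed sample: prints "2 203.0.113.10".
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

On a live server, feed the real log instead of the sample, e.g. `grep sshd /var/log/syslog | failed_by_ip`; a long `failed_by_ip` list with `count_events accepted` at zero is the normal background noise mgutt describes, while a non-empty `accepted_from_outside` means a password or key was actually accepted from the Internet.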
trurl Posted March 17, 2021
31 minutes ago, Port22_Login_root_ScanBot said:
"Mar 17 09:22:48 Dell sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain "is now posted" on the web, "use any search engine," (not by me)."
Similar things have been "posted on the web" in this very forum when people have foolishly put their server on the internet.
Port22_Login_root_ScanBot Posted March 17, 2021
Thank you, we are correct: the port scanners in all probability will not stop this activity on the internet. The mitigation I have done was to change the blank password to a real password. Yes, you are correct about the necessity for networking and opening limited port access. Right now I'm not interested in that, in the context that all my ports are open. Yes, I have attempted to firewall up and block ports. We are on the same page. To answer the question "If you don't want those attacks, why is your server directly connected to the internet?": back to [>MediaCom Cable<], the IP-facing gateway. In Dec the FCC laid down a ruling allowing customers to hook up their own routers and cut the "rental fee" off the bill from any IP provider. No matter which manufacturer of router, the manufacturer provides the firmware to whatever IP provider. The cable router is hooked up with the "cm Mac" address. Whatever IP provider [provisions] the router with the info cleared by the Linux code writers. Long story short, MediaCom has blocked access, i.e. (192.168.0.1), to even get back inside "my property" >the router<. I have already contacted MediaCom about the core issue of why I am open to the internet [because I now do not have access into my router to see if the firewall is up and block ports].
JonathanM Posted March 17, 2021
Are you using the browser built in to the GUI to browse the web? If so, stop. The only thing you should be using the built-in browser for is to manage the server.
Hoopster Posted March 17, 2021
5 hours ago, Port22_Login_root_ScanBot said:
"for all the interest in this post about the inherent lack of security"
Here are some facts about unRAID that will hopefully be helpful to you:
1 - unRAID is not a full-fledged Linux OS. It is a very stripped-down version of Slackware Linux and only contains the necessary pieces to run the unRAID NAS appliance.
2 - unRAID has no firewall capability and has NEVER been advertised as a secure, Internet-hardened operating system. It should not be exposed directly to the Internet.
3 - unRAID cannot be exposed to the Internet via the default installation of the OS. As @trurl has pointed out to you, something in your router configuration has been done to expose your unRAID server to the Internet.
4 - There are many secure ways of accessing your server over the Internet. WireGuard is one of several and happens to be built into unRAID.
5 - The "root" user allows local GUI and terminal access. It should always have a secure password. The GUI is not intended to be accessed directly via the Internet.
6 - There is not really the traditional users concept that exists in other OSes, as it is not really necessary. You can control access to unRAID shares in a certain way via additional users/rights settings.
7 - Port forwarding/opening ports (assuming it is done in the correct way) is not a huge exposure risk and is necessary for the WAN/LAN interactions needed to allow secure remote access and services.
trurl Posted March 17, 2021
5 minutes ago, Port22_Login_root_ScanBot said:
"Long story short MediaCom has blocked access ie(192.168.0.1) to even get back inside "my property" >the router< I have already contacted mediacom about the core issue of why I am open to the internet [because i now do not have access into my router to see if the firewall is up and block ports]"
How can your ISP keep you from accessing your router? You mean they won't let you access your router from outside your LAN?
9 minutes ago, Port22_Login_root_ScanBot said:
"allowing customers to hook up routers"
Seems like it might be better for some users if the ISP keeps them from putting their equipment on the internet. 😁
Port22_Login_root_ScanBot Posted March 17, 2021
Trurl is smelling the bacon of customers' equipment and the additional rental fee equipment... we are on the same page, which is why I have found the source of the problem of finding >my dilly swinging in the wild<. Again, look below. The router has been [provisioned] by the ISP for ease of hook-up: what info is the gateway, DNS, etc. As most people wouldn't have a clue, any call to customer service is them resetting the router and [provisioning] that information into the router to avoid it being manually entered, right? Except the capt. overlooked the obvious: a few are capable of doing this on a server... right? Again, to repeat myself, if it wasn't clear: why would I be outside the LAN on the bare-metal setup of a newly purchased UNRAID, complicated by avoiding a new cable install that does not include the ISP equipment? To discover something about the equipment I am familiar with, not Media-Com's "special [provisioning]" of the router that changed the base manufacturer settings of the router, and >192.168.0.1 is now not accessible, right?< All I can do right now is have a very strong root password on the U(been)RAID... and do a personal drive-by to hunt down an installer, to ascertain his work order procedure, as customer service appears not to be willing to give customers access to the router! Yet they can reset it, right? What happens to the SSID for the wireless after a customer service reset of a router? Back to what, admin admin or admin password? What mitigations have >the blue team< done? Obviously this router has an external off switch, and off that vector of attack goes... By the way, having "root" is still a poor choice for an administrator-privileged account; where are the port scanners going? To the root? What did they find?
Another security weakness: a Firefox cached link saved in the grab-and-dash after the port scan provided some information.
Port22_Login_root_ScanBot Posted March 17, 2021
1 hour ago, jonathanm said:
"Are you using the browser built in to the GUI to browse the web? If so, stop. The only thing you should be using the built in browser for is to manage the server."
Thank you, that is very important to know, as I was not aware of some more critical limitations. Right: headless, SSH remote and external VMs. I was wondering why there was no way to change the default browser, being greyed out and always on for default, although in the CA there is a Brave browser there? Rack this one up for the newbie; this was the point of this UNRAID... command behind the firewalls, DMZ and disposable VMs on the lines... Except I didn't make it that far, my ISP Mediacom, the enemy behind the line, stabbed me in the back with "special" [provisioning] on the router. Anyone heard of this new layer to Mediacom's stupid S#!T to keep customers from using their own equipment? Thanks jonathanm.
2 hours ago, mgutt said:
"Then change it: Finally its your decision to open ports, enable SSH and make it available through the internet."
Thank you, mgutt. Buttoning that 22 down in favor of WireGuard.
mgutt Posted March 17, 2021
Maybe a temporary solution as long as you can't influence what your router is doing:
- open the WebTerminal (the >_ in the upper right corner)
- execute this:
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -j REJECT
It will enable the "firewall" which allows only local access to the server. Not sure if this breaks other things like DNS resolution?!
Note: This is not permanent. It will be deleted on server reboot. If you want it permanent, add a script to the User Scripts plugin or add it to your go file with the config file editor plugin.
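A variant of the rules above, written as an added example rather than mgutt's script or anything shipped with Unraid, that also answers the open question about DNS resolution. With a plain REJECT at the end of INPUT, replies to the server's own outbound traffic (a DNS query to a resolver outside the LAN, a plugin update check) arrive from non-private addresses and are rejected too; accepting packets in conntrack state ESTABLISHED,RELATED lets those replies through while still refusing every new connection from outside. The script assumes iptables with the conntrack and limit matches, which stock Linux kernels provide; it keeps its rules in a dedicated chain so they can be removed without flushing anything else, and setting IPTABLES=echo prints the rules instead of applying them, which is how the dry run below works without root.

```shell
#!/bin/sh
# Added example (not mgutt's rules or Unraid code): LAN-only INPUT policy that keeps
# the server's own outbound connections (DNS, updates) working. Applying it needs
# root on the Unraid shell; IPTABLES=echo turns it into a dry run that prints rules.

IPTABLES="${IPTABLES:-iptables}"

# Private ranges allowed to open connections to the server (RFC 1918).
LAN_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# apply_lan_only_firewall -- build the LAN_ONLY chain and hook it first in INPUT.
# Safe to run twice: the chain is flushed and the INPUT jump re-inserted once.
apply_lan_only_firewall() {
    "$IPTABLES" -N LAN_ONLY 2>/dev/null || "$IPTABLES" -F LAN_ONLY
    # Loopback is always fine (local services talking to each other).
    "$IPTABLES" -A LAN_ONLY -i lo -j ACCEPT
    # Replies to connections this server opened: this is what keeps DNS working
    # when the resolver is not on the LAN.
    "$IPTABLES" -A LAN_ONLY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in $LAN_RANGES; do
        "$IPTABLES" -A LAN_ONLY -s "$net" -j ACCEPT
    done
    # Log a rate-limited sample of what is refused so scanner activity stays
    # visible in syslog instead of silently disappearing.
    "$IPTABLES" -A LAN_ONLY -m limit --limit 5/min -j LOG --log-prefix "LAN_ONLY drop: "
    "$IPTABLES" -A LAN_ONLY -j REJECT
    # Remove any earlier jump (ignore failure if absent), then put ours first.
    "$IPTABLES" -D INPUT -j LAN_ONLY 2>/dev/null || true
    "$IPTABLES" -I INPUT 1 -j LAN_ONLY
}

# remove_lan_only_firewall -- undo everything apply_lan_only_firewall did.
remove_lan_only_firewall() {
    "$IPTABLES" -D INPUT -j LAN_ONLY 2>/dev/null
    "$IPTABLES" -F LAN_ONLY 2>/dev/null
    "$IPTABLES" -X LAN_ONLY 2>/dev/null
}

# Command dispatch: "apply" or "remove" as the first argument; nothing otherwise.
case "${1:-}" in
    apply)  apply_lan_only_firewall ;;
    remove) remove_lan_only_firewall ;;
esac
```

Saved as a script and called with `apply` from the go file or the User Scripts plugin, as the post suggests, it survives reboots; `IPTABLES=echo sh lan_only.sh apply` shows exactly what would be installed first. Like the original rules it only filters inbound connections on the server; it is a stopgap until the router itself stops forwarding those ports.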
limetech Posted March 25, 2021
Can someone please create a "tldr" of what user Port22_Login_root_ScanBot is on about?