Port scanning gaining access into Unraid root user account.(SOLVE COAULA)



Why is the Unraid default "root" user account always the target after a successful ssh2 port scanning holes entries?

I would think an easy attempt to try the empty defaulted enter key would be easy enough?

Facepalm, several failed password attempts every minute from an Asian ISP.

 

Hahaha...not so funny within hours after the purchase of pro key and downloading community apps and dockers.

 

 

Edited by Port22_Login_root_ScanBot

In less than twelve hours purchasing and installing Unraid Pro, more than 300+ successful "root" login [preauth] attempts using sshd, ssh2, telnet, [ pam_unix ] < that ignore Denyhost v 2.6 blocking.

 

Does Unraid have any protection at all or are all the ports wide open for U(been)Raid?

 

Let's put ARCH UNRAID back into this U(been)RAID

 

Sshd 116.98.167.66 port 41236 on 173.25.218.106 port 22 rdomain

173.25.113.8 client.mchsi.com FOR root

 

171.240.196.230 ssh2

221.181.185.151 ssh2

221.181.185.19 ssh2 user=root

221.181.185.140 on 173.25.218.106

221.181.185.220

 

103.70.155.156 telnet

98.182.170.20 telnet

124.13.77.214

192.241.217.209

222.187.239.31

176.213.59.129 

 

 

 

Edited by Port22_Login_root_ScanBot
Com report

Are you port forwarding to your unraid server? I've been running unraid since 2009 and I haven't had one successful attempt to login to my machine other than myself. 

 

I also find it very interesting that you are using the user name of Port22_Login_root_ScanBot

 

 

1 hour ago, Port22_Login_root_ScanBot said:

In less than twelve hours purchasing and installing Unraid Pro, more than 300+ successful "root" login [preauth] attempts using sshd, ssh2, telnet, [ pam_unix ] < that ignore Denyhost v 2.6 blocking.

Do you have your server in a DMZ?  Is port 22 open to the big bad world?

 

Such login attempts from the outside world are the result of opening up unRAID on the Internet somehow.  There are ways to securely access your server remotely without exposing common ports for direct access.

 

WireGuard is built into unRAID

OpenVPN docker container

ZeroTier

The new My Server unRAID plugin with SSL access

Lets Encrypt reverse proxy

 

38 minutes ago, kizer said:

I've been running unraid since 2009 and I haven't had one successful attempt to login to my machine other than myself. 

Same for me since 2011.  As an OS appliance, unRAID is not intended to be directly exposed to the Internet.

 

EDIT: and no unsuccessful login attempts other than me either

Edited by Hoopster

The "root" login will always be tried by bots when they find an ssh daemon. I had tons of failed logins to my server (not unraid) before I finally switched to a vpn configuration.

I would strongly recommend you have a look at it if you want to access your server from outside your local network, it's pretty easy to set up.


I don't know, I just bought this and installed a few hours ago.

I'm a bit behind the learning curve and found my dilly swinging in the wild. Only thing I had time to do is reduce the deny thresholds to 1 in denyhost.

The one swinging the [ pam unix ]was getting through...

 

Being new I couldn't even log into my router to see if the firewall was up and I misplaced my switch info that is between Unraid and the router.

 

I pulled the plug on the outside and looked at the system log... to find a big hot mess and 4 usb not connected go offline. The keyboard was stuck on machine gun fire preventing the mouse click to stop the array or safely shut down.

 

Thanks for being here, whatever that pam unix is had me pegged, appears using several vm instances and hops.

All for a fresh install with nothing on it, and a ton of failed password attempts...on a blank password, facepalm

18 hours ago, Port22_Login_root_ScanBot said:

Being new I couldn't even log into my router to see if the firewall was up and I misplaced my switch info that is between Unraid and the router.

unRAID has no firewall itself and will depend on whatever protections you have at the router level.  You need to make sure you have good firewall protection enabled in the router and that all ports are closed (except those you need to forward for specific purposes).  Also make sure the unRAID server IP address has not been placed in the router DMZ, if it has one.  A DMZ basically bypasses all firewall and routing rules and lets anything in it be exposed to the outside world.

 

Run the GRC Shields Up scan from a computer on your LAN to see what your exposure through the router/firewall is currently.

 

UPDATE:  You should also run the common ports and all service ports scans to see which ports are currently open and responding to probes from the Internet.

Edited by Hoopster

 

Thank you all,

for all the interest in this post about the inherent lack of security, perhaps built into U(been)RAID.

I did take note of the knowledge base the GRC Shields Up provides, myself coming from the legends of the old DOS shell ported into the operating system "not to be named".

Well, frustrated with the "now not to be named" OS, only uselessness to be used within a sandboxie VM. Time has come to embrace Linux and build upon the basic retraining language skill-set Arch, Kali and Garuda truly offer... Wow, I have let my guard down and become lazily accustomed to the GUI.

 

https://www.localcdn.org/

https://www.localcdn.org/test/check < this link is a fine tool as well that expands upon the GRC Shields Up.

The base U(been)RAID install fails all the simplest security tests, leaving fresh installs' dillies swinging in the wild, unlike Garuda, Tails and Qubes, which have attention to security baked in without extensive configuration or recompiling.

 

 

 

Edited by Port22_Login_root_ScanBot
syntax spell check

The activity on my end has now been Redir3cted traffic to this post..."ITS A HOT POST"

This is now a direct link past your forum firewalls...

 

Thank you, I have had my hands full at the moment, I Am On The Blue Team!

The successful breaches that get past U(been)RAID ignorance to use "root" as the unchangeable default.

The outside attempts to breach the 55,000 open ports on my end... "The Router" [more on this a bit later >Media-Com Cable< ]

Port scanning for the obvious admin, root, tech, admin1, etc. The more determined hackers that latch on a port and discover the unraid default user name "root" get a present, as in a capture ">unraid very unsecured use of Firefox<" of information. Then they leave me alone with this redirect to here...

WHY is the ability to change taken away by U(been)RAID to "only use Firefox?" I would rather use >brave browser< or TOR directly

 

Mar 17 09:22:48 Dell sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain ""

 

Check your server for 81.161.163.103, that's not me, I'm the other one > port 9174 on 173.25.218.106 port 22 rdomain <

 

Thanks trurl, the old usage, customer service tactic [deflection] away from the core issue, towards wireguard is useless.

Why would I need to open up any more vectors of security breaches, U(been)RAID lack of security has done well enough without another, right?

 

Back to [>MediaCom Cable<], IP facing gateway. In Dec the FCC laid down a ruling allowing customers to hook up routers and cut the "rental fee" off the bill from any IP provider. No matter what manufacturer of the router, the manufacturer provides the firmware to whatever IP provider. The cable router is hooked up with the "cm Mac" address. Whatever IP provider [provisions] the router with the info cleared by the linux code writers.

Long story short MediaCom has blocked access, i.e. (192.168.0.1), to even get back inside "my property" >the router<

 

Let's get off the dumb as XXXX blame game right now!

I AM ON THE BLUE TEAM<

Edited by Port22_Login_root_ScanBot
XXXX spelling error

Mar 17 09:22:48 Dell sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain

 

"is now posted" on the web, "use any search engine," (not by me).

 

Mar 17 10:06:06 Dell sshd[30866]: Connection from 178.62.214.52 port 39540 on 173.25.218.106 port 22 rdomain ""
Mar 17 10:06:06 Dell sshd[30866]: error: kex_exchange_identification: Connection closed by remote host
Mar 17 10:06:06 Dell sshd[30866]: Connection closed by 178.62.214.52 port 39540

 

Observing the above Method of Operation...

U(been)RAID exclusivity to use Firefox gives the port scanning bots something useful...information.

What is this information? Appears to be this "HOT POST"

 

178.62.214.52

Edited by Port22_Login_root_ScanBot
1 hour ago, Port22_Login_root_ScanBot said:

ignorance to use "root" as the unchangeable default.

Why is this a problem? Only because you know my forum username, you are not able to login. There is one magic thing missing, the password. Let's say you change the username to something else. What happens? The attacker tries a different one. By that you don't stop the attacks. They will happen all the time if you connect a device directly to the internet. They won't even stop if you close all ports. The only difference is that they are not logged anymore.

 

1 hour ago, Port22_Login_root_ScanBot said:

The outside attempts to breach the 55,000 open ports on my end...

There are not "55k" open ports. Unraid is based on Linux and Linux does not have any open ports as long as there is no service listening on them. This means the Unraid webserver listens on port 80, so it's open. If you enable SSH, which by the way can be disabled, SSH will listen on port 22. You don't want to use port 22 for SSH? Then change it:

[screenshot attachment, 2021-03-17]

 

Finally it's your decision to open ports, enable SSH and make it available through the internet.

 

1 hour ago, Port22_Login_root_ScanBot said:

towards wireguard is useless.

Why would I need to open up any more vectors of security breaches

If you close port 22 (ssh) and open port 51820 (wireguard), you finally have exactly the same amount of open ports, but with a different service listening on it. By the way: An open port is not a security breach, it's absolutely necessary for networking.

 

 

23 minutes ago, Port22_Login_root_ScanBot said:

sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain

This does not mean that someone logged into your server. He only established a connection and your server waits for the correct password.

 

If you don't want those attacks, why is your server directly connected to the internet? 

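As an added example, not code from mgutt or anyone else in this thread, here is a small bash script that sorts sshd log lines the way the reply above describes: a "Connection from" line is only a TCP connect, "Failed password" and "Invalid user" lines are refused attempts, and only an "Accepted ..." line means a session was actually opened. The log lines are constructed for this example with RFC 5737 documentation addresses; on a real Unraid box you would pass the contents of the syslog (assumed to be /var/log/syslog) to the functions instead of SAMPLE_LOG.

```shell
#!/usr/bin/env bash
# Added example: classify sshd log lines so "Connection from" noise is not
# mistaken for a login. Only "Accepted ..." lines mean someone authenticated.
# The sample lines below are constructed; IPs are documentation addresses.

SAMPLE_LOG='Mar 17 09:22:48 Dell sshd[21859]: Connection from 203.0.113.10 port 9174 on 192.0.2.5 port 22 rdomain ""
Mar 17 09:22:49 Dell sshd[21859]: Failed password for root from 203.0.113.10 port 9174 ssh2
Mar 17 09:22:51 Dell sshd[21859]: Failed password for root from 203.0.113.10 port 9174 ssh2
Mar 17 09:23:05 Dell sshd[21870]: Connection from 203.0.113.10 port 9201 on 192.0.2.5 port 22 rdomain ""
Mar 17 09:23:06 Dell sshd[21870]: Invalid user admin from 203.0.113.10 port 9201
Mar 17 10:06:06 Dell sshd[30866]: Connection from 198.51.100.7 port 39540 on 192.0.2.5 port 22 rdomain ""
Mar 17 10:06:06 Dell sshd[30866]: error: kex_exchange_identification: Connection closed by remote host
Mar 17 10:06:06 Dell sshd[30866]: Connection closed by 198.51.100.7 port 39540
Mar 17 10:30:00 Dell sshd[31002]: Connection from 192.168.1.20 port 50112 on 192.0.2.5 port 22 rdomain ""
Mar 17 10:30:01 Dell sshd[31002]: Accepted publickey for root from 192.168.1.20 port 50112 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT'

# count_connections: "Connection from" lines, i.e. bare TCP connects (no auth yet)
count_connections() { printf '%s\n' "$1" | grep -c ': Connection from ' || true; }

# count_failed: attempts sshd refused (wrong password or unknown user)
count_failed() { printf '%s\n' "$1" | grep -c -E ': (Failed password|Invalid user) ' || true; }

# count_accepted: the only lines that mean a session was opened
count_accepted() { printf '%s\n' "$1" | grep -c ': Accepted ' || true; }

# top_source: the source IP with the most connection attempts
top_source() {
  printf '%s\n' "$1" | awk '
    /: Connection from / { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
    END { best = ""; n = 0; for (ip in c) if (c[ip] > n) { n = c[ip]; best = ip }; print best }'
}

# accepted_sources: IPs that actually logged in, one per line (worth a second look
# if one of them is not yours)
accepted_sources() {
  printf '%s\n' "$1" | awk '/: Accepted / { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' | sort -u
}

summarize() {
  printf 'connections: %s\nfailed auth: %s\naccepted logins: %s\nnoisiest source: %s\nlogged in from: %s\n' \
    "$(count_connections "$1")" "$(count_failed "$1")" "$(count_accepted "$1")" \
    "$(top_source "$1")" "$(accepted_sources "$1" | tr '\n' ' ')"
}

summarize "$SAMPLE_LOG"
```

Run against the sample the summary reports four connections, three refused attempts and exactly one accepted login, from the LAN address; the noisy external source never gets past authentication, which is the distinction the reply above is making.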
31 minutes ago, Port22_Login_root_ScanBot said:

Mar 17 09:22:48 Dell sshd[21859]: Connection from 81.161.63.103 port 9174 on 173.25.218.106 port 22 rdomain

 

"is now posted" on the web, "use any search engine," (not by me).

Similar things have been "posted on the web" in this very forum when people have foolishly put their server on the internet.

 

 


Thank you, we are correct, the port scanners in most probability will not stop this activity on the internet.

What mitigations I have done, was to change the blank password to a real password.

Yes you are correct the necessity for networking, the opening limited port access. Right now I'm not interested in that, in the context that all my ports are open. Yes I have attempted to firewall up and block ports. We are on the same page.

 

To answer the question "If you don't want those attacks, why is your server directly connected to the internet?"

Back to [>MediaCom Cable<], IP facing gateway. In Dec the FCC laid down a ruling allowing customers to hook up routers and cut the "rental fee" off the bill from any IP provider. No matter what manufacturer of the router, the manufacturer provides the firmware to whatever IP provider. The cable router is hooked up with the "cm Mac" address. Whatever IP provider [provisions] the router with the info cleared by the linux code writers.

Long story short MediaCom has blocked access, i.e. (192.168.0.1), to even get back inside "my property" >the router<

 

I have already contacted mediacom about the core issue of why I am open to the internet [because I now do not have access into my router to see if the firewall is up and block ports]

5 hours ago, Port22_Login_root_ScanBot said:

for all the interest in this post about the inherent lack of security

Here are some facts about unRAID that will hopefully be helpful to you:

 

1 - unRAID is not a full-fledged Linux OS.  It is a very stripped-down version of Slackware Linux and only contains the necessary pieces to run the unRAID NAS appliance

2 - unRAID has no firewall capability and has NEVER been advertised as a secure, Internet hardened operating system.  It should not be exposed directly to the Internet

3 - unRAID cannot be exposed to the Internet via the default installation of the OS. As @trurl has pointed out to you, something in your router configuration has been done to expose your unRAID server to the Internet

4 - There are many secure ways of accessing your server over the Internet.  WireGuard is one of several and happens to be built into unRAID.

5 - The "root" user allows local GUI and terminal access. It should always have a secure password. The GUI is not intended to be accessed directly via the Internet.

6 - There is not really the traditional users concept as exists in other OSes as they are not really necessary.  You can control access to unRAID shares in a certain way via additional users/rights settings

7 - Port forwarding/opening ports (assuming it is done in the correct way) is not a huge exposure risk and is necessary for the WAN/LAN interactions needed to allow secure remote access and services.

 

 

5 minutes ago, Port22_Login_root_ScanBot said:

Long story short MediaCom has blocked access ie(192.168.0.1) to even get back inside "my property" >the router<

 

I have already contacted mediacom about the core issue of why I am open to the internet [because I now do not have access into my router to see if the firewall is up and block ports]

How can your ISP keep you from accessing your router? You mean they won't let you access your router from outside your LAN?

 

9 minutes ago, Port22_Login_root_ScanBot said:

allowing customers to hook up routers

Seems like it might be better for some users if the ISP keeps them from putting their equipment on the internet. 😁


Trurl is smelling the bacon of customers' equipment and the additional rental fee equipment... we are on the same page, why I have found the source of the problem of finding >my dilly swinging in the wild< Again look below

The router has been [provisioned] by the ISP for ease of hook up: what info is the gateway, DNS, etc.

As most people wouldn't have a clue, so any call to customer service is them resetting the router and [provisioning] that information into the router to avoid being manually entered, right? Except the capt. overlooked obvious a few are capable of doing this on a server...right? Again to repeat myself, if it wasn't clear.

Why would I be outside the LAN on the bare metal setup of a newly purchased UNRAID complicated by avoiding a new cable install that does not include the ISP equipment? To discover something about the equipment I am familiar with, not Media-Com "special [provisioning]" of the router that changed the base manufacturer settings of the router and >192.168.0.1 is now not accessible, right?<

 

All I can do right now is have a very strong root password on the U(been)RAID...and do a personal drive-by to hunt down an installer.

To ascertain his work order procedure as customer service appears not to be willing to give customers access to the router! Yet they can reset it, right? What happens to the SSID for the wireless after a customer service reset of a router? back to what admin admin or admin password? What mitigations have >the blue team< done? Obviously this router has an external off switch and off that vector of attack goes...

 

By the way having "root" is still a poor choice for an administrator privileged account, where are the port scanners going? to the root?

What did they find? Another security weakness in Firefox cached link saved in the grab and dash after the port scan provided some information

 

Edited by Port22_Login_root_ScanBot
1 hour ago, jonathanm said:

Are you using the browser built in to the GUI to browse the web? If so, stop.

 

The only thing you should be using the built in browser for is to manage the server.

Thank you, that is very important to know, as I was not aware of some more critical limitations. Right headless, ssh remote and external VMs.

I was wondering why, there was no way to change the default browser. Being greyed out and always on for default, although in the CA there is a Brave browser there?

Rack this one up for the newbie, this was the point of this UNRAID...Command behind the firewalls, DMZ and disposable VMs on the lines... Except didn't make it that far, my ISP Mediacom enemy behind the line stab in the back "special" [provisioning] on the router.

Anyone heard of this new layer too, Mediacom stupid S#!T to keep customers from using their own equipment?

Thanks jonathanm

 

 

2 hours ago, mgutt said:

Then change it:

[screenshot attachment, 2021-03-17]

 

Finally it's your decision to open ports, enable SSH and make it available through the internet.

Thank you, mgutt

Buttoning that 22 down in favor of wireguard


Maybe a temporary solution as long as you can't influence what your router is doing:

- open the WebTerminal  (The >_ in the upper right corner)

- execute this:

# accept replies to connections the server itself opened (DNS lookups, plugin updates); without this the final REJECT blocks them
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# accept anything from the private LAN ranges and from the server itself
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# refuse everything else
iptables -A INPUT -j REJECT

 

It will enable the "firewall" which allows only local access to the server. Not sure if this breaks other things like DNS resolution?!

 

Note: This is not permanent. It will be deleted on server reboot. If you want it permanent, add a script to the user scripts plugin or add it to your go file with the config file editor plugin.

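Building on the rules in the post above, here is an added example (not mgutt's post and not Unraid's own tooling) of the same LAN-only INPUT policy written as an idempotent bash script that fits the go file or the User Scripts plugin. It adds a conntrack rule so replies to connections the server opens itself (DNS lookups, plugin updates) still get in, uses `iptables -C` so re-running the script does not duplicate rules, and optionally accepts a single UDP port for WireGuard so that port 22 can stay closed while remote access keeps working. Assumptions: iptables with the conntrack match is available and the script runs as root; WG_PORT and the function names are chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: LAN-only INPUT policy for an Unraid box whose router cannot be
# trusted, as an idempotent script. Assumes root and iptables with conntrack.

WG_PORT="${WG_PORT:-}"   # e.g. 51820 for WireGuard; empty means nothing from outside

# lan_only_rules: print one INPUT rule per line (the arguments after "iptables")
lan_only_rules() {
  # replies to connections the server itself opened (DNS, updates, docker pulls)
  printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # loopback, matched by interface rather than by source address
  printf '%s\n' "-A INPUT -i lo -j ACCEPT"
  # RFC 1918 private ranges: anything on the LAN may reach the server
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    printf '%s\n' "-A INPUT -s $net -j ACCEPT"
  done
  # optional: WireGuard from anywhere, so remote access works with 22 closed
  if [ -n "$WG_PORT" ]; then
    printf '%s\n' "-A INPUT -p udp --dport $WG_PORT -j ACCEPT"
  fi
  # everything else is refused
  printf '%s\n' "-A INPUT -j REJECT"
}

# rule_count: number of rules in the policy (6 without WireGuard, 7 with)
rule_count() { lan_only_rules | wc -l | tr -d ' '; }

# apply_rules: add each rule only if "iptables -C" says it is not already there,
# so running the script twice (or after a reboot) leaves one copy of each rule.
apply_rules() {
  lan_only_rules | while IFS= read -r rule; do
    check="${rule/-A INPUT/-C INPUT}"
    # shellcheck disable=SC2086
    if ! iptables $check 2>/dev/null; then
      # shellcheck disable=SC2086
      iptables $rule
    fi
  done
}

# Only touch the live firewall when asked with --apply; the default just prints
# the rules so they can be reviewed first.
case "${1:-}" in
  --apply) apply_rules ;;
  *) lan_only_rules ;;
esac
```

Run it without arguments to see the rules it would add, then `WG_PORT=51820 ./lan-only.sh --apply` (file name assumed) to install them; the reject rule is appended last, so the order of the accept rules above it is what lets LAN and WireGuard traffic through.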