Strange login attempts. Am I being attacked?



Hi, I see strange login attempts in the log file. Am I being attacked?

 

Jul 19 16:39:15 powernas sshd[16643]: Failed password for root from 116.31.116.41 port 18158 ssh2
Jul 19 16:39:15 powernas sshd[16643]: Failed password for root from 116.31.116.41 port 18158 ssh2
Jul 19 16:39:16 powernas sshd[16643]: Failed password for root from 116.31.116.41 port 18158 ssh2
Jul 19 16:39:16 powernas sshd[16643]: Received disconnect from 116.31.116.41: 11: [preauth]
Jul 19 16:39:16 powernas sshd[16643]: Disconnected from 116.31.116.41 [preauth]
Jul 19 16:39:21 powernas sshd[16691]: Failed password for root from 116.31.116.41 port 32057 ssh2
Jul 19 16:39:22 powernas sshd[16691]: Failed password for root from 116.31.116.41 port 32057 ssh2
Jul 19 16:39:22 powernas sshd[16691]: Failed password for root from 116.31.116.41 port 32057 ssh2
Jul 19 16:39:24 powernas sshd[16691]: Received disconnect from 116.31.116.41: 11: [preauth]
Jul 19 16:39:24 powernas sshd[16691]: Disconnected from 116.31.116.41 [preauth]
Jul 19 16:39:35 powernas sshd[16766]: Failed password for root from 116.31.116.41 port 47588 ssh2
Jul 19 16:39:35 powernas sshd[16766]: Failed password for root from 116.31.116.41 port 47588 ssh2
Jul 19 16:39:36 powernas sshd[16766]: Failed password for root from 116.31.116.41 port 47588 ssh2
Jul 19 16:39:36 powernas sshd[16766]: Received disconnect from 116.31.116.41: 11: [preauth]
Jul 19 16:39:36 powernas sshd[16766]: Disconnected from 116.31.116.41 [preauth]
Jul 19 16:39:39 powernas sshd[16865]: Failed password for root from 116.31.116.41 port 27033 ssh2
Jul 19 16:39:42 powernas sshd[16865]: Failed password for root from 116.31.116.41 port 27033 ssh2
Jul 19 16:39:43 powernas sshd[16865]: Failed password for root from 116.31.116.41 port 27033 ssh2
Jul 19 16:39:43 powernas sshd[16865]: Received disconnect from 116.31.116.41: 11: [preauth]
Jul 19 16:39:43 powernas sshd[16865]: Disconnected from 116.31.116.41 [preauth]
Jul 19 16:39:47 powernas sshd[16918]: Failed password for root from 116.31.116.41 port 46565 ssh2
Jul 19 16:39:47 powernas sshd[16918]: Received disconnect from 116.31.116.41: 11: [preauth]
Jul 19 16:39:47 powernas sshd[16918]: Disconnected from 116.31.116.41 [preauth]
Jul 19 16:39:59 powernas telnetd[16616]: ttloop: peer died: EOF
Jul 19 16:40:28 powernas telnetd[16669]: ttloop: peer died: EOF
Jul 19 16:42:54 powernas in.telnetd[18576]: connect from 191.177.26.115 (191.177.26.115)

116.31.116.41 => Guangzhou, Guangdong (30), China
191.177.26.115 => Curitiba, Parana (18), Brazil

How bad is this and what can I do about it?

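As an added example (not from the thread or from Unraid), a small Python script that reads sshd lines in the format shown above, counts failed password attempts per source address and per connection, and flags a source that fails repeatedly within a short window. The sample lines are constructed from the post; 203.0.113.7 and 192.168.1.20 are made-up extras, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the thread's log: the 116.31.116.41 and telnetd lines mirror
# the post; 203.0.113.7 and 192.168.1.20 are made-up so the parser meets an 'invalid user' failure
# and a successful key login that it must not count.
SAMPLE_LOG = """\
Jul 19 16:39:15 powernas sshd[16643]: Failed password for root from 116.31.116.41 port 18158 ssh2
Jul 19 16:39:15 powernas sshd[16643]: Failed password for root from 116.31.116.41 port 18158 ssh2
Jul 19 16:39:16 powernas sshd[16643]: Failed password for root from 116.31.116.41 port 18158 ssh2
Jul 19 16:39:16 powernas sshd[16643]: Received disconnect from 116.31.116.41: 11: [preauth]
Jul 19 16:39:21 powernas sshd[16691]: Failed password for root from 116.31.116.41 port 32057 ssh2
Jul 19 16:39:22 powernas sshd[16691]: Failed password for root from 116.31.116.41 port 32057 ssh2
Jul 19 16:39:35 powernas sshd[16766]: Failed password for root from 116.31.116.41 port 47588 ssh2
Jul 19 16:40:02 powernas sshd[16800]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jul 19 16:42:54 powernas in.telnetd[18576]: connect from 191.177.26.115 (191.177.26.115)
Jul 19 17:05:10 powernas sshd[17001]: Accepted publickey for bob from 192.168.1.20 port 50122 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user X ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failures_by_ip(log_text):
    """Group 'Failed password' lines by source IP, counting attempts per sshd pid."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # disconnects, telnetd and successful logins are not failures
        # syslog stamps carry no year; strptime defaults to 1900, fine for in-day spans
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        rec = per_ip.setdefault(
            m["ip"], {"pids": defaultdict(int), "users": set(), "first": ts, "last": ts})
        rec["pids"][m["pid"]] += 1  # each sshd pid is one TCP connection
        rec["users"].add(m["user"])
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return per_ip


def classify(per_ip, min_attempts=5, window_seconds=300):
    """Flag a source as brute-forcing when it fails min_attempts+ times within the window."""
    verdicts = {}
    for ip, rec in per_ip.items():
        attempts = sum(rec["pids"].values())
        span = (rec["last"] - rec["first"]).total_seconds()
        verdicts[ip] = {
            "attempts": attempts,
            "connections": len(rec["pids"]),
            "max_per_connection": max(rec["pids"].values()),
            "users": sorted(rec["users"]),
            "span_seconds": span,
            "brute_force": attempts >= min_attempts and span <= window_seconds,
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify(failures_by_ip(SAMPLE_LOG)).items():
        print(ip, "BRUTE FORCE" if v["brute_force"] else "ok", v)
```

On the sample, 116.31.116.41 comes out as six failures over three connections in 20 seconds, all against root, while the single 'invalid user' failure from the other address stays below the threshold.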

Do you have your server exposed directly to the internet? That is not a very good idea if you don't want to get hacked.

 

Not that I know of. My dockers are pyload, dropbox, transmission and BTsync. None of them are accessible outside my local network.

 

I use the router given by my ISP (Belgium) and they cannot be changed.

 

Anyway, this might be the perfect excuse to build a pfsense box.


+++1

 


Using openvpn plugin?

 

Sent from my ASUS_Z00AD using Tapatalk

 

 


Nope. But it's on my to-do list. I can indeed buy a cheap firewall, but where is the fun in that.. :)

Ok, so I'm on a new adventure: cheap hardware for pfsense...

 

 


You could use the following website's open port tester to see how good a job your router is doing:

 

  https://www.grc.com/default.htm

 

and click on the "NEW SHIELDS UP! TEST: UPnP Exposure Test!" button. I would recommend that you do the "All Service Ports" portion at a minimum! You are testing to see if your router is unnecessarily exposing the fact that you are on the Internet. You really want your connection to be a 'stealth' one. Sometimes, you can change some router settings and get your router into stealth mode.

 

However, if you are opening up ports to connect to a nefarious service, somehow the hacker has found out your IP address and port from that usage...


Output:

 

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

 

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

 

Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.

 

But I'm a total amateur when it comes to networking so I have no clue how to read the results :(

 

 


Very basically, it is telling you that your router has some open ports that allow unrequested packets from the Internet through your router to the network inside your house. Your router's active response also tells the prober that your IP address is a 'live one' and thus is a target for exploitation. The open port just makes it very easy once they find it! You need to check your Docker applications to see which ones connect to the Internet, which ports they open, and why they need to keep the port open. You could also have an application running on another PC which is the culprit. Or it could even be a piece of malware running on one of your other computers...

 

I believe that 'Shields up' will tell what ports are open and that knowledge should help you find the problem.  (Google is your friend in researching the problem.)

 

 


The openvpn plugin using a commercial VPN provider was my point in asking about openVPN. The plugin opens the tunnel right in unRAID, bypassing any security, and using it with a commercial provider puts the security of your unRAID at the mercy of whatever the VPN provider decides to filter or not filter. It's great for a private VPN, however. I had a similar experience with a port scan and login attempt when I used it, then moved on to external means to do the VPN.

 

A low-power dual+ core embedded Celeron or AMD AM1 CPU would work well as a pfSense box. Not sure where you live, but if near a Microcenter you can get a quad-core AMD AM1 Athlon 5350 for $40 with a $40 discount towards a compatible motherboard, which can make the motherboard practically free.

 


Thanks! I will google that from here on. It's a bit off topic.

 

I'm from Belgium so the prices are a bit different. The AM1 platform is a good pick but they do not use Intel NICs.

 

My unraid server is shut down right now and I suppose I can't do anything about the security until I have my pfsense up and running?


I'd be surprised if the default setting of the ISP-provided kit is to allow all these ports to be open. Do you have a settings page for your modem and/or router? If so, it may be worth looking around and checking.


Well, I don't know what to say...

I logged in to my ISP account and discovered that ports between 7999 and 8080 were open! I can't remember changing any settings there... Strange.

Meanwhile, the login attempts keep coming:

 

Jul 20 12:06:09 powernas sshd[17199]: Received disconnect from 221.194.44.223: 11: [preauth]
Jul 20 12:06:09 powernas sshd[17199]: Disconnected from 221.194.44.223 [preauth]
Jul 20 12:06:19 powernas sshd[17203]: Connection closed by 116.31.116.42 [preauth]
Jul 20 12:06:22 powernas sshd[17244]: Failed password for root from 116.31.116.42 port 22251 ssh2
Jul 20 12:06:22 powernas sshd[17244]: Failed password for root from 116.31.116.42 port 22251 ssh2
Jul 20 12:06:22 powernas sshd[17244]: Failed password for root from 116.31.116.42 port 22251 ssh2
Jul 20 12:06:23 powernas sshd[17244]: Received disconnect from 116.31.116.42: 11: [preauth]
Jul 20 12:06:23 powernas sshd[17244]: Disconnected from 116.31.116.42 [preauth]
Jul 20 12:06:28 powernas sshd[17264]: Failed password for root from 116.31.116.42 port 32005 ssh2
Jul 20 12:06:29 powernas sshd[17264]: Failed password for root from 116.31.116.42 port 32005 ssh2
Jul 20 12:06:29 powernas sshd[17264]: Failed password for root from 116.31.116.42 port 32005 ssh2
Jul 20 12:06:29 powernas sshd[17264]: Received disconnect from 116.31.116.42: 11: [preauth]
Jul 20 12:06:29 powernas sshd[17264]: Disconnected from 116.31.116.42 [preauth]
Jul 20 12:06:33 powernas sshd[17285]: Failed password for root from 116.31.116.42 port 50732 ssh2
Jul 20 12:06:33 powernas sshd[17285]: Failed password for root from 116.31.116.42 port 50732 ssh2
Jul 20 12:06:33 powernas sshd[17285]: Failed password for root from 116.31.116.42 port 50732 ssh2
Jul 20 12:06:34 powernas sshd[17285]: Received disconnect from 116.31.116.42: 11: [preauth]
Jul 20 12:06:34 powernas sshd[17285]: Disconnected from 116.31.116.42 [preauth]
Jul 20 12:06:41 powernas sshd[17310]: Failed password for root from 116.31.116.42 port 10820 ssh2
Jul 20 12:06:41 powernas sshd[17310]: Failed password for root from 116.31.116.42 port 10820 ssh2
Jul 20 12:06:42 powernas sshd[17310]: Failed password for root from 116.31.116.42 port 10820 ssh2
Jul 20 12:06:42 powernas sshd[17310]: Received disconnect from 116.31.116.42: 11: [preauth]
Jul 20 12:06:42 powernas sshd[17310]: Disconnected from 116.31.116.42 [preauth]
Jul 20 12:06:47 powernas sshd[17338]: Failed password for root from 116.31.116.42 port 34846 ssh2
Jul 20 12:06:47 powernas sshd[17338]: Failed password for root from 116.31.116.42 port 34846 ssh2
Jul 20 12:06:48 powernas sshd[17338]: Failed password for root from 116.31.116.42 port 34846 ssh2
Jul 20 12:06:48 powernas sshd[17338]: Received disconnect from 116.31.116.42: 11: [preauth]
Jul 20 12:06:48 powernas sshd[17338]: Disconnected from 116.31.116.42 [preauth]

 

Is it useful/wise to shut down the telnet service on my unraid for now?


It might be a good idea to check your router and see if the IP of the unraid server is mapped anywhere, because you are likely NATed and the only way something outside is hitting your unraid IP is if the router is mapping to it.

Consider posting your network setup, changing IPs for your own safety.

 


And did you change the default password on that modem/router? You have to realize that most routers can be reached from either side (WAN or LAN). Thus if you don't change that password (and be sure to use a long, complex password when you do), someone in China or Timbuktu has complete access to it by googling for the default password! You can google your router with its name and model number to find out its default password and LAN-side IP address if you were not provided that info when it was installed.

 

One more thing, in the USA, the IP provider rents the modem/router to the end user.  I have exchanged mine several times over the years when it failed.  If your situation is similar and your modem/router is older than five or six years, you might want to just exchange it for a new one that will provide greater security and more up-to-date firmware.  (The manufacturers of these devices quit providing updated firmware to patch security holes within two years after they quit making them.)

 

Remember that these guys could also be attacking your other PC's as well.  You just happened to catch their activities on your server because you looked at its system log.


Frank1940 wrote: "Remember that these guys could also be attacking your other PC's as well. You just happened to catch their activities on your server because you looked at its system log."

 

This cannot be overemphasized.  You need to shut down those ports and any port forwarding in that router.  Disable UPnP and disable access to the router's config interface by the WAN side.

 

You can add a second router (although you may end up with double NAT, it is better than nothing) on your LAN side, just for the interim.


I dunno about the pfsense box idea.  Until the OP figures this out, then I wouldn't recommend building an advanced router device that you need to configure yourself.  I still don't believe that an ISP would supply a router/modem that is allowing all these ports to be open.


I still don't believe that an ISP would supply a router/modem that is allowing all these ports to be open.

 

They didn't.  They supplied a router that was easily hacked from the WAN side (there are plenty to choose from), and someone got into it, opened those ports, and forwarded them to IPs inside the LAN.

 


Yeah, that's a good point. Although we don't know the OP's level of expertise and enthusiasm towards tech, he did manage to get unRAID installed and configured, and that alone is more complicated than, let's say, installing Smoothwall, IPCop or pfSense. Most new users, I would guess, spend at least a few dozen hours of reading and configuring to get unRAID going. unRAID on its own is just a simple server, and adding Dockers and Plugins might take a while to understand and refine, and apparently he seems to understand that already.

 

An "out of the box" pfSense install provides minimum firewall protection with no open ports and very little user interaction to get on the net except to login to webgui and complete setup and reload settings. Installing Snort, Squid, Squidguard, DNSBL involves similar learning curve as installing Apps on unRAID but with pfSense there's just a lot more than can be configured and refined to suit your network environment.

 


I logged in to my router, closed those ports and changed the static IP of my unraid server. There are no login attempts so far. Not in unraid or my openmediavault, which I use to make backups. We cannot log in directly into the router, by the way. We need to use the ISP's website. So if there's no internet,... well :-\

We also cannot use the router until we have changed its default password, which was done when the ISP technician installed it, so that's not the problem.

 

I'm indeed far from an expert in this networking/IT world, but I'm not a total amateur either (same goes for my English btw :)) and I'm confident about getting pfsense running properly after doing proper research and with a lot of patience.

 

Many thanks to everyone for helping me out. I learned a lot.
