I think someone tried to hack me



Hello

 

I am pretty new to unraid but I like to fool around with it, see what I can do. I have had no big issues, only a couple of minor bugs here and there but I was able to solve them one by one.

 

The story starts today when I added a hard drive to my system. About an hour after, I got a notification about an overheating problem on my hard drives. I thought it was because of the clearing process so I did not panic. Then when I got back I decided to check the logs. There were millions of failed login attempts from IP addresses I did not know, like:

 

Jan  6 19:50:38 heimanas sshd[4431]: Failed password for root from 116.31.116.41 port 52195 ssh2

Jan  6 19:50:38 heimanas in.telnetd[4501]: connect from 39.36.242.27 (39.36.242.27)

Jan  6 19:50:38 heimanas sshd[4431]: Received disconnect from 116.31.116.41 port 52195:11:  [preauth]

Jan  6 19:50:38 heimanas sshd[4431]: Disconnected from 116.31.116.41 port 52195 [preauth]

 

And also from a website that seemed to be comcast:

 

Jan  6 19:52:23 heimanas login[5940]: invalid password for 'UNKNOWN'  on '/dev/pts/3' from '173-10-58-34-Michigan.hfc.comcastbusiness.net

 

So I blocked every port forward or anything similar and I have had no incidents so far. I was wondering if there is anything I should do, report the IP addresses to some blacklist database or something, or what to do to prevent this. I'll attach a part of the syslog, it was too large to upload.

Thank you

syslog.txt


Any port open on the internet will be scanned and probed. If it is a well known port, it will be continuously attacked. Changing the port for things like ftp, ssh, telnet, even http and https, will not avoid the attacks. The open port is found by scanning and the service is easily detected. You can try it yourself: telnet hostname 22, and the first thing you get is what service is running.

 

Your "attacker" is running Ubuntu exposed on the internet, probably hacked and used as a bot.

 

telnet 116.31.116.41  22
Trying 116.31.116.41...
Connected to 116.31.116.41.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.9p1 Ubuntu-2

Connection closed by foreign host.

 

173-10-58-34-Michigan.hfc.comcastbusiness.net is running a web server, likely compromised and again used as a bot.

 

curl 173-10-58-34-Michigan.hfc.comcastbusiness.net
<!DOCTYPE HTML>
<html>
    <head>
        <title>IVSWeb 2.0 - Welcome</title>
        <link rel="stylesheet" href="css/login.css">
        <script type="text/javascript" src="js/clientinfo.js"></script>
        <script type="text/javascript">
            var os = clientinfocontext.GetOSInfo();
            if(os=='Windows'){
                window.location.href = "/old/index.htm?mxy="+Math.random();
            }else{
                window.location.href = "/new/index.jsp";
            }
        </script>
    </head>
    <body>
    </body>
</html>

 

These services running on a different port are trivial to detect and automatically attack.

 

Fail2ban is useful to detect and block attackers.

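Added example, not from the thread and not fail2ban's own code: a small Python script that applies fail2ban's maxretry/findtime rule to syslog lines shaped like the ones quoted in the first post. The sample log is constructed for the example (the repeat attempts and the 10.0.0.5 source are invented to exercise the sliding window), and the year is an assumption because syslog timestamps omit it.

```python
"""Minimal fail2ban-style detector: parse syslog login failures and ban any
source that reaches MAXRETRY failures inside a FINDTIME-second sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the lines posted above. The extra sshd lines and
# the 10.0.0.5 source are invented so the window logic has something to decide.
SAMPLE_LOG = """\
Jan  6 19:50:38 heimanas sshd[4431]: Failed password for root from 116.31.116.41 port 52195 ssh2
Jan  6 19:50:38 heimanas in.telnetd[4501]: connect from 39.36.242.27 (39.36.242.27)
Jan  6 19:50:38 heimanas sshd[4431]: Received disconnect from 116.31.116.41 port 52195:11:  [preauth]
Jan  6 19:50:41 heimanas sshd[4433]: Failed password for root from 116.31.116.41 port 52201 ssh2
Jan  6 19:50:44 heimanas sshd[4435]: Failed password for invalid user admin from 116.31.116.41 port 52207 ssh2
Jan  6 19:52:23 heimanas login[5940]: invalid password for 'UNKNOWN'  on '/dev/pts/3' from '173-10-58-34-Michigan.hfc.comcastbusiness.net
Jan  6 20:10:02 heimanas sshd[4601]: Failed password for root from 10.0.0.5 port 41000 ssh2
Jan  6 20:10:09 heimanas sshd[4603]: Failed password for root from 10.0.0.5 port 41002 ssh2
Jan  6 21:30:00 heimanas sshd[4700]: Failed password for root from 10.0.0.5 port 41010 ssh2
"""

ASSUMED_YEAR = 2017  # syslog carries no year; assumed so timestamps can be compared

TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
FAILURE_PATTERNS = [
    # sshd password failures, including the "invalid user" variant
    ("sshd", re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                             r"(?P<user>\S+) from (?P<src>\S+) port \d+")),
    # login(1) failures (the telnet session's password attempt); the posted line
    # has no closing quote around the host, so it is optional here
    ("login", re.compile(TS + r"login\[\d+\]: invalid password for '(?P<user>[^']*)'"
                              r"\s+on '[^']*' from '(?P<src>[^'\s]+)'?")),
]


def parse_failures(log_text, year=ASSUMED_YEAR):
    """Return (timestamp, source, user, service) for every failed-login line.
    Connects and disconnects are deliberately ignored: only failures count."""
    events = []
    for line in log_text.splitlines():
        for service, pattern in FAILURE_PATTERNS:
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
                events.append((ts, m.group("src"), m.group("user"), service))
                break
    return events


def find_bans(events, maxretry=3, findtime=600):
    """fail2ban semantics: ban a source once it has maxretry failures within
    findtime seconds. Returns {source: time_of_ban}; each source is banned once."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for ts, src, _user, _service in sorted(events, key=lambda e: e[0]):
        if src in bans:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[src] = ts
    return bans


def ban_rules(bans):
    """The iptables rules fail2ban's default action would add (returned, not run)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(bans)]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for ts, src, user, service in events:
        print(f"{ts:%b %d %H:%M:%S} {service:5} user={user:8} from {src}")
    bans = find_bans(events)
    for src, when in bans.items():
        print(f"ban {src} at {when:%H:%M:%S}")
    print("\n".join(ban_rules(bans)))
```

Two things the run makes visible: 116.31.116.41 is banned on its third failure six seconds after the first, while 10.0.0.5 never is, because its third attempt lands well outside the 600-second window and the first two have already aged out. That second case is what findtime is for: a real fail2ban jail with maxretry=5 and findtime=600 behaves the same way, so slow, spaced-out guessing is not caught by it and needs a longer window or a different control (key-only auth, or closing the port).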

...your "attacker" is running Ubuntu exposed on the internet, probably hacked and used as a bot.

...

173-10-58-34-Michigan.hfc.comcastbusiness.net is running a web server, likely compromised and again used as a bot.

...

These services running on a different port are trivial to detect and automatically attack.

Exactly. Ubiquitous and persistent. Requiring absolutely no effort from any human.

Having applications that access the internet (CP, nzbget, sonarr) is not an issue, unless you have opened the ports they use to access them up in the router.

 

Opening any port in your router is a potential security hazard under any/all OS in the world, as you are then relying upon the security of the application itself. If you need to access apps / resources on your server then use a VPN. It's the most secure way of doing things.


So I have quite a few dockers running on unRAID with ports open to the net (NZBget, Couchpotato, Sonarr, Emby)...are you saying this is putting my unRAID at risk?  What do others do in this situation?

 

None of those need open ports on your router to do their work... Every application you use is able to use the internet. The issue exists when you open up ports on your router; you only do that if you want to access those applications from outside of your home.

 

Eg:

Having sabnzbd/sickrage/transmission/deluge/couchpotato download stuff for you is ok

Controlling these applications from your workplace (for example) is not ok..

 

And the risk is not small, you really should -not- do this.. It is not a matter of IF you will get hacked, but when.. (and we're not thinking years)

 

If you need to access your applications from outside your home, set up some kind of VPN solution.. That is what almost everyone does.

 


How about something like TeamViewer? No router updates are required, yet you are accessing your network from outside.

This is what I do. I did have VPN setup and working, but ultimately my wife and I mostly just connect to our Windows machines for everything we want to do remotely. And our work networks wouldn't allow us to VPN to our home network anyway.

How about something like TeamViewer? No router updates are required, yet you are accessing your network from outside.

If you don't want to take the time to learn how to run a VPN, then a commercial remote access product to a desktop or VM is the most secure way to get in to your LAN from the outside world.

 

My understanding is that TeamViewer results in all requests originating from the personal workstations (just like a request from a browser, SB, or any other normal web accessing application). You might call it a "Got Anything For Me" request. When TV wants to talk to the system, it replies to that message, and the workstation does what the message says and then issues a new "Got Anything For Me" request. In this way, the workstation is always making requests and getting responses, and never the receiver of unsolicited outside requests. I'm sure it is more complex than that, but this is my simplistic understanding of the principle. And I think it is a good way to go, given the ease of use. Once I get to my Windows workstation remotely, I can access anything in my network from that machine.

 

But I can't access my media directly.  I have not enabled Plex remote access, but assume it works similarly to TV. Can anyone confirm?


But I can't access my media directly.  I have not enabled Plex remote access, but assume it works similarly to TV. Can anyone confirm?

You shouldn't have that problem accessing the Plex UI, since it's the machine that TeamViewer is connected to that is actually accessing the UI, not the remote machine.

 

But, I really wouldn't be using TeamViewer to watch media as it sucks for that.


But I can't access my media directly.  I have not enabled Plex remote access, but assume it works similarly to TV. Can anyone confirm?

You shouldn't have that problem accessing the Plex UI, since it's the machine that TeamViewer is connected to that is actually accessing the UI, not the remote machine.

 

But, I really wouldn't be using TeamViewer to watch media as it sucks for that.

 

Agreed. Viewing media over TV doesn't work well at all. And operating TV on tablets and smartphones is not at all convenient.

 

Hence my question about Plex remote access. Is it as secure as something like TV?

 

THIS LINK is a description of the configuration you need to make. Here is an excerpt:

 

Easily connecting a Server to Plex relies on your router correctly supporting:

 

    NAT-PMP or

    UPnP

 

These features are common on modern routers but may be disabled by default. If your router doesn't support either of these features, you will likely need to set up a manual Port Forward.

 

I do not think that port forwarding is secure. Does the use of NAT-PMP or UPnP provide the necessary security?


I am a bit unclear as to how to set up the VPN to be secure.

 

My current setup: For every docker I have installed that I want to access outside the network I have a port forwarded on my router. (example: NZBget, Couchpotato, Sonarr, Nextcloud, Emby, Zoneminder).  I use duckdns docker to create an easy to remember url. 

 

When I need access to NZBget I will type:

 

www.myurl.duckdns.org:{nzbgetport}

 

then I type my username and password to log in.

 

(all of my dockers have usernames and passwords)

 

Questions:

1. How do I add the VPN protection to all of my dockers? (I see a few dockers in the Community Applications)

2. Can I set up my own VPN protection and not use a 3rd party provider? I currently route my deluge traffic through IPVanish with DelugeVPN docker but the speeds are noticeably slower than my connection.  I would like NZBget to have security but not at the expense of such drastic slow down.

3. Is there a way to have access to these dockers outside my network securely without having my speed compromised by slow VPN providers? (I don't want to pay for a faster one)

4. I use Nzb360 app on my android phone, will I still be able to use it once all of these dockers have been secured through the VPN option?

 

*I apologize if some of my questions may be unclear, as I admit I don't fully understand the entire VPN setup just yet

 

edit: I found this video link that cleared up a lot of questions in case someone else was as confused as I was.

 

 

I still have a few questions, but I'm going to follow this video first and see how far along I get before getting stuck again

 

 

 

 


Put everything behind a reverse proxy with SSL and fail2ban using the letsencrypt docker container and use nzb360 to connect to that.

 

Or setup a VPN and when you want to connect to nzb360, first connect to your VPN, then fire up nzb360.

 

Think of a VPN as logging into your wifi at home, but instead of a password you need a key and a password.

 

