kjarri Posted January 6, 2017
Hello, I am pretty new to unraid but I like to fool around with it and see what I can do. I have had no big issues, only a couple of minor bugs here and there, but I was able to solve them one by one. The story starts today when I added a hard drive to my system. About an hour after, I got a notification about an overheating problem on my hard drives. I thought it was because of the clearing process, so I did not panic. Then when I got back I decided to check the logs. There were millions of failed login attempts from IP addresses I did not know, like:
Jan 6 19:50:38 heimanas sshd[4431]: Failed password for root from 116.31.116.41 port 52195 ssh2
Jan 6 19:50:38 heimanas in.telnetd[4501]: connect from 39.36.242.27 (39.36.242.27)
Jan 6 19:50:38 heimanas sshd[4431]: Received disconnect from 116.31.116.41 port 52195:11: [preauth]
Jan 6 19:50:38 heimanas sshd[4431]: Disconnected from 116.31.116.41 port 52195 [preauth]
And also from a website that seemed to be Comcast:
Jan 6 19:52:23 heimanas login[5940]: invalid password for 'UNKNOWN' on '/dev/pts/3' from '173-10-58-34-Michigan.hfc.comcastbusiness.net
So I blocked every port forward or anything similar and I have had no incidents so far. I was wondering if there is anything I should do, report the IP addresses to some blacklist database or something, or what to do to prevent this. I'll attach a part of the syslog; it was too large to upload. Thank you
Attachment: syslog.txt
trurl Posted January 7, 2017
> I was wondering if there is anything I should do...
Something you should NOT do is put your server on the internet. Bots are ubiquitous and persistent.
aptalca Posted January 7, 2017
Set up OpenVPN (docker) on your server on a random port and make sure that is the only port that is exposed to the Internet. Also make sure that your server is not set as DMZ on your router, which exposes all the ports to the Internet.
peter_sm Posted January 7, 2017
You can also try the OpenVPN server plugin, now with version 2.4!
METDeath Posted January 8, 2017
The only ports I have exposed to the internet are my random VPN port and a non-standard port for Plex. The rest? Don't even respond to requests.
NeoDude Posted January 8, 2017
Yep, you need to minimise what is open to the internet. I use OpenVPN for most things; the only other ports I have forwarded are for Teamspeak and a randomised Plex port.
c3 Posted January 8, 2017
Any port open on the internet will be scanned and probed. If it is a well known port, it will be continuously attacked. Changing the port for things like ftp, ssh, telnet, even http and https, will not avoid the attacks. The open port is found by scanning and the service is easily detected. You can try it yourself: telnet hostname 22, and the first thing you get is what service is running. Your "attacker" is running Ubuntu exposed on the internet, probably hacked and used as a bot.
telnet 116.31.116.41 22
Trying 116.31.116.41...
Connected to 116.31.116.41.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.9p1 Ubuntu-2
Connection closed by foreign host.
173-10-58-34-Michigan.hfc.comcastbusiness.net is running a web server, likely compromised and again used as a bot.
curl 173-10-58-34-Michigan.hfc.comcastbusiness.net
<!DOCTYPE HTML>
<html>
<head>
<title>IVSWeb 2.0 - Welcome</title>
<link rel="stylesheet" href="css/login.css">
<script type="text/javascript" src="js/clientinfo.js"></script>
<script type="text/javascript">
var os = clientinfocontext.GetOSInfo();
if(os=='Windows'){
window.location.href = "/old/index.htm?mxy="+Math.random();
}else{
window.location.href = "/new/index.jsp";
}
</script>
</head>
<body>
</body>
</html>
These services running on a different port are trivial to detect and automatically attack. Fail2ban is useful to detect and block attackers.
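As an added example (not code from this thread, from unRAID or from fail2ban), here is a small Python script that applies the detection idea c3 refers to with Fail2ban to the sshd log lines kjarri posted: it counts "Failed password" events per source address and flags any address that reaches a fail2ban-style maxretry within a sliding findtime window, so a burst is flagged while slow, spread-out failures are not. The sample log is constructed for the example; 116.31.116.41 and the first two lines come from the thread, while 198.51.100.7 and the remaining lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd "Failed password" lines in the thread's syslog excerpt:
# month/day/time, hostname, sshd[pid], then user, source IP and port.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def parse_failed_logins(lines, year=2017):
    """Yield (timestamp, ip, user) per sshd failure; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_brute_forcers(lines, maxretry=5, findtime=600, year=2017):
    """Return {ip: total_failures} for sources with at least maxretry failures
    inside any findtime-second sliding window (fail2ban's maxretry/findtime rule)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failed_logins(lines, year):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1  # slide the window start forward until it fits findtime
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders

# Constructed sample modelled on the excerpt: a burst from 116.31.116.41 (from the
# thread), slow failures from the made-up 198.51.100.7, and one telnetd line.
SAMPLE_LOG = """\
Jan  6 19:50:38 heimanas sshd[4431]: Failed password for root from 116.31.116.41 port 52195 ssh2
Jan  6 19:50:38 heimanas in.telnetd[4501]: connect from 39.36.242.27 (39.36.242.27)
Jan  6 19:50:41 heimanas sshd[4433]: Failed password for root from 116.31.116.41 port 52201 ssh2
Jan  6 19:50:45 heimanas sshd[4436]: Failed password for invalid user admin from 116.31.116.41 port 52210 ssh2
Jan  6 19:51:02 heimanas sshd[4440]: Failed password for root from 116.31.116.41 port 52222 ssh2
Jan  6 19:51:10 heimanas sshd[4444]: Failed password for root from 116.31.116.41 port 52230 ssh2
Jan  6 18:00:01 heimanas sshd[4101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan  6 18:30:01 heimanas sshd[4150]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan  6 19:00:01 heimanas sshd[4200]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan  6 19:30:01 heimanas sshd[4250]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan  6 20:00:01 heimanas sshd[4300]: Failed password for root from 198.51.100.7 port 40005 ssh2
"""
```

With the defaults only the 32-second burst from 116.31.116.41 is flagged; widening findtime to two hours also catches the slow source, which is the trade-off a fail2ban jail's findtime setting makes.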
Squid Posted January 8, 2017
The Fix Common Problems plugin during its scheduled scans (daily) also specifically looks for attacks and will notify you of them.
trurl Posted January 8, 2017
> ...your "attacker" is running Ubuntu exposed on the internet, probably hacked and used as a bot. ... 173-10-58-34-Michigan.hfc.comcastbusiness.net is running a web server, likely compromised and again used as a bot. ... These services running on a different port are trivial to detect and automatically attack.
Exactly. Ubiquitous and persistent. Requiring absolutely no effort from any human.
fonzie Posted January 8, 2017
So I have quite a few dockers running on unRAID with ports open to the net (NZBget, Couchpotato, Sonarr, Emby)... are you saying this is putting my unRAID at risk? What do others do in this situation?
Squid Posted January 8, 2017
Having applications that access the internet (CP, nzbget, sonarr) is not an issue, unless you have opened up the ports they use in the router so you can access them. Opening any port in your router is a potential security hazard under any/all OS in the world, as you are then relying upon the security of the application itself. If you need to access apps / resources on your server then use a VPN. It's the most secure way of doing things.
Helmonder Posted January 8, 2017
> So I have quite a few dockers running on unRAID with ports open to the net (NZBget, Couchpotato, Sonarr, Emby)...are you saying this is putting my unRAID at risk? What do others do in this situation?
All of those do not need open ports on your router to do their work... Every application you use is able to use the internet. The issue exists when you open up ports on your router; you only do that if you want to access those applications from outside of your home.
E.g.: Having sabnzbd/sickrage/transmission/deluge/couchpotato download stuff for you is ok.
Controlling these applications from your workplace (for example) is not ok.. And the risk is not small, you really should -not- do this.. It is not a matter of IF you will get hacked, but when.. (and we're not thinking years)
If you need to access your applications from outside your home, set up some kind of VPN solution.. That is what almost everyone does.
SSD Posted January 8, 2017
How about something like TeamViewer? No router updates are required, yet you are accessing your network from outside.
JonathanM Posted January 8, 2017
> How about something like TeamViewer? No router updates are required, yet you are accessing your network from outside.
If you don't want to take the time to learn how to run a VPN, then a commercial remote access product to a desktop or VM is the most secure way to get in to your LAN from the outside world.
trurl Posted January 8, 2017
> How about something like TeamViewer? No router updates are required, yet you are accessing your network from outside.
This is what I do. I did have VPN setup and working, but ultimately my wife and I mostly just connect to our Windows machines for everything we want to do remotely. And our work networks wouldn't allow us to VPN to our home network anyway.
fonzie Posted January 8, 2017
It seems like I've been exposed for a while because I have indeed opened ports on my router to access these apps from outside my network. I guess it's time to read up on setting up a VPN for all of these.
SSD Posted January 8, 2017
> How about something like TeamViewer? No router updates are required, yet you are accessing your network from outside.
> If you don't want to take the time learn how to run a VPN, then a commercial remote access product to a desktop or VM is the most secure way to get in to your LAN from the outside world.
My understanding is that TeamViewer results in all requests originating from the personal workstations (just like a request from a browser, SB, or any other normal web accessing application). You might call it a "Got Anything For Me" request. When TV wants to talk to the system, it replies to that message, and the workstation does what the message says and then issues a new "Got Anything For Me" request. In this way, the workstation is always making requests and getting responses, and never the receiver of unsolicited outside requests. I'm sure it is more complex than that, but this is my simplistic understanding of the principle. And I think it is a good way to go, given the ease of use. Once I get to my Windows workstation remotely, I can access anything in my network from that machine.
But I can't access my media directly. I have not enabled Plex remote access, but assume it works similarly to TV. Can anyone confirm?
Helmonder Posted January 8, 2017
Yup ;-) It can be worse... There have been people who have opened up the unraid web interface itself to the internet..
Squid Posted January 8, 2017
> But I can't access my media directly. I have not enabled Plex remote access, but assume it works similarly to TV. Can anyone confirm?
You shouldn't have that problem accessing the Plex UI, since it's the machine that TeamViewer is connected to that is actually accessing the UI, not the remote machine. But I really wouldn't be using TeamViewer to watch media, as it sucks for that.
SSD Posted January 8, 2017
> But I can't access my media directly. I have not enabled Plex remote access, but assume it works similarly to TV. Can anyone confirm?
> You shouldn't have that problem accessing the PlexUI, since its the machine that TeamViewer is connected to that is actually accessing the UI, not the remote machine. But, I really wouldn't be using TeamViewer to watch media as it sucks for that.
Agreed. Viewing media over TV doesn't work well at all. And operating TV on tablets and smartphones is not at all convenient. Hence my question about Plex remote access. Is it as secure as something like TV?
THIS LINK is a description of the configuration you need to make. Here is an excerpt:
> Easily connecting a Server to Plex relies on your router correctly supporting: NAT-PMP or UPnP. These features are common on modern routers but may be disabled by default. If your router doesn't support either of these features, you will likely need to set up a manual Port Forward.
I do not think that port forwarding is secure. Does the use of NAT-PMP or UPnP provide the necessary security?
gubbgnutten Posted January 8, 2017
> I do not think that port forwarding is secure. Does the use of NAT-PMP or UPnP provide the necessary security?
No, they just allow applications to set up port forwarding all by themselves...
fonzie Posted January 8, 2017
I am a bit unclear as to how to set up the VPN to be secure. My current setup: for every docker I have installed that I want to access outside the network, I have a port forwarded on my router (example: NZBget, Couchpotato, Sonarr, Nextcloud, Emby, Zoneminder). I use the duckdns docker to create an easy to remember URL. When I need access to NZBget I will type www.myurl.duckdns.org:{nzbgetport}, then I type my username and password to log in (all of my dockers have usernames and passwords).
Questions:
1. How do I add the VPN protection to all of my dockers? (I see a few dockers in the Community Applications)
2. Can I set up my own VPN protection and not use a 3rd party provider? I currently route my deluge traffic through IPVanish with the DelugeVPN docker, but the speeds are noticeably slower than my connection. I would like NZBget to have security, but not at the expense of such a drastic slowdown.
3. Is there a way to have access to these dockers outside my network securely without having my speed compromised by slow VPN providers? (I don't want to pay for a faster one)
4. I use the Nzb360 app on my Android phone; will I still be able to use it once all of these dockers have been secured through the VPN option?
*I apologize if some of my questions may be unclear, as I admit I don't fully understand the entire VPN setup just yet.
edit: I found this video link that cleared up a lot of questions in case someone else was as confused as I was. I still have a few questions, but I'm going to follow this video first and see how far along I get before getting stuck again.
CHBMB Posted January 9, 2017
Put everything behind a reverse proxy with SSL and fail2ban using the letsencrypt docker container and use nzb360 to connect to that. Or set up a VPN and, when you want to connect to nzb360, first connect to your VPN, then fire up nzb360. Think of a VPN as logging into your wifi at home, but instead of a password you need a key and a password.