
Possible Hack Attempt

Not sure how this could have happened, but it appears concerning.  I SSH'd into my machine from work today to check something.  Just a bit ago I ran fix common problems and was notified there was a possible hack attempt.  Excerpt from logs attached (replaced domain name with "DOMAIN-NAME" and my work ip with "GOOD.IP").  Any ideas how this could have happened and how to prevent it from happening again?  It does not appear that anyone got anywhere, I'm just concerned with how they started sniffing in the first place.

syslog.txt

EDIT - for what it's worth I am serving organizr from my server as well as plex and openvpn.  I've set up fail2ban according to the linked guide below.

https://technicalramblings.com/blog/fail2ban-with-organizr-and-let-sencrypt/

Edited by statecowboy

Is your server maybe in the DMZ on your network? I put mine on the DMZ last week because I wanted to test something that wasn't covered by my firewall/NAT. In the 3-4 hours it was there I received multiple login attempts from no less than 6 different IP addresses. This is a prime example of why having a secure password is essential. 

  • Author
3 hours ago, lovaan said:

Is your server maybe in the DMZ on your network? I put mine on the DMZ last week because I wanted to test something that wasn't covered by my firewall/NAT. In the 3-4 hours it was there I received multiple login attempts from no less than 6 different IP addresses. This is a prime example of why having a secure password is essential. 

No it was not.  That said, I have been messing about with ports in the last week getting stuff set up.  I've since locked everything down to what's required (and removed 22).  My bigger concern was that SSH'ing into my machine somehow exposed something to the outside world.

  • 2 weeks later...
  • Author

Hi guys - so I still get these warnings when I run fix common problems.  It seems to have all started when I opened my port to SSH into my machine.  That port has since been closed.  The only ports opened now are for plex and for my webserver (80 and 443).  My web server has fail2ban integrated in case someone tries to go that route.  

Is there anything else I need to do or can do to stop these?  It's more of a nuisance now than anything.  Or is this just part of having a server open to the internet (even though it's just plex and web hosts that are opened).

Thanks

2 minutes ago, statecowboy said:

Hi guys - so I still get these warnings when I run fix common problems.

If you didn't either Acknowledge the error or Reboot your server (ideal to clear out the syslog), every time FCP does a rescan it will find the same issue and retrigger.  I don't suggest however to ever hit Ignore on this one.

  • Author
2 minutes ago, Squid said:

If you didn't either Acknowledge the error or Reboot your server (ideal to clear out the syslog), every time FCP does a rescan it will find the same issue and retrigger.  I don't suggest however to ever hit Ignore on this one.

Thanks Squid.  I should have been more clear.  When I first got these warnings I did restart the machine and they went away.  However, these bots seem to keep coming back.  I'm wondering if there's something else I need to be doing to prevent them from trying to get in.  They all appear to be SSH or SSH2 connection attempts.

Edit - the other port I have forwarded is for OpenVPN as well (1194).  So 80, 443, 32400, and 1194 are forwarded.

Edited by statecowboy

  • Author

Sorry for the additional reply, but I am stumped on this.  How can these bots possibly be hitting my machine on the ports it says they're trying when those aren't even open?  For what it's worth, I've stopped each docker one by one while watching my logs to see if these attempts stop and they do not.

Feb 16 11:23:01 someflix-unraid sshd[98067]: error: maximum authentication attempts exceeded for root from 42.7.26.49 port 47619 ssh2 [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98067]: Disconnecting authenticating user root 42.7.26.49 port 47619: Too many authentication failures [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:03 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:04 someflix-unraid sshd[98063]: Received disconnect from 61.177.172.188 port 33667:11: [preauth]
Feb 16 11:23:04 someflix-unraid sshd[98063]: Disconnected from authenticating user root 61.177.172.188 port 33667 [preauth]
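The OP's two questions ("did anyone get anywhere?" and "which sources keep coming back?") can be answered from sshd lines like the ones just above. The script below is an added example, not code from the thread, Unraid or Fix Common Problems: it tallies sshd authentication events per source IP over the lines quoted above plus one constructed "Accepted publickey" line (192.0.2.10, a documentation address), flags brute-force sources, and lists any source that failed and then succeeded.

```python
import re
from collections import defaultdict

# Sample input: the sshd lines quoted in the post above, plus one constructed
# "Accepted publickey" line on the documentation address 192.0.2.10.
SAMPLE_LOG = """\
Feb 16 11:23:01 someflix-unraid sshd[98067]: error: maximum authentication attempts exceeded for root from 42.7.26.49 port 47619 ssh2 [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98067]: Disconnecting authenticating user root 42.7.26.49 port 47619: Too many authentication failures [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:03 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:04 someflix-unraid sshd[98063]: Received disconnect from 61.177.172.188 port 33667:11: [preauth]
Feb 16 11:23:05 someflix-unraid sshd[98070]: Accepted publickey for root from 192.0.2.10 port 51000 ssh2
"""

# One regex per sshd event type we care about; each captures (user, source IP).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
EXCEEDED = re.compile(r"maximum authentication attempts exceeded for (\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")

def _new_entry():
    return {"failed": 0, "exceeded": 0, "accepted": 0, "users": set()}

def summarize_sshd(log_text):
    """Tally failed / MaxAuthTries-exceeded / accepted logins per source IP."""
    per_ip = defaultdict(_new_entry)
    for line in log_text.splitlines():
        for kind, rx in (("failed", FAILED), ("exceeded", EXCEEDED), ("accepted", ACCEPTED)):
            m = rx.search(line)
            if m:
                user, ip = m.group(1), m.group(2)
                per_ip[ip][kind] += 1
                per_ip[ip]["users"].add(user)
                break  # a line matches at most one event type
    return dict(per_ip)

def flag_brute_force(summary, threshold=3):
    """Sources with `threshold`+ failures, or that tripped sshd's MaxAuthTries limit."""
    return sorted(ip for ip, e in summary.items() if e["failed"] >= threshold or e["exceeded"] > 0)

def successful_after_failures(summary):
    """Sources that both failed and were later accepted: the ones that need a closer look."""
    return sorted(ip for ip, e in summary.items() if e["accepted"] and (e["failed"] or e["exceeded"]))

if __name__ == "__main__":
    s = summarize_sshd(SAMPLE_LOG)
    for ip in flag_brute_force(s):
        print(ip, s[ip]["failed"], "failed,", s[ip]["exceeded"], "lockout(s), users:", sorted(s[ip]["users"]))
    print("succeeded after failures:", successful_after_failures(s))
```

On a real Unraid box, feed it the output of `cat /var/log/syslog` (or the attached syslog.txt) instead of SAMPLE_LOG; an empty "succeeded after failures" list is the reassurance the OP was after.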

  • Community Expert

You might be interested in this:

https://www.abuseipdb.com/check/42.7.26.49?page=2

I would almost suspect that your router might have been compromised in some manner to allow the IP address through its firewall.  I found this info with a google of "Who is 42.7.26.49".  You can do the same for the other IP address(es) that is (are) in the syslog.

I agree with @Frank1940 that you should look more closely at your router.  Can you turn on firewall logging?

Also make sure you didn't forget to take the server IP out of the DMZ.

Perhaps change your unraid box to a different local IP and see if the attacks follow.

  • Author
1 hour ago, tdallen said:

I agree with @Frank1940 that you should look more closely at your router.  Can you turn on firewall logging?

My router is just the google fiber network box.  I am confident there are no DMZ assigned ports.  I may give a different static IP a try, but damn that's gonna suck re-configuring everything.  

  • Author

I think I may have found the problem.  When I closed 22 after ssh'ing into the machine a couple of weeks ago, I don't think that change got implemented.  I used pentest tools to scan my server and it found 22 open.  I restarted my network box (google fiber - which is also my router) and tried again and 22 was shown as closed.  That's frustrating.  Guess I'll just have to remember to restart my network box if I mess with ports going forward.

  • Community Expert

Me, I would be tempted to get a good router and use that Fiber optic box strictly as a Modem.  I would bet you don't even have a good manual for it.  By the way there is another good tool to use to scan your IP address from the Internet side of things.

https://www.grc.com/x/ne.dll?bh0bkyd2

This is the 'Shields Up' scanner; it is run by Gibson Research and has been around since the days of dial-up modems.  Be sure to do an all ports scan and look at any ports that you find in the syslog between port 1024.

  • Author
5 minutes ago, Frank1940 said:

Me, I would be tempted to get a good router and use that Fiber optic box strictly as a Modem.  I would bet you don't even have a good manual for it.  By the way there is another good tool to use to scan your IP address from the Internet side of things.

https://www.grc.com/x/ne.dll?bh0bkyd2

This is the 'Shields Up' scanner; it is run by Gibson Research and has been around since the days of dial-up modems.  Be sure to do an all ports scan and look at any ports that you find in the syslog between port 1024.

Thanks for the tip.  I've got a unifi AP and switch.  I may just get myself a unifi gateway and replace the fiber network box.  That's very disappointing that it was doing that and I have no way of knowing.

23 hours ago, statecowboy said:

I may just get myself a unifi gateway and replace the fiber network box.

If Google is similar to cable, you keep the current box but have it placed into bridge mode.  You then insert your own router downstream from that box, and go from there.  BTW, I am happy with my recently acquired USG.
