Possible Hack Attempt



Not sure how this could have happened, but it appears concerning.  I SSH'd into my machine from work today to check something.  Just a bit ago I ran fix common problems and was notified there was a possible hack attempt.  Excerpt from logs attached (replaced domain name with "DOMAIN-NAME" and my work ip with "GOOD.IP").  Any ideas how this could have happened and how to prevent it from happening again?  It does not appear that anyone got anywhere, I'm just concerned with how they started sniffing in the first place.


syslog.txt


EDIT - for what it's worth I am serving organizr from my server as well as plex and openvpn.  I've set up fail2ban according to the linked guide below.

https://technicalramblings.com/blog/fail2ban-with-organizr-and-let-sencrypt/

Edited by statecowboy

Is your server maybe in the DMZ on your network? I put mine on the DMZ last week because I wanted to test something that wasn't covered by my firewall/NAT. In the 3-4 hours it was there I received multiple login attempts from no less than 6 different IP addresses. This is a prime example of why having a secure password is essential. 

3 hours ago, lovaan said:

Is your server maybe in the DMZ on your network? I put mine on the DMZ last week because I wanted to test something that wasn't covered by my firewall/NAT. In the 3-4 hours it was there I received multiple login attempts from no less than 6 different IP addresses. This is a prime example of why having a secure password is essential. 

No it was not.  That said, I have been messing about with ports in the last week getting stuff set up.  I've since locked everything down to what's required (and removed 22).  My bigger concern was that SSH'ing into my machine somehow exposed something to the outside world.

  • 2 weeks later...

Hi guys - so I still get these warnings when I run fix common problems.  It seems to have all started when I opened my port to SSH into my machine.  That port has since been closed.  The only ports opened now are for plex and for my webserver (80 and 443).  My web server has fail2ban integrated in case someone tries to go that route.  

 

Is there anything else I need to do or can do to stop these?  It's more of a nuisance now than anything.  Or is this just part of having a server open to the internet (even though it's just plex and web hosts that are opened).

 

Thanks

2 minutes ago, statecowboy said:

Hi guys - so I still get these warnings when I run fix common problems.

If you didn't either Acknowledge the error or Reboot your server (ideal to clear out the syslog), every time FCP does a rescan it will find the same issue and retrigger.  I don't suggest however to ever hit Ignore on this one.

2 minutes ago, Squid said:

If you didn't either Acknowledge the error or Reboot your server (ideal to clear out the syslog), every time FCP does a rescan it will find the same issue and retrigger.  I don't suggest however to ever hit Ignore on this one.

Thanks Squid.  I should have been more clear.  When I first got these warnings I did restart the machine and they went away.  However, these bots seem to keep coming back.  I'm wondering if there's something else I need to be doing to prevent them from trying to get in.  They all appear to be SSH or SSH2 connection attempts.

 

Edit - the other port I have forwarded is for OpenVPN as well (1194).  So 80, 443, 32400, and 1194 are forwarded.

Edited by statecowboy

Sorry for the additional reply, but I am stumped on this.  How can these bots possibly be hitting my machine on the ports it says they're trying when those aren't even open?  For what it's worth, I've stopped each docker one by one while watching my logs to see if these attempts stop and they do not.

Feb 16 11:23:01 someflix-unraid sshd[98067]: error: maximum authentication attempts exceeded for root from 42.7.26.49 port 47619 ssh2 [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98067]: Disconnecting authenticating user root 42.7.26.49 port 47619: Too many authentication failures [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:03 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:04 someflix-unraid sshd[98063]: Received disconnect from 61.177.172.188 port 33667:11: [preauth]
Feb 16 11:23:04 someflix-unraid sshd[98063]: Disconnected from authenticating user root 61.177.172.188 port 33667 [preauth]

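As an added illustration (not part of the thread), here is how a fail2ban-style counter would treat the sshd lines quoted above: it counts authentication failures per source address inside a sliding time window and flags any address that reaches a threshold. The threshold of 3 failures within 600 seconds is an assumed setting, and the log text is a constructed copy of the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the sshd lines quoted in the post above, copied verbatim.
SAMPLE_LOG = """\
Feb 16 11:23:01 someflix-unraid sshd[98067]: error: maximum authentication attempts exceeded for root from 42.7.26.49 port 47619 ssh2 [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98067]: Disconnecting authenticating user root 42.7.26.49 port 47619: Too many authentication failures [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:03 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:04 someflix-unraid sshd[98063]: Received disconnect from 61.177.172.188 port 33667:11: [preauth]
Feb 16 11:23:04 someflix-unraid sshd[98063]: Disconnected from authenticating user root 61.177.172.188 port 33667 [preauth]
"""

# The two sshd failure forms present in the excerpt; disconnect lines are not failures.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)"
    r"|error: maximum authentication attempts exceeded for \S+ from (?P<ip2>\S+))"
)

def analyze(log_text, maxretry=3, findtime=timedelta(seconds=600)):
    """Return (failures per IP, IPs that hit `maxretry` failures within `findtime`).

    Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    because only the differences between timestamps are used.
    """
    failures = defaultdict(int)
    window = defaultdict(list)   # ip -> timestamps of failures still inside findtime
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group("ip") or m.group("ip2")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[ip] += 1
        window[ip] = [t for t in window[ip] if ts - t <= findtime] + [ts]
        if len(window[ip]) >= maxretry and ip not in banned:
            banned.append(ip)    # fail2ban would now add a firewall drop rule for ip
    return dict(failures), banned

if __name__ == "__main__":
    fails, bans = analyze(SAMPLE_LOG)
    for ip, n in fails.items():
        print(f"{ip}: {n} failure(s){' -> would be banned' if ip in bans else ''}")
```

Note that 42.7.26.49 shows only one matching line in the excerpt because its earlier failures happened before the quoted lines; the "maximum authentication attempts exceeded" message is sshd's own per-connection limit, separate from fail2ban's count.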

I think I may have found the problem.  When I closed 22 after SSH'ing into the machine a couple of weeks ago, I don't think that change got implemented.  I used pentest tools to scan my server and it found 22 open.  I restarted my network box (Google Fiber - which is also my router) and tried again and 22 was shown as closed.  That's frustrating.  Guess I'll just have to remember to restart my network box if I mess with ports going forward.


Me, I would be tempted to get a good router and use that fiber optic box strictly as a modem.  I would bet you don't even have a good manual for it.  By the way, there is another good tool to use to scan your IP address from the Internet side of things.

https://www.grc.com/x/ne.dll?bh0bkyd2

This is the 'Shields Up' scanner and is run by Gibson Research and has been around since the days of dial-up modems.  Be sure to do an all-ports scan and look at any ports that you find in the syslog between port 1024.

5 minutes ago, Frank1940 said:

Me, I would be tempted to get a good router and use that fiber optic box strictly as a modem.  I would bet you don't even have a good manual for it.  By the way, there is another good tool to use to scan your IP address from the Internet side of things.

https://www.grc.com/x/ne.dll?bh0bkyd2

This is the 'Shields Up' scanner and is run by Gibson Research and has been around since the days of dial-up modems.  Be sure to do an all-ports scan and look at any ports that you find in the syslog between port 1024.

Thanks for the tip.  I've got a UniFi AP and switch.  I may just get myself a UniFi gateway and replace the fiber network box.  That's very disappointing that it was doing that and I had no way of knowing.

23 hours ago, statecowboy said:

I may just get myself a UniFi gateway and replace the fiber network box.

If Google is similar to cable, you keep the current box but have it placed into bridge mode.  You then insert your own router downstream from that box, and go from there.  BTW, I am happy with my recently acquired USG.
