statecowboy Posted February 6, 2018 (edited)
Not sure how this could have happened, but it appears concerning. I SSH'd into my machine from work today to check something. Just a bit ago I ran Fix Common Problems and was notified there was a possible hack attempt. Excerpt from logs attached (replaced domain name with "DOMAIN-NAME" and my work IP with "GOOD.IP"). Any ideas how this could have happened and how to prevent it from happening again? It does not appear that anyone got anywhere; I'm just concerned with how they started sniffing in the first place.
syslog.txt
EDIT - for what it's worth I am serving Organizr from my server as well as Plex and OpenVPN. I've set up fail2ban according to the linked guide below.
https://technicalramblings.com/blog/fail2ban-with-organizr-and-let-sencrypt/
Edited February 6, 2018 by statecowboy
lovaan Posted February 6, 2018
Is your server maybe in the DMZ on your network? I put mine on the DMZ last week because I wanted to test something that wasn't covered by my firewall/NAT. In the 3-4 hours it was there I received multiple login attempts from no less than 6 different IP addresses. This is a prime example of why having a secure password is essential.
statecowboy (Author) Posted February 6, 2018
3 hours ago, lovaan said:
Is your server maybe in the DMZ on your network? I put mine on the DMZ last week because I wanted to test something that wasn't covered by my firewall/NAT. In the 3-4 hours it was there I received multiple login attempts from no less than 6 different IP addresses. This is a prime example of why having a secure password is essential.
No it was not. That said, I have been messing about with ports in the last week getting stuff set up. I've since locked everything down to what's required (and removed 22). My bigger concern was that SSH'ing into my machine somehow exposed something to the outside world.
statecowboy (Author) Posted February 16, 2018
Hi guys - so I still get these warnings when I run Fix Common Problems. It seems to have all started when I opened my port to SSH into my machine. That port has since been closed. The only ports opened now are for Plex and for my web server (80 and 443). My web server has fail2ban integrated in case someone tries to go that route. Is there anything else I need to do or can do to stop these? It's more of a nuisance now than anything. Or is this just part of having a server open to the internet (even though it's just Plex and web hosts that are opened)? Thanks
Squid Posted February 16, 2018
2 minutes ago, statecowboy said:
Hi guys - so I still get these warnings when I run Fix Common Problems.
If you didn't either Acknowledge the error or Reboot your server (ideal to clear out the syslog), every time FCP does a rescan it will find the same issue and retrigger. I don't suggest, however, ever hitting Ignore on this one.
statecowboy (Author) Posted February 16, 2018 (edited)
2 minutes ago, Squid said:
If you didn't either Acknowledge the error or Reboot your server (ideal to clear out the syslog), every time FCP does a rescan it will find the same issue and retrigger. I don't suggest, however, ever hitting Ignore on this one.
Thanks Squid. I should have been more clear. When I first got these warnings I did restart the machine and they went away. However, these bots seem to keep coming back. I'm wondering if there's something else I need to be doing to prevent them from trying to get in. They all appear to be SSH or SSH2 connection attempts.
Edit - the other port I have forwarded is for OpenVPN as well (1194). So 80, 443, 32400, and 1194 are forwarded.
Edited February 16, 2018 by statecowboy
statecowboy (Author) Posted February 16, 2018
Sorry for the additional reply, but I am stumped on this. How can these bots possibly be hitting my machine on the ports it says they're trying when those aren't even open? For what it's worth, I've stopped each docker one by one while watching my logs to see if these attempts stop and they do not.
Feb 16 11:23:01 someflix-unraid sshd[98067]: error: maximum authentication attempts exceeded for root from 42.7.26.49 port 47619 ssh2 [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98067]: Disconnecting authenticating user root 42.7.26.49 port 47619: Too many authentication failures [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:03 someflix-unraid sshd[98063]: Failed password for root from 61.177.172.188 port 33667 ssh2
Feb 16 11:23:04 someflix-unraid sshd[98063]: Received disconnect from 61.177.172.188 port 33667:11: [preauth]
Feb 16 11:23:04 someflix-unraid sshd[98063]: Disconnected from authenticating user root 61.177.172.188 port 33667 [preauth]
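As an added example (not from this thread, Unraid or the FCP plugin), here is a small Python tally of sshd lines in the format shown above: it counts failed guesses per source address the way a fail2ban jail would, treats a "maximum authentication attempts exceeded" event as an offender outright, and lists any successful login that did not come from a known-good address such as the poster's work IP. The sample log, hostname, ports and addresses are constructed (RFC 5737 test ranges).

```python
import re
from collections import Counter

# Constructed sample lines (not the thread's log) in the same sshd/syslog format;
# hostname and ports are made up and the addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Feb 16 11:23:01 someflix-unraid sshd[98067]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 47619 ssh2 [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98067]: Disconnecting authenticating user root 203.0.113.7 port 47619: Too many authentication failures [preauth]
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 198.51.100.9 port 33667 ssh2
Feb 16 11:23:01 someflix-unraid sshd[98063]: Failed password for root from 198.51.100.9 port 33667 ssh2
Feb 16 11:23:03 someflix-unraid sshd[98063]: Failed password for root from 198.51.100.9 port 33667 ssh2
Feb 16 11:23:04 someflix-unraid sshd[98063]: Received disconnect from 198.51.100.9 port 33667:11: [preauth]
Feb 16 11:25:10 someflix-unraid sshd[98100]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
Feb 16 11:30:00 someflix-unraid sshd[98120]: Accepted publickey for root from 192.0.2.50 port 51000 ssh2
"""

# One failed password guess (OpenSSH writes "invalid user" for unknown accounts).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# sshd dropped the connection after MaxAuthTries: an offender regardless of count.
MAXED = re.compile(r"sshd\[\d+\]: error: maximum authentication attempts exceeded for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
# A successful login; one from an address you do not recognise deserves a look.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def summarize_sshd(log_text, maxretry=3, allowlist=frozenset()):
    """Tally sshd auth events per source IP, the way a fail2ban jail would.
    maxretry: failures from one IP before it counts as an offender;
    allowlist: known-good addresses (e.g. a work IP) never reported."""
    failures = Counter()
    maxed = set()
    accepted = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m["ip"]] += 1
        elif m := MAXED.search(line):
            maxed.add(m["ip"])
        elif m := ACCEPTED.search(line):
            accepted.append((m["ip"], m["user"], m["method"]))
    offenders = {ip for ip, n in failures.items() if n >= maxretry} | maxed
    return {
        "failures": dict(failures),
        "offenders": sorted(offenders - allowlist),
        "unexpected_logins": [a for a in accepted if a[0] not in allowlist],
    }


if __name__ == "__main__":
    for key, value in summarize_sshd(SAMPLE_LOG, allowlist={"192.0.2.50"}).items():
        print(f"{key}: {value}")
```

Point it at /var/log/syslog (or the syslog.txt attached to the first post) and every address in "offenders" is one the router should never have let reach port 22 in the first place.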
Frank1940 Posted February 16, 2018
You might be interested in this: https://www.abuseipdb.com/check/42.7.26.49?page=2 I would almost suspect that your router might have been compromised in some manner to allow the IP address through its firewall. I found this info with a google of "Who is 42.7.26.49". You can do the same for the other IP address(es) that is(are) in the syslog.
tdallen Posted February 16, 2018
I agree with @Frank1940 that you should look more closely at your router. Can you turn on firewall logging?
JonathanM Posted February 16, 2018
Also make sure you didn't forget to take the server IP out of the DMZ. Perhaps change your unraid box to a different local IP and see if the attacks follow.
statecowboy (Author) Posted February 16, 2018
1 hour ago, tdallen said:
I agree with @Frank1940 that you should look more closely at your router. Can you turn on firewall logging?
My router is just the Google Fiber network box. I am confident there are no DMZ assigned ports. I may give a different static IP a try, but damn that's gonna suck re-configuring everything.
statecowboy (Author) Posted February 16, 2018
I think I may have found the problem. When I closed 22 after SSH'ing into the machine a couple of weeks ago, I don't think that change got implemented. I used pentest tools to scan my server and it found 22 open. I restarted my network box (Google Fiber - which is also my router) and tried again and 22 was shown as closed. That's frustrating. Guess I'll just have to remember to restart my network box if I mess with ports going forward.
Frank1940 Posted February 16, 2018
Me, I would be tempted to get a good router and use that fiber optic box strictly as a modem. I would bet you don't even have a good manual for it. By the way, there is another good tool to use to scan your IP address from the Internet side of things. https://www.grc.com/x/ne.dll?bh0bkyd2 This is the 'Shields Up' scanner and is run by Gibson Research and has been around since the days of dial-up modems. Be sure to do an all ports scan and look at any ports that you find in the syslog between port 1024.
statecowboy (Author) Posted February 16, 2018
5 minutes ago, Frank1940 said:
Me, I would be tempted to get a good router and use that fiber optic box strictly as a modem. I would bet you don't even have a good manual for it. By the way, there is another good tool to use to scan your IP address from the Internet side of things. https://www.grc.com/x/ne.dll?bh0bkyd2 This is the 'Shields Up' scanner and is run by Gibson Research and has been around since the days of dial-up modems. Be sure to do an all ports scan and look at any ports that you find in the syslog between port 1024.
Thanks for the tip. I've got a UniFi AP and switch. I may just get myself a UniFi gateway and replace the fiber network box. That's very disappointing that it was doing that and I have no way of knowing.
ljm42 Posted February 16, 2018
Kudos to @Squid and FCP for highlighting the problem!
tdallen Posted February 17, 2018
23 hours ago, statecowboy said:
I may just get myself a UniFi gateway and replace the fiber network box.
If Google is similar to cable, you keep the current box but have it placed into bridge mode. You then insert your own router downstream from that box, and go from there. BTW, I am happy with my recently acquired USG.