RossEm, posted December 19, 2019 (edited)

Hello everyone! I got blocked by my ISP and came to a conclusion it was the Unraid server. When we turned the machine off we didn't get a message. As soon as we turned it back on the message started coming back. Any ideas?

VMs: N/A
Dockers: Nextcloud, MariaDB, LetsEncrypt
Plugins: SSH

Sorry if my English is bad. It isn't my first language 🙂
trurl, posted December 19, 2019

Do you mean this is some sort of automated process that immediately sends you a message and blocks you when you run Unraid? Are you putting your server directly on the internet? (DON'T DO THAT!)
RossEm, posted December 19, 2019

What message? Sadly I don't have a screenshot. It was a message that there were spam mails coming out of my IP. Contacted the abuse team. It was a virus, they said.
What ISP? KPN
What country? The Netherlands
What details? Just said in "What message"
What diagnostics? Don't have any within the system
RossEm, posted December 19, 2019

> 1 minute ago, trurl said:
> Do you mean this is some sort of automated process that immediately sends you a message and blocks you when you run Unraid? Are you putting your server directly on the internet? (DON'T DO THAT!)

The support team sends a message when they get a notification on their systems. And what do you mean, are you putting your system on the internet? I do run Nextcloud?
trurl, posted December 19, 2019

> 2 minutes ago, RossEm said:
> What Diagnostics? Don't have any within the system

He gave you a link that explained how to get the diagnostics. Here, I will tell you directly how. Go to Tools - Diagnostics and attach the complete diagnostics zip file to your NEXT post.
RossEm, posted December 19, 2019 (edited)

> 1 minute ago, trurl said:
> He gave you a link that explained how to get the diagnostics. Here, I will tell you directly how. Go to Tools - Diagnostics and attach the complete diagnostics zip file to your NEXT post.

Is it possible that I can connect to the Unraid server without it on the internet? Don't want to lose my internet again 😕
trurl, posted December 19, 2019

If you have a keyboard and monitor you can also work from the command line to get the diagnostics, as explained in that link already given.
trurl, posted December 19, 2019

> 2 minutes ago, RossEm said:
> Is it possible that I can connect to the Unraid server without it on the internet? Don't want to lose it 😕

Is this a trial license? Do you know the difference between your network and the internet?
RossEm, posted December 19, 2019

No, this is a paid version, and yes, my network is local and internet worldwide.
RossEm, posted December 19, 2019

Sorry it took so long, had to eat.

Attachment: famvmil-diagnostics-20191219-1751.zip
Squid, posted December 19, 2019

Start the array and post a new set of diagnostics.
RossEm, posted December 19, 2019

I think a hard drive isn't plugged in. GUI mode isn't working either.
Squid, posted December 19, 2019

> 30 minutes ago, RossEm said:
> and what do you mean are you putting your system on the internet

He means that you've put your server into your router's DMZ or forwarded SSH ports to it for access from anywhere in the world. The *implication* by having the SSH plugin installed is that you've done this.

Whether or not an OS is hardened against attacks or not, you really shouldn't do the above unless you know exactly what you're doing.

On the other hand, port forwarding for NextCloud is ok.
RossEm, posted December 19, 2019 (edited)

> 3 minutes ago, Squid said:
> He means that you've put your server into your router's DMZ or forwarded SSH ports to it for access from anywhere in the world. The *implication* by having the SSH plugin installed is that you've done this. Whether or not an OS is hardened against attacks or not, you really shouldn't do the above unless you know exactly what you're doing. On the other hand, port forwarding for NextCloud is ok.

I have port-forwarded my UnRaid (port 22, port 180/80, port 1443/443) purely so I could access all my files over the internet. Now I run Nextcloud and the idea is kinda unnecessary. And what's a DMZ?
trurl, posted December 19, 2019

> Just now, RossEm said:
> I have port-forwarded my UnRaid, purely so I could access all my files over the internet. Now I run Nextcloud and the idea is kinda unnecessary. And what's a DMZ?

So you have put your server on the internet. No wonder your ISP is blocking you and it's a good thing.

If we could have gotten system logs from you from while that was going on no doubt we would have seen IP addresses from all over the world trying to hack into your server. The world is full of bots that constantly look for things to hack into and try relentlessly to do so, completely without human intervention.
RossEm, posted December 19, 2019

I do have a timestamp of when a message came. Is there a log save thingy?
Squid, posted December 19, 2019

Yeah well the minute you open up port 22, every single script kiddie is going to be attempting to hack you (all automated scans of every IP in the world). You'll probably notice in your syslog thousands of attempted hacks.

Get rid of that forwarding. You really shouldn't forward to 80 / 443 unless you're using a VPN server.
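Added example, not part of any post in this thread: one way to check a saved syslog for the login attempts Squid describes, counting failed sshd password attempts per source address and listing logins that succeeded from outside private address ranges. The log lines, the hostname "Tower" and all addresses are constructed sample values; the script assumes standard OpenSSH sshd messages and takes the path to a real syslog as its first argument.

```bash
#!/bin/sh
# Constructed sample input (hostname and IPs are illustrative, not from the thread).
sample_log() {
cat <<'EOF'
Dec 19 17:40:01 Tower sshd[12345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 19 17:40:03 Tower sshd[12346]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Dec 19 17:40:05 Tower sshd[12347]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 19 17:40:09 Tower sshd[12348]: Failed password for root from 203.0.113.7 port 51251 ssh2
Dec 19 17:41:10 Tower sshd[12400]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Dec 19 17:45:00 Tower sshd[12500]: Accepted password for root from 192.168.1.20 port 50000 ssh2
EOF
}

# Failed password attempts per source IP, busiest first: "<count> <ip>".
ssh_failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         ip = ""
         for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
         if (ip != "") n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Successful logins whose source is not a private or loopback address: "<ip> <user>".
ssh_accepted_external() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         ip = ""; user = ""
         for (i = 2; i < NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
         if (ip != "" && ip !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
           print ip, user
       }' "$1"
}

# Use the file given as $1, or fall back to the constructed sample.
log=${1:-}
if [ -z "$log" ]; then log=$(mktemp); sample_log > "$log"; fi
echo "Failed sshd logins by source:"
ssh_failed_by_ip "$log"
echo "Successful sshd logins from outside the LAN:"
ssh_accepted_external "$log"
```

Any line in the second list that follows a run of failures from the same address means the password was guessed, and the server should be treated as compromised rather than merely scanned.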
soja, posted December 19, 2019 (edited)

> 3 minutes ago, RossEm said:
> I do have a timestamp of when a message came. Is there a log save thingy?

If your ISP has logs of your IP address sending email spam it is likely your system/a VM/a Docker container was compromised and someone installed software on it. From the things you have posted so far I see nothing out of the ordinary but I can't say for sure without a set of diagnostics while the problem is happening.

EDIT: Unless you forwarded 25 as well and have a no-authentication SMTP server on the internet.
RossEm, posted December 19, 2019 (edited)

I'll send a link to this post to the abuse team. And see what they say I should do. And what's wrong with opening port 443 and 80? And should I reinstall UnRaid?
trurl, posted December 19, 2019

> 2 minutes ago, RossEm said:
> see what they say I should do.

You should

> 6 minutes ago, Squid said:
> Get rid of that forwarding.
RossEm, posted December 19, 2019

Should I reinstall UnRaid?
soja, posted December 19, 2019 (edited)

> 5 minutes ago, RossEm said:
> I'll send a link to this post to the abuse team. And see what they say I should do. And what's wrong with opening port 443 and 80? And should I reinstall UnRaid?

Try booting Unraid with all of your Docker containers turned off. Connect it to the internet and see if you get flagged again. If their abuse team can provide more information it would be helpful. Information like:

- Source port (25 for plain old SMTP)
- Abuse type (email spam, brute force, are they just flagging you for having 22 open to the internet?)

If you don't get flagged with your containers turned off, turn them on one by one and see which one causes the issue.
RossEm, posted December 19, 2019

Those Docker containers are quite necessary for me.
soja, posted December 19, 2019

> Just now, RossEm said:
> Those Docker containers are quite necessary for me.

This would just be temporary for troubleshooting purposes.
trurl, posted December 19, 2019

Just close the ports and see if the problem goes away.