December 19, 20196 yr Author okay now im confused should i wait for a reply of the Abuse Team, Just run it or disable dockers
December 19, 20196 yr Just now, RossEm said: okay now im confused should i wait for a reply of the Abuse Team, Just run it or disable dockers I apologize, there are two different troubleshooting suggestions here. Disabling your port forwarding for 22 is a good first step.
December 19, 20196 yr Author okay i will run this after what the abuse team sends back to me. Edited December 19, 20196 yr by RossEm
December 19, 20196 yr Community Expert See this thread for the sort of thing we're talking about: https://forums.unraid.net/topic/86061-unraid-dropping-wan-connections That user thought they had found their problem before we had a chance to respond. So they were going to keep doing what they were doing. They never came back to find out what we had to say about what was happening and what they were doing wrong, so probably they are still getting hacked.
December 19, 20196 yr Author Ight thank you. I did send an email to the abuse team. Removed port 22. That’s all. I will wait for further instructions for them. Did you find any of them connections in my diagnostics?
December 19, 20196 yr 6 minutes ago, RossEm said: Did you find any of them connections in my diagnostics? You should uninstall the ssh plugin. This installs putty on your server, but this isn't really needed, because you won't use the server to set up ssh connections to other systems.
December 19, 20196 yr Community Expert 34 minutes ago, RossEm said: Did you find any of them connections in my diagnostics? The diagnostics you gave us only include a few seconds after reboot, and without the array started. You have to setup Syslog Server if you want to keep syslogs from earlier. https://forums.unraid.net/topic/46802-faq-for-unraid-v6/?do=findComment&comment=781601
December 19, 20196 yr Author I’ve might got some useful info from when this happend (not the most recent time) received: from mail.abusix.invalid (ip.............adsl-surfen.hetnet.nl[MYIP]) by example.me(Haraka/2.8.25) with ESMTPA id 1E07A68A-DE36-4357-AC9D-4A3B86C1CC95.72 envelope-from <[email protected]> (authenticated bits=0); Mon, 25 Nov 2019 08:37:56 +0100
December 19, 20196 yr Yeah that looks like something on your network is sending out mail. The question is where from?
December 19, 20196 yr 1 minute ago, RossEm said: It’s from the UnRaid I can tell you that much. I saw you have the community-applications plugin installed. Did you install anything email related from that? A SMTP server perhaps?
December 19, 20196 yr Author Just now, soja said: I saw you have the community-applications plugin installed. Did you install anything email related from that? A SMTP server perhaps? maybe I don’t remember well it could be as I wanted to install my own.
December 19, 20196 yr 1 minute ago, RossEm said: maybe I don’t remember well it could be as I wanted to install my own. Do you have a list of all ports currently forwarded to your unraid box? Does it have a public IP usually? Is port 25 among those forwarded?
December 19, 20196 yr Author I mentioned in above messages. first: 22, 80/180, 443/1443 now: 80/180, 443/1443 and what do you mean with public ip
December 19, 20196 yr Is your Unraid system fully up and running now? If yes, please post new diagnostics.
December 19, 20196 yr Author No it isn’t I’m posting an update when it is waiting for the abuse team to write me back Edited December 19, 20196 yr by RossEm
December 19, 20196 yr 22 minutes ago, RossEm said: I mentioned in above messages. first: 22, 80/180, 443/1443 now: 80/180, 443/1443 and what do you mean with public ip Ok I just wanted to make sure we knew ALL forwarded ports, thank you and sorry for asking you to do it twice. A public IP is an address that is not within these ranges: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses Typical private IP addresses look like: 10.1.10.55 172.16.1.55 192.168.1.55 Does unraid usually have an IP like one of these? Edited December 19, 20196 yr by soja
December 19, 20196 yr Author Only one question is still left for me. Should I reinstall all dockers or a fresh reinstall of UnRaid? Edited December 19, 20196 yr by RossEm
December 19, 20196 yr Author 10 minutes ago, soja said: Ok I just wanted to make sure we knew ALL forwarded ports, thank you and sorry for asking you to do it twice. A public IP is an address that is not within these ranges: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses Typical private IP addresses look like: 10.1.10.55 172.16.1.55 192.168.1.55 Does unraid usually have an IP like one of these? Yes it’s 192.168.2.23
December 19, 20196 yr 5 minutes ago, RossEm said: Yes it’s 192.168.2.23 Ok so that should eliminate the possibility of it being a smtp server open to the internet without any authentication. Points toward something on the server sending the mail. When do you think you'd be able to see if you have a smtp server installed, and if you do check out any logs from it?
December 19, 20196 yr Community Expert 14 minutes ago, RossEm said: Only one question is still left for me. Should I reinstall all dockers or a fresh reinstall of UnRaid? You should close all those ports, that is the main thing. The docker and Unraid installs are very unlikely to be a problem. In any case, dockers are easily reinstalled using the Previous Apps feature on the Apps page. As for Unraid, it installs itself into RAM fresh from the archives on flash each time it boots.
December 19, 20196 yr Author Can in open port 443 that points to 1443 locally and 80 that points to 180 locally for the nextcloud?
December 20, 20196 yr Author I got an email back from the abuse team they said close port 22 and turn the machine back on. Should I open in safe mode because the dockers are on autostart
December 20, 20196 yr Community Expert 1 hour ago, RossEm said: I got an email back from the abuse team they said close port 22 and turn the machine back on. Should I open in safe mode because the dockers are on autostart The Safe Mode boot option only stops plugins from being installed (since they can de-stabilize the system ) It will not stop dockers from being started.
Archived
This topic is now archived and is closed to further replies.