Blocked by ISP

[RossEm]

okay now im confused should i wait for a reply of the Abuse Team, Just run it or disable dockers

 

[soja]

Just now, RossEm said:

okay now im confused should i wait for a reply of the Abuse Team, Just run it or disable dockers

 

I apologize, there are two different troubleshooting suggestions here. Disabling your port forwarding for 22 is a good first step.

[RossEm]

okay i will run this after what the abuse team sends back to me.

Edited December 19, 2019 by RossEm

[trurl]

See this thread for the sort of thing we're talking about:

 

https://forums.unraid.net/topic/86061-unraid-dropping-wan-connections

 

That user thought they had found their problem before we had a chance to respond. So they were going to keep doing what they were doing. They never came back to find out what we had to say about what was happening and what they were doing wrong, so probably they are still getting hacked.

 

 

[RossEm]

Ight thank you. I did send an email to the abuse team. Removed port 22. That’s all. I will wait for further instructions for them. Did you find any of them connections in my diagnostics?

[bonienl]

6 minutes ago, RossEm said:

Did you find any of them connections in my diagnostics?

You should uninstall the ssh plugin. This installs putty on your server, but this isn't really needed, because you won't use the server to set up ssh connections to other systems.

[trurl]

34 minutes ago, RossEm said:

Did you find any of them connections in my diagnostics?

The diagnostics you gave us only include a few seconds after reboot, and without the array started. You have to setup Syslog Server if you want to keep syslogs from earlier.

 

https://forums.unraid.net/topic/46802-faq-for-unraid-v6/?do=findComment&comment=781601

 

[RossEm]

I’ve might got some useful info from when this happend (not the most recent time)

 

received: from mail.abusix.invalid (ip.............adsl-surfen.hetnet.nl[MYIP]) by example.me(Haraka/2.8.25) with ESMTPA id 1E07A68A-DE36-4357-AC9D-4A3B86C1CC95.72 envelope-from <[email protected]> (authenticated bits=0); Mon, 25 Nov 2019 08:37:56 +0100

[soja]

Yeah that looks like something on your network is sending out mail. The question is where from?

[RossEm]

It’s from the UnRaid I can tell you that much.

 

[soja]

1 minute ago, RossEm said:

It’s from the UnRaid I can tell you that much.

 

I saw you have the community-applications plugin installed. Did you install anything email related from that? A SMTP server perhaps?

[RossEm]

Just now, soja said:

I saw you have the community-applications plugin installed. Did you install anything email related from that? A SMTP server perhaps?

maybe I don’t remember well it could be as I wanted to install my own. 

[soja]

1 minute ago, RossEm said:

maybe I don’t remember well it could be as I wanted to install my own. 

Do you have a list of all ports currently forwarded to your unraid box? Does it have a public IP usually? Is port 25 among those forwarded?

[RossEm]

I mentioned in above messages. 
 

first: 22, 80/180, 443/1443

now: 80/180, 443/1443

 

and what do you mean with public ip 

[bonienl]

Is your Unraid system fully up and running now?

If yes, please post new diagnostics.

 

[RossEm]

No it isn’t I’m posting an update when it is  waiting for the abuse team to write me back 

Edited December 19, 2019 by RossEm

[soja]

22 minutes ago, RossEm said:

I mentioned in above messages. 
 

first: 22, 80/180, 443/1443

now: 80/180, 443/1443

 

and what do you mean with public ip 

Ok I just wanted to make sure we knew ALL forwarded ports, thank you and sorry for asking you to do it twice.

 

A public IP is an address that is not within these ranges: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

 

Typical private IP addresses look like:
10.1.10.55

172.16.1.55

192.168.1.55

Does unraid usually have an IP like one of these?

Edited December 19, 2019 by soja

[RossEm]

Only one question is still left for me. Should I reinstall all dockers or a fresh reinstall of UnRaid? 

Edited December 19, 2019 by RossEm

[RossEm]

10 minutes ago, soja said:

Ok I just wanted to make sure we knew ALL forwarded ports, thank you and sorry for asking you to do it twice.

 

A public IP is an address that is not within these ranges: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

 

Typical private IP addresses look like:
10.1.10.55

172.16.1.55

192.168.1.55

Does unraid usually have an IP like one of these?

Yes it’s 192.168.2.23

[soja]

5 minutes ago, RossEm said:

Yes it’s 192.168.2.23

Ok so that should eliminate the possibility of it being a smtp server open to the internet without any authentication. Points toward something on the server sending the mail. When do you think you'd be able to see if you have a smtp server installed, and if you do check out any logs from it?

[RossEm]

If I ever had it installed I removed it anyway

 

[trurl]

14 minutes ago, RossEm said:

Only one question is still left for me. Should I reinstall all dockers or a fresh reinstall of UnRaid? 

You should close all those ports, that is the main thing. The docker and Unraid installs are very unlikely to be a problem.

 

In any case, dockers are easily reinstalled using the Previous Apps feature on the Apps page.

 

As for Unraid, it installs itself into RAM fresh from the archives on flash each time it boots.

[RossEm]

Can in open port 443 that points to 1443 locally and 80 that points to 180 locally for the nextcloud?

 

[RossEm]

I got an email back from the abuse team they said close port 22 and turn the machine back on. Should I open in safe mode because the dockers are on autostart

[itimpi]

1 hour ago, RossEm said:

I got an email back from the abuse team they said close port 22 and turn the machine back on. Should I open in safe mode because the dockers are on autostart

The Safe Mode boot option only stops plugins from being installed (since they can de-stabilize the system )  It will not stop dockers from being started.