Unifi detects threats straight to local server IP


wwed26


Hello all,

 

Periodically I check the IDS feature in the Unifi controller (I own a USG). Normally I am dismissive of the threats as they pertain to my wife, who uses WeChat and will from time to time get threats to her phone, and I block the incoming IP, perhaps just because. More recently I have received nearly 20 threats directly to the local IP of my Unraid server, not from China but globally. The threat appears as "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 748". None of the docker containers share the ports of 'attack'. I have 5 VMs operating on a bridged connection. As another data point, I use PiVPN to access my files externally; it auto updates except for the period the Pi RAM usage was too high.

 

My primary concern is: am I compromised?

 

My questions are twofold while I seek external advice to harden my network more broadly. In the meantime:

 

1. What is the best way to perform diagnostics to see what occurred?

2. Is there a way to harden Unraid, generally speaking?

 

Kindest for those willing to assist,

 

John


As soon as you put a router online you will see hundreds of such access attempts to your network. Most users don't check the logs or have an IDS like Suricata or Snort active on their routers, and won't notice this. I think the USGs use Snort and track abnormal traffic trying to access your network. Traffic from the Tor network is really common, same as traffic from internet discovery/scanning services like Shodan. Not sure if the USG has some suppression rules in place where you can configure which types of access or traffic you wanna log.

 

Best practice for your self-hosted server is still to limit the attack surface. Don't open any port as long as you don't really need it. Don't use standard ports if you have to open them. Use a VPN to access your internal services. Keep your firewall/router up to date and have a routine to check the logs once a week or so.

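A check that follows the "limit the attack surface" advice above, added here as an example and not part of any post in the thread: it takes `ss -Hltun` output and reports listeners reachable from the LAN that are not on an allowlist of ports you expect to have open. The allowlist (SSH, Unraid web UI, SMB, WireGuard) and the sample socket table are constructed assumptions; adjust the allowlist to your own setup.

```shell
#!/bin/sh
# Added example (not from the thread): find listening sockets that are reachable
# from the LAN but are not on the allowlist of ports you expect to be open.
# Input format is `ss -Hltun`: Netid State Recv-Q Send-Q Local:Port Peer:Port

# Assumed allowlist: SSH, Unraid web UI (80/443), SMB, WireGuard.
EXPECTED_PORTS="22 80 443 445 51820"

# Usage: unexpected_listeners "ALLOWLIST" < ss_output
# Prints "proto port" once per non-loopback listener whose port is not allowed.
unexpected_listeners() {
    allow="$1"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            proto = $1; addr = $5
            # "0.0.0.0:8080" -> port 8080, "[::]:22" -> port 22
            p = addr; sub(/.*:/, "", p)
            # strip the trailing ":port" to get the bound address
            host = addr; sub(/:[^:]*$/, "", host)
            # loopback-only listeners are not reachable from the LAN; skip them
            if (host == "[::1]" || host ~ /^127\./) next
            if (!(p in ok)) print proto, p
        }' | sort -u
}

# Constructed sample of `ss -Hltun` output for demonstration; on a live host
# replace the printf with:  ss -Hltun | unexpected_listeners "$EXPECTED_PORTS"
SAMPLE='tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 4096  0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 4096  127.0.0.1:6379  0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:32400   0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:51820   0.0.0.0:*
tcp   LISTEN 0 128   [::]:8080       [::]:*'

printf '%s\n' "$SAMPLE" | unexpected_listeners "$EXPECTED_PORTS"
```

Anything it prints is a port that is listening on the LAN without being on your list, which is the starting point for deciding whether to close it, bind it to loopback, or put it behind the VPN.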

Looks like you have installed WireGuard. That is what I meant by a VPN. Have you been able to get it set up and working?

 

You have multiple disk problems, probably a controller or SAS cable issue.

 

Also

Jan 26 04:30:02 Geralt root: Fix Common Problems: Error: Same share (mkv) exists in a different case
Jan 26 04:30:02 Geralt root: Fix Common Problems: Error: Same share (MKV) exists in a different case
Jan 26 04:30:02 Geralt root: Fix Common Problems: Error: Same share (video) exists in a different case
Jan 26 04:30:02 Geralt root: Fix Common Problems: Error: Same share (Video) exists in a different case

Probably you have used different upper/lower case in your docker mappings and so accidentally created shares you didn't intend to have.


Yes, I have installed WireGuard but haven't toyed with it yet. I was not sure if there were pros/cons to having the VPN on a separate device or the same as the server. Plus I wanted to research the timeline of when WireGuard would be 'complete' with its audit. At this rate I am still using PiVPN and accessing externally via OpenVPN.

 

Re: disk problems, I would not be surprised. One of the two on-board controllers is the infamous Marvell controller that has issues with drives dropping in and out. Pair that with running 4 non-essential VMs on one SSD hooked to the very same

 

Lastly, re: share case: Yes, my laziness has been exposed.

 

Thanks trurl and bastl
