izarkhin, Posted February 12, 2020: Hi guys! I really hope someone can help me here. I received an email from my Internet provider stating that they detected malware traffic coming from my WAN IP. It prompted me to check my router logs, and I see a lot of traffic going from my unRAID IP address to all kinds of weird sites. Unfortunately, my Advanced Tomato router only gives me the timestamp, originating IP and domain accessed. What can I do to identify the source of the problem? Are there any tools for selective traffic monitoring that provide more info? Thanks!
izarkhin (Author), Posted February 12, 2020 (edited): Thanks for looking into this. I updated to 6.8.2 (was 6.8.0 before) and attached the diagnostics. Oh, and one more thing: the provider said that the suspicious traffic originated from port 55612. Attachment: tower-diagnostics-20200212-0825.zip
ijuarez, Posted February 12, 2020: Yep, attempts from China. Pull the Ethernet cable off and do some security measures.
izarkhin (Author), Posted February 12, 2020, replying to ijuarez ("Yep, attempts from China. Pull the Ethernet cable off and do some security measures."): It's not really helpful. What security measures?
ijuarez, Posted February 12, 2020, replying to izarkhin ("It's not really helpful. What security measures?"): Like @BRiT stated: stop any port forwards and any NATs, power it off, give it a new IP, and do not access it from the public internet. Set up a VPN if you want to access it.
izarkhin (Author), Posted February 12, 2020 (edited), replying to Squid ("Or use wireguard"): Thanks! I read up on it some. Do I understand it correctly that the idea is that you set up wireguard, then forward its port and use it as the tunnel to access nginx/letsencrypt, so you can keep accessing your dockers via reverse proxy? What is the advantage compared to setting up a regular VPN on my router? Sorry, I'm new to this. There are quite a few guides on setting up wireguard, but nobody tells you how to use it afterwards.
limetech, Posted February 13, 2020, replying to ijuarez ("Yep, attempts from China. Pull the Ethernet cable off and do some security measures."): There is an ssh login attempt from an IP geo-located in China. But either your win10 VM has malware or maybe a Docker container has some kind of malware. Please provide a list of all your containers.
Morphed, Posted February 13, 2020 (edited): I'd say that there is no real advantage to wireguard over setting up a VPN on your router, though I haven't looked into wireguard much myself. Go with what you are comfortable with, but I imagine if you need help you would get more community support here for Wireguard than for your router's VPN. A VPN (in the context we are talking about) is a way to give you/others a secure, encrypted connection into your own network from outside without having to open multiple ports to the outside world. The end result would be that you have access to all/most features of your home network securely from anywhere in the world. Edit: I would also focus on clearing up whatever is causing the malicious traffic before looking at setting up a VPN.
izarkhin (Author), Posted February 14, 2020, replying to limetech ("There is an ssh login attempt from an IP geo-located in China. But either your win10 VM has malware or maybe a Docker container has some kind of malware. Please provide a list of all your containers."): I haven't booted my Win VM in at least 2 years, so I don't think that's it. Here is my list of dockers: binhex-delugevpn, binhex-sabnzbdvpn, cadvisor, calibre-web, DokuWiki, duckdns, Grafana, HandBrake, hydra, Influxdb, Krusader, letsencrypt, MakeMKV-RDP, mariadb, medusa, organizr, organizrv2, phpmyadmin, plex, telegraf, radarr.
izarkhin (Author), Posted February 15, 2020: OK, I stopped all dockers, disabled port forwarding, removed the Win10 VM and changed the IP address. SSH attempts seem to have stopped. However, I would like to eventually be able to access at least some dockers via reverse proxy. My understanding is that, unless I forward the SSH port or a docker contains malware, it should be relatively safe with letsencrypt/nginx, right? Now that the Win10 VM is out of the picture, how do I proceed with figuring out which docker contains malware?
Squid, Posted February 15, 2020, replying to izarkhin ("it should be relatively safe with letsencrypt/nginx, right?"): Even easier with the wireguard plugin.
izarkhin (Author), Posted February 15, 2020, replying to Squid ("Even easier with the wireguard plugin."): Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my workplace doesn't allow VPN, my friends & family use my Plex server, etc.
dockerPolice, Posted February 15, 2020, replying to izarkhin ("how do I proceed with figuring out which docker contains malware?"): Stop one at a time and see when the traffic to "weird sites" stops.
izarkhin (Author), Posted February 15, 2020, replying to dockerPolice ("Stop one at a time and see when the traffic to "weird sites" stops."): I tried that. Nothing seemed to help; SSH requests kept coming even after I stopped all dockers, until I changed the IP and rebooted.
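Added example (not from any poster in this thread): a POSIX shell script that applies the stop-one-at-a-time method from the exchange above to a router log in the layout the original post describes (timestamp, originating IP, domain). Because containers in bridge mode all share the unRAID host IP, the router log cannot name a container; the only usable signal is which stop makes a domain go quiet, so the script records stop times and reports, per domain, the stop after which it was no longer contacted. The log lines, the stop timeline and the field layout are constructed assumptions.

```shell
#!/bin/sh
# Added example: correlate a router log (timestamp, source IP, domain) with
# the times containers were stopped one by one. Sample data is constructed.
ROUTER_LOG=$(mktemp); STOP_LOG=$(mktemp)
trap 'rm -f "$ROUTER_LOG" "$STOP_LOG"' EXIT

# Constructed router log: date, time, originating IP, domain contacted
cat > "$ROUTER_LOG" <<'EOF'
2020-02-12 08:01:10 192.168.1.50 updates.example.com
2020-02-12 08:02:15 192.168.1.50 weird-site.example
2020-02-12 08:11:40 192.168.1.50 weird-site.example
2020-02-12 08:12:02 192.168.1.50 updates.example.com
2020-02-12 08:21:33 192.168.1.50 weird-site.example
2020-02-12 08:31:05 192.168.1.50 updates.example.com
2020-02-12 08:41:20 192.168.1.50 updates.example.com
EOF

# Constructed stop timeline: date, time, container stopped at that moment
cat > "$STOP_LOG" <<'EOF'
2020-02-12 08:10:00 radarr
2020-02-12 08:20:00 medusa
2020-02-12 08:30:00 hydra
EOF

# Name the container whose stop was followed by DOMAIN going quiet.
# "still-active": domain seen after the last stop (not explained by any stop);
# "never-seen": domain not in the log. Timestamps are "YYYY-MM-DD HH:MM:SS",
# so plain string comparison orders them correctly.
suspect_for() {
    last=$(awk -v d="$1" '$4 == d { t = $1 " " $2 } END { print t }' "$ROUTER_LOG")
    [ -n "$last" ] || { echo "never-seen"; return 0; }
    awk -v last="$last" '
        { ts = $1 " " $2 }
        ts > last && !found { print $3; found = 1 }
        END { if (!found) print "still-active" }' "$STOP_LOG"
}

# For each stop, list the distinct domains still contacted afterwards, i.e.
# the traffic that this particular stop did not explain.
remaining_after_each_stop() {
    while read -r day time name; do
        rest=$(awk -v cut="$day $time" '($1 " " $2) > cut { print $4 }' "$ROUTER_LOG" | sort -u | xargs)
        echo "$name: ${rest:-<none>}"
    done < "$STOP_LOG"
}

remaining_after_each_stop
echo "weird-site.example went quiet after stopping: $(suspect_for weird-site.example)"
```

With the constructed data, weird-site.example is last seen at 08:21:33 and the next stop is hydra at 08:30:00, so hydra is the container to inspect first; updates.example.com keeps going after every stop and is therefore host or baseline traffic, not container traffic.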
Squid, Posted February 15, 2020, replying to izarkhin ("Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my workplace doesn't allow VPN, my friends & family use my Plex server, etc."): Nothing says that you can't forward the ports required for plex to operate. In order for you to have had the login attempts on your server, you either forwarded the SSH ports or port 80/443 that unRaid uses, or placed your server within your router's DMZ, which opens up every port directly to the internet. If you need to access your server remotely (and by this, people mean the GUI or directly accessing via SSH), then you really need to use a VPN service of some kind, unless you are a network security expert (of which there are few and far between) and know exactly what you are doing.
izarkhin (Author), Posted February 15, 2020, replying to Squid ("Nothing says that you can't forward the ports required for plex to operate. In order for you to have had the login attempts on your server, you either forwarded the SSH ports or port 80/443 that unRaid uses, or placed your server within your router's DMZ, which opens up every port directly to the internet. If you need to access your server remotely (and by this, people mean the GUI or directly accessing via SSH), then you really need to use a VPN service of some kind, unless you are a network security expert (of which there are few and far between) and know exactly what you are doing."): Yes, I get that. Going forward I will not forward the SSH port and will only use SSH over VPN (which I already have set up on my router). I only mentioned Plex as an example. There are other dockers that I share, such as calibre, and I also run a WordPress site, so I will need to forward at least port 443. I guess my real question was: "Short of fully locking my server down behind VPN, what is the most secure way of allowing an extended audience to access content on my server?" I thought letsencrypt/nginx was secure enough. Is it not?
Squid, Posted February 15, 2020, replying to izarkhin ("I thought letsencrypt/nginx was secure enough. Is it not?"): Should be good.
BRiT, Posted February 15, 2020: Front all of your traffic via CloudFlare; never have anything pointed directly to your home server(s). Their free plan works well. https://www.cloudflare.com/plans/
izarkhin (Author), Posted February 16, 2020 (edited), replying to BRiT ("Front all of your traffic via CloudFlare; never have anything pointed directly to your home server(s). Their free plan works well. https://www.cloudflare.com/plans/"): Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?
ijuarez, Posted February 21, 2020, quoting izarkhin ("Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?"): While I love duck duck dns, I would do your own domain name. That being said, I believe that spaceinvader one has a YouTube video on an LE reverse proxy using Cloudflare.
izarkhin (Author), Posted February 23, 2020, replying to ijuarez ("I believe that spaceinvader one has a YouTube video on an LE reverse proxy using Cloudflare"): That's exactly why I asked about subdomains. I watched it, but he uses his own domain there.
Mihai, Posted June 20, 2020: If you had an SSH port opened to the internet, the post I made a few minutes ago will explain this. You can try it yourself: Note: The tunnel opened will be socks5, so you'll have to configure your browser as such to actually test it.