Unauthorized web traffic from unRAID IP


izarkhin


Hi guys!

 

I really hope someone can help me here. I received an email from my Internet provider stating that they detected malware traffic coming from my WAN IP. It prompted me to check my router logs and I see a lot of traffic going from my unRAID IP address to all kinds of weird sites. Unfortunately, my Advanced Tomato router only gives me timestamp, originating IP and domain accessed. What can I do to identify the source of the problem? Are there any tools for selective traffic monitoring that provide more info?

 

Thanks!

Link to comment
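A way to get more out of a router log that only records timestamp, source IP and domain, as an added example that is not from the original thread: this Python script parses constructed log lines in an assumed "date time src_ip domain" layout (adjust the regex to the real Advanced Tomato export), then for one LAN host counts hits per domain and per hour and flags parent domains reached through many different hostnames, which is the kind of triage that narrows down which process or container to examine next.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "date time src_ip domain" layout;
# a real Advanced Tomato export may differ, so adjust LINE_RE to match it.
SAMPLE_LOG = """\
2020-02-11 03:14:07 192.168.1.50 plex.tv
2020-02-11 03:14:09 192.168.1.50 update.example-cdn.test
2020-02-11 03:14:10 192.168.1.50 a1b2c3.dyn-host.test
2020-02-11 03:14:10 192.168.1.50 a1b2c3.dyn-host.test
2020-02-11 03:15:42 192.168.1.50 xyz987.dyn-host.test
2020-02-11 03:16:03 192.168.1.50 qrs456.dyn-host.test
2020-02-11 09:02:11 192.168.1.23 www.example.test
2020-02-11 09:02:12 192.168.1.50 plex.tv
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def parse(log_text):
    """Yield (datetime, src_ip, domain) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def parent_of(domain):
    """Last two labels, e.g. a1b2c3.dyn-host.test -> dyn-host.test."""
    return ".".join(domain.rsplit(".", 2)[-2:])

def summarise(log_text, host_ip):
    """Per-host triage counters: hits per domain and per hour."""
    domains, hours = Counter(), Counter()
    for ts, src, dom in parse(log_text):
        if src == host_ip:
            domains[dom] += 1
            hours[ts.strftime("%Y-%m-%d %H")] += 1
    return {"domains": domains, "hours": hours}

def suspicious_parents(summary, min_hostnames=3):
    """Parent domains reached through many distinct hostnames deserve a closer look."""
    subs = defaultdict(set)
    for dom in summary["domains"]:
        subs[parent_of(dom)].add(dom)
    return sorted(p for p, s in subs.items() if len(s) >= min_hostnames)

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG, "192.168.1.50")
    print(len(s["domains"]), "distinct domains; busiest hour:", s["hours"].most_common(1))
    print("parents with many hostnames:", suspicious_parents(s))
```

Feed it the full export for the unRAID IP and compare the busiest hours against when each container or VM was running; a burst of fresh hostnames under one parent domain at an hour when nothing legitimate is scheduled is the first thing to chase.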
1 hour ago, Squid said:

Or use wireguard

Thanks! I read up on it some. Do I understand it correctly that the idea is that you set up wireguard, then forward its port and use it as the tunnel to access nginx/letsencrypt, so you can keep accessing your dockers via reverse proxy? What is the advantage compared to setting up regular VPN on my router? Sorry, I'm new to this. There are quite a few guides on setting up wireguard but nobody tells you how to use it afterwards.

Edited by izarkhin
Link to comment
On 2/12/2020 at 9:09 AM, ijuarez said:

yep attempts from China, pull the Ethernet cable off and do some security measures.

There is a ssh login attempt from an IP geo-located in China.  But either your win10 VM has malware or maybe a Docker container has some kind of malware.  Please provide a list of all your containers.

Link to comment

I'd say that there is no real advantage to wireguard over setting up a VPN on your router, though I haven't looked into wireguard much myself. Go with what you are comfortable with, but I imagine if you need help you would get more community support here for Wireguard than your router's VPN.

VPN (in the context we are talking about) is a way to give you/others a secure, encrypted connection into your own network from outside without having to open multiple ports to the outside world. The end result would be that you have access to all/most features of your home network securely from anywhere in the world.

 

Edit: I would also focus on clearing up whatever is causing the malicious traffic before looking at setting up a VPN.

Edited by Morphed
Link to comment
10 hours ago, limetech said:

There is a ssh login attempt from an IP geo-located in China.  But either your win10 VM has malware or maybe a Docker container has some kind of malware.  Please provide a list of all your containers.

I haven't booted my Win VM in at least 2 years, so I don't think that's it. Here is my list of dockers:

binhex-delugevpn
binhex-sabnzbdvpn
cadvisor
calibre-web
DokuWiki
duckdns
Grafana
HandBrake
hydra
Influxdb
Krusader
letsencrypt
MakeMKV-RDP
mariadb
medusa
organizr
organizrv2
phpmyadmin
plex
telegraf
radarr

Link to comment

OK, I stopped all dockers, disabled port forwarding, removed Win10 VM and changed IP address. SSH attempts seem to have stopped. However, I would like to eventually be able to access at least some dockers via reverse proxy. My understanding is that, unless I forward SSH port or a docker contains malware, it should be relatively safe with letsencrypt/nginx, right? Now that Win10 VM is out of the picture, how do I proceed with figuring out which docker contains malware?

Link to comment
2 minutes ago, izarkhin said:

Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my work place doesn't allow VPN, my friends & family use my Plex server, etc.

Nothing says that you can't forward the ports required for plex to operate. In order for you to have had the login attempts on your server, you either forwarded the SSH ports or port 80/443 that unRaid uses or placed your server within your router's DMZ, which opens up every port directly to the internet.

 

If you need to access your server remotely (and by this, people mean the GUI or directly accessing via SSH), then you really need to use a VPN service of some kind, unless you are a network security expert (of which there are few and far between) and know exactly what you are doing.

Link to comment
4 minutes ago, Squid said:

Nothing says that you can't forward the ports required for plex to operate. In order for you to have had the login attempts on your server, you either forwarded the SSH ports or port 80/443 that unRaid uses or placed your server within your router's DMZ, which opens up every port directly to the internet.

 

If you need to access your server remotely (and by this, people mean the GUI or directly accessing via SSH), then you really need to use a VPN service of some kind, unless you are a network security expert (of which there are few and far between) and know exactly what you are doing.

Yes, I get that. Going forward I will not forward SSH port and only use SSH over VPN (which I already have set up on my router). I only mentioned Plex as an example. There are other dockers that I share, such as calibre, and I also run a WordPress site, so I will need to forward at least port 443. I guess my real question was: "Short of fully locking my server down behind VPN, what is the most secure way for allowing extended audience to access content on my server?" I thought letsencrypt/nginx was secure enough. Is it not?

Link to comment
19 hours ago, BRiT said:

Front all of your traffic via CloudFlare, never have anything pointed directly to your home server(s). Their free plan works well. https://www.cloudflare.com/plans/

Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?

Edited by izarkhin
Link to comment
While I love duck duck dns, I would do your own domain name. That being said, I believe that spaceinvader one has YouTube on LE reverse proxy using Cloudflare.

Link to comment