izarkhin

Unauthorized web traffic from unRAID IP

23 posts in this topic


Hi guys!

 

I really hope someone can help me here. I received an email from my Internet provider stating that they detected malware traffic coming from my WAN IP. It prompted me to check my router logs and I see a lot of traffic going from my unRAID IP address to all kinds of weird sites. Unfortunately, my Advanced Tomato router only gives me timestamp, originating IP and domain accessed. What can I do to identify the source of the problem? Are there any tools for selective traffic monitoring that provide more info?

 

Thanks!


Thanks for looking into this. I updated to 6.8.2 (was 6.8.0 before) and attached the diagnostics. Oh, and one more thing: the provider said that suspicious traffic originated from port 55612.

tower-diagnostics-20200212-0825.zip

Edited by izarkhin

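The ISP's "port 55612" is a detail worth acting on, and the router is the only place it can be resolved: with NAT, the source port the outside world sees is the one the router rewrote the connection to, not a port on the unRAID box, so the router's connection-tracking table is what maps it back to a LAN host. The script below is an added example (not code from the thread or from unRAID/Tomato). It assumes a Linux-based router such as Advanced Tomato that exposes the table as /proc/net/nf_conntrack or the older /proc/net/ip_conntrack, and that the LAN uses RFC1918 addressing; the sample table is constructed. Conntrack entries disappear when a flow closes, so this only answers the question for live or very recent connections; for an incident reported days later you need the router's own logging.

```python
"""Trace an ISP-reported WAN source port back to the LAN host behind the NAT.

Added example, not code from the thread. The port an ISP reports (55612 in the
thread) is the router's NAT source port, not a port on the unRAID box; only the
router's connection-tracking table knows which LAN host:port it was rewritten from.
Assumes a Linux-based router (Advanced Tomato is one) exposing that table as
/proc/net/nf_conntrack or the older /proc/net/ip_conntrack. The sample table
below is constructed for illustration.
"""
import ipaddress
import re
import sys
from collections import defaultdict, namedtuple

KV_RE = re.compile(r"(\w+)=(\S+)")
# Adjust to your LAN; RFC1918 covers the usual home ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = namedtuple("Flow", "proto state direction lan_ip lan_port remote_ip remote_port wan_port")

# Constructed sample: mixes the nf_conntrack and ip_conntrack layouts, an outbound
# HTTPS flow NAT'd to port 55612, an inbound SSH attempt, a DNS query and an ICMP echo.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.77 sport=40212 dport=443 src=203.0.113.77 dst=198.51.100.9 sport=443 dport=55612 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.20 dst=203.0.113.10 sport=51000 dport=80 src=203.0.113.10 dst=198.51.100.9 sport=80 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 6 SYN_RECV src=203.0.113.200 dst=198.51.100.9 sport=33100 dport=22 src=192.168.1.50 dst=203.0.113.200 sport=22 dport=33100 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.50 dst=9.9.9.9 sport=44123 dport=53 src=9.9.9.9 dst=198.51.100.9 sport=53 dport=44123 mark=0 use=1
ipv4     2 icmp     1 29 src=192.168.1.20 dst=203.0.113.10 type=8 code=0 id=1 src=203.0.113.10 dst=198.51.100.9 type=0 code=0 id=1 mark=0 use=1
"""


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_entry(line):
    """Turn one conntrack line into a Flow; None for entries without port tuples.

    Each entry carries two tuples: the original direction and the reply direction.
    For an outbound flow the original tuple is LAN host -> remote and the reply
    tuple's dport is the NAT'd source port the outside world sees. For a
    port-forwarded inbound flow the original tuple is remote -> WAN address and
    the reply tuple's src is the LAN host the router DNAT'd it to.
    """
    tokens = line.split()
    first = next((i for i, t in enumerate(tokens) if t.startswith("src=")), None)
    if first is None:
        return None
    head = tokens[:first]
    proto = next((t for t in head if t in ("tcp", "udp")), head[0] if head else "?")
    state = head[-1] if head and head[-1].isupper() else ""  # udp has no state column
    orig, reply = {}, {}
    for key, value in KV_RE.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            (orig if key not in orig else reply)[key] = value  # first tuple, then reply
    if len(orig) < 4 or len(reply) < 4:
        return None  # icmp or truncated entry
    if is_lan(orig["src"]):
        return Flow(proto, state, "out", orig["src"], int(orig["sport"]),
                    orig["dst"], int(orig["dport"]), int(reply["dport"]))
    return Flow(proto, state, "in", reply["src"], int(reply["sport"]),
                orig["src"], int(orig["sport"]), int(orig["dport"]))


def parse_table(text):
    return [f for f in (parse_entry(l) for l in text.splitlines()) if f]


def attribute_wan_port(text, wan_port, proto=None):
    """Flows whose port on the router's WAN address equals wan_port."""
    return [f for f in parse_table(text)
            if f.wan_port == wan_port and (proto is None or f.proto == proto)]


def flows_by_lan_host(text):
    """LAN host -> list of (direction, remote_ip, remote_port): the 'weird sites' list."""
    by_host = defaultdict(list)
    for f in parse_table(text):
        by_host[f.lan_ip].append((f.direction, f.remote_ip, f.remote_port))
    return dict(by_host)


if __name__ == "__main__":
    # usage: python conntrack_trace.py /proc/net/nf_conntrack 55612
    path, port = sys.argv[1], int(sys.argv[2])
    with open(path) as fh:
        for f in attribute_wan_port(fh.read(), port):
            print(f"{f.proto} {f.direction} {f.lan_ip}:{f.lan_port} <-> "
                  f"{f.remote_ip}:{f.remote_port} (WAN port {f.wan_port}, {f.state})")
```

Run it on the router (or copy the table off the router into a file first) while the traffic is happening. The inbound case matters as much as the outbound one: a port-forwarded flow shows the remote address as the original source, and flows_by_lan_host lists both directions per LAN host so the SSH attempts and the outbound "weird site" traffic end up side by side.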

Yep, attempts from China. Pull the Ethernet cable and do some security measures.

18 minutes ago, ijuarez said:

Yep, attempts from China. Pull the Ethernet cable and do some security measures.

It's not really helpful. What security measures?

3 minutes ago, izarkhin said:

It's not really helpful. What security measures?

Like @BRiT stated: stop any port forwards and any NATs, power it off, give it a new IP, and do not access it from the public internet. Set up a VPN if you want to access it.

 

1 hour ago, Squid said:

Or use wireguard

Thanks! I read up on it some. Do I understand it correctly that the idea is that you set up WireGuard, then forward its port and use it as the tunnel to access nginx/letsencrypt, so you can keep accessing your dockers via reverse proxy? What is the advantage compared to setting up a regular VPN on my router? Sorry, I'm new to this. There are quite a few guides on setting up WireGuard, but nobody tells you how to use it afterwards.

Edited by izarkhin

On 2/12/2020 at 9:09 AM, ijuarez said:

Yep, attempts from China. Pull the Ethernet cable and do some security measures.

There is an SSH login attempt from an IP geo-located in China. But either your Win10 VM has malware or maybe a Docker container has some kind of malware. Please provide a list of all your containers.


I'd say that there is no real advantage to WireGuard over setting up a VPN on your router, though I haven't looked into WireGuard much myself. Go with what you are comfortable with, but I imagine if you need help you would get more community support here for WireGuard than for your router's VPN.

A VPN (in the context we are talking about) is a way to give you/others a secure, encrypted connection into your own network from outside without having to open multiple ports to the outside world. The end result would be that you have access to all/most features of your home network securely from anywhere in the world.

 

Edit: I would also focus on clearing up whatever is causing the malicious traffic before looking at setting up a VPN.

Edited by Morphed

10 hours ago, limetech said:

There is an SSH login attempt from an IP geo-located in China. But either your Win10 VM has malware or maybe a Docker container has some kind of malware. Please provide a list of all your containers.

I haven't booted my Win VM in at least 2 years, so I don't think that's it. Here is my list of dockers:

binhex-delugevpn
binhex-sabnzbdvpn
cadvisor
calibre-web
DokuWiki
duckdns
Grafana
HandBrake
hydra
Influxdb
Krusader
letsencrypt
MakeMKV-RDP
mariadb
medusa
organizr
organizrv2
phpmyadmin
plex
telegraf
radarr


OK, I stopped all dockers, disabled port forwarding, removed the Win10 VM and changed the IP address. SSH attempts seem to have stopped. However, I would like to eventually be able to access at least some dockers via reverse proxy. My understanding is that, unless I forward the SSH port or a docker contains malware, it should be relatively safe with letsencrypt/nginx, right? Now that the Win10 VM is out of the picture, how do I proceed with figuring out which docker contains malware?

4 minutes ago, izarkhin said:

it should be relatively safe with letsencrypt/nginx, right?

Even easier with the wireguard plugin.

2 minutes ago, Squid said:

Even easier with the wireguard plugin.

Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my work place doesn't allow VPN, my friends & family use my Plex server, etc.

6 minutes ago, izarkhin said:

how do I proceed with figuring out which docker contains malware?

Stop one at a time and see when the traffic to "weird sites" stops.

1 minute ago, dockerPolice said:

Stop one at a time and see when the traffic to "weird sites" stops.

I tried that. Nothing seemed to help, SSH requests kept coming even after I stopped all dockers, until I changed IP and rebooted.

2 minutes ago, izarkhin said:

Yeah, but that means whatever device is used for access should be configured for VPN, right? For example, my work place doesn't allow VPN, my friends & family use my Plex server, etc.

Nothing says that you can't forward the ports required for Plex to operate. In order for you to have had the login attempts on your server, you either forwarded the SSH port or port 80/443 that unRaid uses, or placed your server within your router's DMZ, which opens up every port directly to the internet.

 

If you need to access your server remotely (and by this, people mean the GUI or directly accessing via SSH), then you really need to use a VPN service of some kind, unless you are a network security expert (of which there are few and far between) and know exactly what you are doing.

4 minutes ago, Squid said:

Nothing says that you can't forward the ports required for Plex to operate. In order for you to have had the login attempts on your server, you either forwarded the SSH port or port 80/443 that unRaid uses, or placed your server within your router's DMZ, which opens up every port directly to the internet.

 

If you need to access your server remotely (and by this, people mean the GUI or directly accessing via SSH), then you really need to use a VPN service of some kind, unless you are a network security expert (of which there are few and far between) and know exactly what you are doing.

Yes, I get that. Going forward I will not forward the SSH port and will only use SSH over VPN (which I already have set up on my router). I only mentioned Plex as an example. There are other dockers that I share, such as calibre, and I also run a WordPress site, so I will need to forward at least port 443. I guess my real question was: "Short of fully locking my server down behind VPN, what is the most secure way of allowing an extended audience to access content on my server?" I thought letsencrypt/nginx was secure enough. Is it not?

1 hour ago, izarkhin said:

I thought letsencrypt/nginx was secure enough. Is it not?

Should be good

19 hours ago, BRiT said:

Front all of your traffic via CloudFlare, never have anything pointed directly to your home server(s). Their free plan works well. https://www.cloudflare.com/plans/

Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?

Edited by izarkhin

Thanks for the idea! Do you happen to know a good write-up for how to configure it to use with unRAID? Also, do I understand it correctly that CloudFlare doesn't work with duckdns subdomains (i.e. [mysubdomain].duckdns.org)?

While I love DuckDNS, I would do your own domain name. That being said, I believe that Spaceinvader One has a YouTube video on LE reverse proxy using Cloudflare.

On 2/21/2020 at 10:10 AM, ijuarez said:

I believe that spaceinvader one has YouTube on LE reverse proxy using Cloudflare

That's exactly why I asked about subdomains :) I watched it, but he uses his own domain there.


If you had an SSH port opened to the internet, the post I made a few minutes ago will explain this. You can try it yourself:

 

Note: The tunnel opened will be socks5, so you'll have to configure your browser as such to actually test it.

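Two points in the thread call for the same tool: dockerPolice's "stop one at a time and see when the traffic stops", and the last post's note that an exposed SSH port lets someone open a SOCKS5 tunnel through the server. An SSH client with dynamic forwarding (ssh -D) turns any box it can log into into a SOCKS proxy, and the resulting traffic to arbitrary sites is carried by the host's sshd process, not by any container; stopping containers will not make it go away, which matches what the OP observed. The script below is an added example (not code from the thread or from unRAID). It enters each running container's network namespace and lists its sockets, does the same for the host, and flags outbound sockets owned by sshd. It assumes the docker CLI, nsenter (util-linux) and ss (iproute2) are available and that it runs as root; the function names are this example's own and the sample ss output is constructed.

```python
"""Attribute outbound connections on a Docker host to the container or host process that owns them.

Added example, not code from the thread or the unRAID project. Instead of stopping
containers one at a time, it enters each running container's network namespace with
nsenter, lists its sockets with ss, and does the same for the host namespace. Host
sockets owned by sshd with a non-local peer are flagged: an SSH login that runs
dynamic forwarding (ssh -D) turns the server into a SOCKS proxy, and the resulting
traffic to arbitrary sites is carried by sshd, not by any container. Assumes the
docker CLI, nsenter (util-linux) and ss (iproute2) exist and the script runs as root;
the sample ss output is constructed.
"""
import json
import re
import subprocess

# Peers that are not "the internet": loopback and RFC1918. Extend for your LAN.
LOCAL_PEER_RE = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|\[::1\]$)")
# ss -p appends: users:(("name",pid=N,fd=M),...); the first entry is enough for attribution.
USERS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+),fd=\d+\)')

# Constructed sample of `ss -tnpH` output from the host namespace: an inbound SSH
# session, an outbound HTTPS socket held by the same sshd (a forwarded tunnel),
# a local MariaDB connection, and an outbound socket from an unexplained python process.
SAMPLE_SS = """\
ESTAB 0 0 192.168.1.50:22 203.0.113.200:33100 users:(("sshd",pid=4242,fd=5))
ESTAB 0 0 192.168.1.50:40212 203.0.113.77:443 users:(("sshd",pid=4242,fd=9))
ESTAB 0 0 192.168.1.50:45010 192.168.1.20:3306 users:(("php-fpm",pid=910,fd=12))
ESTAB 0 36 192.168.1.50:52311 198.51.100.5:8080 users:(("python3",pid=1337,fd=3))
TIME-WAIT 0 0 192.168.1.50:51111 203.0.113.10:80
"""


def parse_ss(text):
    """Parse `ss -tnpH` lines into (state, local, peer, process, pid) tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        m = USERS_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        conns.append((parts[0], parts[3], parts[4], proc, pid))
    return conns


def outbound_peers(conns, listening_ports=()):
    """Established sockets whose peer is outside the LAN, tagged in/out.

    A socket whose local port is one we serve on is an inbound client (an SSH
    brute-force from abroad looks like that); anything else is a call we made.
    """
    served = {str(p) for p in listening_ports}
    result = []
    for state, local, peer, proc, pid in conns:
        peer_ip, _, _ = peer.rpartition(":")
        _, _, local_port = local.rpartition(":")
        if state != "ESTAB" or LOCAL_PEER_RE.match(peer_ip):
            continue
        result.append({"process": proc, "pid": pid, "peer": peer,
                       "direction": "in" if local_port in served else "out"})
    return result


def flag_ssh_tunnels(outbound):
    """sshd owning an outbound socket means a logged-in SSH user is forwarding traffic."""
    return [c for c in outbound if c["process"] == "sshd" and c["direction"] == "out"]


def container_pids():
    """Container name -> init PID, from docker inspect (needs the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return {}
    raw = subprocess.run(["docker", "inspect"] + ids, capture_output=True, text=True, check=True).stdout
    return {c["Name"].lstrip("/"): c["State"]["Pid"] for c in json.loads(raw) if c["State"]["Pid"]}


def ss_in_namespace(pid=None):
    """`ss -tnpH` inside the network namespace of pid (host namespace when None).

    Containers that share another container's namespace (--net=container:..., the
    usual way the *vpn images are used) report that container's sockets, which is
    what you want; host-networked containers show up under "host" instead.
    """
    cmd = ["ss", "-tnpH"]
    if pid:
        cmd = ["nsenter", "-t", str(pid), "-n"] + cmd
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def survey(listening_ports=(22, 80, 443)):
    """One report: outbound peers per container and for the host, plus flagged sshd tunnels."""
    report = {name: outbound_peers(parse_ss(ss_in_namespace(pid)))
              for name, pid in container_pids().items()}
    report["host"] = outbound_peers(parse_ss(ss_in_namespace()), listening_ports)
    report["ssh_tunnels"] = flag_ssh_tunnels(report["host"])
    return report


if __name__ == "__main__":
    print(json.dumps(survey(), indent=2))
```

Run it a few times while the router log shows the traffic; a container whose namespace keeps showing established sockets to the "weird sites" is the one to pull, and anything under ssh_tunnels means the SSH exposure itself was the vector, in which case the fix is on the host (no forwarded SSH port, key-only authentication, and disabling forwarding in sshd_config) rather than in any container.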
