fatfree69
Posts: 6
Joined: Thu Aug 27, 2020 7:06 am

Password stops working next day - fresh install

Thu Aug 27, 2020 7:19 am

Setup:
- Fresh install of Raspberry Pi OS Buster Lite
- Enabled ssh with ssh file in boot
- Enabled wifi with wifi file in boot

What works:
- I can log in via ssh and console

What doesn't work:
- After 1 day, password gets denied from ssh or console
- I would redo the install, problem would repeat the next day


What would be locking the account/password automatically?

Aydan
Posts: 734
Joined: Fri Apr 13, 2012 11:48 am
Location: Germany, near Lake Constance

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 9:39 am

Welcome to the forum.

Did you change the default password?
Do you have the SSH port open to the internet?
If you are still using the default password and have ssh open to the internet then your raspberry has most likely been taken over by a botnet or a hacker.
You should change the password before connecting the pi to the network, or make sure ssh is only enabled after the password has been changed.

Regards
Aydan

fatfree69
Posts: 6
Joined: Thu Aug 27, 2020 7:06 am

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 2:03 pm

The pi itself is not connected to the internet, only internal home network. In case it does have internet access, all ssh/ftp/etc are blocked at the router by default and I double checked to make sure it is still that way.

Password has not been changed because no one has access to the pi, so I didn’t bother. I know it should be good practice but I’m the only person in the house. Shrug?

JovianPyx
Posts: 132
Joined: Fri Nov 20, 2015 9:34 pm

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 3:50 pm

This is a good one. Some questions:

Do you have an image of Buster lite locally stored? If so, is it current? If local, have you checked sha-sum? or re-download?

Any applications installed beyond the contents of Buster lite?

I'm guessing toward some weird clock related thing. Is the failure precisely 24 hours later? Locale setting perhaps...

In order to probe around, I'd have a second ssh connection with root as user. First to see if that stays connected when the other fails and maybe get some useful information from /var/log/messages or dmesg. Might also be able to re-enable the account.

I would also run the date command to check what time the pi thinks it is both before and after it fails. I may be wrong, but I think there's an ntp client that runs to keep the clock correct. With no internet connection, it can't access a public NTP server. There may be security involved with the clock and logins and not being able to correct the clock may be a problem. If you test with it connected to the internet and it starts working, the clock may be the problem.

fatfree69
Posts: 6
Joined: Thu Aug 27, 2020 7:06 am

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 4:02 pm

Okay guys, I'm an idiot. Apparently it seems I don't know much about my network very well. My Pi was indeed connected to the internet, but don't understand how the world is reaching my Pi.

I checked the /var/log/auth.log and noticed failed logins every second from various users. Basically, all these attempts seem to be non-malicious, and as if users were actually trying their own login to get to my Pi.

My router does not allow any port forwarding unless I specifically set it up for the specific IP on my network. My Pi has static IP and the port is not forwarded, which I understood as no one is able to reach my Pi from the internet. Also, if they were to access my Pi, they would have to do something like "ssh <user>@<my router IP> <my assigned port to forward>".

How could they even reach my Pi?

Snippet:

Aug 26 09:45:23 raspberrypi sshd[30678]: Invalid user fmaster from 164.132.196.98 port 59819
Aug 26 09:45:53 raspberrypi sshd[30743]: Invalid user anna from 114.215.145.108 port 37086
Aug 26 09:46:01 raspberrypi sshd[30761]: Invalid user ravi from 2.139.209.78 port 43977
Aug 26 09:46:22 raspberrypi sshd[30817]: Invalid user knu from 213.32.70.208 port 41452
Aug 26 09:46:35 raspberrypi sshd[30863]: Invalid user ftpuser from 112.196.9.88 port 39922
Aug 26 09:46:39 raspberrypi sshd[30891]: Invalid user ark from 111.229.130.46 port 42558
Aug 26 09:46:54 raspberrypi sshd[30942]: Invalid user avi from 54.38.53.251 port 48152
Aug 26 09:46:56 raspberrypi sshd[30948]: Invalid user dejan from 139.59.10.186 port 37226
Aug 26 09:47:13 raspberrypi sshd[30975]: Invalid user db2inst1 from 129.204.42.144 port 60730
Aug 26 09:47:25 raspberrypi sshd[31004]: Invalid user laurent from 114.215.145.108 port 51516
Aug 26 09:47:32 raspberrypi sshd[31048]: Invalid user sic from 159.65.154.48 port 47226
Aug 26 09:47:52 raspberrypi sshd[31091]: Invalid user chengyu from 167.172.117.26 port 41616
Aug 26 09:48:00 raspberrypi sshd[31098]: Invalid user postgres from 51.158.20.200 port 3176
Aug 26 09:48:21 raspberrypi sshd[31141]: Invalid user sammy from 164.132.196.98 port 46757
Aug 26 09:48:29 raspberrypi sshd[31166]: Invalid user alice from 201.184.68.58 port 47626
Aug 26 09:48:38 raspberrypi sshd[31178]: Invalid user adie from 64.40.230.49 port 21961
Aug 26 09:48:43 raspberrypi sshd[31196]: Invalid user lsa from 167.99.75.240 port 57884

trejan
Posts: 2928
Joined: Tue Jul 02, 2019 2:28 pm

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 4:42 pm

fatfree69 wrote:
Thu Aug 27, 2020 4:02 pm
"I checked the /var/log/auth.log and noticed failed logins every second from various users. Basically, all these attempts seem to be non-malicious, and as if users were actually trying their own login to get to my Pi."

This is definitely malicious. Those are automated scanners that are continually looking for vulnerable servers and will try lists of usernames/passwords. The default pi/raspberry combination will be in those lists. Once it finds a working server then it'll start running malicious scripts to attack other machines on the internet, look around the server and potentially attack other devices within your network.

fatfree69 wrote:
Thu Aug 27, 2020 4:02 pm
"How could they even reach my Pi?"

You definitely have port forwarding enabled and configured to forward to the SSH port. Raspberry Pi OS doesn't automatically open ports using UPnP.

jbudd
Posts: 1499
Joined: Mon Dec 16, 2013 10:23 am

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 5:21 pm

The failed login attempts in /var/log/auth.log indicate that your router has port forwarding enabled.
If you can't see any evidence of that in the router setup, perhaps the router itself has been hacked.

If you were using user pi and password raspberry, they have almost certainly gained access to the Pi and you should be concerned about all the devices on your network.

Reboot your router (to get a new public IP address) then do a factory reset, check for and apply any firmware updates.
Check online if the router model is vulnerable to any known attacks.

fatfree69
Posts: 6
Joined: Thu Aug 27, 2020 7:06 am

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 5:39 pm

I've checked port forwarding on my router, but the list is very short. Also, if I tried to ssh to my pi using any of the ports that are open (none are ssh), I can't even access it myself. So while I do agree something looks wrong, I can't figure it out.

Unfortunately, my router IP is pretty static (AT&T fiber), and almost everyone on this couldn't get new IPs no matter what they did unless they get a different AT&T router.

Thanks everyone for the responses. It will help me with my trouble-shooting with my network...

trejan
Posts: 2928
Joined: Tue Jul 02, 2019 2:28 pm

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 5:42 pm

Do you have any kind of VPN or P2P software installed that is opening a tunnel? What have you installed on the Pi? Something is definitely allowing people into your network.

epoch1970
Posts: 5710
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 5:46 pm

Also check other computers on the network, if any, and the router firmware itself.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

fatfree69
Posts: 6
Joined: Thu Aug 27, 2020 7:06 am

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 6:03 pm

Thank you all! I found the issue, definitely self error as you all have suspected. One of the port forwarding entries is one to my Raspberry Pi but had it named differently for another device a very long time ago. I reused the IP that belonged to that device.

It is scary that there are things that are hitting up my router's IP and to this specific port that I had chosen.

jbudd
Posts: 1499
Joined: Mon Dec 16, 2013 10:23 am

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 6:24 pm

"and to this specific port that I had chosen"

Once they find an open port on your IP address they will keep on hitting it.

Since most bots don't scan all possible ports you can make it less likely they will find you by choosing a high port number, maybe somewhere around 50000. But as noted above, once they see it you are on their list.

ps
"Password has not been changed because no one has access to the pi, so I didn’t bother. I know it should be good practice but I’m the only person in the house. Shrug?"

There's a good reason for the warning at login if you have ssh enabled and the default password.

trejan
Posts: 2928
Joined: Tue Jul 02, 2019 2:28 pm

Re: Password stops working next day - fresh install

Thu Aug 27, 2020 6:44 pm

fatfree69 wrote:
Thu Aug 27, 2020 6:03 pm
"It is scary that there are things that are hitting up my router's IP and to this specific port that I had chosen."

As mentioned already, the bots will try various ports to see if anything interesting is running on a non-standard port. It is very easy to identify it as SSH because the SSH server immediately prints a version banner when you connect.

SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2

cleverca22
Posts: 1829
Joined: Sat Aug 18, 2012 2:33 pm

Re: Password stops working next day - fresh install

Fri Aug 28, 2020 9:05 am

epoch1970 wrote:
Thu Aug 27, 2020 5:46 pm
"Also check other computers on the network, if any, and the router firmware itself."

Aug 26 09:48:21 raspberrypi sshd[31141]: Invalid user sammy from 164.132.196.98 port 46757
that IP came from outside the LAN, so it can't be a local computer, but the router could lie about the source
port forwarding is definitely set up
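
The check made in this thread (failed sshd logins whose source address lies outside the LAN mean the Pi is reachable from the internet) can be run over auth.log mechanically. The following is an added example, not code from any poster in the thread: it uses four lines copied from the snippet posted earlier plus one constructed LAN line (192.168.1.20 is an assumed home address), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges plus loopback: sources inside these are local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# sshd failure lines: "Invalid user X from IP port N" and
# "Failed password for [invalid user ]X from IP port N ssh2".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<u1>\S+)|"
    r"Failed password for (?:invalid user )?(?P<u2>\S+)) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def triage(lines):
    """Count failed-login sources, split into LAN and internet addresses."""
    external, local, users = Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a failed-login line (e.g. "Accepted password")
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        users.add(m.group("u1") or m.group("u2"))
        is_local = any(addr in net for net in LOCAL_NETS)
        (local if is_local else external)[str(addr)] += 1
    # Any external source means something forwards the SSH port from the WAN.
    return {"external": external, "local": local, "users": users,
            "exposed": bool(external)}

# Four lines from the thread's snippet; the last line is constructed.
SAMPLE = """\
Aug 26 09:45:23 raspberrypi sshd[30678]: Invalid user fmaster from 164.132.196.98 port 59819
Aug 26 09:45:53 raspberrypi sshd[30743]: Invalid user anna from 114.215.145.108 port 37086
Aug 26 09:47:25 raspberrypi sshd[31004]: Invalid user laurent from 114.215.145.108 port 51516
Aug 26 09:48:21 raspberrypi sshd[31141]: Invalid user sammy from 164.132.196.98 port 46757
Aug 26 09:50:02 raspberrypi sshd[31300]: Failed password for pi from 192.168.1.20 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("reachable from the internet:", result["exposed"])
    for ip, count in result["external"].most_common():
        print(f"  {ip}: {count} attempts")
    print("LAN sources:", dict(result["local"]))
    print("usernames tried:", sorted(result["users"]))
```

To run it against a real log, pass `open("/var/log/auth.log")` to `triage()` instead of `SAMPLE`.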
