ceratophyllum
Posts: 2
Joined: Mon Nov 19, 2012 1:26 pm
Location: the arsehole of florida,

My rPi is under attack

Mon Nov 19, 2012 1:41 pm

I'm using a r-Pi to monitor my fishtank. Right now I just have a DS18B20 temp. sensor set up and a cron job that probes once an hour. I'm trying to figure out the best way to access this machine away from home.

It is behind a router, so I signed up for a free account from no-ip.com to make my r-Pi visible to the outside world and set my router to forward port 22 from this machine.

Unfortunately, I see loads of stuff like this every day in the /var/log/auth.log:

Code:

Nov 18 21:55:01 raspberrypi sshd[3472]: Failed password for root from  61.132.237.9 port 35473 ssh2
Nov 18 21:55:01 raspberrypi sshd[3472]: Received disconnect from 61.132.237.9: 11: Bye Bye [preauth]
Nov 18 21:55:03 raspberrypi sshd[3476]: pam_unix(sshd:auth): authentication      failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.132.237.9  user=root
Nov 18 21:55:05 raspberrypi sshd[3476]: Failed password for root from 61.132.237.9 port 35896 ssh2

This stuff happens every day. Random ports and IP addresses from all over the place.... (e.g. whois reports that 61.132.237.9 is someplace in China!)

Is there anything I can do to make this computer less visible or more secure? I'm only running sshd because I want to tinker around in my spare time with the scripts that will probe the sensors when I'm at the office.

Maybe I should just forget about having a permanent domain name and get Dropbox to write all my fishtank data logs to ~/Dropbox?

I don't know a lot about network security, but I'm starting to get paranoid :D !

rpdom
Posts: 15020
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: My rPi is under attack

Mon Nov 19, 2012 2:10 pm

My Pi isn't visible from external addresses, but one of my Debian PCs is.

On that I run denyhosts, which updates the hosts.deny file when an IP address has x failed login attempts in a defined period.

I also use one time passwords for connecting from outside (otpw-bin and libpam-otpw) and generate a list of random single-use passwords for each user.

Some people use fail2ban instead of denyhosts.

If your office always shows up as the same IP, you could probably set your router rule to only forward port 22 from that address to your fishtank.
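The threshold logic rpdom describes (an address racks up x failed logins within a set period, then it goes into hosts.deny) is simple enough to show in full. The following is an added Python example written for this thread; it is not code from denyhosts or fail2ban. It runs over lines modelled on the auth.log excerpt in the first post, with one constructed addition: a legitimate user at 192.0.2.10 (a documentation-only address) who fat-fingers a password once and then logs in with a key. The year (syslog lines carry none), the 3-failures-in-600-seconds threshold and the function names are assumptions made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the first post's /var/log/auth.log excerpt.
# The 192.0.2.10 lines are invented (TEST-NET range) to stand in for a real user.
SAMPLE_LOG = """\
Nov 18 21:55:01 raspberrypi sshd[3472]: Failed password for root from  61.132.237.9 port 35473 ssh2
Nov 18 21:55:01 raspberrypi sshd[3472]: Received disconnect from 61.132.237.9: 11: Bye Bye [preauth]
Nov 18 21:55:03 raspberrypi sshd[3476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.132.237.9  user=root
Nov 18 21:55:05 raspberrypi sshd[3476]: Failed password for root from 61.132.237.9 port 35896 ssh2
Nov 18 21:55:09 raspberrypi sshd[3480]: Failed password for invalid user admin from 61.132.237.9 port 35901 ssh2
Nov 18 21:58:40 raspberrypi sshd[3490]: Failed password for pi from 192.0.2.10 port 50122 ssh2
Nov 18 21:58:52 raspberrypi sshd[3491]: Accepted publickey for pi from 192.0.2.10 port 50130 ssh2
"""

# Only the "Failed password" lines count; the pam_unix and disconnect lines for the
# same attempt are ignored so one guess is not counted twice. Extra spaces tolerated.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from +(?P<ip>\S+) port \d+"
)


def parse_ts(text, year=2012):
    """Syslog timestamps have no year; the caller supplies one (2012 assumed here)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S").replace(year=year)


def failed_logins(log_text):
    """Yield (timestamp, username, source ip) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield parse_ts(m["ts"]), m["user"], m["ip"]


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: time the threshold was reached} for addresses with at least
    maxretry failures inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-ip timestamps still inside the window
    banned = {}
    for ts, _user, ip in failed_logins(log_text):
        if ip in banned:
            continue                # already listed; later lines change nothing
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that have aged out
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def hosts_deny_lines(banned):
    """Render the offenders in TCP-wrappers /etc/hosts.deny syntax ("daemon: client")."""
    return ["sshd: %s" % ip for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, when in offenders.items():
        print("%s reached the threshold at %s" % (ip, when))
    print("\n".join(hosts_deny_lines(offenders)))
```

With the defaults only 61.132.237.9 is listed; the single typo from 192.0.2.10 stays under the threshold. Set maxretry=1 (the "one attempt and you're blocked" configuration mentioned later in this thread) and the legitimate user is listed too, which is exactly the self-lockout several posters report. Shrink findtime to a few seconds and even the scanner escapes, because its three guesses are spread over eight seconds; the two parameters have to be chosen together.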

ceratophyllum
Posts: 2
Joined: Mon Nov 19, 2012 1:26 pm
Location: the arsehole of florida,

Re: My rPi is under attack

Mon Nov 19, 2012 3:19 pm

Well, I decided to try fail2ban just because I found it first.

I'll probably set up one-time passwords as well.

I'm also using DHT22 to sense room temp/humidity and the adafruit "driver"--a c-program that must run as root--only works about 2/3 tries. Maybe an arduino would work better?

I've been considering an arduino with an ethernet shield or Xbee instead of the Pi, but all these "shields" and Xbee doo-dads are really confusing, overly specialized, and expensive compared to a Pi, breadboard, and GPIO cable, and a handful of cheap sensors. (Right now, price of 2 Xbee modules = one rPi, at least.)

I'm curious about Xbee, but the books on it look scary: large sections are devoted to screen shots of some horrid windows serial/USB program full of arcane options. (If Xbee is the craptaculatar version hell it appears at first glance, perhaps the price of Xbee modules will drop and I will get more curious to try them.)

RaTTuS
Posts: 10415
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: My rPi is under attack

Mon Nov 19, 2012 3:36 pm

If you don't have the default raspberry name and password set and you only forward 22 and 80, then you're going to be mostly ok.....
Just make sure your username / password is not an easy guess ;)
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

ghans
Posts: 7871
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: My rPi is under attack

Mon Nov 19, 2012 4:26 pm

I heard using another port would also easily deter most attacks.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

elatllat
Posts: 1337
Joined: Sat Dec 17, 2011 5:05 pm

Re: My rPi is under attack

Mon Nov 19, 2012 4:40 pm

using ssh keys (disabling pass auth) is the best solution IMO
SBC with 32GB RAM: https://hardkernel.com

FAQ : https://raspberrypi.stackexchange.com

Unanswered: https://www.raspberrypi.org/forums/search.php?search_id=unanswered

freemanbubu
Posts: 111
Joined: Sun Jun 17, 2012 11:12 am

Re: My rPi is under attack

Mon Nov 19, 2012 6:16 pm

Ports 1 to 1024 are reserved for services like http, ftp, ssh, imap, ....

Hacking bots scan random IPs and try attacks on these "default" ports...
NATing these ports directly from WAN to a computer is totally insecure....

To avoid this, just NAT another WAN port.
For example, I NAT port 22000 (WAN) to port 22 (Pi).

To connect from WAN, I use my DNS name and port 22000....
Easy, and I have never seen any attack in years on my computers....

Wendo
Posts: 142
Joined: Sun Jun 10, 2012 8:27 pm

Re: My rPi is under attack

Wed Nov 21, 2012 4:41 am

Depending on your router/firewall you may also be able to firewall countries. So you could drop connections from everywhere but your home country. Certainly forwarding a different port number will cut down heavily on this

utamav
Posts: 12
Joined: Sat Jun 14, 2014 6:18 pm

Re: My rPi is under attack

Fri Jun 20, 2014 12:16 am

Not sure if this has got to do anything but I listed my IP on no-ip to get DDNS. I have been getting brute force login from China as well. Has no-ip's database intentionally or unintentionally been compromised?

binaryhermit
Posts: 54
Joined: Sun Apr 13, 2014 1:26 am
Location: Lockport, Illinois

Re: My rPi is under attack

Fri Jun 20, 2014 12:54 am

Probably not... I suspect that the Chinese cracker just port-scanned and is attacking your box because he/she found a ssh server on port 22.

ghans
Posts: 7871
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: My rPi is under attack

Fri Jun 20, 2014 8:12 am

It's not that difficult ... AFAIK crackers already portscan whole countries at a time.


DougieLawson
Posts: 35814
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: My rPi is under attack

Fri Jun 20, 2014 1:20 pm

It's not just you. My Ubuntu system blocks about ten attempts per day. I have fail2ban running set for one attempt and you get blocked forever (until the next reboot or fail2ban restart).

I've even blocked myself from a remote location a couple of times.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

firedrow
Posts: 5
Joined: Thu Jun 19, 2014 5:42 pm

Re: My rPi is under attack

Fri Jun 20, 2014 4:18 pm

NO-IP is a popular free DNS service; they could just be scanning NO-IP domains, then port scanning those that respond to ping. You could try another free service like DuckDNS or Afraid.org. Also do different port mapping, such as 2222/tcp WAN to 22/tcp LAN (I'm pretty sure someone said something similar already). SSH keys are also another good call. Don't use passwords; use SSH keys to login, or do password AND SSH keys. Then they can try all day long for password cracking.

JAVE
Posts: 36
Joined: Thu Sep 19, 2013 11:08 am

Re: My rPi is under attack

Thu Jun 26, 2014 2:03 pm

The simplest solution is to use another port.
Pick an unused port >1024 (the first 1024 ports are reserved).

For example, pick port 2022.
Edit the /etc/ssh/sshd_config file, and change the line with 'Port 22' to 'Port 2022' (or add that line if it's not there)
While you're there, make sure that 'PermitRootLogin' is set to 'no'
reload the sshd config (/etc/init.d/ssh reload), and you should be able to log in on port 2022 from now on.

You will never want to log in as root. You log in as a regular user. If you must do something as root, su to root, and drop back to the normal user when you're done. (I'm not a fan of sudo. If somebody knows your password, he has root access, if you use a 'normal' set up, a user must know both your password and the root password before he has root access)
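The sshd_config edits in this thread (JAVE's Port and PermitRootLogin lines above, elatllat's "disable password auth" earlier) are easy to get subtly wrong, because sshd keeps the first value it reads for a keyword: a hardened line appended below an existing one is silently ignored, and anything after a Match block applies only to the matched users or hosts. The following is an added Python example written for this thread, not code from OpenSSH or from any poster; it parses a constructed sshd_config fragment with those rules and reports which of the discussed settings are not explicitly hardened. The fragment, the function names and the check list are assumptions made here; the defaults sshd applies when a keyword is absent vary by version, so the audit flags "not set" rather than guessing.

```python
import re

# Constructed sshd_config fragment (not a real file). The second PermitRootLogin
# line is there on purpose: sshd keeps the FIRST value it reads for a keyword, so
# 'no' wins; the PasswordAuthentication line after 'Match' applies only to user pi.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 2022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
Match User pi
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$")


def effective_settings(config_text):
    """Parse the global section of an sshd_config, keeping the first value per keyword.

    Port is the exception: every Port line adds another listening port, so all are
    kept. Parsing stops at the first Match block, whose lines are conditional.
    """
    settings = {}
    ports = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)   # first occurrence wins
    settings["port"] = ports or [22]          # sshd's default with no Port line
    return settings


# (keyword, acceptable values, reason) for the settings recommended in this thread
CHECKS = [
    ("permitrootlogin", {"no"}, "log in as a regular user and su when needed"),
    ("passwordauthentication", {"no"}, "key-based login only"),
    ("pubkeyauthentication", {"yes"}, "required once passwords are off"),
]


def audit(config_text):
    """Return a list of findings; empty means every checked setting is explicit and hardened."""
    s = effective_settings(config_text)
    findings = []
    for key, ok_values, reason in CHECKS:
        if key not in s:
            findings.append("%s not set explicitly; sshd's compiled-in default applies" % key)
        elif s[key].lower() not in ok_values:
            findings.append("%s is '%s' (%s)" % (key, s[key], reason))
    if 22 in s["port"]:
        findings.append("listening on port 22: expect the scanner noise shown in the first post")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())` after editing and before the reload step above; a duplicate keyword that was overlooked shows up as the first value still being in force. Keep a second session open while reloading so a mistake in the new config does not lock you out.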

DougieLawson
Posts: 35814
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: My rPi is under attack

Thu Jun 26, 2014 2:11 pm

How does picking an obscure port help? If the crackers do a full port scan they will find that one. Security by obscurity is no security at all.

Preventing password use and having fail2ban monitoring /var/log/auth.log for violations is easier - my system has 22 open with no problems (except when I've blocked my own remote sessions).

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: My rPi is under attack

Fri Jun 27, 2014 12:29 am

DougieLawson wrote:How does picking an obscure port help? If the crackers do a full port scan they will find that one. Security by obscurity is no security at all.

Preventing password use and having fail2ban monitoring /var/log/auth.log for violations is easier - my system has 22 open with no problems (except when I've blocked my own remote sessions).
How does it help? With port 22 open, my system was getting constant root login attempts. Since switching to a different port I've had zero. Evidently failure to do a full port scan is very common.

Disabling password access is a good idea no matter what your setup is.

n3tm4n
Posts: 28
Joined: Tue Jun 10, 2014 11:34 am
Location: East Midlands, UK

Re: My rPi is under attack

Fri Jun 27, 2014 8:03 am

My Internet router is configured to log amongst other things all incoming TCP SYNs (the first step to a TCP handshake) to a syslog server. Whilst other scanning methods are available without using SYN (the RST bit for session reset for example) any TCP session handshake will contain a SYN.

Anyway, what this has demonstrated over the years is that 95%+ of all the port scans my router gets are in the first 1024 TCP ports. I've only had 1 complete scan of ports 1 through 65k in the last 18 months.

If you have to run services, and can move them to an obscure port, then I would recommend it.

Out of interest, some of the ports above 1024 most often scanned on my Internet link are 8080, 8888, 2222, 2323, 22222, 23232, 323232, 44300. I can only assume most people pick ports that are not too inventive. :)

HTH. Jon.
http://0x25.blogspot.co.uk/

jojopi
Posts: 3079
Joined: Tue Oct 11, 2011 8:38 pm

Re: My rPi is under attack

Fri Jun 27, 2014 8:46 am

DougieLawson wrote:How does picking an obscure port help? If the crackers do a full port scan they will find that one.
You are supposing they are human. Of course a human will do a full port scan, review the protocols and services and versions you are running, and consider the best way in. They will be attacking you specifically, for some reason.

But essentially all background SSH noise is from automated attack tools. They cannot do social engineering or use any intelligence to determine likely credentials. They can only try standard usernames and dictionary passwords like "root" and "password1".

They only understand how to attack a specific protocol. (You could probably have a root shell open on a port, and they would not know how to use it.) With billions of addresses to target, it is not worth their time scanning all 65536 ports on the off chance that SSH is on a non-standard port, yet still accepts a standard password.

I have had SSH open on non-standard ports for decades and never seen a single connection.
DougieLawson wrote:Preventing password use and having fail2ban monitoring /var/log/auth.log for violations is easier - my system has 22 open with no problems (except when I've blocked my own remote sessions).
When there are botnets of tens of millions of machines, blocking their IP addresses one at time seems very unlikely to be useful. If you know you will only connect from specific ranges, then allow only those ranges, otherwise do not worry.

You have never blocked a single attack (presumably, your machines are not vulnerable to password guessing anyway), but you admit you have locked yourself out. And blocking scripts can actually increase the noise in your log files.

rgrbic
Posts: 128
Joined: Thu Jun 12, 2014 1:07 pm

Re: My rPi is under attack

Fri Jun 27, 2014 9:39 am

Here you can find some guidelines how to improve security of your RPi.
Change port number, use key pair based authentication and install fail2ban.
At 127.0.0.1
Twitter: @rgrbic
IoT-projects.com

zSprawl
Posts: 6
Joined: Sun Jun 22, 2014 3:36 pm

Re: My rPi is under attack

Fri Jul 04, 2014 8:20 pm

A better answer is to setup VPN to your home router, then access your stuff safely. Exposing to the internet is exposing it to attackers all day, every day.

emgi
Posts: 357
Joined: Thu Nov 07, 2013 4:08 pm
Location: NL

Re: My rPi is under attack

Sat Jul 05, 2014 7:18 am

Same thing here. For this reason I decided to only have port 80 open.
When checking the logs I'm happy to know that I'm not doing anything with php.
The number of attempts involving an assumed weakness in some php script are stunning.

And indeed, it's often the Chinese.
Sometimes I wonder if they are being encouraged somehow to attack the capitalists. :evil:

/emgi

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: My rPi is under attack

Sat Jul 05, 2014 11:07 am

emgi wrote:And indeed, it's often the Chinese.
Sometimes I wonder if they are being encouraged somehow to attack the capitalists. :evil:
There is an "official" bounty program for "information". And since official policy is complete denial when it comes to cybercrime every poor person with a little bit of IT knowledge will try getting a part of the bounty. They also carry out information gathering inside China, as long as it is dissidents being spied upon. There is even OSX malware, directed at Tibetan dissidents that was very probably government issued.

Your average Russian, Israeli or NSA hacker, of course, won't be as easily spotted in your logs.

ghans
Posts: 7871
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: My rPi is under attack

Sat Jul 05, 2014 11:16 am

Or those guys just mask themselves with Chinese IPs ?


binaryhermit
Posts: 54
Joined: Sun Apr 13, 2014 1:26 am
Location: Lockport, Illinois

Re: My rPi is under attack

Sun Jul 06, 2014 12:50 am

If I had to guess, it's Chinese XP boxes that are part of a botnet either due to dubious DRM cracks or lack of patching.

H2SO4
Posts: 1
Joined: Wed Jul 09, 2014 10:36 pm

Re: My rPi is under attack

Wed Jul 09, 2014 10:39 pm

DougieLawson wrote:How does picking an obscure port help? If the crackers do a full port scan they will find that one. Security by obscurity is no security at all.
Which explains why the military gave up on that silly camo nonsense and now equips everything with blaze orange.
