Networking Noob Questions about running Internet Facing Devices

    • OMV 2.x
    • Networking Noob Questions about running Internet Facing Devices

      I'm working on setting up my OMV with CrashPlan right now, and configuring the router to allow friends to backup to my storage array. This will be the first time I've had a device on my network exposed to the internet and I would like a little bit of help/advice.

      (1) I have already obscured all of my port numbers by using non-standard and forwarding them to standard.
      (2) The OMV GUI will not be accessible from over the WAN, only via LAN.
      (3) SSH is disabled on OMV machine.

      I'm going to setup Fail2Ban soon, but other than that what else can I do? I've heard that DMZ is a good option, but I've never done that/don't know what that entails.

      Anyone able to chime in on this or link to some helpful articles?

      Thanks!
    • Learning2NAS wrote:

      I have already obscured all of my port numbers by using non-standard and forwarding them to standard.


      What services? they provide authentication like a webUI? at least with ssl i guess right?

      Learning2NAS wrote:

      SSH is disabled on OMV machine.


      That's probably the only service you want open but using PKA (not password) or openvpn, and close all other services you're using (if they are web based) and access them through socks proxy (ssh). Read more about this in the guide section
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • subzero79 wrote:


      What services? they provide authentication like a webUI? at least with ssl i guess right?


      CrashPlan is the one I had in mind. I don't need to access my machine over the WAN at all, so SSH seemed unnecessary. The only port on my OMV box that will be open to the world is CrashPlan. I may add OwnCloud in the future. At the moment, even those are blocked in the router because my OMV build is still undergoing testing.
    • I think my new OMV server got pwnd already, and it shouldn't even be accessible from the internet.

      I setup my OMV. Everything is default accept I've turned off all of the services that I'm not using (FTP, SSH, etc) and I've added CrashPlan. My router has a non-default password, is running a newer firmware, and all internet facing ports are set to stealth. No port forwarding is currently configured and UPnP is disabled.

      My new OMV test build has been idling for a few days to see how stable it is before I put it in service. First day of idle, nothing unusual. I put some backups on it from our home PCs. Second day of idle, nothing unusual. Third day of idle, I just happened to be moving some wires and noticed my router was flashing a lot.

      I log in to the router UI, all settings are correct. Connected clients are all familiar, so nobody is on my wifi that shouldn't be. I go to the logs and see that for the last week, on average, we have uploaded a few hundred megabytes of data. That sounds about right. However, in the last 24 hours we have uploaded 5GB of data! I checked a graph of my bandwidth and there was an active outbound connection from my OMV that was saturating my internet connection. I unplugged it, and here I sit.

      Questions for a non-noob:
      How did they get to my server with all of my ports in stealth?
      How do I check logs to see what files they accessed?
      How do I figure out what protocol they were using so I can block it going forward?
      How do I figure out what user they logged in as? (So I can change that password)
      How can I verify that my OMV operating system has not been modified in a malicious way?
      Images
      • portscan.JPG

        22.6 kB, 211×275, viewed 119 times

      The post was edited 1 time, last by Learning2NAS ().

    • Learning2NAS wrote:

      How did they get to my server with all of my ports in stealth?


      I am not sure, but in iptables you have drop and reject, the first should be stealth, since it looks like timeout if you try and finger a port, the second is explicit and the connections says actively refused

      Learning2NAS wrote:

      How do I check logs to see what files they accessed?


      Only certain protocols provide that, like samba and ftp. If the user gained access using ssh then there is no track what files he accessed .But there must a be a software that can track all files, in linux everything is a file.


      Learning2NAS wrote:

      How do I figure out what protocol they were using so I can block it going forward?


      You said you have no protocols open, only crashplan. Is crashplan known for spreading malware?

      Learning2NAS wrote:

      How do I figure out what user they logged in as? (So I can change that password)


      If he used any protocol it will show in /var/log/auth.log.

      Learning2NAS wrote:

      How can I verify that my OMV operating system has not been modified in a malicious way?


      Is hard to know, you'll have to keep like a checksum db of all files, and keep that db outside of the server. The malware i've seen in linux here in the forum is in the form of strange process with a random alpha character name, like "fdsjgadrtyqe"
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • After hours of snooping and troubleshooting, I decided to plug the OMV machine back in and do some packet sniffing to find the culprit.

      It turns out that something really weird is going on with the Notification system. When it is enabled, it constantly renegotiates with the email's SMTP server. So much that in just a few minutes it had sent 80MB worth of SMTP packets while not sending any messages. I disabled the Notification service and many hours later my network is still quiet. That was absolutely the problem.

      It didn't make any sense that someone could have compromised OMV because it was never outside of the LAN. Ugh. Thanks for your help SubZero! To answer your question, no Crashplan has not been known to spread malware. They're a very reputable company.





      Still looking for any tips to harden my NOT yet compromised internet facing OMV system, if there's anything obvious that I've overlooked :)

      The post was edited 2 times, last by Learning2NAS ().

    • @tinh_x7,

      I use mxtoolbox.com/PortScan.aspx for this kind of stuff. It will give you a comprehensive run down in about 30 seconds of what is and is not open from the outside, looking in at your network.

      Keep in mind that your router is most likely to be the cause of any issues here. Unless your OMV box is inside a DMZ and is directly facing the internet with no protection from the router, any issues you find will need to be addressed in the router GUI, rather than OMV.

      Good luck!