Possible intrusion to my OMV at home?

    • Possible intrusion to my OMV at home?

      Last night my OMV was not accessible anymore. Docker was not either. I tried to open my web GUI, but it responded very slowly. After typing my password and hitting login, I saw Firefox was sending and waiting for a lot of requests (little notice at the bottom of Firefox). I checked the CPU, IO and RAM usage, but nothing was suspicious. When I tried to log in via ssh, I could barely type any letter. After typing two letters into the ssh terminal, I had to wait a long time till the next two would appear.

      I could not find anything leaking in the kernel log. What could explain the slow response from OMV's nginx? What could explain the extreme delay with which the letters appeared in the ssh terminal? Today everything seems back to normal.

      How could I check if my server was hacked? :/
      Intel Pentium G3460T @ 3GHz
      Debian GNU/Linux 9.2 (stretch)
      Release: 4.0.10-1 Arrakis
    • A very high latency connection, or a connection with very high packet loss, could explain what you saw, especially on an ssh session.

      Typically every character typed into the terminal is echoed back to the sender one at a time, but not until they first arrive at the destination. And you can't type the next character until the last one you typed is echoed back to you and displayed. This has the effect of seemingly multiplying the latency.

      Some ssh clients such as SecureCRT have a feature that allows commands to be fully typed into a chat-style box. Once the command is complete, hitting the Enter key sends the entire command string all at once rather than one character at a time.

      The problem with trying to determine if a server has been hacked is that if someone really knows what they are doing they will be largely able to erase their footprints on their way out.

      The usual advice is that unless you are completely sure your server has not been compromised (you have verified that every file on the machine has not been replaced with a non-original compromised copy) you should format the drive and reinstall the OS. And in case you are wondering, I agree this advice is not very helpful. But it is absolute.

      Unexplained network traffic is one symptom of a compromised machine, as the real value of a hacked machine is one that is remotely accessible without being easily noticed. Large amounts of available storage, and high available bandwidth are valuable (to hackers) bonus features.

      If you detect hidden directories on your machine that you can't explain, unexplained high disk space loss, or you notice warez or porn files that don't belong to you, be worried. Another thing to look for is processes that use TCP/UDP ports that you didn't set up yourself, such as IRC offer bots, additional ssh/sftp/ftp server processes and such running on obscure ports or SSL tunnels.

      Entire books have been written about compromised server forensics and some people make a living at this. So it really can't be well covered in a forum like this.
      OMV 4.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380
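      The checks named in the reply above (hidden directories, listeners on ports you did not set up yourself) as a first-pass script. This is an added example written for this thread, not code from the forum or from OMV; it assumes a POSIX shell, iproute2 `ss`, and that the file is saved as `baseline_check.sh`. The ALLOWED_PORTS default is a hypothetical placeholder you replace with the services you actually run.

```shell
#!/bin/sh
# Constructed first-pass check for a Debian/OMV box (example, not from the thread).
# Assumes POSIX sh/awk/find and iproute2 `ss`. Replace ALLOWED_PORTS with the
# ports of the services you set up yourself (the default here is hypothetical).
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 443}"

# Reads `ss -ltunp` output on stdin and prints every listening socket whose
# local port is not in ALLOWED_PORTS (the "obscure port" case from the reply).
unexpected_listeners() {
    awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Netid" { next }                 # skip the ss header line
        NF >= 5 {
            port = $5; sub(/.*:/, "", port)    # "0.0.0.0:22" -> "22", "[::]:80" -> "80"
            if (!(port in ok)) print
        }'
}

# Lists hidden directories below the given paths (e.g. /tmp /var/tmp /dev/shm),
# a common place for unwanted software to be dropped.
find_hidden_dirs() {
    find "$@" -xdev -mindepth 1 -type d -name '.*' 2>/dev/null
}

# Lists processes whose executable was deleted from disk while still running;
# legitimate software rarely does this outside of package upgrades.
running_deleted_exes() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case $target in
            *' (deleted)') echo "${p#/proc/} $target" ;;
        esac
    done
}

# Run all checks only when executed as a script, not when sourced.
case "$0" in
    *baseline_check.sh)
        echo "== listening sockets not in ALLOWED_PORTS ($ALLOWED_PORTS) =="
        ss -ltunp | unexpected_listeners
        echo "== hidden directories in scratch locations =="
        find_hidden_dirs /tmp /var/tmp /dev/shm
        echo "== processes running deleted executables =="
        running_deleted_exes
        ;;
esac
```

      Anything the script prints is a lead to investigate, not proof of compromise; the reply's point that a careful intruder erases footprints still stands, so an empty result does not clear the machine.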
    • As it has already been said above.

      For the future, change your approach to security. Control all traffic that goes to OMV. A firewall with a restrictive traffic policy. Let through only what has to go through and block everything else. It's also good to control outgoing traffic. In addition, IDS and IPS in the network too. Log network traffic to a separate machine. Always have an up-to-date system and software to avoid the more familiar vulnerabilities. Do not run unnecessary utilities if it is not absolutely necessary. Regularly check the correctness of the configuration of the software. Human error is also a frequent cause of vulnerability.
      If you have a suspicion that the machine has been penetrated, treat it as a fact, not a guess, and don't hope that it may not be. Reinstall the system. Change passwords and keys. Replace certificates. Treat the machine as dirty and the data as potentially stolen or modified.
      Implement a sensible backup system.
      Think about data encryption. Encryption of the disk itself gives nothing in the case of online penetration. Think about encrypted data containers that you store on the NAS. The data should always be on the server in encrypted form 24/7, and the decryption should take place directly on the user's machine and not on the NAS.

      The subject is very extensive. It's best if you adopt the view that the machine is dirty, and start all over again taking many aspects of security into account.
    • Thank you guys for your valuable hints. I still couldn't find anything, but as you said there might be many reasons for this. I am also not very skilled in this. I guess I will follow your suggestion and start from scratch. Also installing a firewall will be the way to go. Now I am using the router firewall only :(

      Still I don't know how to save my important data... very likely I have to buy an external drive I guess.

      Again, thank you very much :/
    • godfuture wrote:

      Now I am using the router firewall only
      Shouldn't that be enough if you have not forwarded any ports?
      godfuture wrote:

      Still I don't know how to save my important data... very likely I have to buy an external drive I guess.
      Have a look at the 3-2-1-Backup-Strategy
      Odroid HC2 - armbian - Seagate ST4000DM004 - OMV4.x
      Asrock Q1900DC-ITX - 16GB - 2x Seagate ST3000VN000 - Intenso SSD 120GB - OMV4.x
      Backup - Solutions to common problems - OMV setup videos - OMV4 Documentation - user guide
    • macom wrote:

      Shouldn't that be enough if you have not forwarded any ports?
      Good question. I do have a few port forwards. Isn't the (insecure) application behind open ports the real threat here? I mean, are common router firewalls known to be insecure by default, considering the user wants to host a service privately? Is it best practice to have multiple firewalls active?

      macom wrote:

      Have a look at the 3-2-1-Backup-Strategy
      Thanks. I will do that.