Something awful happened to my OMV and I don't know what

  • Been following this topic to be more mindful about security. (Although I try to block all I can think of.)

    massenzio I'm thinking that you don't have the "fail2ban" service active, correct?

    No fail2ban active, unfortunately.


    Now, I'm recovering the data from the drives (which is not a big deal, I had backups somewhere else).


    Is there something I can do to see if the data have been just erased and/or copied somewhere else? Maybe disk usage stats? Can I retrieve them from the terminal?

    • Official post

    Would the "fail2ban" service be enough to prevent the OP situation? I'm almost certain that my port 22 is blocked on my router but am trying to cover all angles I can think of.

    Also, the first thing I do, when configuring OMV ssh access is to disallow "root" access.

    Sure, but it can be a bit complex for noobs, especially understanding how it works. Personally I have found using a non-standard port and disabling password auth works better than anything. I don't disable root ssh access but I always have a very complex root password.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.6 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
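    The three settings the thread keeps coming back to (root login, password authentication, a non-standard port), as an added example that is not part of the original thread and is not OMV or OpenSSH code: a small Python audit of an sshd_config's global section that mimics sshd's first-occurrence-wins rule, flags the weak values and emits the corrective lines. The sample configs are constructed; the keyword defaults assume OpenSSH 8 or later, and `Include` directives are not followed (both are assumptions, stated in the docstring).

```python
"""Audit the global section of an sshd_config for root login, password
authentication and the listening port.  Added example for this thread, not
code from OMV or OpenSSH.

Assumptions (not from the original posts): OpenSSH's rule that the first
occurrence of a keyword wins and that keywords after a 'Match' line are
conditional; OpenSSH 8+ defaults for keywords that are not set at all;
'Include' directives are NOT followed, so files under sshd_config.d must be
audited separately (Debian 12 ships such an Include line).
"""

# Effective value when the keyword is absent (OpenSSH 8+ defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
}

# What this audit treats as acceptable, following the thread's advice.
# severity 'high' = a remote password guess can succeed, 'info' = hygiene only.
POLICY = {
    "permitrootlogin": ("no", "high", "root may log in over SSH; set PermitRootLogin no"),
    "passwordauthentication": ("no", "high", "password logins are accepted; use keys only"),
    "pubkeyauthentication": ("yes", "high", "public key auth is disabled"),
    "port": (None, "info", "sshd listens on the default port; brute-force bots try 22 first"),
}


def parse_global(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive, the first occurrence wins (sshd ignores
    later duplicates) and parsing stops at the first 'Match' line because
    everything after it applies only to matching sessions.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key = tokens[0].lower()
        value = tokens[1].strip() if len(tokens) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value.lower())
    return settings


def effective(settings):
    """Merge the parsed settings over the defaults for the audited keywords."""
    return {k: settings.get(k, d) for k, d in DEFAULTS.items()}


def audit(config_text):
    """Return {keyword: (effective_value, severity, message)} for each weak setting."""
    findings = {}
    for key, value in effective(parse_global(config_text)).items():
        want, severity, message = POLICY[key]
        weak = value == "22" if key == "port" else value != want
        if weak:
            findings[key] = (value, severity, message)
    return findings


def hardened_snippet(config_text, port="2222"):
    """Lines that fix the findings; they must precede any Include or duplicate (first wins)."""
    fixes = {
        "permitrootlogin": "PermitRootLogin no",
        "passwordauthentication": "PasswordAuthentication no",
        "pubkeyauthentication": "PubkeyAuthentication yes",
        "port": f"Port {port}",
    }
    return [fixes[key] for key in audit(config_text)]


# Constructed sample: a Debian-style file whose defaults were loosened by hand.
# The duplicate PasswordAuthentication and the Match block are deliberately
# there to show what sshd ignores.
WEAK_CONFIG = """\
# comments and blank lines are ignored by sshd
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
# duplicate below is ignored: the first occurrence wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample of the hardened form (keyboard-interactive is the other
# password path; it is shown for completeness but not audited here).
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for key, (value, severity, message) in audit(text).items():
            print(f"[{severity}] {key}={value}: {message}")
        for line in hardened_snippet(text):
            print("fix:", line)
```

    Check what sshd actually applies with `sshd -T` rather than by reading the file, because Include lines and Match blocks change the result. On OMV itself the root-login and password-authentication toggles live in the web UI's SSH service settings and the file is regenerated from there, so make the change in the UI. Moving the port only thins out the bot noise; the two "high" findings are what actually stop a password guess from succeeding.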

    • Official post

    I've been saying that forever.. It may not be the first thing I do, but it's in the top 3-4 that is done fairly quickly.


    I'm not sure fail2ban would have helped this.. especially if port 22 is open as aaron says (although he says it is closed).


    I'm curious.. Is it possible someone gained access to his network, opened port 22, then when they were done, "closed the door behind them" so to speak? All they'd have to do is get back on his network to reopen it. I guess if they managed to get on his network though, there wouldn't have been much reason to use port 22.


    OP, have you checked your router logs to see if anything is weird? Maybe logins when you know you've not done so? I'm assuming you've done the very basics of security in setting a good password to log into your router and setting a strong wifi password.


    I'm not really sure something like this should be in the new user manual, since it's almost impossible to ascertain what exactly happened, although it appears to have happened over ssh. I think for the most part, short of the SSH root login being automatically permitted... the system is secure, or we'd hear of this sort of thing far more often (given the experience level of many users here). Short of going over a network lesson and explaining ports, how important passwords are, etc. (which should all be reasonable common sense if someone is looking at building their own NAS, or at least something they seek out answers on).

  • Btw I'm failing even at just installing Fail2ban....


    Code
    E: Failed to fetch https://dl.bintray.com/openmediavault-plugin-developers/usul/pool/main/o/openmediavault-fail2ban/openmediavault-fail2ban_5.0.5_all.deb  403  Forbidden [IP: 52.37.64.70 443]
    
    E: Internal Error, ordering was unable to handle the media swap
  • Port 22 seems to be closed from my router page (I'm using a FritzBox), but I also always logged in to port 22 with PuTTY, so it might be open by default? I am clueless.


    To be frank, I've checked pretty well on the logs of the router too, there's nothing to indicate that my local network has been compromised. My idea so far is that I was just attacked from the outside to the public IP. My router psw is solid, and so is my wifi psw. I think it's very very unlikely the case of an attack to my local network.

    • Official post

    Btw I'm failing even at just installing Fail2ban....


    Code
    E: Failed to fetch https://dl.bintray.com/openmediavault-plugin-developers/usul/pool/main/o/openmediavault-fail2ban/openmediavault-fail2ban_5.0.5_all.deb  403  Forbidden [IP: 52.37.64.70 443]
    
    E: Internal Error, ordering was unable to handle the media swap

    That's weird. Are you sure your machine is up to date?


    Code
    omv-update
    • Official post

    I'm curious.. Is it possible someone gained access to his network, opened port 22, then when they were done, "closed the door behind them" so to speak? All they'd have to do is get back on his network to reopen it. I guess if they managed to get on his network though, there wouldn't have been much reason to use port 22.

    The logs show they are coming in from internet IP addresses. If someone gained local access, they would be private IP addresses.


    Failed to fetch https://dl.bintray.com/openmed…lt-fail2ban_5.0.5_all.deb 403 Forbidden [IP: 52.37.64.70 443]

    omv-extras repos moving to github
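    ryecoaaron's point that the source addresses in the logs tell you whether the attacker was on the LAN or came in from the internet, and the OP's earlier question about what can still be learned from the box, as an added example (not from the thread, not OMV code): a Python pass over sshd log lines that classifies each source address, counts failures and successes per address, and lists accepted logins from non-LAN addresses. The log lines are constructed using documentation address ranges and the FritzBox default 192.168.178.0/24 LAN; the regex assumes Debian's syslog/journal message format for sshd (an assumption, stated in the docstring).

```python
"""Classify sshd log lines by source address and pull out the one signal that
matters most after a suspected break-in: an *accepted* login from the
internet.  Added example for this thread, not OMV code; the log lines below
are constructed (documentation address ranges), not taken from the OP.

Assumptions: Debian syslog/journal format for sshd messages; 'lan' means
RFC 1918, loopback and link-local.  The stdlib's is_private is deliberately
not used because it also treats the 203.0.113.0/24 documentation range as
private, which would hide the constructed attacker below.
"""
import ipaddress
import re
from collections import defaultdict

LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Matches both 'Accepted publickey for admin from ...' and
# 'Failed password for invalid user admin from ...'.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def origin(ip):
    """'lan' for addresses that can only come from inside the router, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    return "lan" if any(addr in net for net in LAN_NETWORKS) else "internet"


def parse_auth_log(text):
    """Turn sshd auth lines into event dicts; unrelated lines (pam, disconnects) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            event = m.groupdict()
            event["origin"] = origin(event["ip"])
            events.append(event)
    return events


def summarize(events):
    """Per source address: origin, failed/accepted counts and the usernames tried."""
    summary = defaultdict(lambda: {"origin": None, "failed": 0, "accepted": 0, "users": set()})
    for e in events:
        s = summary[e["ip"]]
        s["origin"] = e["origin"]
        s["failed" if e["outcome"] == "Failed" else "accepted"] += 1
        s["users"].add(e["user"])
    return dict(summary)


def internet_logins(events):
    """Accepted logins from non-LAN addresses; with no port forward this list must be empty."""
    return [e for e in events if e["outcome"] == "Accepted" and e["origin"] == "internet"]


def brute_force_sources(events, threshold=3):
    """Addresses with at least `threshold` failures, i.e. what fail2ban would have banned."""
    return sorted(ip for ip, s in summarize(events).items() if s["failed"] >= threshold)


# Constructed sample: one key login from the LAN, a password-guessing run from
# the internet that eventually succeeds as root, and a second scanner.
SAMPLE_LOG = """\
Apr 12 03:14:15 omv sshd[1201]: Accepted publickey for admin from 192.168.178.20 port 40112 ssh2: ED25519 SHA256:constructed
Apr 12 03:40:01 omv sshd[1305]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 12 03:40:03 omv sshd[1305]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 12 03:40:07 omv sshd[1307]: Failed password for invalid user admin from 198.51.100.7 port 33333 ssh2
Apr 12 03:40:09 omv sshd[1309]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr 12 03:41:22 omv sshd[1311]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Apr 12 03:41:22 omv sshd[1311]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
"""

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    for ip, s in summarize(events).items():
        print(f"{ip:16} {s['origin']:9} failed={s['failed']} accepted={s['accepted']} users={sorted(s['users'])}")
    for e in internet_logins(events):
        print(f"ALERT: {e['user']} logged in by {e['method']} from {e['ip']} (internet)")
    print("would have been banned by fail2ban:", brute_force_sources(events))
```

    On OMV 7 (Debian 12) the lines come from `journalctl -u ssh` rather than /var/log/auth.log unless rsyslog is installed; `last -f /var/log/wtmp` gives a second, independent record of successful logins. Both are writable by root, so a clean log after a root login proves little, and no disk statistic will show whether data were read before they were deleted; only router or egress logs could answer that.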

    • Official post

    Port 22 seems to be closed from my router page (I'm using a FritzBox), but I also always logged in to port 22 with PuTTY, so it might be open by default? I am clueless.


    To be frank, I've checked pretty well on the logs of the router too, there's nothing to indicate that my local network has been compromised. My idea so far is that I was just attacked from the outside to the public IP. My router psw is solid, and so is my wifi psw. I think it's very very unlikely the case of an attack to my local network.

    If port 22 isn't open externally... you can still use it internally (which from what you're saying is what you're doing). I've never seen a router have port 22 open by default, so if you didn't open it that really shouldn't be an issue.

    • Official post

    I've just looked at my auth logs and I can see nothing, just my own connection from my own workstation. The fact that the logs show attempted access might suggest that something is exposed.


    Visit grc.com go into services and run shields up

  • I've just looked at my auth logs and I can see nothing, just my own connection from my own workstation. The fact that the logs show attempted access might suggest that something is exposed.


    Visit grc.com go into services and run shields up

    This is the message I get:


    Please Stand By. . .
    Attempting connection to your computer. . .
    Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
    Preliminary Internet connection refused!
    This is extremely favorable for your system's overall Windows File and Printer Sharing security. Most Windows systems, with the Network Neighborhood installed, hold the NetBIOS port 139 wide open to solicit connections from all passing traffic. Either this system has closed this usually-open port, or some equipment or software such as a "firewall" is preventing external connection and has firmly closed the dangerous port 139 to all passersby. (Congratulations!)


    Unable to connect with NetBIOS to your computer.
    All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

    TruStealth Analysis: FAILED

    Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

    Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

    Port    Service    Status    Security Implications
    0       <nil>      Stealth
    21      FTP        Stealth
    22      SSH        Stealth
    23      Telnet     Stealth
    25      SMTP       Stealth
    79      Finger     Stealth
    80      HTTP       Stealth
    110     POP3       Stealth
    113     IDENT      Stealth
    119     NNTP       Stealth
    135     RPC        Stealth
    139     NetBIOS    Stealth
    143     IMAP       Stealth
    389     LDAP       Stealth
    443     HTTPS      Stealth
    445     MSFT DS    Stealth
    1002    ms-ils     Stealth
    1024    DCOM       Stealth
    1025    Host       Closed    Your computer has responded that this port exists but is currently closed to connections.
    1026    Host       Closed    Your computer has responded that this port exists but is currently closed to connections.
    1027    Host       Closed    Your computer has responded that this port exists but is currently closed to connections.
    1028    Host       Closed    Your computer has responded that this port exists but is currently closed to connections.
    1029    Host       Closed    Your computer has responded that this port exists but is currently closed to connections.
    1030    Host       Closed    Your computer has responded that this port exists but is currently closed to connections.
    1720    H.323      Closed    Your computer has responded that this port exists but is currently closed to connections.
    5000    UPnP       Closed    Your computer has responded that this port exists but is currently closed to connections.
    • Official post

    Maybe crashtest can do a review of the install guide and focus some topics on this issue: a "checklist" of some of the most common "failures" that newbies or not-so-knowledgeable users might have that will lead to something like what happened to the OP.

    A home server that doesn't have ports open to the internet, at the gateway router, enjoys decent security. In the typical home scenario, the server's security depends on the gateway router's security profile. (Has the router's IOS version been compromised, are unneeded services shut down, is it up-to-date, etc.) There's a far greater chance that clients, on the LAN, would be the source of a compromise.

    In the guide, where server share permissions are open, there is a note about port forwarding, where port forwarding is NOT recommended. The hot second users begin to forward ports to their server, for any reason, they're in a new world security-wise. Linux server security is far beyond the scope of a "walk through" guide. There are entire books written on this subject.

    All that can be said in the guide, regarding port forwarding, is "don't do it".

    • Official post

    I would make sure the server isn't in some kind of DMZ where all ports are opened.


  • A home server that doesn't have ports open to the internet, at the gateway router, enjoys decent security. In the typical home scenario, the server's security depends on the gateway router's security profile. (Has the router's IOS version been compromised, are unneeded services shut down, is it up-to-date, etc.) There's a far greater chance that clients, on the LAN, would be the source of a compromise.

    In the guide, where server share permissions are open, there is a note about port forwarding, where port forwarding is NOT recommended. The hot second users begin to forward ports to their server, for any reason, they're in a new world security-wise. Linux server security is far beyond the scope of a "walk through" guide. There are entire books written on this subject.

    All that can be said in the guide, regarding port forwarding, is "don't do it".

    Thanks, I understand. Can this whole mess be caused by the fact that I changed provider and my IP was publicly exposed on the internet, which was not the case just 2 months ago? The server was set up with the old network approach, that's why I thought it was safe.

    • Official post

    Can this whole mess be caused by the fact that I changed provider and my IP was publicly exposed on the internet, which was not the case just 2 months ago?

    Signing up for dyndns just puts a domain name with an ip. It doesn't change how your firewall works.

    How can I be sure about this?

    No idea. I never used a fritzbox (don't live in Germany).

