Something awful happened to my OMV and I don't know what

  • ask them to put me on a private ip

    Just to clear things up regarding public and private ip. You seem quite confused here. Everyone who accesses the internet has a public ip. You cannot access internet without it. Either you have got an IP that makes your gateway/router reachable from the world, this is a public one then - or you don't have internet access at all. Then, you dont have a public IP. There is nothing like private ip from internet service provider. Best you can do in that matter is accessing your services via VPN only and forbid anything else. That may be kind of what you mean by private ip.


    In the local network your devices communicate via local IPs. These are kind of private. But you dont get them from your isp as they only work within your lan environment. They are not reachable from outside and you cannot connect to the internet with them. [sic!]


    So I really wonder what you mean by you switched to a public IP. Have you setup a dyndns maybe?


    ----

    BTW Here we see again why TechnoDadLife 's videos are toxic. For him, the quantity and simplicity of the videos takes precedence over quality and care. He explains the most easy way to setup something so that it is somehow working. But he never gives any hint about why he does what settings and what topics are left to make things at least a little bit secure. Just open up everything, people gonna be happy. Security and Safety? What the hell is that?!

  • There is nothing like private ip from internet service provider.

    Not true.


    There are many users who are on Carrier-grade NAT networks and they do not have public IP addresses on any of their equipment.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 6.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

  • Not true.


    There are many users who are on Carrier-grade NAT networks and they do not have public IP addresses on any of their equipment.


    Now you got me! I really wonder why I never heard about that :/ ... Well, perhaps I did and forgot. So massenzio is it that what you meant? Because if your Ports are not exposed, it should actually not be necessary. I think the big question is how can one contact your port 22 from the internet.

  • That SSH log is pretty troubling.. Not sure how they'd have gotten there though if you don't have Port 22 open on your router.... Does that IP address look familiar? 209.141.61.174 as that is where all the hits are coming from apparently... Seems they just kept trying random usernames/passwords, but again w/o Port 22 open in your router, I'm pretty sure this had to be done within your network.

    If the ssh port was exposed to the internet then sshd logs like that are commonly seen. There is a program called ncrack (by Fyodor, the nmap author) that is largely responsible for this.


    https://nmap.org/ncrack/


    If the victim and the attacker both have high speed network access, then several thousand brute force user/password attempts can be made in a second or two by ncrack.


    I have seen this attack frequency in my own sshd logs. It is so fast that thousands of attempts will happen and be logged before programs like denyhosts or fail2ban can react and block the attacking IP address.


    As to what actually happened to the OP it will be difficult to say for sure if no logs that identify the deletions can be found.


    As for the attacking IP address, it has been reported frequently to the various abuse cataloging sites, for example:


    https://www.abuseipdb.com/check/209.141.61.174

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 6.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

    Edited 2 times, last by gderf ().

  • Hello,


    please show a screenshot of your portforwardings in your Fritzbox.

    Who was your previous ISP and who is it now?


    Please show the output of

    Code
    zcat /var/log/auth.log* | grep 'sshd.*opened'




    Greetings,

    Hendrik

  • BTW Here we see again why TechnoDadLife 's videos are toxic. For him, the quantity and simplicity of the videos takes precedence over quality and care. He explains the most easy way to setup something so that it is somehow working. But he never gives any hint about why he does what settings and what topics are left to make things at least a little bit secure. Just open up everything, people gonna be happy. Security and Safety? What the hell is that?!

    Toxic is pretty harsh. I have a few issues with a few things he does, but I would never call his videos toxic. It seems unlikely anything I've ever seen in his videos, caused the OP's problem. So that is really an unfair attack.


    The problem is users take a 8min video as gospel and do not do their due diligence in further investigating how things should be set up. If he were to drone on for an hour in each video (who would be easy) nobody would watch them.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


    Edited once, last by KM0201 ().

  • What I mean by toxic is that the popularity of the vids in combination with the lack of any hint about security leads to a mass of servers with basic Nextcloud, plex, smb/cifs, …. setup that works in general but have not a minimum of security.


    People expose their ports, grant full file access to everyone, open their shares for everyone in the network. They allow root to connect via ssh with poor password and heard nothing about eg fail2ban. They setup raid but have no backup.


    When someone tells them, they are almost always very surprised and even kind of shocked. And very often it has begun with one of these howtos where the instructor did not even spent 1 min for at least giving some keywords about missing security aspects that must be covered before going productive. They just thought it’s done.


    Furthermore, if you comment his videos just to add missing info for a proper setup, he just deletes your comment.

  • What I mean by toxic is that the popularity of the vids in combination with the lack of any hint about security leads to a mass of servers with basic Nextcloud, plex, smb/cifs, …. setup that works in general but have not a minimum of security.


    People expose their ports, grant full file access to everyone, open their shares for everyone in the network. They allow root to connect via ssh with poor password and heard nothing about eg fail2ban. They setup raid but have no backup.


    When someone tells them, they are almost always very surprised and even kind of shocked. And very often it has begun with one of these howtos where the instructor did not even spent 1 min for at least giving some keywords about missing security aspects that must be covered before going productive. They just thought it’s done.

    I have to agree with most of the above. If I had my druthers, beginners would start with a basic NAS and manually do the extra's until they understand what they're doing. Then, once the processes are well understood, it's time to automate them. Unfortunately, it doesn't work that way. As a result, the "insta-addons" from Internet How-To's and Video's generate a lot of secondary forum traffic.

    With the doc's I've written, I try to fill in some detail so users understand what they're doing,, but that's not for everyone. Unfortunately, KM0201 is right in that a high percentage of users wouldn't watch the Video's or do the How-To's if security was added. It is what it is.

  • What I mean by toxic is that the popularity of the vids in combination with the lack of any hint about security leads to a mass of servers with basic Nextcloud, plex, smb/cifs, …. setup that works in general but have not a minimum of security.


    People expose their ports, grant full file access to everyone, open their shares for everyone in the network. They allow root to connect via ssh with poor password and heard nothing about eg fail2ban. They setup raid but have no backup.


    When someone tells them, they are almost always very surprised and even kind of shocked. And very often it has begun with one of these howtos where the instructor did not even spent 1 min for at least giving some keywords about missing security aspects that must be covered before going productive. They just thought it’s done.

    Let me assure you... every single bit of that, was going on before Technodad ever produced a single minute of video about OMV and several of us here on the forum were screaming from the hilltops on setting things up properly. I agree w/ most of what you're saying, but this is crap that has went on long before him, and it will go on long after him. However if he attempted to drone on about security, etc.. people would just fast forward through that part of his video anyway and get to the setup. Then when they have a problem.. they are completely dumfounded that their idea instead of password1234, 4321password was the best password ever, was terrible.


    That still has not a single thing to do w/ Technodad.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • Not true.


    There are many users who are on Carrier-grade NAT networks and they do not have public IP addresses on any of their equipment.

    I was exactly talking about this. This was my condition before changing ISP. FYI I moved from a big ISP to a small one. My understanding is that big ISPs use this approach, cause having many public IPs is expensive (or at least, more expensive than just using NAT).


    With my previous provider Nextcloud / Plex and so on were completely inaccessible from outside my LAN (and I knew it). By changing ISP I guess it was possible for an external attack...


    But again, was it? I can't try this command (zcat /var/log/auth.log* | grep 'sshd.*opened) right now, will do soon.


    And by the way, I blame only myself for this, not TechnoDad or anyone else. I am a n00b but I was also pretty aware of the possibilities and consequences of having a server set up this way. The big mistake was not to realize the consequences of the ISP changes.


    Thanks all for the huge support, it's really appreciated

  • I fail to see where berating TechnoDadLife is of relevance unless there is a video somewhere that actually opens port 22, whilst the videos are somewhat basic they have helped get noobs up and running.

    You can bang on as much as you want about security, but if a noob watches a 'youtube guru' video and implements it that has nothing to do with OMV nor the How-To's in here. Likewise can be said about sites like Reddit.


    Let's look at we know;


    the logs clearly show numerous ssh access attempts from outside, what the logs do not appear to show is when the successful attempt occurred.


    shields up, shows the ports in stealth mode, which means they are not open, as this is new ISP and therefore new router all ports are closed, I have personally never had an ISP router with open ports. The customer has the option to open ports within the router to facilitate port forwarding.


    End user routers use dynamic ip addressing, the NAT router then 'translates' that to your home network, if you shut down your router then restart it you get issued with a different ip address. In the UK business users can be issued with a static public ip address by the ISP if requested as can home users.


    The attempted attacks within the logs clearly shows that port 22 was open otherwise the 'bot' would not have located it, having found it it will continue to bombard the port until it gets access. Unless there was another port open that had access to or was using ssh.

    Raid is not a backup! Would you go skydiving without a parachute?

  • It's tough to own it when crap happens and it's likely some lax policies allowed it (or at least made it easier) to happen. Glad you had a backup... hopefully it was reasonably current.


    If it were me... I would make some notes on settings and then do a clean install of OMV, just to make sure they didn't somehow leave themselves a back door in for another time... but that's your prerogative.


    Look at it this way, if you had a reasonably recent backup... the most this is really costing you is inconvenience and time... and it will be a lesson you won't soon forget (trust me, I've been there and it's one reason I'm so anal retentive about some things now).

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • if you had a reasonably recent backup... the most this is really costing you is inconvenience and time... and it will be a lesson you won't soon forget

    Two points that just hit it:

    Having a solid Backup and a Lesson learn, not only to the person that it happened but also to us not-so-knowlegeable-"newbies" that sometimes don't take measures due to either not knowing or weren't advise to do it.

    This makes you think that it's not just a matter of having a nice server/NAS/Home Cloud that can be used from anywhere in the world but also to try to keep things solid enough to prevent hiccups.

    Thank you to all of the inputs on this post so far, ;)

  • It's tough to own it when crap happens and it's likely some lax policies allowed it (or at least made it easier) to happen. Glad you had a backup... hopefully it was reasonably current.


    If it were me... I would make some notes on settings and then do a clean install of OMV, just to make sure they didn't somehow leave themselves a back door in for another time... but that's your prerogative.


    Look at it this way, if you had a reasonably recent backup... the most this is really costing you is inconvenience and time... and it will be a lesson you won't soon forget (trust me, I've been there and it's one reason I'm so anal retentive about some things now).


    I will probably ask the ISP to move to a NATted IP, I don't need the NAS to be accessible from the outside. Already changed all the psw , disabled ssh and implemented fail2ban.


    Actually, the omv nas WAS the backup so it's not a big deal in terms of data loss, just a huge wake up call that I was doing things the wrong way. So far it has been just a huge moral kick in the face.


    Btw henfri I ran the command:


  • I may be late to the party but just wanted to tell my story.


    I had a similar issue a year ago: somebody logged in my Transmission (torrent) instance and deleted everything*, tried to download a torrent (likely a malware), but ultimately abandoned the task.


    It was my fault: I had authentication enabled on Nginx but not in Transmission, and I'm sure I made a mistake in nginx config. So I disabled nginx auth and enabled it in Transmission using a strong generated password.


    What saved me? Transmission runs in a Docker container, which can only read the torrent download folder. So I just lost a couple of silly downloads and the malware/torrent they tried to download could not go anywhere.


    Also Transmission logs where stored somewhere else so it was easy to find out what happened.


    everything* = only my downloads (hehehe)

    OMV BUILD - MY NAS KILLER - OMV 5.x + omvextrasorg


    Core i3-8300 - ASRock H370M-ITX/ac - 8GB RAM - Sandisk Ultra Flair 32GB (OMV), 256GB NVME SSD (Docker), 3x4TB HDD (Data) - Fractal Design Node 304 - Be quiet! Pure Power 11 350W

  • Yeah, that's why I still doubt it was Plex or qBittorrent, they're both containerized and can read/write only the folders I've assigned to them. Unless of course I did a mess in the folders permissions...

  • Let me assure you... every single bit of that, was going on before Technodad ever produced a single minute of video about OMV and several of us here on the forum were screaming from the hilltops on setting things up properly. I agree w/ most of what you're saying, but this is crap that has went on long before him, and it will go on long after him. However if he attempted to drone on about security, etc.. people would just fast forward through that part of his video anyway and get to the setup. Then when they have a problem.. they are completely dumfounded that their idea instead of password1234, 4321password was the best password ever, was terrible.


    That still has not a single thing to do w/ Technodad.


    Fair enough. They would still exist without him, so my saying may have been a bit too harsh. But his vids nevertheless are on the exact right position to place at least a small hint. I would not expect everyone to note that but since thousands of people watch them, it could still change something. Half of them taking note would already be a big positive impact for the community. Perhaps my harshness came from being reminded of my attempt when I had asked him once and he just deleted my comment.

  • What about Public Key Authentication and is this guide by subzero79 still up to date for OMV 5? I know gderf has posted on a method for this more recently but I couldn’t find it off hand. And would it have thwarted such an attack through ssh (if that is what this was)?


    And about setting a different port for ssh: can someone post a quick 1-2-3 on that.

    Easy data backup: In a Scheduled Job: rsync -av --delete /srv/dev-disk-by-label-SOURCE/ /srv/dev-disk-by-label-DESTINATION/ (HT: Getting Started with OMV5)
    OMV 5 (current) - Thinkserver TS140, Nextcloud, Plex, Airsonic, Navidrome, Ubooquity, Digikam, Wetty, & Heimdall - NanoPi M4 (v.1): backups using Rsync and Rsnapshot - Odroid XU4 (Using DietPi): PiHole - hc2, xu4, Pi 3B+, Odroid H2, and VirtualBox: Testing and playing - Mac user converting to Linux, Debian 10 KDE.

  • Disabling password authentication and allowing only public keys will absolutely prevent any brute force user/password attacks from working. The logs will still be flooded though in the default configuration.


    Easiest way to change the port exposed to the internet is to change it in the router port forward settings and leave it set to 22 in OMV if the roter will allow the ports to be different.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 6.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!