am I under attack ?

  • well I was reading my syslog and this consecutive message get my attention. over and over again said permission denied (now, cause I disabled ssh) and many ip's added to the list of known hosts.

  • yes, to access to qbittorrent container. I already tried change raspberry IP, hostname, remove all permission of "pi" user, delete all port fordwaring.

    should I do a clean installation?

  • In general, when you expose ssh to the internet it is very common someone will find it and try to connect. It is an automated process where people search for vulnerable devices in the internet. If you use PublicKey authentication, you should actually be quite safe. You could also setup a fail2ban service that bans an ip after certain number of failed login attempts. It is also a good idea to not use default ports and not expose the port permanently but only when you need it. (Thats actually what I do, since I rarely need it anyway)

    But still this is just hardening against common noob attacks. To some level, you are still vulnerable to serious attacks. At least such attacks occur very rarely, if at all, unless you are a worthwhile target. To protect yourself against this while still exposing ports, you would have to go to a lot more effort. Eg. companies have much more complex security / firewall concepts. But this is hardly worth it at home. At home, the most efficient and effective solution for secure permanent access is to allow it only via VPN.

    Regarding your logs it is not the failed login attempts what looks strange for me, but the warning about IPs that have been added to your known hosts. I'm not a professional but could be that someone successfully did some nasty on your server. So I agree best solution may be to reinstall everything.

  • Maybe reverse lookup those IP addresses?

    If I access my OMV from away, using a VPN / TOR on my devices obviously, I get all kids of IPs that I log in from and they show on my logs.

    Maybe clear the log and look if there's a pattern of re-occurance (that's what I do with error codes on engine ECUs).

    And maybe your OMV even shows up on Shodan, it might reveal vulnerabilities...

    Some content might be slightly modified to mask personal settings- just to keep the sharks away, you never know :)

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!