My OMV got hacked, I need help

  • Hello,


    Please I need help,


    This morning I woke up and realised that my Heimdall had been edited by someone else, though I'm the only one in the house who knows Heimdall even exists.

    The Application list was emptied and a new user called "plop" was created, with a picture of a group of dudes looking angry.


I've immediately turned off my NAS and removed the network cable... and now I'm afraid to turn it back on.

    I'm pretty sure that they've put that picture after collecting everything they could...


I've checked my notification emails and saw this email at 7:36am:

    The following users are locked/banned or are candidates for too many failed login attempts:

    root:

    When: 2023-03-27 15:22:24

    Type: RHOST

    Source: (an IP address that is not mine)

    Valid: V


Then at 8:33 an email titled Anacron Job 'cron.daily'.



    Can you please tell me how severe this is for the personal data that I store on that NAS, and what should be my next steps ?

    To be transparent, I'm freaking out.




    Thank you so much in advance,

    Warm regards,

• Official post

I'm sorry to hear that. You should tell us more about your setup. According to your post I assume you've exposed OMV and your apps to the internet. I also assume that you are running Heimdall via a Docker container, right? Getting the email "The following users are locked/banned or are candidates for too many failed login attempts:" sounds good because it looks like they did not get access as the root user.

You should post your question in the Heimdall forum because it looks like they have a security issue that allows attackers to get access to their UI. Running Heimdall in a container should minimize the current situation because they shouldn't be able to break out of there, ideally. But I'm no expert here, maybe someone else can give more information.

  • You're right, I'm exposed to the internet via Duck DNS and Heimdall is running via a Docker container

Did you have password-protected Heimdall access, or could you just open the page and it would show the app links?


If the latter, then the system was open to, at least, Heimdall.


Not good news, but as votdev said, with the blocked user, the hack may not have gone too deep.


    For now, try to start the NAS disconnected from LAN, and list the files/folders to see what is the damage.


Search the internet for common file extensions of ransomware.

• Thanks for your quick reply,


    You're right, I'm exposed to the internet via Duck DNS and Heimdall is running via a Docker container.

I expose mine too but I configured it to ask for user/password as described on: https://hub.docker.com/r/linuxserver/heimdall/




Your logical next steps are:

1 - delete your current Heimdall config and recreate the container from scratch

2 - protect it as described in the documentation.

• Official post

    what should be my next steps ?

    What would I do in a case like this? It may seem excessive to more than one, but I would risk it:


    - Cancel external access. Close external access ports to the server on the router. Start the server on the local network.

    - Malware. Try to find some way to scan the server to check if you have malware or not. I guess someone else will be able to help with this. In any case I hope you have automatic backups of your data. If so, stop the autorun. If you had malware on your server the backup should still be clean depending on the time elapsed so far.

    - Do a clean installation of OMV. Restore the backup on the data disks. Reinstall services. It may seem paranoid but not doing it is taking a risk.

- Change all passwords for all services and change ports on the router. Use secure passwords; applications such as KeePassXC or Bitwarden can help you with this.


And as a personal opinion, exposing any service on the Internet with access through a user password is an unnecessary risk. I only do Nextcloud to facilitate access for my wife, share work files, etc., but Nextcloud is sufficiently protected: two-step access, fail2ban, ... I access everything else with WireGuard. I'm the only one who needs to access it, so why open more doors to the internet than necessary? You just have to press an icon on the phone to access it with a VPN.

• Official post

One more thing: if you have the possibility to change the public IP of your router I would do it too. If you do that and modify your domains you will disappear from the hacker who located you.

    For example, with my ISP's router if I do a factory reset and reboot my public IP changes.

  • You guys are amazing !

Thank you raulfg3, all changes to Heimdall are done now: removed all configs, reinstalled from scratch and set an admin user with a complex password.

    Thank you Chente, I've now cut all external connections, changed all users passwords and I'm considering starting everything from scratch.


    From what I understand now, they only got access to my Heimdall homepage because I did not set a specific user. They still know my Duck DNS domain, which I will change asap.

    I'm guessing they never had access to any other internal resource.



    The OMV community is really amazing - thank you all very much !

• Official post

    I'm guessing they never had access to any other internal resource.

    That will depend on what services heimdall had access to and what protection each service had. You are the one who knows best.

    Heimdall is only a gateway to other gates.

  • Personally, the only services I have internet exposed are things that I want other people to access, but even those are login account protected.


    Anything else that I would consider more of an admin function, like heimdall (personally I run dashy instead), portainer, OMV UI, etc, is only accessible from the internet via a wireguard vpn.

• Official post

    Personally, the only services I have internet exposed are things that I want other people to access, but even those are login account protected.


    Anything else that I would consider more of an admin function, like heimdall (personally I run dashy instead), portainer, OMV UI, etc, is only accessible from the internet via a wireguard vpn.

    Yeah, I've never forwarded Heimdall. Honestly, I'm not even sure why I have Heimdall anymore. I have a pretty organized set of bookmarks that take me to my domains

  • Yeah, I've never forwarded Heimdall. Honestly, I'm not even sure why I have Heimdall anymore. I have a pretty organized set of bookmarks that take me to my domains

I hear ya, I set up dashy to "have a look" at it as a potential multi-user splash page for use at the office, where I am jumping around the building from Linux to Mac to Windows so I could get access to the various servers I run. At home I use Opera and just have the links I need in a speed dial group.


Even at that though, I tend to remember the IPs easily enough, but I was also thinking about a couple of others in the office that are not as tech savvy but are still expected to log in to a couple of the servers to change an occasional config or reboot one if I'm not around. So the plan in the upcoming facility upgrades is dashy for the splash page for the server config pages (I kind of like dashy more since it is a little less "flashy" and it shows the "online" status of the servers via a green/red dot) and a small LXC running OliveTin, accessible in dashy, with buttons that are pre-programmed SSH CLI commands that will SSH to a server and run a command or script without those others having to venture into the scary world of the CLI. Both of the others are petrified of it.

  • Personally, the only services I have internet exposed are things that I want other people to access, but even those are login account protected.


    Anything else that I would consider more of an admin function, like heimdall (personally I run dashy instead), portainer, OMV UI, etc, is only accessible from the internet via a wireguard vpn.

    Which through many discussions I am nearly at as well. Actually, I am at that stage now.

  • May I suggest "real" router/firewall like pfSense with IDS/IPS running?

    Linux Mint (Edge) EndeavourOS Arch Linux

    OMV7 NAS, bond0 LACP, Fractal Design Define R5 Case, Kodi "Omega", FreeBSD pfSense Plus firewall/router

  • if you don't want to go down the cloudflare or pfsense/opnsense road, at the very least you should be using a reverse proxy like swag or nginx-proxy-manager with fail2ban enabled so that hammering by a hacker is blocked after a few failed login attempts. I believe swag has fail2ban built in, while nginx-proxy-manager requires an extra docker container and some custom config to make it work.

  • May I suggest "real" router/firewall like pfSense with IDS/IPS running?

Isn't fail2ban or CrowdSec enough for this type of attack?


    EDIT:

    if you don't want to go down the cloudflare or pfsense/opnsense road, at the very least you should be using a reverse proxy like swag or nginx-proxy-manager with fail2ban enabled so that hammering by a hacker is blocked after a few failed login attempts. I believe swag has fail2ban built in, while nginx-proxy-manager requires an extra docker container and some custom config to make it work.


    Read it after :p

• Isn't fail2ban or CrowdSec enough for this type of attack?


    EDIT:


    Read it after :p

fail2ban works well for hammering attacks, but you have to ensure it is working. Try logging in from the internet with bad credentials and monitor the fail2ban logs to make sure it is seeing the attempts. Keep doing it until you exceed the set number of bad attempts and a ban happens, then try with correct credentials. If you can't get in, the ban was successful.


You may want to check the set maxretry attempts, findtime and bantime though. The defaults are pretty low, so if the hammering is happening at a slower rate than that, it is not really effective.


I have mine set like this (5 failed attempts in 1 hour results in a 12 hour ban):

    maxretry = 5

    bantime = 10800

    findtime = 3600



    You can then remove the ban for yourself and feel fairly confident that it's working.


    It will not protect against someone that knows the credentials already, so if you have been breached already, you need to change all credentials too.
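The point made above about findtime and slow hammering can be checked offline. The following is an added example, not code from the thread or from the fail2ban project: it reimplements fail2ban's counting rule (ban an address once it has `maxretry` failures inside any `findtime`-second window, for `bantime` seconds) and runs it over constructed nginx-style access-log lines, where a failed login on a reverse-proxied page is assumed to appear as HTTP 401. The log lines, the IP 203.0.113.7 and the `/login` path are all made up for the example; the only real values are fail2ban's shipped jail.conf defaults (maxretry = 5, findtime = 10m, bantime = 10m) and the poster's settings.

```python
"""Sliding-window ban logic in the style of fail2ban's maxretry/findtime/bantime.

Added example, not from the original forum thread or from fail2ban itself.
It shows why an attacker who tries one password every few minutes slips under
the default findtime but is caught once findtime covers the whole run.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample lines (nginx combined-log style). Not real log data.
# Assumption: a wrong password on the proxied login page is logged as 401.
SLOW_HAMMER = "\n".join(
    f'203.0.113.7 - - [27/Mar/2023:15:{m:02d}:00 +0000] "POST /login HTTP/1.1" 401 0'
    for m in range(0, 60, 3)          # one failed login every 3 minutes for an hour
)
FAST_HAMMER = "\n".join(
    f'203.0.113.7 - - [27/Mar/2023:15:22:{s:02d} +0000] "POST /login HTTP/1.1" 401 0'
    for s in range(0, 60, 10)         # six failed logins, 10 seconds apart
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


@dataclass
class Jail:
    maxretry: int
    findtime: int                      # seconds, like fail2ban's findtime
    bantime: int                       # seconds, like fail2ban's bantime
    failures: dict = field(default_factory=dict)      # ip -> recent failure times
    banned_until: dict = field(default_factory=dict)  # ip -> ban expiry

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def observe(self, ip, ts):
        """Record one failure for ip at time ts; return True if it triggers a ban."""
        if self.is_banned(ip, ts):
            return False               # already banned, nothing new to do
        window_start = ts - timedelta(seconds=self.findtime)
        recent = [t for t in self.failures.get(ip, []) if t > window_start]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned_until[ip] = ts + timedelta(seconds=self.bantime)
            self.failures[ip] = []     # fail2ban starts counting afresh after a ban
            return True
        return False


def run(jail, log_text, fail_status=401):
    """Feed log lines to the jail; return [(ip, ban_time), ...] for bans issued."""
    bans = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status == fail_status and jail.observe(ip, ts):
            bans.append((ip, ts))
    return bans


if __name__ == "__main__":
    defaults = Jail(maxretry=5, findtime=600, bantime=600)      # jail.conf defaults
    posters = Jail(maxretry=5, findtime=3600, bantime=10800)    # settings from the post
    print("fast hammer, defaults:", run(Jail(5, 600, 600), FAST_HAMMER))
    print("slow hammer, defaults:", run(defaults, SLOW_HAMMER))   # no ban at all
    print("slow hammer, 1h findtime:", run(posters, SLOW_HAMMER))  # banned at 15:12
```

With the defaults the slow run never has more than four failures inside any ten-minute window, so no ban is ever issued; with findtime = 3600 the fifth failure at 15:12 trips the ban and the remaining attempts fall inside bantime. The same simulation can be pointed at a real access log to see which of your settings would actually have caught a given run before changing them on the live jail.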

• There are some misunderstandings on this matter.


    The reason that OP was hacked is none other than the fact that the container was running wide open.


    When launching Heimdall and reverse-proxying it (be it via SWAG, NPM, whatever) it should be enforced that password access is configured on it:




If people don't do this, anyone who manages to find the URL will be able to make any changes they want (which was the case for OP).

    If the container is running as an unprivileged user, the hack won't go too far other than being able to change the Heimdall container itself.



The links on the above example point to reverse-proxied services that will require another auth once clicked. (NOTE: except SCRUTINY, but I will explain below.)


The above example has only default links on Heimdall that point to other proxied services. Clicking those links will open NEW webpages that require another authentication. The hack will be blocked.


    Now, let's add some complexity to this:

    Imagine that USER created the links with access to extract INFO from the services that the links point to (which required saved USER/PASSWORD) to read some METRICS from those same services.

    The HACKER will be able to find more INFO on how to access those services.


As mentioned above, the SCRUTINY service that is seen on that PAGE, once running, is open to the world.

    Although it's a not-so-dangerous container, it's still accessible to anyone via WAN (if they figure out the URL), as long as it's running.

    With this in consideration, I keep the container down, until I want to see the INFO from it:

Go to the OMV GUI, launch the container in Services -> Compose, access the SCRUTINY PAGE, see what I want to see and bring the container down afterwards.


So, TL;DR:

    When running Heimdall, make sure that a USER/PASSWORD is set/created PRIOR to making any hops/links, to block any unwanted access.
