Posts by steakhutzeee

    From where you set them up.


    You might as well have something leaking around vpn or something jumping around the loopback. We can play guessing for a long time.

    Look at the firewall rules to make sure everything is ok and make sure the container routing with vpn is properly filtered.

    And set up your logs and listen for another case.

    I think I need some guidance here. I have not touched the firewall manually. I just access SSH locally as usual. For the other services I mentioned in my previous post, I have instead port-forwarded the ports on my router.


    Screenshot attached, my firewall tab is empty.

    This is the detail from the notifications I receive from fail2ban:


    Code
    Lines containing failures of 185.204.1.184
    Feb 13 09:07:51 DK sshd[30610]: User admin from 185.204.1.184 not allowed because none of user's groups are listed in AllowGroups
    Feb 13 09:07:51 DK sshd[30610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.204.1.184  user=admin
    Feb 13 09:07:53 DK sshd[30610]: Failed password for invalid user admin from 185.204.1.184 port 6632 ssh2


    Code
    Lines containing failures of 185.212.149.206
    Feb  7 14:09:14 DK sshd[17407]: User admin from 185.212.149.206 not allowed because none of user's groups are listed in AllowGroups
    Feb  7 14:09:14 DK sshd[17407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.212.149.206  user=admin
    Feb  7 14:09:16 DK sshd[17407]: Failed password for invalid user admin from 185.212.149.206 port 14059 ssh2

    How are you verifying that your sshd is not exposed to the internet?

    Because I had it in the past. I had the port forwarded to the outside. But for a long time now I have had that disabled and only access locally. I also tried to access the port from outside and it is inaccessible.


    Checked again now: I only have ports open on my router for SFTP, Wireguard and qBittorrent. The forwarded ports are different from the one I use for SSH, of course.

    You opened up ssh to the internet?


    Are you from Finland and Oy Crea Nova Hosting Solution Ltd is your ISP?

    Nope, as said, I only connect to my NAS locally or via a Wireguard container that's hosted on OMV itself. I'm not in Finland.


    EDIT: I also checked the latest handshakes for my Wireguard peers and there is nothing wrong there. So I actually have no clue how/why I'm receiving attempts on my SSH port, which is not exposed to the internet :/


    From the Fail2Ban logs I still see attempts now:


    Code
    2022-02-13 15:37:59,242 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:37:59
    2022-02-13 15:37:59,542 fail2ban.actions        [19528]: WARNING [ssh] 185.204.1.184 already banned
    2022-02-13 15:57:01,552 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:57:01
    2022-02-13 15:57:01,553 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:57:01
    2022-02-13 15:57:04,160 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:57:03
    2022-02-13 15:57:04,462 fail2ban.actions        [19528]: WARNING [ssh] 185.204.1.184 already banned
    2022-02-13 16:10:40,745 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 16:10:40
    2022-02-13 16:10:40,746 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 16:10:40
    2022-02-13 16:10:42,750 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 16:10:42
    2022-02-13 16:10:43,532 fail2ban.actions        [19528]: WARNING [ssh] 185.204.1.184 already banned


    Also found this:

    https://www.abuseipdb.com/check/185.204.1.184

    https://www.abuseipdb.com/check/185.212.149.206


    I can actually ping both of the IPs I mentioned in my first post.


    I mean, I would expect to find someone trying to force my SSH, but it's not public... how is that possible? Am I somehow missing how fail2ban works?
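As an added example, not code from this thread, from OMV or from fail2ban itself: a small Python script that applies fail2ban-style matching to sshd log lines like the ones quoted above, counts failures per source address, flags a ban once a source reaches the `maxretry` of 3 that the thread reports, and classifies each source as loopback, private or global. The last column is the quick check a defender wants here: a global source address in these lines means the attempt reached sshd from outside the LAN by some path. The regexes, the `maxretry` value and the sample log (the three quoted lines plus two constructed ones with a private address and an accepted key login) are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the three sshd lines quoted in the thread, plus two
# constructed lines (a failure from a LAN address and a successful key login).
SAMPLE_LOG = """\
Feb 13 09:07:51 DK sshd[30610]: User admin from 185.204.1.184 not allowed because none of user's groups are listed in AllowGroups
Feb 13 09:07:51 DK sshd[30610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.204.1.184  user=admin
Feb 13 09:07:53 DK sshd[30610]: Failed password for invalid user admin from 185.204.1.184 port 6632 ssh2
Feb 13 09:09:00 DK sshd[30631]: Failed password for invalid user test from 192.168.1.50 port 40000 ssh2
Feb 13 09:09:30 DK sshd[30640]: Accepted publickey for nasuser from 192.168.1.20 port 50112 ssh2
"""

# Failure patterns modelled on the quoted sshd lines (an assumption for this
# example, not fail2ban's own sshd filter file). Each captures the source IP.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"),
    re.compile(r"authentication failure;.*rhost=(?P<ip>[0-9a-fA-F.:]+)"),
    re.compile(r"User \S+ from (?P<ip>[0-9a-fA-F.:]+) not allowed because"),
]

MAXRETRY = 3  # the thread reports bans after 3 attempts (assumed jail setting)


def failures_by_source(log_text):
    """Count one failure per matching line, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break  # a line counts at most once, whichever pattern hit first
    return counts


def classify(ip):
    """Where did the connection come from: loopback, RFC1918/private, or global?"""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:  # check before is_private, which also covers 127/8
        return "loopback"
    if addr.is_private:
        return "private"
    return "global"


def report(log_text, maxretry=MAXRETRY):
    """Per-source summary: failure count, whether fail2ban would ban, and scope."""
    summary = {}
    for ip, n in failures_by_source(log_text).items():
        summary[ip] = {"failures": n, "ban": n >= maxretry, "scope": classify(ip)}
    return summary


if __name__ == "__main__":
    for ip, info in sorted(report(SAMPLE_LOG).items()):
        flag = "BAN" if info["ban"] else "ok "
        print(f"{flag} {ip:<16} failures={info['failures']} scope={info['scope']}")
```

Run it against a real `/var/log/auth.log` by replacing `SAMPLE_LOG` with the file contents; any source that shows up as `global` reached the daemon from outside the LAN, which is the first thing to reconcile against the router's forwards and the VPN container's routing.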

    Hi, I noticed something strange lately.


    I have my SSH set up on a different port than 22.


    -Disabled password auth.


    -PKA enabled.


    -Root access disabled.


    I access SSH only locally or via VPN (Wireguard container).


    -The IP 185.212.149.206 has just been banned by Fail2Ban after 3 attempts against SSH.

    -The IP 185.204.1.184 has just been banned by Fail2Ban after 3 attempts against SSH.


    What could be happening?


    Thanks

    Please make sure that you have installed the latest version (5.6.15), then run omv-salt deploy run cronapt. This should fix your issue.

    Thanks!

    Here is the output:


    Hello,


    I noticed something lately. It seems that cron-apt is not running, because in OMV I do not see any updates until I manually check for them.


    How can I fix this? Also, with both OMV4 and OMV5 I have never received notifications for available updates, only for the ones installed automatically.


    Thanks in advance!

    Hi,


    I noticed this entry in my syslog:


    kernel: [1816962.694777] TCP: enx001e06328f28: Driver has suspect GRO implementation, TCP performance may be compromised.


    Any idea what it is and whether I have to do something?


    Thanks!

    ddfull gives you an image you can just write to the media. dd requires you to recreate grub (on some systems), the MBR, etc., and then write the partition image. So, ddfull is just easier. I kept the dd option because some people have extra data partitions that might be very large that they don't want in the OS backup.

    Thanks a lot!


    So my first backup took 40 minutes. All 32 GB were read and the ddfull backup image is less than 2 GB. The microSD is 32 GB. Cloning it after shutdown only took 8 minutes. Is that because it's live?


    Two other things:


    -It's OK to manually delete the backup files, I assume.

    -Can I just copy the .ddfull.gz file somewhere else, ignoring the other files generated by the backup process? If yes, why are they still needed after the backup is complete?