[arm-allstar] Login password changed automatically
Tony
node4139x at gmail.com
Mon Jan 27 14:49:16 EST 2020
On 1/26/20 5:21 AM, "Darren via ARM-allstar" wrote:
> Hi all,
>
> I am wondering if anyone else has experienced this issue and has a recommendation on how to fix it.
> ...
> Fast forward to present and I have had one of our club members who is hosting one of the Pis as a repeater link and simplex node at his QTH. He received a message from his ISP that a computer on his network is participating in a DDOS attack on his neighbors. When I tried to log into the Pi at that location to do some investigation, I got the same problem as 6 months ago, but on the second Pi, not the original. I try to log in and it keeps asking for the password. I could still log into the other 2 servers no problem.
> ...
> Has anyone seen this before and if so, how was it fixed? If not, how do I keep this from happening again? ...
A radio friend operates several VoIP-/radio-linked repeaters, and
called me for help with a somewhat different issue. He simply could not
ssh to the login prompt, and "nmap -sS -p 22 ..." requests took an
extraordinary time to complete, so at least I knew the machine was
operational. It took me about 15 minutes using an automated method to
gain a login prompt, and the first thing I did was examine the
log/journal files, a couple of which were several MB, mostly sshd login
failures. Luckily the password was strong, but if it wasn't, once the
root password is cracked, it can be changed and any sort of DDOS program
could have been planted. It sounds like you used a strong password, but
those millions of attempts might have possibly gained entrance ...
computers don't get bored of trying.
I edited /etc/ssh/sshd_config and changed port 22 to something else,
e.g. 20022 and restarted the daemon with "systemctl restart sshd". The
system again became accessible via ssh on port 20022. Log/journal
analysis showed over 3.7 _million_ ssh login attempts in 48 hours, which
were what was crippling the machine. They came from an APNIC block of 4
IP addresses (Asia Pacific).
My advice is to never use WKS (well known services) port 22 for ssh, as
it invites every bad player in the world to try and crack it.
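The log triage and the sshd_config change described in the message above, as an added example that is not part of the original thread. The log lines are constructed in the format sshd writes to the journal/auth.log (the IPs are documentation ranges, not the addresses from the incident), and the function names (failed_by_ip, failed_total, move_ssh_port) are hypothetical names chosen here.

```shell
#!/bin/sh
# Constructed sample of sshd journal/auth.log lines; not real captures from
# the node discussed in the thread. 203.0.113.x and 192.0.2.x are
# documentation ranges.
SAMPLE_LOG='Jan 26 05:01:12 node sshd[1201]: Failed password for root from 203.0.113.10 port 41022 ssh2
Jan 26 05:01:13 node sshd[1203]: Failed password for invalid user admin from 203.0.113.11 port 41030 ssh2
Jan 26 05:01:13 node sshd[1205]: Failed password for root from 203.0.113.10 port 41044 ssh2
Jan 26 05:01:14 node sshd[1207]: Accepted password for repeater from 192.0.2.7 port 52000 ssh2
Jan 26 05:01:15 node sshd[1209]: Failed password for root from 203.0.113.12 port 41050 ssh2
Jan 26 05:01:15 node sshd[1211]: Failed password for root from 203.0.113.10 port 41061 ssh2'

# Failed sshd logins per source IP, busiest source first.
# Reads log text on stdin, prints "<count> <ip>" per line.
# On a live box, feed it with: journalctl -u sshd --since "48 hours ago" | failed_by_ip
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Total number of failed password attempts in the input.
failed_total() {
    grep -c 'sshd\[[0-9]*\]: Failed password'
}

# Rewrite the Port directive of an sshd_config read on stdin to $1.
# Handles both the commented default "#Port 22" and an explicit "Port 22";
# every other line passes through unchanged.
# On a live box: move_ssh_port 20022 < /etc/ssh/sshd_config > /tmp/sshd_config.new,
# then review, install, and "systemctl restart sshd" as in the message.
move_ssh_port() {
    sed "s/^#\{0,1\}Port [0-9]*$/Port $1/"
}

# Run against the constructed data.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf 'failed attempts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | failed_total)"
printf '#Port 22\nPermitRootLogin yes\n' | move_ssh_port 20022
```

The per-IP summary is what tells you whether you are looking at a handful of sources hammering the box, as in the message, or a wide scan. Moving the port cuts the background noise but does not stop an attacker who scans for the new port; key-only authentication (PasswordAuthentication no) and a rate limiter such as fail2ban are the usual next steps on an exposed node.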