[arm-allstar] Login password changed automatically

dklortie at teksavvy.com dklortie at teksavvy.com
Mon Jan 27 18:05:54 EST 2020 

Thanks for the reply Tony. 


Interestingly enough, the reason I even found the problem was that one on my nodes at a different location couldn't be logged into by ssh, and the host ham received an email from his isp stating that a machine on his network was found to be causing a DDOS attack on a mail server. 


That is when I realized that I couldn't log into all of my nodes ssh (3 at separate locations).  When I went into Supermon and looked at the Linux logs, that is when I saw that in the Linux log that there was 336 pages of attempted logins.  I disabled port 222 from port forwarding and it stopped immediately and hasn't happened again in 24 hours. Only thing showing note are all-star routine housekeeping tasks. 


Today I got a call from my isp stating that one of the machines on my network had been creating an attack on a cloud hosting server in New York, but that it had stopped yesterday afternoon.  Coincidentally when I closed port 222. 


I noticed a post that was posted by another user a little while ago about being locked out of his root login as well. 


Might be something that all should check to log into their Supermon page and look at their Linux log and see if they are being attacked as well.  Almost as though someone has seen that 222 was a default ssh for all-star and using the systems for their attacks. 


Just my two cents worth from what I have found here. 


Regards, 

Darren VE3REK 


Sent from Workspace ONE Boxer 


On Jan 27, 2020 2:49 PM, Tony via ARM-allstar <arm-allstar at hamvoip.org> wrote: 

On 1/26/20 5:21 AM, "Darren via ARM-allstar" wrote:
> Hi all,
>
> I am wondering if anyone else has experienced this issue and have a recommendation on how to fix it.
> ...
> Fast forward to present and I have had one of our club members who is hosting one of the pi's as a repeater link and simplex node at his qth.  He received a message from his ISP that a computer on his network is participating in a DDOS attack to his neighbors.  When I tried to log into the pi at that location to do some investigation and I got the same problem as 6 months ago, but on the second pi not the original.  Try to log in and keeps asking for password.  I could still log into the other 2 servers no problem.
> ...
> Has anyone seen this before and if so how was it fixed.  If not, how do I keep this from happening again. ...

A radio friend operates several voip-/radio-linked linked repeaters, and 
called me for help with a somewhat different issue. He simply could not 
ssh to the login prompt, and "nmap -sS -p 22 ..." requests took an 
extraordinary time to complete, so at least I knew the machine was 
operational. It took me about 15 minutes using an automated method to 
gain a login prompt, and the first thing I did was examine the 
log/journal  files, a couple of which were several MB, mostly sshd login 
failures. Luckily the password was strong, but if it wasn't, once the 
root password is cracked, it can be changed and any sort of DDOS program 
could have been planted. It sounds like you used a strong password, but 
those millions of attempts might have possibly gained entrance ... 
computers don't get bored of trying.

I edited /etc/ssh/sshd_config and changed port 22 to something else, 
e.g. 20022 and restarted the daemon with "systemctl restart sshd". The 
system again became accessible via ssh on port 20022. Log/journal 
analysis showed over 3.7 _million_ ssh login attempts in 48 hours, which 
were what was crippling the machine. They came from an APNIC block of 4 
IP addresses (Asia Pacific).

My advice is to never use WKS (well known services) port 22 for ssh, as 
it invites every bad player in the world to try and crack it.
_______________________________________________

ARM-allstar mailing list
ARM-allstar at hamvoip.org
http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar

Visit the BBB and RPi2/3/4 web page - http://hamvoip.org

More information about the ARM-allstar mailing list