[arm-allstar] Login password changed automatically
Bryan St Clair
bryan at k6cbr.us
Mon Jan 27 18:35:55 EST 2020
For years I have had some form of a Linux box online and accessible with
SSH. By changing the default port to a nonstandard port and using a
strong and long root password, then setting my computers to use key
authentication (for my own laziness reasons), I have never seen a box
compromised. Not impossible, but for you to see multiple issues, my first
thought is the password you used was a recycled password that was already
compromised in the past.
Have you brought a node back online with the same IP and port to log who
tries to access it yet?
Bryan
On Mon, Jan 27, 2020 at 3:14 PM "Darren via ARM-allstar" <arm-allstar at hamvoip.org> wrote:
> Thanks for the reply Tony.
>
>
> Interestingly enough, the reason I even found the problem was that one of
> my nodes at a different location couldn't be logged into by ssh, and the
> host ham received an email from his ISP stating that a machine on his
> network was found to be causing a DDOS attack on a mail server.
>
>
> That is when I realized that I couldn't log into all of my nodes via ssh (3 at
> separate locations). When I went into Supermon and looked at the Linux
> logs, that is when I saw in the Linux log that there were 336 pages of
> attempted logins. I disabled port 222 from port forwarding and it stopped
> immediately and hasn't happened again in 24 hours. The only thing showing now
> is AllStar routine housekeeping tasks.
>
>
> Today I got a call from my ISP stating that one of the machines on my
> network had been creating an attack on a cloud hosting server in New York,
> but that it had stopped yesterday afternoon. Coincidentally, that was when I
> closed port 222.
>
>
> I noticed a post that was posted by another user a little while ago about
> being locked out of his root login as well.
>
>
> Might be something that all should check: log into their Supermon page
> and look at their Linux log and see if they are being attacked as well.
> Almost as though someone has seen that 222 was a default ssh port for AllStar
> and is using the systems for their attacks.
>
>
> Just my two cents worth from what I have found here.
>
>
> Regards,
>
> Darren VE3REK
>
>
>
>
> On Jan 27, 2020 2:49 PM, Tony via ARM-allstar <arm-allstar at hamvoip.org>
> wrote:
>
> On 1/26/20 5:21 AM, "Darren via ARM-allstar" wrote:
> > Hi all,
> >
> > I am wondering if anyone else has experienced this issue and has a
> > recommendation on how to fix it.
> > ...
> > Fast forward to present and I have had one of our club members who is
> > hosting one of the Pis as a repeater link and simplex node at his QTH. He
> > received a message from his ISP that a computer on his network is
> > participating in a DDOS attack on his neighbors. When I tried to log into
> > the Pi at that location to do some investigation, I got the same problem
> > as 6 months ago, but on the second Pi, not the original. I try to log in and
> > it keeps asking for the password. I could still log into the other 2 servers
> > no problem.
> > ...
> > Has anyone seen this before and if so, how was it fixed? If not, how do
> > I keep this from happening again? ...
>
> A radio friend operates several VoIP-/radio-linked repeaters, and
> called me for help with a somewhat different issue. He simply could not
> ssh to the login prompt, and "nmap -sS -p 22 ..." requests took an
> extraordinary time to complete, so at least I knew the machine was
> operational. It took me about 15 minutes using an automated method to
> gain a login prompt, and the first thing I did was examine the
> log/journal files, a couple of which were several MB, mostly sshd login
> failures. Luckily the password was strong, but if it weren't, once the
> root password is cracked, it can be changed and any sort of DDOS program
> could have been planted. It sounds like you used a strong password, but
> those millions of attempts might have possibly gained entrance ...
> computers don't get bored of trying.
>
> I edited /etc/ssh/sshd_config and changed port 22 to something else,
> e.g. 20022 and restarted the daemon with "systemctl restart sshd". The
> system again became accessible via ssh on port 20022. Log/journal
> analysis showed over 3.7 _million_ ssh login attempts in 48 hours, which
> were what was crippling the machine. They came from an APNIC block of 4
> IP addresses (Asia Pacific).
>
> My advice is to never use WKS (well known services) port 22 for ssh, as
> it invites every bad player in the world to try and crack it.
> _______________________________________________
>
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
>
--
Bryan
K6CBR
bryan at k6cbr.us
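The practical advice in this thread comes down to two checks on a node: read the sshd log for the flood of failed logins, and then look for any login that was *accepted* from one of the flooding addresses, which is the case Tony warns about (a strong password survives, a weak one eventually does not). The script below is an added example and is not code from this thread or from the HamVoIP/AllStar project. It parses sshd lines in the syslog format produced by `journalctl -u sshd` or /var/log/auth.log, counts failed password attempts per source address and per target account, and flags any accepted password login from an address that had been hammering the box. The log lines, hostname, PIDs and addresses are constructed for the example (the addresses come from the RFC 5737 documentation ranges), and the threshold of three failures is an assumption chosen to keep the sample readable; a real node would use a far higher one.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (as seen in /var/log/auth.log
# or `journalctl -u sshd`). Hostname, PIDs and addresses are made up; the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 26 04:12:01 node1 sshd[1123]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 26 04:12:02 node1 sshd[1123]: Failed password for root from 203.0.113.7 port 41023 ssh2
Jan 26 04:12:02 node1 sshd[1125]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Jan 26 04:12:03 node1 sshd[1127]: Failed password for root from 203.0.113.8 port 50211 ssh2
Jan 26 04:12:04 node1 sshd[1129]: Failed password for invalid user pi from 203.0.113.8 port 50212 ssh2
Jan 26 04:12:05 node1 sshd[1131]: Accepted publickey for repeater from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:placeholder
Jan 26 04:12:06 node1 sshd[1133]: Failed password for root from 203.0.113.7 port 41025 ssh2
Jan 26 04:12:07 node1 sshd[1135]: Failed password for root from 203.0.113.9 port 60100 ssh2
Jan 26 04:12:09 node1 sshd[1137]: Accepted password for root from 203.0.113.7 port 41026 ssh2
"""

# sshd writes "Failed password for <user>" for known accounts and
# "Failed password for invalid user <user>" for unknown ones.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_log(text):
    """Split sshd log text into failed-password attempts and accepted logins.

    Returns (failures, accepts): failures is a list of (user, ip) tuples,
    accepts is a list of (method, user, ip) tuples. Lines that are neither
    (disconnects, housekeeping chatter) are ignored.
    """
    failures, accepts = [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepts.append((m.group("method"), m.group("user"), m.group("ip")))
    return failures, accepts


def failures_per_source(failures):
    """Count failed password attempts per source address."""
    return Counter(ip for _user, ip in failures)


def users_targeted(failures):
    """Count failed password attempts per account name (root is the usual target)."""
    return Counter(user for user, _ip in failures)


def brute_force_sources(failures, threshold):
    """Source addresses with at least `threshold` failures, busiest first."""
    counts = failures_per_source(failures)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def suspicious_accepts(failures, accepts, threshold):
    """Password logins accepted from an address that was also brute-forcing.

    An 'Accepted password' line following a flood of failures from the same
    address means the guessing may have worked and the box needs a closer
    look. Key-based logins are not flagged.
    """
    attackers = set(brute_force_sources(failures, threshold))
    return [
        (user, ip)
        for method, user, ip in accepts
        if method == "password" and ip in attackers
    ]


def report(text, threshold=3):
    """One-call summary suitable for an ad hoc check on a node."""
    failures, accepts = parse_sshd_log(text)
    return {
        "total_failures": len(failures),
        "per_source": dict(failures_per_source(failures)),
        "per_user": dict(users_targeted(failures)),
        "brute_force_sources": brute_force_sources(failures, threshold),
        "suspicious_accepts": suspicious_accepts(failures, accepts, threshold),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

On a real node, replace SAMPLE_LOG with the output of `journalctl -u sshd --no-pager` (or the contents of /var/log/auth.log) and raise the threshold. On the sample, 203.0.113.7 is the only address over the threshold, and the final "Accepted password for root" from that same address is exactly the line that should trigger an investigation; the key-based login from 192.0.2.10 is not flagged, which is the point of Bryan's advice to move to key authentication in the first place.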