[arm-allstar] Login password changed automatically

Elden W7LDN w7ldn at w7ldn.com
Mon Jan 27 18:46:38 EST 2020


I'm no expert. But I've always figured the best way to secure SSH is to
disable the ability to log in with a password... and use keys instead.

On Mon, Jan 27, 2020 at 3:38 PM "Bryan St Clair via ARM-allstar" <
arm-allstar at hamvoip.org> wrote:

> For years I have had some form of a Linux box online and accessible with
> SSH.   By changing the default port to a nonstandard port and using a
> strong and long root password, then setting my computers to use key
> authentication (for my own laziness reasons), I have never seen a box
> compromised.  Not impossible, but for you to see multiple issues, my first
> thought is the password you used was a recycled password that was already
> compromised in the past.
>
> Have you brought a node back online with the same IP and port to log who
> tries to access it yet?
>
> Bryan
>
> On Mon, Jan 27, 2020 at 3:14 PM "Darren via ARM-allstar" <
> arm-allstar at hamvoip.org> wrote:
>
> > Thanks for the reply Tony.
> >
> >
> > Interestingly enough, the reason I even found the problem was that one on
> > my nodes at a different location couldn't be logged into by ssh, and the
> > host ham received an email from his isp stating that a machine on his
> > network was found to be causing a DDOS attack on a mail server.
> >
> >
> > That is when I realized that I couldn't log into all of my nodes' ssh (3
> > at separate locations).  When I went into Supermon and looked at the Linux
> > logs, that is when I saw that in the Linux log there were 336 pages of
> > attempted logins.  I disabled port 222 from port forwarding and it stopped
> > immediately and hasn't happened again in 24 hours. Only thing showing now
> > are all-star routine housekeeping tasks.
> >
> >
> > Today I got a call from my isp stating that one of the machines on my
> > network had been creating an attack on a cloud hosting server in New York,
> > but that it had stopped yesterday afternoon.  Coincidentally when I closed
> > port 222.
> >
> >
> > I noticed a post that was posted by another user a little while ago about
> > being locked out of his root login as well.
> >
> >
> > Might be something that all should check to log into their Supermon page
> > and look at their Linux log and see if they are being attacked as well.
> > Almost as though someone has seen that 222 was a default ssh for all-star
> > and using the systems for their attacks.
> >
> >
> > Just my two cents worth from what I have found here.
> >
> >
> > Regards,
> >
> > Darren VE3REK
> >
> >
> > Sent from Workspace ONE Boxer
> >
> >
> > On Jan 27, 2020 2:49 PM, Tony via ARM-allstar <arm-allstar at hamvoip.org>
> > wrote:
> >
> > On 1/26/20 5:21 AM, "Darren via ARM-allstar" wrote:
> > > Hi all,
> > >
> > > I am wondering if anyone else has experienced this issue and has a
> > > recommendation on how to fix it.
> > > ...
> > > Fast forward to present and I have had one of our club members who is
> > > hosting one of the pi's as a repeater link and simplex node at his qth. He
> > > received a message from his ISP that a computer on his network is
> > > participating in a DDOS attack to his neighbors.  When I tried to log into
> > > the pi at that location to do some investigation, I got the same problem
> > > as 6 months ago, but on the second pi not the original.  Try to log in and
> > > it keeps asking for password.  I could still log into the other 2 servers no
> > > problem.
> > > ...
> > > Has anyone seen this before and if so how was it fixed?  If not, how do
> > > I keep this from happening again. ...
> >
> > A radio friend operates several voip-/radio-linked repeaters, and
> > called me for help with a somewhat different issue. He simply could not
> > ssh to the login prompt, and "nmap -sS -p 22 ..." requests took an
> > extraordinary time to complete, so at least I knew the machine was
> > operational. It took me about 15 minutes using an automated method to
> > gain a login prompt, and the first thing I did was examine the
> > log/journal files, a couple of which were several MB, mostly sshd login
> > failures. Luckily the password was strong, but if it wasn't, once the
> > root password is cracked, it can be changed and any sort of DDOS program
> > could have been planted. It sounds like you used a strong password, but
> > those millions of attempts might have possibly gained entrance ...
> > computers don't get bored of trying.
> >
> > I edited /etc/ssh/sshd_config and changed port 22 to something else,
> > e.g. 20022 and restarted the daemon with "systemctl restart sshd". The
> > system again became accessible via ssh on port 20022. Log/journal
> > analysis showed over 3.7 _million_ ssh login attempts in 48 hours, which
> > were what was crippling the machine. They came from an APNIC block of 4
> > IP addresses (Asia Pacific).
> >
> > My advice is to never use WKS (well known services) port 22 for ssh, as
> > it invites every bad player in the world to try and crack it.
> > _______________________________________________
> >
> > ARM-allstar mailing list
> > ARM-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> >
>
>
> --
> Bryan
> K6CBR
> bryan at k6cbr.us
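An added example (not code from anyone on the list) tying together the two mitigations the thread discusses, Tony's nonstandard port and Elden's key-only login, with the log review Tony describes: it tallies sshd password failures per source address and audits an sshd_config for the weak settings. It assumes OpenSSH's standard syslog wording ("Failed password for <user> from <ip>"); the log lines and both config fragments are constructed.

```shell
#!/bin/sh
# Added example: tally sshd password failures per source IP and audit the
# sshd_config settings discussed in the thread. Log lines and config text
# below are constructed; the log format is OpenSSH's standard syslog wording.

SAMPLE_LOG='Jan 27 03:14:01 node1 sshd[2210]: Failed password for root from 203.0.113.10 port 41022 ssh2
Jan 27 03:14:02 node1 sshd[2210]: Failed password for root from 203.0.113.10 port 41023 ssh2
Jan 27 03:14:02 node1 sshd[2213]: Failed password for invalid user admin from 203.0.113.11 port 50112 ssh2
Jan 27 03:14:03 node1 sshd[2215]: Failed password for root from 203.0.113.10 port 41030 ssh2
Jan 27 03:15:10 node1 sshd[2219]: Accepted publickey for pi from 198.51.100.7 port 60000 ssh2
Jan 27 03:15:40 node1 sshd[2221]: Failed password for root from 203.0.113.12 port 33210 ssh2'

# Weak settings (port 22, root + password login allowed) beside the hardened
# counterpart: nonstandard port and key-only authentication.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'
HARDENED_CONFIG='Port 20022
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes'

# Total "Failed password" lines in the log text read from stdin.
failed_total() {
    grep -c 'sshd\[[0-9]*\]: Failed password' || true
}

# "<count> <ip>" per source address, busiest first (the word after "from").
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
         }
         END { for (ip in ips) print ips[ip], ip }' | sort -rn
}

# Report weak directives in sshd_config text from stdin; exit 1 if any found.
# sshd honours the first occurrence of a keyword, so later duplicates are
# ignored, and PasswordAuthentication defaults to yes when absent.
audit_sshd_config() {
    awk 'BEGIN { pw = "yes" }
         tolower($1) == "port" && !p { p = 1; if ($2 == "22") { print "Port 22 (well-known)"; f++ } }
         tolower($1) == "permitrootlogin" && !r { r = 1; if (tolower($2) == "yes") { print "PermitRootLogin yes"; f++ } }
         tolower($1) == "passwordauthentication" && !s { s = 1; pw = tolower($2) }
         END { if (pw != "no") { print "PasswordAuthentication not set to no"; f++ }
               exit (f > 0) }'
}
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "weak config: fix the findings above"
```

On a live node the same functions can be fed `journalctl -u sshd --no-pager` and `/etc/ssh/sshd_config` instead of the constructed samples.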

