
Resolved
0 votes
Hi;

My ClearOS Community Edition notified me that someone tried to get in my system 205 times on Sunday 10/09. I have Remote Management turned off.

ClearOS did its job keeping the intruder out and notifying me of the attempted break-in. So thank you ClearOS Community for the outstanding software tool.

So what does one do now? Do I call the police? I used whois lookup on the IP addresses. I think one, 123.31.34.238, is in Turkey and one, 176.53.12.123, is in Vietnam, but I am not absolutely sure. Do I call the FBI or the Carnegie Mellon Computer Security team? I am one guy, not Microsoft or Facebook. Do I notify my ISP [Charter Communications]?

Any advice is welcome, as I am not sure what the next step should be.

Paul
Monday, October 10 2016, 05:45 PM
Responses (13)
  • Accepted Answer

    Sunday, January 08 2017, 02:35 PM - #Permalink
    Resolved
    0 votes
    I see, thanks a lot guys. Nothing to be worried about then! :)
  • Accepted Answer

    Sunday, January 08 2017, 11:13 AM - #Permalink
    Resolved
    0 votes
    As Nick has indicated... check cron (and the other logs - use grep) for activity at that time...
    By the way - you just discovered this about 50 days later! - had that been a break-in you could have been toast by now ;-)

    clearconsole is part of ClearOS 6 and 7 and is a defined user

    [root@alex etc]# grep -r clearconsole *
    group:clearconsole:x:990:
    group-:clearconsole:x:990:
    gshadow:clearconsole:!::
    gshadow-:clearconsole:!::
    passwd:clearconsole:x:991:990:Console:/var/lib/clearconsole/:/bin/bash
    passwd-:clearconsole:x:991:990:Console:/var/lib/clearconsole/:/bin/bash
    shadow:clearconsole:!!:17127::::::
    shadow-:clearconsole:!!:17127::::::
    sudoers:clearconsole ALL=NOPASSWD: CLEARCONSOLE
    systemd/system/getty@tty1.service.d/autologin.conf:ExecStart=-/sbin/agetty --autologin clearconsole --noclear %I 38400 linux

    see here for one of the rpms that provides some of that function

    [root@alex etc]# rpm -q --list clearos-console
    /etc/systemd/system/getty@tty1.service.d
    /etc/systemd/system/getty@tty1.service.d/autologin.conf
    /var/lib/clearconsole
    /var/lib/clearconsole/.bash_profile

    I have some hits for clearconsole early in the life of my 7.3 production system before I did this

    systemctl set-default multi-user.target

    so I don't get the graphical screen any more on the local console - I prefer the standard boring but simple login prompt...
    At least I think this is the reason I don't see those entries anymore...
  • Accepted Answer

    Sunday, January 08 2017, 10:20 AM - #Permalink
    Resolved
    0 votes
    It is probably something related to cron. Have a look at /var/log/cron and see what was running at the time.
  • Accepted Answer

    Sunday, January 08 2017, 09:43 AM - #Permalink
    Resolved
    0 votes
    Hi,

    Sorry to break open this old thread, but I just noticed the message below in my logs and I'm worried. Who is clearconsole and why did it log in to my system in the middle of the night?!
    User clearconsole logged in via login - 2016-11-18 03:40:33

    Thanks!
  • Accepted Answer

    Thursday, October 13 2016, 01:50 PM - #Permalink
    Resolved
    0 votes
    If I were to hazard a guess, your "failed to execute unban" messages are because the firewall has restarted at some point in the past and wiped all the f2b iptables rules. Can you do an "iptables -nvL" and post the results between code tags (the piece of paper icon with a <> )? You can check the listing against what I posted earlier.

    You probably have similar failure messages when f2b tries to activate a Ban.
  • Accepted Answer

    Thursday, October 13 2016, 01:15 PM - #Permalink
    Resolved
    0 votes
    Hi Nick;

    I really appreciate your reply of Wednesday, October 12, 2016 at 12:34 PM US ET, on what to look for in the fail2ban log.

    I did a find string on "Found", "Ban", and "Unban" in my old and my latest fail2ban.log. I also tried variations searching for quot [not found], Found [not found], and Ban [not found].

    Here is what I found on Unban:
    2016-10-10 16:17:51,043 fail2ban.actions [4584]: NOTICE [sshd] Unban 123.31.34.238
    2016-10-10 16:17:51,266 fail2ban.actions [4584]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': 'Oct 9 13:09:15 URA sshd[8777]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.31.34.238Oct 9 13:09:17 URA sshd[8777]: Failed password for invalid user enrique from 123.31.34.238 port 63361 ssh2 [This is a huge line that looks like a reiteration of Sunday's attack log about the 123.31.34.238 IP. I truncated it for brevity.]
    2016-10-10 16:17:52,269 fail2ban.actions [4584]: NOTICE [sshd] Unban 176.53.12.123
    2016-10-10 16:17:52,493 fail2ban.actions [4584]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': 'Oct 9 15:59:49 URA sshd[29762]: Invalid user a from 176.53.12.123 [This is a smaller line that looks like a reiteration of Sunday's attack log about the 176.53.12.123 IP. I truncated it for brevity.]
    There were no more instances of Unban past this point.

    I really appreciate your feedback as I would be searching DuckDuckGo for clues on how to read the tea leaves in the fail2ban.log and what corrective actions if any to take.

    As for the ping, it doesn't matter to me if it is on or off. My interest is in securing the ClearOS gateway and the machines on my network.

    Thanks again, Paul
  • Accepted Answer

    Wednesday, October 12 2016, 04:30 PM - #Permalink
    Resolved
    0 votes
    If you find "Found" messages in your fail2ban log then your firewall is not blocking. It only blocks once you see "Ban" messages and stops blocking when you see an "Unban" message. You should not find any "Found" messages between a Ban and Unban message for an sshd jail. (You can for some other jails like some of the postfix ones for technical reasons, but only very soon after the Ban).

    There is a bug/feature of f2b (and therefore app-attack-detector) and how it plays with ClearOS which unfortunately has not been acknowledged and presumably, therefore, not fixed. Every time the firewall restarts, all f2b rules get wiped and f2b stops working (you will see Ban messages in the f2b log, but the firewall rules will fail to be created). As a quick and dirty fix add the line "service fail2ban restart" to /etc/clearos/firewall.d/local. If you want to have a look at the firewall, do an "iptables -nvL". In the INPUT chain you should see a rule for each jail you have enabled which jumps to a chain further down where you will see any blocked IPs.

    There are very polarized views about Steve Gibson. I think there is a lot of scaremongering going on and I do not believe in disabling pings. It will give you some obscurity but no security, and it may give you some issues with apps which use some sort of path MTU discovery. It won't stop ssh bots finding you. It also happens to be against the RFCs (the rules which govern lots of internet things).

    If you want to encrypt your LAN, there is a way of doing it with OpenVPN, but I doubt if you can do it for the TiVo or Playstation.
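The rule Nick gives above (a "Found" for an IP between its "Ban" and "Unban" means the firewall is not actually blocking, and a "Failed to execute" action error means the iptables rule never landed) can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from ClearOS/fail2ban; the log lines in SAMPLE_LOG are constructed in fail2ban's log format with documentation IP addresses, and `audit`, `firewall_is_blocking`, EVENT_RE and ERROR_RE are names chosen here. Run it with the path to a real fail2ban.log as its only argument.

```python
import re

# Constructed sample in fail2ban's log format (not taken from the thread):
# three Found events, a Ban whose iptables action fails, a Found that slips
# through while the ban is supposedly in force, then a clean Ban/Unban pair.
SAMPLE_LOG = """\
2016-10-09 13:09:15,100 fail2ban.filter  [4584]: INFO    [sshd] Found 192.0.2.10
2016-10-09 13:09:17,200 fail2ban.filter  [4584]: INFO    [sshd] Found 192.0.2.10
2016-10-09 13:09:19,300 fail2ban.filter  [4584]: INFO    [sshd] Found 192.0.2.10
2016-10-09 13:09:20,400 fail2ban.actions [4584]: NOTICE  [sshd] Ban 192.0.2.10
2016-10-09 13:09:20,600 fail2ban.actions [4584]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info '{...}'
2016-10-09 13:12:40,100 fail2ban.filter  [4584]: INFO    [sshd] Found 192.0.2.10
2016-10-09 13:19:21,000 fail2ban.actions [4584]: NOTICE  [sshd] Unban 192.0.2.10
2016-10-09 15:59:49,100 fail2ban.filter  [4584]: INFO    [sshd] Found 198.51.100.7
2016-10-09 15:59:55,100 fail2ban.actions [4584]: NOTICE  [sshd] Ban 198.51.100.7
2016-10-09 16:09:55,100 fail2ban.actions [4584]: NOTICE  [sshd] Unban 198.51.100.7
"""

# "[jail] Found|Ban|Unban <ip>" at the end of a line.
EVENT_RE = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)\s*$")
# The action errors quoted in the thread: the jail's iptables rule could not be applied.
ERROR_RE = re.compile(r"ERROR\s+Failed to execute (?P<what>ban|unban) jail '(?P<jail>[^']+)'")


def audit(log_text):
    """Walk the log in order and return (leaks, failures).

    leaks    : (jail, ip, timestamp) for every Found seen while that IP was
               between its Ban and Unban, i.e. the firewall was not blocking.
    failures : (jail, 'ban'|'unban', timestamp) for every iptables action error.
    """
    banned = set()          # (jail, ip) pairs fail2ban currently believes are blocked
    leaks, failures = [], []
    for line in log_text.splitlines():
        ts = line[:23]      # "YYYY-MM-DD HH:MM:SS,mmm"
        m = EVENT_RE.search(line)
        if m:
            key = (m["jail"], m["ip"])
            if m["event"] == "Ban":
                banned.add(key)
            elif m["event"] == "Unban":
                banned.discard(key)
            elif key in banned:           # Found while "banned": rule is not in iptables
                leaks.append((m["jail"], m["ip"], ts))
            continue
        e = ERROR_RE.search(line)
        if e:
            failures.append((e["jail"], e["what"], ts))
    return leaks, failures


def firewall_is_blocking(log_text):
    """True only if no Found slipped through a ban and no action failed."""
    leaks, failures = audit(log_text)
    return not leaks and not failures


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    leaks, failures = audit(text)
    for jail, ip, ts in leaks:
        print(f"{ts} LEAK   jail={jail} ip={ip}: Found while banned -> rules missing")
    for jail, what, ts in failures:
        print(f"{ts} ACTION jail={jail} {what} failed -> check 'iptables -nvL'")
    print("firewall blocking:", firewall_is_blocking(text))
```

Either finding is the symptom Nick describes: fail2ban believes the IP is banned, but a firewall restart has emptied its chains, so the next step is the `iptables -nvL` comparison and the restart hook in /etc/clearos/firewall.d/local from his post.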
  • Accepted Answer

    Wednesday, October 12 2016, 01:52 PM - #Permalink
    Resolved
    0 votes
    Hi Tony Ellis;
    Thank you for your Tuesday, October 11, 2016 at 3:18 AM US ET response.
    In the "Incoming Firewall" I have an "SSH" placeholder but it is currently disabled. I only enable it when I need it.
    Under "SSH Server" ClearOS gives the following message: "The app is installed, but the firewall is not allowing connections from external networks."
    I am glad you mentioned fail2ban. The fail2ban.log was one where I found 123.31.34.238 activity on 10/10. I am a hack, so I am trying to figure out what that means. I think it is just notification that the firewall is rejecting 123.31.34.238.
    I did install the beta application filter & the protocol filter, very interesting. Funny thing though, after I installed them my Wireless Access Point stopped providing Internet access [still connected, still functioned as a LAN, direct laptop connection provided Internet]. I only use it for cell phones, when I am at home, to keep down those pesky data charges. After much troubleshooting I discovered I got my WAP internet back when I removed its IP from the ClearOS IbVPN add-in. I am not saying there is a cause and effect but that was curious.
    I follow Steve Gibson on Twitter and read his Security Now Newsletter when he publishes it. About half of it is over my head. I have also run his Shields Up program from my Windows machine, with good results, although there were changes suggested that I still need to run down.
    I really do appreciate your input as I want to make my machine as secure as possible.

    Hi Nick Howitt;
    Thank you for your response Tuesday, October 11, 2016 at 11:46 AM US ET
    I have the following extras installed that I think are keeping outside intruders at bay: Gateway Antiphishing, Gateway Antivirus, Attack Detector, Intrusion Detection System [free version, all rules checked], Intrusion Prevention System.
    I use Lastpass with a YubiKey and my passwords and some of my log-ins are long and incomprehensible. Although I should change passwords more frequently.
    I really do value your input. I do want a secure system.

    Hi Tony;
    On your response from Tuesday, October 11, 2016 at 5:19 PM US ET
    I am running a small business on the Hot LAN and I am running a home network on the LAN [TIVO, PlayStation, Ubuntu Linux HTPC, other stuff]. I would love to encrypt LAN Intranet traffic too, but my skill set is lacking. That's something I need to work on.

    Thanks to both of you; I really appreciate your input.

    Paul
  • Accepted Answer

    Tuesday, October 11 2016, 09:14 PM - #Permalink
    Resolved
    0 votes
    see https://www.clearos.com/clearfoundation/social/community/posts-vanishing

    Below is an append made by Nick that disappeared...

    Nick Howitt replied to the discussion What do you do after a break-in attempt?

    Please don't think you have any more security with stock ClearOS compared to a domestic router. Your only security is user/password with a basic set up.

    There are a number of approaches you can take. Firstly, do you need to leave SSH open? If you don't, close it. If you do, at a minimum install app-attackdetector or fail2ban, but these give you no protection if the attack comes from an IP subnet - there is one Chinese bot which does this, so connections come from different but similar IP addresses.

    If you only need access for one or two devices consider closing the port on the WAN and connecting by Openvpn. You can then access SSH by using the ClearOS LAN IP. This is my preferred option. Other options are to change the port, set up SSH keys and set up port knocking. If you don't want to do anything like one of these options, then you are on your own, but at least use a strong password.
  • Accepted Answer

    Tuesday, October 11 2016, 07:15 AM - #Permalink
    Resolved
    0 votes
    There are thousands of machines on this planet attempting to break into systems all over the world - welcome to reality...

    What to do? Make your system less vulnerable and more secure.

    It would appear you have the ssh port open. Do you really need it open? Can you use a different port such as 222? Is ssh access only required from certain internet addresses? If so, allow only them, with firewall rules or by running xinetd with entries in /etc/hosts.allow.

    Investigate tools such as Fail2ban. Also read https://www.clearos.com/clearfoundation/social/community/two-new-apps-application-filter-and-protocol-filter

    Make use of the web. There is much information on closing system vulnerabilities and making your system more secure.
    I built my own application that both bans and logs break-in attempts. As you can see, I get many each day.
    http://danda.poweredbyclear.com/frame-29-banned.html
  • Accepted Answer

    Monday, October 10 2016, 09:05 PM - #Permalink
    Resolved
    0 votes
    I found the log to explore to find the port used for the failed login attempts. It is the "Secure" log. There may be other logs that would help.
    Oct 9 12:55:35 URA sshd[7953]: Failed password for invalid user admin from 123.31.34.238 port 64207 ssh2
    Oct 9 12:55:41 URA sshd[7955]: Failed password for invalid user support from 123.31.34.238 port 63567 ssh2
    Oct 9 12:55:48 URA sshd[7957]: Failed password for invalid user ubnt from 123.31.34.238 port 62973 ssh2
    Oct 9 12:55:54 URA sshd[7959]: Failed password for invalid user admin from 123.31.34.238 port 63439 ssh2
    Oct 9 12:56:01 URA sshd[7961]: Failed password for root from 123.31.34.238 port 62482 ssh2
    Oct 9 12:56:21 URA sshd[7963]: Failed password for invalid user test from 123.31.34.238 port 63159 ssh2
    Oct 9 12:56:31 URA sshd[7965]: Failed password for root from 123.31.34.238 port 62465 ssh2
    Oct 9 12:56:38 URA sshd[7967]: Failed password for invalid user PlcmSpIp from 123.31.34.238 port 63564 ssh2
    Oct 9 12:56:44 URA sshd[7969]: Failed password for invalid user admin from 123.31.34.238 port 62262 ssh2
    Oct 9 12:56:49 URA sshd[7971]: Failed password for invalid user user from 123.31.34.238 port 63818 ssh2
    There are 1800 lines in this log for the time period of the attempted break-in.
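With 1800 lines like the ones above, the useful questions are the ones Pim asked earlier in the thread: which source addresses, how many attempts, which user names, and whether any of the names targeted are accounts that really exist (sshd only says "invalid user" for names it does not know, so a bare "Failed password for root" is a guess at a real account). The script below is an added example, not code from the thread or from ClearOS; SAMPLE_SECURE is constructed in the /var/log/secure format shown above with documentation IP addresses, and `summarize`, `noisy_sources` and FAILED_RE are names chosen here. Pass the path to the real secure log as the only argument to run it over your own file.

```python
import re
import sys

# Constructed sample in the /var/log/secure format the thread shows (documentation
# IPs, not the addresses from the thread). An "Invalid user" notice and one accepted
# login are included to show that only "Failed password" lines are counted.
SAMPLE_SECURE = """\
Oct  9 12:55:35 URA sshd[7953]: Failed password for invalid user admin from 192.0.2.10 port 64207 ssh2
Oct  9 12:55:41 URA sshd[7955]: Failed password for invalid user support from 192.0.2.10 port 63567 ssh2
Oct  9 12:56:01 URA sshd[7961]: Failed password for root from 192.0.2.10 port 62482 ssh2
Oct  9 12:56:31 URA sshd[7965]: Failed password for root from 192.0.2.10 port 62465 ssh2
Oct  9 15:59:49 URA sshd[29762]: Invalid user a from 198.51.100.7
Oct  9 15:59:51 URA sshd[29762]: Failed password for invalid user a from 198.51.100.7 port 50122 ssh2
Oct  9 16:00:04 URA sshd[29770]: Failed password for invalid user ubuntu from 198.51.100.7 port 50130 ssh2
Oct  9 16:00:30 URA sshd[29780]: Accepted publickey for paul from 10.0.0.5 port 51000 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failed-password message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def summarize(log_text):
    """Group sshd 'Failed password' lines by source IP.

    Returns {ip: {"attempts", "users", "existing_users", "first", "last"}}.
    existing_users holds targeted names that sshd did NOT flag as invalid, i.e.
    accounts that really exist on the box (root, for instance); those deserve
    the closest look because a guess there could eventually succeed.
    """
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, "Invalid user" notices and the like are skipped
        rec = per_ip.setdefault(m["ip"], {
            "attempts": 0, "users": set(), "existing_users": set(),
            "first": m["ts"], "last": m["ts"],
        })
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        if not m["invalid"]:
            rec["existing_users"].add(m["user"])
        rec["last"] = m["ts"]  # the log is chronological, so the latest line wins
    return per_ip


def noisy_sources(per_ip, threshold):
    """IPs with at least `threshold` failed attempts, busiest first."""
    hits = [(ip, r["attempts"]) for ip, r in per_ip.items() if r["attempts"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: -t[1])]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE
    summary = summarize(text)
    for ip, r in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} {r['attempts']:5d} attempts  {r['first']} .. {r['last']}  "
              f"users={sorted(r['users'])}  existing={sorted(r['existing_users'])}")
    print("over threshold (3):", noisy_sources(summary, 3))
```

The threshold is the same idea fail2ban applies (maxretry within findtime); the difference is that this summary also tells you which real accounts were being guessed, which is the part worth acting on (key-only auth, no root login, or closing the WAN port as the later replies recommend).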
  • Accepted Answer

    Monday, October 10 2016, 07:33 PM - #Permalink
    Resolved
    0 votes
    This is what I got from "Community: Events and Notifications"
    IPv4 Firewall Error - Restricted Access Only 2016-10-09 16:19:34
    User clearconsole logged in via login 2016-10-09 16:16:05
    Failed login attempt by invalid user ubuntu from 176.53.12.123 2016-10-09 16:00:04, 5 times various user names
    Failed login attempt by invalid user admin from 123.31.34.238 2016-10-09 13:19:12, 200 times various user names

    I haven't had time to go through the system logs. There just hasn't been time. I had what I still think was an Internet outage Saturday night. I checked the Internet outage websites on the Android phone and they showed Charter down in my area. I called Charter and got a BS automated message that they didn't show anything but there may be a localized problem. I did not take the time to speak with tech support because of past bad experiences. I had Internet Sunday morning when I got up. I went to church and had several activities to do Sunday. I got to look at the system Sunday afternoon around 03.30. The log shows the break-in attempts started around 12.55 PM and ended at 04.00 PM. Actually they stopped when I put the IP address in the incoming firewall block list. I am surprised they did not just switch to another IP.

    I wonder how they found my IP. Was it a guess or is there something in one of my systems that is acting as a beacon?

    I wonder if my system is responding to pings, and if it is, how do I turn that off. I'll have to run that down.

    Can you direct me to the ClearOS log that will have the port information you are asking for? I'd like to know that myself. If you don't know, don't worry. I will run through the logs looking for that information.

    Thank God I am not using a consumer grade router.
  • Accepted Answer

    Monday, October 10 2016, 05:59 PM - #Permalink
    Resolved
    0 votes
    Hi Paul,

    Good question, but I think you can't do much; it's only an attempt. There is nothing stolen...

    What did they try? Did they try to get access via port 22 or via port 81 to the webconfig?