Compromised login -- investigate odd IPs!


mastrmind11

TL;DR -- Did a reverse lookup of an IP, turns out to be a rogue user, no idea how they got the PW but monitor your shit... pretty bizarre.

I'm not entirely sure how this came about, but yesterday I noticed a user I labeled "Parents" logging in and watching Nickelodeon.  My parents live in HI and I live in NY, and they have some relatives visiting at the moment.  Due to the time difference, I didn't think anything of the fact they were logging in at 1am NY time, but the age range of who's visiting doesn't coincide w/ watching Nick Jr shows, not to mention the fact that they rarely connect to my server.  The user also tried to update settings for 2 other users and was denied due to bad password.  I have no idea how the password was guessed, but access.log, fail2ban.log, nginx.log, and emby-server.log(s) do not show a brute force... they would've been blocked. I disabled the account for now.

The IP connecting originates in Puerto Rico, and I confirmed from my Parents in HI that they have not tried to connect in the last month, nor are they using a VPN.

mastrmind11

More of a heads up... set up monitoring.  I can't, for the life of me, figure out how they got the password.... but being users who are 65+ years, they don't quite understand security.  Maybe they have a word doc w/ passwords on their PC that was compromised... I dunno.  Eye opening, and in the end, watch out for your own shit.

pir8radio

TL;DR -- Did a reverse lookup of an IP, turns out to be a rogue user, no idea how they got the PW but monitor your shit... pretty bizarre.

I'm not entirely sure how this came about, but yesterday I noticed a user I labeled "Parents" logging in and watching Nickelodeon.  My parents live in HI and I live in NY, and they have some relatives visiting at the moment.  Due to the time difference, I didn't think anything of the fact they were logging in at 1am NY time, but the age range of who's visiting doesn't coincide w/ watching Nick Jr shows, not to mention the fact that they rarely connect to my server.  The user also tried to update settings for 2 other users and was denied due to bad password.  I have no idea how the password was guessed, but access.log, fail2ban.log, nginx.log, and emby-server.log(s) do not show a brute force... they would've been blocked. I disabled the account for now.

The IP connecting originates in Puerto Rico, and I confirmed from my Parents in HI that they have not tried to connect in the last month, nor are they using a VPN.

You are https only right?  As in don't allow http connections after the initial request?  If so, I would guess some script kiddie has a key logger or something on their PC, time for a super scan!   :)

mastrmind11

You are https only right? As in don't allow http connections after the initial request? If so, I would guess some script kiddie has a key logger or something on their PC, time for a super scan! :)

Yeah https only. It's definitely some bs one-off, but bizarre nonetheless. I have 0 bad pw guesses in my logs in the past week, though they did try to guess 2 other accounts on the login dashboard 1x. Really odd. Will be monitoring the IP in the next few days.

Sent from my SM-G950U using Tapatalk

I recently looked through my server's logs, man there have been a lot of people trying to knock down my door. Glad I have login from any remote IPs blocked. Mind you this is for my ubuntu box and not so much emby, I don't allow remote connections to emby at all.

I love tech and I like security but I hate having to spend much time on it. So for now my openvpn setup will do :)

Swynol

good catch.

It's pretty scary when you look at firewall logs. This is mine from this morning: 40,000 attempts blocked in 24 hrs, mostly port scans, people trying to access ftp, ssh etc.

[Attached screenshot: firewall log showing the blocked attempts]

mastrmind11

yeah, at any given time I have 100+ IPs jailed from ssh attempts alone, and they only get jailed after 4 bad login attempts in 2 minutes, and get unjailed 30 mins after their last attempt!  freaky stuff.

dcrdev

How are you guys accumulating so many ssh attempts?

I don't think I've ever had that problem and all I'm really doing protection wise is fail2ban and only using key based authentication.

mastrmind11

How are you guys accumulating so many ssh attempts?

I don't think I've ever had that problem and all I'm really doing protection wise is fail2ban and only using key based authentication.

I'm using standard ports for everything and letting f2b do the work.

Here, I only open port 443 to secure connections. I do some funny ACL and action rules in my reverse proxy to redirect https calls to my public IP address that don't have a ruled-in http request domain to a dummy IP. The net effect is the attacker will get a dead page.

I am in the middle of setting up fail2ban to work for all of my publicly accessible sites.

A correct password guess on the first attempt on a reasonably complex password would indicate that the attacker already had the password. I would recommend scanning client systems and making sure they are not infected with a key logger, and checking that network devices have not been compromised.

Sent from my iPhone using Tapatalk
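
The two observations in this post and in the opening one (a correct password on the very first try, and the same address then failing against other accounts) are exactly what a small log check can surface before someone happens to notice Nick Jr at 1am. The script below is an added example, not code from this thread or from Emby: the one-event-per-line log format, the account names and the addresses are constructed, and the per-user baseline of previously seen addresses is assumed to come from an earlier, trusted stretch of the same logs. Point LINE_RE at whatever your server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (NOT Emby's or nginx's real format):
# "<timestamp> AUTH <ok|fail> user=<name> ip=<addr>", one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH (?P<result>ok|fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample events; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-12-20 21:10:03 AUTH ok user=mastrmind11 ip=192.0.2.10
2017-12-21 01:02:41 AUTH ok user=Parents ip=203.0.113.77
2017-12-21 01:05:12 AUTH fail user=Kids ip=203.0.113.77
2017-12-21 01:05:40 AUTH fail user=Guest ip=203.0.113.77
2017-12-21 09:30:00 AUTH ok user=Parents ip=198.51.100.5
"""

# Addresses each account has legitimately used before (assumed to be built from
# an earlier, trusted period of the same logs).
BASELINE = {
    "mastrmind11": {"192.0.2.10"},
    "Parents": {"198.51.100.5"},
}


def parse_events(text):
    """Turn log text into a list of event dicts, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_suspicious_logins(events, baseline):
    """Flag successful logins from an address the account has never used before.

    Each finding records whether the address succeeded without any earlier
    failure for that account (a first-try success suggests the password was
    already known) and which other accounts the same address failed against.
    """
    failures_by_ip = defaultdict(list)  # ip -> [(time, user)] for failed attempts
    for ev in events:
        if ev["result"] == "fail":
            failures_by_ip[ev["ip"]].append((ev["ts"], ev["user"]))

    findings = []
    for ev in events:
        if ev["result"] != "ok" or ev["ip"] in baseline.get(ev["user"], set()):
            continue
        fails = failures_by_ip[ev["ip"]]
        earlier_own = [t for t, u in fails if u == ev["user"] and t < ev["ts"]]
        other_accounts = sorted({u for _, u in fails if u != ev["user"]})
        findings.append({
            "user": ev["user"],
            "ip": ev["ip"],
            "time": ev["ts"].isoformat(sep=" "),
            "first_try": not earlier_own,          # no failed guesses before success
            "probed_accounts": other_accounts,     # other users this address tried
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(parse_events(SAMPLE_LOG), BASELINE):
        print(finding)
```

On the constructed sample this reports a single finding: "Parents" from 203.0.113.77 at 01:02:41, first-try success, with failed attempts against "Guest" and "Kids" from the same address. The later "Parents" login from 198.51.100.5 is in the baseline and is not reported. A finding with first_try true and a non-empty probed_accounts list is the combination worth disabling an account over, and a cron job feeding it the previous day's log is all the monitoring the original post asks for.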

Jdiesel

I only have ports 443 and 22 open to the internet. I've been wanting to set up fail2ban for a while now but I'm not currently using a reverse proxy. I suppose I should at least use a non-default port for ssh as I'm sure my server is getting pounded.

On a side note, does anyone know of a linux firewall that would allow me to whitelist connections from a specific country and block all others? I'm just using UFW at the moment but I don't think it has the capability to set up something like that.

dcrdev

I only have ports 443 and 22 open to the internet. I've been wanting to set up fail2ban for a while now but I'm not currently using a reverse proxy. I suppose I should at least use a non-default port for ssh as I'm sure my server is getting pounded.

On a side note, does anyone know of a linux firewall that would allow me to whitelist connections from a specific country and block all others? I'm just using UFW at the moment but I don't think it has the capability to set up something like that.

Yes, fail2ban with geoip will do this for you.

Perhaps I'm misreading your post, but you know you don't need a reverse proxy to use f2b, right?

Jdiesel

Yes, fail2ban with geoip will do this for you.

Perhaps I'm misreading your post, but you know you don't need a reverse proxy to use f2b, right?

I thought I needed a reverse proxy to use fail2ban with Emby. Or can I just point fail2ban to the Emby log files rather than to NGINX? I realize I could be using it for SSH though.

mastrmind11

I thought I needed a reverse proxy to use fail2ban with Emby. Or can I just point fail2ban to the Emby log files rather than to NGINX? I realize I could be using it for SSH though.

Yeah you'd just point it at the Emby logs.  Nginx is so easy to set up it's almost silly to not have it at this point, and the integration w/ fail2ban is simple.

dcrdev

I agree with this - reverse proxies are great, you could even take it one step further and plonk CloudFlare on top of it.

My server is insanely locked down:

CentOS with full SELinux enforcement on ZFS with full disk encryption, on top of hardware decryption ---> Emby ---> Apache reverse proxy only accepting secured connections ----> fail2ban ---> iptables preventing inbound connections on anything but 443 and the port for ssh -----> pfSense firewall blocking all inbound again ----> CloudFlare with DNSSEC, HSTS and Strict SSL mode ----> behind a dynamic IP that is renewed from the modem every 24 hours via telnet script.

It's a bit over the top, but hey ho.

Jdiesel

I once used a reverse proxy and Cloudflare but removed both from my setup to simplify things. I closed up all of my other services to the internet and connect to them through an ssh tunnel now. I also moved to a purchased ssl cert so I no longer have to worry about renewing my letsencrypt cert every few months. I've been trying to adhere to the KISS principle and so far it has been working well for me, by no means the most secure but it works.

I think adding fail2ban to my setup would be a worthwhile endeavor though.

dcrdev

I once used a reverse proxy and Cloudflare but removed both from my setup to simplify things. I closed up all of my other services to the internet and connect to them through an ssh tunnel now. I also moved to a purchased ssl cert so I no longer have to worry about renewing my letsencrypt cert every few months. I've been trying to adhere to the KISS principle and so far it has been working well for me, by no means the most secure but it works.

I think adding fail2ban to my setup would be a worthwhile endeavor though.

I feel rather stupid for having to look up the KISS principle lol.

Fair enough, but yes, definitely get fail2ban; it's a must for any public-facing Linux server, seriously!

Jdiesel

Fail2Ban is set up and banning SSH connection attempts already :D

Does anyone have a jail configuration for parsing Emby logs directly?

dcrdev

This is making me want to build a second gateway, and employ encryption, tunneling and another firewall.

It's a rocky road to madness - trust me, once you start you can't stop.

Guest asrequested

It's a rocky road to madness - trust me, once you start you can't stop.

Lol.. Yeah, I don't want to reverse proxy. I want to do as much as I can, locally.

Lol.. Yeah, I don't want to reverse proxy. I want to do as much as I can, locally.

So you are still not able to get your VPN up on the Ubiquiti firewall?

Sent from my iPhone using Tapatalk

mastrmind11

Fail2Ban is set up and banning SSH connection attempts already :D

Does anyone have a jail configuration for parsing Emby logs directly?

Lol. Throw netdata into the mix and watch the fail2ban chart.

Re the script, just search the forums for the fail2ban regex, it's what I use and it works fine.

Sent from my SM-G950U using Tapatalk
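
The numbers mastrmind11 gave earlier in the thread (jailed after 4 bad attempts in 2 minutes, released 30 minutes later) map onto fail2ban's maxretry, findtime and bantime settings, and the country/whitelist question maps onto its ignoreip. The following added example models that jail logic in Python so you can see exactly which addresses get banned and when; it is neither fail2ban's own code nor anything posted in this thread, the sshd-style log lines are constructed sample data, and for Emby you would replace FAIL_RE with the Emby filter regex from the forum (not reproduced here).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd-style failure lines (sample data, not a capture from any real server).
# 203.0.113.9 fails four times inside a minute, is refused while banned, then returns after 30 min;
# 198.51.100.7 sits inside an ignored network; 203.0.113.50 keeps each attempt 3 minutes apart.
SAMPLE_AUTH_LOG = """\
2017-12-21 01:00:10 sshd[1001]: Failed password for root from 203.0.113.9 port 40001 ssh2
2017-12-21 01:00:20 sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
2017-12-21 01:00:31 sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
2017-12-21 01:00:45 sshd[1004]: Failed password for root from 203.0.113.9 port 40004 ssh2
2017-12-21 01:00:50 sshd[1005]: Failed password for root from 203.0.113.9 port 40005 ssh2
2017-12-21 01:02:00 sshd[1006]: Failed password for invalid user pi from 198.51.100.7 port 40006 ssh2
2017-12-21 01:02:10 sshd[1007]: Failed password for invalid user pi from 198.51.100.7 port 40007 ssh2
2017-12-21 01:02:20 sshd[1008]: Failed password for invalid user pi from 198.51.100.7 port 40008 ssh2
2017-12-21 01:02:30 sshd[1009]: Failed password for invalid user pi from 198.51.100.7 port 40009 ssh2
2017-12-21 01:02:40 sshd[1010]: Failed password for invalid user pi from 198.51.100.7 port 40010 ssh2
2017-12-21 01:05:00 sshd[1011]: Failed password for root from 203.0.113.50 port 40011 ssh2
2017-12-21 01:08:00 sshd[1012]: Failed password for root from 203.0.113.50 port 40012 ssh2
2017-12-21 01:11:00 sshd[1013]: Failed password for root from 203.0.113.50 port 40013 ssh2
2017-12-21 01:14:00 sshd[1014]: Failed password for root from 203.0.113.50 port 40014 ssh2
2017-12-21 01:31:00 sshd[1015]: Failed password for root from 203.0.113.9 port 40015 ssh2
"""

# Equivalent of a fail2ban failregex for the constructed lines above; swap this for
# the Emby filter regex from the forum to parse emby-server.log instead.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class Jail:
    """Simplified model of one fail2ban jail: maxretry failures within findtime
    seconds bans the address for bantime seconds; ignoreip networks are never banned."""

    def __init__(self, maxretry=4, findtime=120, bantime=1800, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore_nets = [ip_network(n) for n in ignoreip]
        self.window = defaultdict(deque)   # ip -> recent failure times (sliding window)
        self.bans = []                     # (ip, ban start, ban expiry), kept as an audit trail

    def _ignored(self, ip):
        return any(ip_address(ip) in net for net in self.ignore_nets)

    def is_banned(self, ip, when):
        """True if ip was under an active ban at the given time (datetime or timestamp string)."""
        when = parse_ts(when) if isinstance(when, str) else when
        return any(b_ip == ip and start <= when < expiry for b_ip, start, expiry in self.bans)

    def observe_failure(self, ip, when):
        """Record one failed attempt; return True if this attempt triggered a ban."""
        if self._ignored(ip) or self.is_banned(ip, when):
            return False
        recent = self.window[ip]
        recent.append(when)
        while when - recent[0] > self.findtime:    # drop attempts older than findtime
            recent.popleft()
        if len(recent) >= self.maxretry:
            self.bans.append((ip, when, when + self.bantime))
            recent.clear()
            return True
        return False


def replay(text, jail):
    """Feed every matching failure line through the jail and return it for inspection."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            jail.observe_failure(m["ip"], parse_ts(m["ts"]))
    return jail


if __name__ == "__main__":
    jail = replay(SAMPLE_AUTH_LOG, Jail(ignoreip=["198.51.100.0/24"]))
    for ip, start, expiry in jail.bans:
        print(f"banned {ip} at {start} until {expiry}")
```

Replaying the sample with the thread's settings bans only 203.0.113.9, at 01:00:45 until 01:30:45; its attempt at 01:00:50 is dropped because the ban is active, and its attempt at 01:31:00 starts a fresh count. 203.0.113.50 never collects four failures inside any 120-second window, which is the weakness of a pure findtime jail against slow guessing, and 198.51.100.7 is exempt because its network is in ignoreip. The real jail.local keys are maxretry, findtime, bantime and ignoreip, which is where a country allowlist (or your parents' home address range) would go.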

Guest asrequested

So you are still not able to get your VPN up on the Ubiquiti firewall?

Sent from my iPhone using Tapatalk

It works, but it chokes my bandwidth. I bought a new TV instead of building another gateway :)

I want to build one that gives me strength and easy manageability. pfSense seems to be the way forward.