Basic Networking Security Tips

Status
Not open for further replies.

dextr3k

Cadet
Joined
Sep 6, 2013
Messages
9
Hi Guys,

I will start off by saying that I am a complete newbie, and getting FreeNAS running has been my crowning achievement. However, I have now reached a point where I need to enhance my security.

My FreeNAS server is a Plex and Time Machine server for my household. I have no need to access it from outside my house, and it holds backups and movies. As such, I only have one account for accessing it and one root account, with 777 permissions for that account because only I use it; everything else is automated. I have the Apple AFP, CIFS and SMART services turned on, that's it (note: no SSH).

Recently, my security output has been showing me failed login attempts from China, spamming all my ports. I would like to say there is no SSH, I have no DNS pointed to my home IP, and Plex is not logged into the server. I don't even know how they are getting my IP.

Anyway, my security log looks like this. How can I up my network security?

freenas.local login failures:
Jun 28 04:20:59 freenas sshd[23124]: Failed password for root from 222.186.34.130 port 2962 ssh2
Jun 28 04:20:59 freenas sshd[23124]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:20:59 freenas sshd[23134]: Failed password for root from 222.186.34.130 port 3516 ssh2
Jun 28 04:20:59 freenas sshd[23134]: Failed password for root from 222.186.34.130 port 3516 ssh2
Jun 28 04:21:00 freenas sshd[23132]: Failed password for root from 222.186.34.130 port 3401 ssh2
Jun 28 04:21:00 freenas sshd[23132]: Failed password for root from 222.186.34.130 port 3401 ssh2
Jun 28 04:21:00 freenas sshd[23130]: Failed password for root from 222.186.34.130 port 3294 ssh2
Jun 28 04:21:00 freenas sshd[23132]: Failed password for root from 222.186.34.130 port 3401 ssh2
Jun 28 04:21:00 freenas sshd[23132]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:00 freenas sshd[23130]: Failed password for root from 222.186.34.130 port 3294 ssh2
Jun 28 04:21:00 freenas sshd[23130]: Failed password for root from 222.186.34.130 port 3294 ssh2
Jun 28 04:21:00 freenas sshd[23130]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:00 freenas sshd[23136]: Failed password for root from 222.186.34.130 port 3547 ssh2
Jun 28 04:21:00 freenas sshd[23136]: Failed password for root from 222.186.34.130 port 3547 ssh2
Jun 28 04:21:00 freenas sshd[23138]: Failed password for root from 222.186.34.130 port 3555 ssh2
Jun 28 04:21:00 freenas sshd[23136]: Failed password for root from 222.186.34.130 port 3547 ssh2
Jun 28 04:21:00 freenas sshd[23138]: Failed password for root from 222.186.34.130 port 3555 ssh2
Jun 28 04:21:00 freenas sshd[23120]: Failed password for root from 222.186.34.130 port 2682 ssh2
Jun 28 04:21:01 freenas sshd[23120]: Failed password for root from 222.186.34.130 port 2682 ssh2
Jun 28 04:21:01 freenas sshd[23120]: Failed password for root from 222.186.34.130 port 2682 ssh2
Jun 28 04:21:01 freenas sshd[23126]: Failed password for root from 222.186.34.130 port 3078 ssh2
Jun 28 04:21:01 freenas sshd[23120]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:01 freenas sshd[23126]: Failed password for root from 222.186.34.130 port 3078 ssh2
Jun 28 04:21:01 freenas sshd[23122]: Failed password for root from 222.186.34.130 port 2879 ssh2
Jun 28 04:21:01 freenas sshd[23122]: Failed password for root from 222.186.34.130 port 2879 ssh2
Jun 28 04:21:01 freenas sshd[23126]: Failed password for root from 222.186.34.130 port 3078 ssh2
Jun 28 04:21:01 freenas sshd[23126]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:01 freenas sshd[23122]: Failed password for root from 222.186.34.130 port 2879 ssh2
Jun 28 04:21:01 freenas sshd[23128]: Failed password for root from 222.186.34.130 port 3226 ssh2
Jun 28 04:21:01 freenas sshd[23122]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:01 freenas sshd[23140]: Failed password for root from 222.186.34.130 port 3579 ssh2
Jun 28 04:21:01 freenas sshd[23128]: Failed password for root from 222.186.34.130 port 3226 ssh2
Jun 28 04:21:01 freenas sshd[23140]: Failed password for root from 222.186.34.130 port 3579 ssh2
Jun 28 04:21:01 freenas sshd[23128]: Failed password for root from 222.186.34.130 port 3226 ssh2
Jun 28 04:21:01 freenas sshd[23128]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:01 freenas sshd[23142]: Failed password for root from 222.186.34.130 port 3585 ssh2
Jun 28 04:21:01 freenas sshd[23142]: Failed password for root from 222.186.34.130 port 3585 ssh2
Jun 28 04:21:01 freenas sshd[23144]: Failed password for root from 222.186.34.130 port 3588 ssh2
Jun 28 04:21:01 freenas sshd[23144]: Failed password for root from 222.186.34.130 port 3588 ssh2
Jun 28 04:21:01 freenas sshd[23146]: Failed password for root from 222.186.34.130 port 3600 ssh2
Jun 28 04:21:01 freenas sshd[23146]: Failed password for root from 222.186.34.130 port 3600 ssh2
Jun 28 04:21:02 freenas sshd[23118]: Failed password for root from 222.186.34.130 port 2087 ssh2
Jun 28 04:21:02 freenas sshd[23116]: Failed password for root from 222.186.34.130 port 2015 ssh2
Jun 28 04:21:02 freenas sshd[23118]: Failed password for root from 222.186.34.130 port 2087 ssh2
Jun 28 04:21:02 freenas sshd[23116]: Failed password for root from 222.186.34.130 port 2015 ssh2
Jun 28 04:21:02 freenas sshd[23118]: Failed password for root from 222.186.34.130 port 2087 ssh2
Jun 28 04:21:02 freenas sshd[23118]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:02 freenas sshd[23116]: Failed password for root from 222.186.34.130 port 2015 ssh2
Jun 28 04:21:02 freenas sshd[23116]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:21:03 freenas sshd[23148]: Failed password for root from 222.186.34.130 port 3656 ssh2
Jun 28 04:21:03 freenas sshd[23150]: Failed password for root from 222.186.34.130 port 3669 ssh2
Jun 28 04:21:03 freenas sshd[23148]: Failed password for root from 222.186.34.130 port 3656 ssh2
Jun 28 04:21:03 freenas sshd[23150]: Failed password for root from 222.186.34.130 port 3669 ssh2
Jun 28 11:46:34 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:34 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:34 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:34 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:35 freenas sshd[27561]: Failed password for root from 193.107.17.72 port 18464 ssh2
Jun 28 11:46:35 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:35 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:35 freenas sshd[27561]: Failed password for root from 193.107.17.72 port 18464 ssh2
Jun 28 11:46:36 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:36 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:36 freenas sshd[27561]: Failed password for root from 193.107.17.72 port 18464 ssh2
Jun 28 11:46:37 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:37 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:37 freenas sshd[27561]: Failed password for root from 193.107.17.72 port 18464 ssh2
Jun 28 11:46:37 freenas sshd[27566]: Failed password for root from 193.107.17.72 port 18609 ssh2
Jun 28 11:46:37 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:37 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:37 freenas sshd[27559]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 11:46:37 freenas sshd[27560]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 11:46:37 freenas sshd[27561]: Failed password for root from 193.107.17.72 port 18464 ssh2
Jun 28 11:46:37 freenas sshd[27565]: Failed password for root from 193.107.17.72 port 18585 ssh2
Jun 28 11:46:37 freenas sshd[27566]: Failed password for root from 193.107.17.72 port 18609 ssh2
Jun 28 11:46:37 freenas sshd[27561]: Failed password for root from 193.107.17.72 port 18464 ssh2
Jun 28 11:46:37 freenas sshd[27561]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 11:46:37 freenas sshd[27565]: Failed password for root from 193.107.17.72 port 18585 ssh2
Jun 28 11:46:38 freenas sshd[27566]: Failed password for root from 193.107.17.72 port 18609 ssh2
Jun 28 11:46:38 freenas sshd[27565]: Failed password for root from 193.107.17.72 port 18585 ssh2
Jun 28 11:46:38 freenas sshd[27566]: Failed password for root from 193.107.17.72 port 18609 ssh2
Jun 28 11:46:38 freenas sshd[27565]: Failed password for root from 193.107.17.72 port 18585 ssh2
Jun 28 11:46:39 freenas sshd[27566]: Failed password for root from 193.107.17.72 port 18609 ssh2
Jun 28 11:46:39 freenas sshd[27565]: Failed password for root from 193.107.17.72 port 18585 ssh2
Jun 28 11:46:39 freenas sshd[27566]: Failed password for root from 193.107.17.72 port 18609 ssh2
Jun 28 11:46:39 freenas sshd[27566]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 11:46:39 freenas sshd[27565]: Failed password for root from 193.107.17.72 port 18585 ssh2
Jun 28 11:46:39 freenas sshd[27565]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 11:46:51 freenas sshd[27572]: Failed password for root from 193.107.17.72 port 19326 ssh2
Jun 28 11:46:55 freenas sshd[27572]: Disconnecting: Too many authentication failures for root [preauth]

-- End of security output --
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, clearly SSH is running, else you wouldn't be getting those messages. :P

Sounds like your firewall isn't blocking traffic properly. That is, assuming you even have a firewall.
 

dextr3k

Cadet
Joined
Sep 6, 2013
Messages
9
I double-checked: under the Services menu, SSH is off, so I am not sure how much more I can turn it off?

I have the basic router firewall on; I will have to double-check that too...
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Can you PM me your debug file... it can be obtained from System -> Advanced -> Save Debug.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Do you have a port forwarding rule on your router for port 22 going to your FreeNAS IP? Maybe from an older machine that got replaced? Or a hung UPNP request.

And what do you mean "all my ports"? The log shown above is all going to port 22 (SSH) on your FreeNAS (from different source ports on the attacker's side).
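As an added example (not code from the thread), here is a small Python script that parses the sshd lines in the posted security output and aggregates them per source IP. It makes depasseg's point concrete: every line is from sshd, the one listener involved, and the "port N" in each line is the remote side's source port, which is why it differs from line to line. The sample lines are copied from the first post's log; the threshold in noisy_sources is an arbitrary choice.

```python
import re
from collections import defaultdict

# Message formats exactly as they appear in the posted FreeNAS security output.
# "port N" in a Failed password line is the client's SOURCE port; the
# destination on the NAS is always sshd's listener (22 by default).
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?P<user>.+?) from "
                       r"(?P<src>[\d.]+) port (?P<sport>\d+) ssh2$")
DISCONNECT_RE = re.compile(_PREFIX + r"Disconnecting: Too many authentication "
                           r"failures for (?P<user>.+?) \[preauth\]$")

# Sample input: a handful of lines copied from the log in the first post.
SAMPLE_LOG = """\
Jun 28 04:20:59 freenas sshd[23124]: Failed password for root from 222.186.34.130 port 2962 ssh2
Jun 28 04:20:59 freenas sshd[23124]: Disconnecting: Too many authentication failures for root [preauth]
Jun 28 04:20:59 freenas sshd[23134]: Failed password for root from 222.186.34.130 port 3516 ssh2
Jun 28 04:20:59 freenas sshd[23134]: Failed password for root from 222.186.34.130 port 3516 ssh2
Jun 28 11:46:34 freenas sshd[27559]: Failed password for root from 193.107.17.72 port 18308 ssh2
Jun 28 11:46:34 freenas sshd[27560]: Failed password for root from 193.107.17.72 port 18366 ssh2
Jun 28 11:46:37 freenas sshd[27559]: Disconnecting: Too many authentication failures for root [preauth]
"""


def summarize(lines):
    """Aggregate sshd password failures per source IP.

    Returns {src: {"failures", "sessions", "source_ports", "users", "disconnects"}}.
    A Disconnecting line carries no IP, so it is attributed to the source seen
    earlier for the same sshd PID (PIDs get reused over a long log, so treat that
    attribution as best-effort).
    """
    stats = defaultdict(lambda: {"failures": 0, "pids": set(), "sports": set(),
                                 "users": set(), "disconnects": 0})
    pid_to_src = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            s = stats[m["src"]]
            s["failures"] += 1
            s["pids"].add(m["pid"])
            s["sports"].add(int(m["sport"]))
            s["users"].add(m["user"])
            pid_to_src[m["pid"]] = m["src"]
            continue
        m = DISCONNECT_RE.match(line)
        if m and m["pid"] in pid_to_src:
            stats[pid_to_src[m["pid"]]]["disconnects"] += 1
    return {src: {"failures": s["failures"], "sessions": len(s["pids"]),
                  "source_ports": len(s["sports"]), "users": sorted(s["users"]),
                  "disconnects": s["disconnects"]} for src, s in stats.items()}


def noisy_sources(summary, min_failures):
    """Source IPs with at least min_failures failed logins, most active first."""
    hits = [(src, s["failures"]) for src, s in summary.items() if s["failures"] >= min_failures]
    return [src for src, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for src, s in summary.items():
        print(f"{src}: {s['failures']} failures over {s['sessions']} sshd sessions "
              f"from {s['source_ports']} source ports, users={s['users']}, "
              f"lockouts={s['disconnects']}")
    print("candidates for a router block rule:", noisy_sources(summary, 3))
```

Feed it the full security output (for example via sys.stdin) and the per-source counts show at a glance that this is an sshd password-guessing pattern from a couple of hosts, not traffic against "all" ports.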
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
> I don't even know how they are getting my IP.
They aren't "getting" your IP, they're just automated attacks that hammer on any IP that responds. As soon as you connect a device to the internet, it becomes a target.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
It's obvious that SSH is running and forwarded from the router, or the FreeNAS box is in a DMZ. Both of these are bad ideas.
 

dextr3k

Cadet
Joined
Sep 6, 2013
Messages
9
Yeah, I just checked my FreeNAS again, and SSH is turned off. My DMZ is actually my PS4, and I have no port forwarding rules. Is it just the shitty router that I have? I think it's some Chinese router, TP-Link I think.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, I just looked at the debug you sent me. Here's what I found...

1. You have crash files. So your box is crashing. I don't have time/date stamps, but the fact that it's crashing should be pretty alarming to you. That's almost always a hardware problem.
2. You have 4GB of RAM (which is 1/2 of the minimum for FreeNAS, excluding jails and plugins). Let's not even talk about the fact you are using AMD or that you are using Realtek...
3. Your logs show nothing much except lots of hostname mismatches. This means that your log is filled with stuff that should have been corrected during initial setup.
4. Your acks on your network are weird. You have 3.7 million acks, with 6% being duplicates. The number of acks isn't abnormal, but the fact that 6% are duplicates is a tell-tale sign of something totally fubared with your networking. Considering you are using Realtek, I can't say I'm too surprised. It also may not be from the Realtek, which would be an indicator of serious problems on your network.

Overall, I think you've got much more to worry about than 'just' security. You've got serious reliability problems based on the crashes, choice of hardware, limited hardware being used, etc. So while I can't speak for security with this specific box, I can share a few things.

Security is a top-down and bottom-up problem. This means using proper hardware, proper software, and proper administration. I don't have high confidence that any of those are prevalent here. Insufficient and/or improper hardware can and will lead to weird behaviors. So your SSH may show as off in the WebGUI, but if the script that is supposed to stop the SSH service is terminating before it can stop SSH, you are suddenly in a world where the system thinks that SSH isn't running, but it actually is. We've got plenty of examples of services being turned off in the WebGUI, showing as off in the WebGUI, yet still running just because of insufficient RAM.

Frankly, until you can clean up some of these problems with good solid hardware, I'm not inclined to even try to do anything like a Teamviewer session with you (I was considering it). The problem is that we *know* that odd and totally unexplained behavior is the result of many other things like inappropriate or incompatible hardware. So until you want to fix the problems you have, I don't know that anyone else can help you either.

Additionally, even if you were to find out what the heck is going on with the failing logins and either kill sshd or prevent it from starting, that's just covering up the problem. That doesn't mean you've fixed it. Generally, when I see a server with things like hostname lookup failures all over the logs, that's a tell-tale sign of someone that set up the server and didn't do their due diligence. For me, seeing hostname lookup failures is a clear sign that someone is not reading their footers and figuring out what is wrong and fixing it. It's not a far-fetched theory to then realize that someone who didn't do their due diligence here probably didn't do it when setting up their other servers, their desktops, their network configuration, their router and their firewall either. So I think you really need to go back to the drawing board and start looking at everything all over. I have virtually no doubt that your router/firewalls are misconfigured. This is pretty obvious from the fact that you have failed login attempts from China. If it's not your firewall, then that means some other method is being employed to access your network, which then turns into what I said about other servers and desktops not being properly configured; one or more is likely pwned. In either case, the problems are large in number, and fairly serious.

So yeah, I think you wanting to tighten down on security is a good idea (and there is plenty of evidence that security is totally bonkers right now), but the ssh failed login attempts you are trying to fix are a symptom of a much, much bigger systemic problem. There are far too many unknowns with this whole setup you have (networking as well as everything on the network), and it needs a more serious look from someone to figure out what is going on.

Hate to be the bearer of bad news, but from my perspective it feels like you are in way over your head on this one, and the solutions you need aren't on this forum. You need someone with far better IT skills than you have.

Sorry, but all I can do is wish you luck as this problem is much more severe than just some problem with your FreeNAS machine.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
There is something quite subtle about the ssh service in FreeNAS. When you turn the service off, it appears to maintain existing connections but not accept new ones. And an instance of sshd continues running even when the service is off and all connections have dropped. Not that this has anything to do with the OP's problem, but it does make it hard to tell if the service is running or not, except by trying to connect to it. I don't know if this is a FreeBSD thing, or a specific feature of FreeNAS to stop people accidentally disconnecting themselves.
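rogerh's observation that the only reliable test is to try to connect can be scripted. The following is an added example, not code from the thread: ssh_banner connects to a host and port and returns the identification string an SSH server sends as soon as the TCP session opens, so it tells you whether something is actually answering on 22 regardless of what the WebGUI says. fake_ssh_listener and unused_port are local stand-ins so the script runs offline; to check the real box, call ssh_banner with the NAS address.

```python
import socket
import threading


def ssh_banner(host, port=22, timeout=3.0):
    """Return the SSH identification string a listener sends on connect
    (e.g. "SSH-2.0-OpenSSH_7.2"), or None if nothing answers on host:port or
    whatever answers is not speaking SSH. An SSH server sends this line first,
    so nothing needs to be sent to elicit it and no login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            data = conn.recv(255)
    except OSError:  # refused, timed out, unreachable: nothing is listening
        return None
    first = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return first if first.startswith("SSH-") else None


def fake_ssh_listener(banner=b"SSH-2.0-OpenSSH_fake\r\n"):
    """Stand-in for a lingering sshd (constructed for this example): listens on
    a random loopback port, answers exactly one connection with `banner`, then
    goes away. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port nothing is listening on (best effort), to show
    what ssh_banner reports when the service really is down."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the real NAS this would be ssh_banner("freenas.local") or its IP.
    print("lingering sshd   ->", ssh_banner("127.0.0.1", fake_ssh_listener()))
    print("nothing listening ->", ssh_banner("127.0.0.1", unused_port()))
```

A non-None result while the WebGUI shows SSH off is exactly the situation rogerh describes, and in the OP's case it would also confirm that the router is passing 22 through from the outside if run from a host outside the LAN.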
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
The behavior you just explained is for the SSH service on FreeBSD and Linux at the minimum. Seems silly to be so confusing, but it allows people to change the ssh service settings, stop and start the service with the new settings, and not be kicked offline.

It would kind of suck to remote into the server to change an ssh setting and when you stop the service it kicks you out of the session. Makes it a little hard to restart the service then, eh? ;)
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
> The behavior you just explained is for the SSH service on FreeBSD and Linux at the minimum. Seems silly to be so confusing, but it allows people to change the ssh service settings, stop and start the service with the new settings, and not be kicked offline.
>
> It would kind of suck to remote into the server to change an ssh setting and when you stop the service it kicks you out of the session. Makes it a little hard to restart the service then, eh? ;)

Indeed. I think it's a great idea! I just didn't know it was generally available. Experience suggests it is still a bad idea to stop (as opposed to restarting) the NIC or other network service you are using, though.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> Indeed. I think it's a great idea! I just didn't know it was generally available. Experience suggests it is still a bad idea to stop (as opposed to restarting) the NIC or other network service you are using, though.

Very true. But since nix admins are so sold on remote terminals and so many admins don't have actual local access to the server, it's a necessary function in the world. :P
 

dextr3k

Cadet
Joined
Sep 6, 2013
Messages
9
> Very true. But since nix admins are so sold on remote terminals and so many admins don't have actual local access to the server, it's a necessary function in the world. :p

Oh Wow, thanks cyberjock!

I am the first to admit that I may be over my head in this, as you have mentioned, and I really appreciate all the advice that you have given me here. It really is already above and beyond what I was expecting in terms of feedback, so kudos for writing all of that out, to someone you don't know, on the internet!

I will have to re-evaluate my situation, as I know that my IT skills probably topped out when I set up the NAS. No excuses on my end for improper security and hardware. Obviously my old box was not suited for this task!

I will be upping my investment in this project. Thanks again!
 