Is someone trying to hack into my FreeNAS???

Status
Not open for further replies.

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
...but how did you do this? Dynamic DNS will not give you access to a web server that's behind a standard home router, much less a proper firewall. Do you have port 80 open to the outside as well? If so, you should consider yourself screwed--the FreeNAS web GUI just doesn't have safeguards in place that would make it appropriate to expose it to the Internet. I'm certainly not saying someone has hacked your box--but I am saying someone could have, and you really wouldn't have any way to know.
Yeah... 80 was forwarded in order to access the WebGUI. Wasn't sure how to change the port when I first set it up.

I can't just change the password or disable ssh? Or change the port?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
But as an update, I changed the port from 22 to a random number, and this is what I got today...
<<snipped>>
Dec 11 03:55:59 Archon sshd[85433]: input_userauth_request: invalid user admin [preauth]
Dec 11 03:55:59 Archon sshd[85433]: Failed password for invalid user admin from 185.112.102.222 port 45636 ssh2
-- End of security output --

What exactly did you change (you can obfuscate the new port number)? And on what device? The simplest way to do it is to do it on the router. Change the external port to something like 12344 and forward it to internal port 22. I would be surprised if they found your random port that quickly, which leaves me wondering what you actually changed.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The FreeNAS web GUI should not be exposed to the Internet, on any port (port 80 would be even worse, since that's the standard HTTP port, but attackers tend to use port scans anyway, so using a non-standard port won't really buy you much in terms of security), because it isn't designed or secured for that application. You've left it exposed, on the standard port, for two weeks. There's no way of knowing what could have happened in that time. Your system could be fine, with a password change a mere precaution. Or it might be totally pwned, and part of a botnet that's trying to hack into NORAD.

The problem is that if someone has managed to log in to the web GUI, they have full root shell access to your server. They can do anything--install any software, modify any configuration, install any rootkit, etc. Some of these things are undetectable.

There are two safe ways of accessing your FreeNAS server remotely: (1) through a VPN, ideally set up at the router; or (2) via SSH, to include SSH tunneling. Forwarding anything from the Internet to any port on your FreeNAS server other than the port being used for SSH is highly insecure. Forwarding ports to jails may be secure or not, depending on how those jails are set up (I haven't heard of vulnerabilities related to forwarding 32400 to the Plex Server, but forwarding port 22 to a jail running Telnet wouldn't be safe at all).

When it comes to network and server security, "am I being paranoid?" isn't the question to ask. The question should be, "am I being paranoid enough?"
 

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
What exactly did you change (you can obfuscate the new port number)? And on what device? The simplest way to do it is to do it on the router. Change the external port to something like 12344 and forward it to internal port 22. I would be surprised if they found your random port that quickly, which leaves me wondering what you actually changed.
On my router, nothing has changed:
For the whole server, ports 22, 80, and 443 were forwarded.
For Plex, ports 32400, 139, 445 were forwarded. (Yes, 139 and 445 were forwarded incorrectly. They were meant for Samba, and should be forwarded to the server. Friend messed these up.)

The only thing I changed was the SSH setting in FreeNAS because of the login attempts. I changed the port for SSH from 22 to another number under 100.

That's it. Nothing else really changed.
 

Attachments: image.jpeg (51.6 KB)

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
First of all, sharing SMB ports 139 and 445 is about the worst thing you can do over the internet. Consider your server already compromised.

Secondly, changing the port on FreeNAS did literally nothing to hide the port. The people are hitting port 22 on the public IP.
 

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
First of all, sharing SMB ports 139 and 445 is about the worst thing you can do over the internet. Consider your server already compromised.

Secondly, changing the port on FreeNAS did literally nothing to hide the port. The people are hitting port 22 on the public IP.
I guess I'll stop following these internet guides... Ok, so I should assume that my box has been compromised. What about the volumes? Can I wipe the OS flash drive and reinstall the OS, and import the volumes? Could anything be installed on the volumes that would warrant me needing to wipe the drives out too?
 

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
There are two safe ways of accessing your FreeNAS server remotely: (1) through a VPN, ideally set up at the router; or (2) via SSH, to include SSH tunneling. Forwarding anything from the Internet to any port on your FreeNAS server other than the port being used for SSH is highly insecure. Forwarding ports to jails may be secure or not, depending on how those jails are set up (I haven't heard of vulnerabilities related to forwarding 32400 to the Plex Server, but forwarding port 22 to a jail running Telnet wouldn't be safe at all).
I thought what I was doing was considered SSH tunneling. Guess I have a lot to learn...
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I thought what I was doing was considered SSH tunneling. Guess I have a lot to learn...
You weren't tunnelling over SSH if you had all those ports forwarded. Those were wide open to the internet. SSH tunnelling involves only using SSH to access the server and tunnelling your traffic over the SSH tunnel to access services. It certainly works well if you know what you're doing.
 

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
You weren't tunnelling over SSH if you had all those ports forwarded. Those were wide open to the internet. SSH tunnelling involves only using SSH to access the server and tunnelling your traffic over the SSH tunnel to access services. It certainly works well if you know what you're doing.
So if I were to be paranoid, I should wipe the whole OS?
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
So if I were to be paranoid, I should wipe the whole OS. What about the volumes? Can I wipe the OS flash drive and reinstall the OS, and import the volumes? Could hackers do anything on the volumes that would warrant me needing to wipe the drives out too?
You can wipe the flash and reinstall, and even import your config, and not touch the volumes, but there is no way of knowing what has been done on your system. Maybe nothing. Who knows.
 

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
When it comes to network and server security, "am I being paranoid?" isn't the question to ask. The question should be, "am I being paranoid enough?"
So if I were to be paranoid, I should wipe the whole OS. What about the volumes? Can I wipe the OS flash drive and reinstall the OS, and import the volumes? Could hackers do anything on the volumes that would warrant me needing to wipe the drives out too?
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
FreeNAS is based on FreeBSD so any vulnerability in FreeBSD could be taken advantage of. In general I wouldn't think your pool(s) would be infected so wiping out the OS and reconfiguring from scratch should be enough, at least a starting point. Find another way into your system such as the methods mentioned in this thread. It's not easy for a novice configuring these network firewalls and tunnels, sometimes it's outright complicated as hell. I remote into my main computer using RDP and then control FreeNAS from that computer. I could have a more secure method and someday after I understand the VPN tunnelling more, I'll set that up too. Heck, maybe during my Christmas vacation but I have more to figure out first.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Can I wipe the OS flash drive and reinstall the OS, and import the volumes?
Probably.
Could hackers do anything on the volumes that would warrant me needing to wipe the drives out too?
Could they? Yes--if you have jails running (and you have at least one for your plex server), an attacker could place executable code in one. Is it likely? Probably not. But possible, at least in theory.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I changed the port for SSH from 22 to another number under 100.
If you are going to pick a different port, I'd suggest one above 1024. Just change the router to forward port 12144 (for example) to internal port 22. No need to change the internal server.
 

butterwrath

Dabbler
Joined
Dec 8, 2015
Messages
25
At this point, assume everything on your friend's LAN is compromised.
Yeah.. I wiped the flash drive, and reinstalled FreeNAS over the weekend. The ONLY thing connected to the web is Plex right now. Too scared to do SSH or allowing web access to the GUI. Wasn't sure if I should wipe all my drives too and reinstall...
 
Joined
Apr 9, 2015
Messages
1,258
Ok, I know you guys are talking about "port 22" but I would gather that the FreeNAS has been put in the DMZ unless there are a ton of forwards from different ports to it.
Dec 10 06:28:53 Archon sshd[96591]: Failed password for root from 187.210.58.215 port 49135 ssh2
Dec 10 06:28:58 Archon sshd[96593]: Failed password for root from 187.210.58.215 port 49889 ssh2
Dec 10 06:29:01 Archon sshd[96604]: Failed password for root from 187.210.58.215 port 50930 ssh2
Dec 10 06:29:04 Archon sshd[96634]: Failed password for root from 187.210.58.215 port 51788 ssh2
Dec 10 06:29:07 Archon sshd[96658]: Failed password for root from 187.210.58.215 port 52588 ssh2
Dec 10 06:29:11 Archon sshd[96669]: Failed password for root from 187.210.58.215 port 53374 ssh2
Dec 10 06:29:15 Archon sshd[96679]: Failed password for root from 187.210.58.215 port 54371 ssh2
Dec 10 06:29:18 Archon sshd[96701]: Failed password for root from 187.210.58.215 port 55411 ssh2
Dec 10 06:29:21 Archon sshd[96709]: Failed password for root from 187.210.58.215 port 56234 ssh2
Dec 10 06:29:25 Archon sshd[96711]: Failed password for root from 187.210.58.215 port 56997 ssh2
Dec 10 06:29:29 Archon sshd[96722]: Failed password for root from 187.210.58.215 port 57836 ssh2
Dec 10 06:29:33 Archon sshd[96730]: Failed password for root from 187.210.58.215 port 58787 ssh2
Dec 10 06:29:39 Archon sshd[96732]: Failed password for root from 187.210.58.215 port 59782 ssh2
Dec 10 06:29:45 Archon sshd[96749]: Failed password for root from 187.210.58.215 port 33083 ssh2
Dec 10 06:29:51 Archon sshd[96763]: Failed password for root from 187.210.58.215 port 34560 ssh2
Dec 10 06:29:54 Archon sshd[96774]: Failed password for root from 187.210.58.215 port 36061 ssh2
Dec 10 06:29:58 Archon sshd[96776]: Failed password for root from 187.210.58.215 port 36909 ssh2
Dec 10 06:30:01 Archon sshd[96790]: Failed password for root from 187.210.58.215 port 37652 ssh2
Dec 10 06:30:04 Archon sshd[96819]: Failed password for root from 187.210.58.215 port 38494 ssh2
Dec 10 06:30:10 Archon sshd[96837]: Failed password for root from 187.210.58.215 port 39285 ssh2
Dec 10 06:30:13 Archon sshd[96848]: Failed password for root from 187.210.58.215 port 40689 ssh2
In just that short of a timeframe you're looking at over 20 ports. This goes slightly beyond a forward.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Ok, I know you guys are talking about "port 22" but I would gather that the FreeNAS has been put in the DMZ unless there are a ton of forwards from different ports to it.

In just that short of a timeframe you're looking at over 20 ports. This goes slightly beyond a forward.
That is not how communication works. It is telling you the connection is coming FROM that port on the client side. When you initiate a connection to some service, the client side (you) picks a random port. The server-side listening port is the only port that matters.
 
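As an added illustration of the point in the post above (example code written for this edit, not from the thread or from the FreeNAS project): the parser below reads sshd "Failed password" lines in the same format the thread's security output uses, groups them by source IP, and shows why a burst of attempts from one address shows a different "port NNNN" on every line. That number is the client's ephemeral source port; the server's listening port is never printed in these lines at all. The log lines, hostname and IP addresses embedded here are constructed samples, and the brute-force threshold is an assumption chosen for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Matches the sshd failure lines seen in a FreeBSD/FreeNAS daily security run, e.g.
#   Dec 10 06:28:53 Archon sshd[96591]: Failed password for root from 1.2.3.4 port 49135 ssh2
#   Dec 11 03:55:59 Archon sshd[85433]: Failed password for invalid user admin from 5.6.7.8 port 45636 ssh2
# "port NNNN" is the *client's* source port, not a port on the server.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<sport>\d+) ssh2$"
)

# Constructed sample log (RFC 5737 documentation addresses, hostname "nas"); not from the thread.
SAMPLE_LOG = [
    "Dec 10 06:28:53 nas sshd[1001]: Failed password for root from 203.0.113.7 port 49135 ssh2",
    "Dec 10 06:28:58 nas sshd[1002]: Failed password for root from 203.0.113.7 port 49889 ssh2",
    "Dec 10 06:29:01 nas sshd[1003]: Failed password for root from 203.0.113.7 port 50930 ssh2",
    "Dec 10 06:29:04 nas sshd[1004]: Failed password for root from 203.0.113.7 port 51788 ssh2",
    "Dec 10 06:29:07 nas sshd[1005]: Failed password for root from 203.0.113.7 port 52588 ssh2",
    "Dec 10 06:29:11 nas sshd[1006]: Failed password for root from 203.0.113.7 port 53374 ssh2",
    "Dec 11 03:55:59 nas sshd[2001]: input_userauth_request: invalid user admin [preauth]",
    "Dec 11 03:55:59 nas sshd[2001]: Failed password for invalid user admin from 198.51.100.9 port 45636 ssh2",
    "Dec 11 03:56:03 nas sshd[2002]: Failed password for invalid user pi from 198.51.100.9 port 45640 ssh2",
    "Dec 11 08:12:40 nas sshd[3001]: Accepted publickey for backup from 192.0.2.20 port 51000 ssh2",
]


@dataclass
class Attempt:
    timestamp: str
    user: str
    invalid_user: bool   # True when sshd reported "invalid user" (account does not exist)
    source_ip: str
    source_port: int     # ephemeral port chosen by the connecting client


def parse_failed_logins(lines):
    """Return one Attempt per 'Failed password' line; other lines are ignored."""
    attempts = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m is None:
            continue
        attempts.append(Attempt(
            timestamp=m["ts"],
            user=m["user"],
            invalid_user=m["invalid"] is not None,
            source_ip=m["ip"],
            source_port=int(m["sport"]),
        ))
    return attempts


def summarize(attempts):
    """Group attempts by source IP: count, usernames tried, distinct client source ports."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": Counter(), "source_ports": set()})
    for a in attempts:
        entry = by_ip[a.source_ip]
        entry["attempts"] += 1
        entry["users"][a.user] += 1
        entry["source_ports"].add(a.source_port)
    return dict(by_ip)


def flag_brute_force(summary, threshold=5):
    """Source IPs with at least `threshold` failures (threshold is an assumed example value)."""
    return sorted(ip for ip, e in summary.items() if e["attempts"] >= threshold)


if __name__ == "__main__":
    summary = summarize(parse_failed_logins(SAMPLE_LOG))
    for ip, e in summary.items():
        # Every attempt has a different source port; the server side was the same sshd listener.
        print(f"{ip}: {e['attempts']} failures, users={dict(e['users'])}, "
              f"distinct client ports={len(e['source_ports'])}")
    print("brute-force candidates:", flag_brute_force(summary))
```

Run it on a real security-run mail or /var/log/auth.log and the "distinct client ports" count will track the attempt count almost one for one, which is exactly what the thread's 20-line burst shows: one listening port on the NAS, many ephemeral ports on the attacker's side. The "invalid user" flag separates guesses at accounts that do not exist (admin, pi) from guesses against real accounts such as root, which are the ones worth alerting on first.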

JDCynical

Contributor
Joined
Aug 18, 2014
Messages
141
That is not how communication works. It is telling you it is generating FROM the port on the client side. When you initiate a connection to some service, the client side (you) generates a random port. The server side listening is the only port that matters.
This, plus...

but I would gather that the FreeNAS has been put in the DMZ
I can't think of any sane reason to put a FreeNAS machine into a DMZ. It's not designed to have any exposure to any network that isn't trusted.
 

9C1 Newbee

Patron
Joined
Oct 9, 2012
Messages
485
All your FreeNAS are belong to us.
 