Beware of Raspberry Pi SSH hijacks

Topics (not sure which fora)
when not sure where to post, post here and mods will move it to right forum.

Moderators: leecollings, remb0

User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Beware of Raspberry Pi SSH hijacks

Post by leecollings »

After two weeks of trying to find the culprit, last night I discovered that my Pi was attempting to SSH into random servers using default usernames such as admin and ubnt every 2 seconds.

OVer the past fortnight, Sky had suspended my broadband twice because of this, but were unable to tell me which device was doing it, I had no logs on the Pi until I put a global SSH block on my router, with logging turned on, and found this:

Code: Select all

​​Dec  6 20:32:06 syslog: [177226.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.77.235.142 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58722 DF PROTO=TCP SPT=46995 DPT=22 WINDOW=
Dec  6 20:32:08 syslog: [177228.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.252.66.152 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=769 DF PROTO=TCP SPT=55723 DPT=22 WINDOW=29
Dec  6 20:32:10 syslog: [177230.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.31.238.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48723 DF PROTO=TCP SPT=33028 DPT=22 WINDOW=
Dec  6 20:32:12 syslog: [177232.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.214.122.63 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=61285 DF PROTO=TCP SPT=45883 DPT=22 WINDOW=
Dec  6 20:32:14 syslog: [177234.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.101.235.194 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15592 DF PROTO=TCP SPT=42448 DPT=22 WINDOW
Dec  6 20:32:16 syslog: [177236.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.22.13.149 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23987 DF PROTO=TCP SPT=45429 DPT=22 WINDOW=2
Dec  6 20:32:18 syslog: [177238.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.43.217.248 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25345 DF PROTO=TCP SPT=37689 DPT=22 WINDOW=
Dec  6 20:32:20 syslog: [177240.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.146.53.208 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32293 DF PROTO=TCP SPT=45376 DPT=22 WINDOW=
Dec  6 20:32:22 syslog: [177242.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.146.53.208 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32294 DF PROTO=TCP SPT=45376 DPT=22 WINDOW=
Dec  6 20:32:24 syslog: [177244.668000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.147.147.215 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40277 DF PROTO=TCP SPT=34167 DPT=22 WINDOW
Dec  6 20:32:26 syslog: [177246.672000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.195.129.191 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16239 DF PROTO=TCP SPT=43757 DPT=22 WINDOW
Dec  6 20:32:28 syslog: [177248.673000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.248.145.38 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2365 DF PROTO=TCP SPT=35716 DPT=22 WINDOW=2
Dec  6 20:32:30 syslog: [177250.673000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.116.114.61 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41178 DF PROTO=TCP SPT=59729 DPT=22 WINDOW=
Dec  6 20:32:32 syslog: [177252.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.248.47.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44427 DF PROTO=TCP SPT=49729 DPT=22 WINDOW=
Dec  6 20:32:34 syslog: [177254.672000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.227.2.76 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21406 DF PROTO=TCP SPT=38601 DPT=22 WINDOW=29
Dec  6 20:32:36 syslog: [177256.674000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.160.63.73 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59706 DF PROTO=TCP SPT=51622 DPT=22 WINDOW=2
Dec  6 20:32:38 syslog: [177258.674000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.41.246.144 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62622 DF PROTO=TCP SPT=37910 DPT=22 WINDOW=
Dec  6 20:32:40 syslog: [177260.684000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.80.202.36 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45460 DF PROTO=TCP SPT=50467 DPT=22 WINDOW=2
Dec  6 20:32:42 syslog: [177262.673000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.245.38.59 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24975 DF PROTO=TCP SPT=59411 DPT=22 WINDOW=2
Dec  6 20:32:44 syslog: [177264.675000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.235.119.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=50823 DF PROTO=TCP SPT=36418 DPT=22 WINDOW
Dec  6 20:32:46 syslog: [177266.675000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.240.228.51 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11878 DF PROTO=TCP SPT=45982 DPT=22 WINDOW=
Dec  6 20:32:48 syslog: [177268.675000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.173.45.236 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10616 DF PROTO=TCP SPT=54059 DPT=22 WINDOW=
Dec  6 20:32:50 syslog: [177270.676000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.139.130.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57244 DF PROTO=TCP SPT=38615 DPT=22 WINDOW=
Dec  6 20:32:52 syslog: [177272.676000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.162.184.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6530 DF PROTO=TCP SPT=53391 DPT=22 WINDOW=
Dec  6 20:32:54 syslog: [177274.676000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.44.182.115 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=19440 DF PROTO=TCP SPT=46005 DPT=22 WINDOW=
Dec  6 20:32:56 syslog: [177276.667000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.191.219.44 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49006 DF PROTO=TCP SPT=49709 DPT=22 WINDOW=
Dec  6 20:32:58 syslog: [177278.667000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.168.68.16 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21133 DF PROTO=TCP SPT=38476 DPT=22 WINDOW=2
Dec  6 20:33:00 syslog: [177280.667000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.81.184.85 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58635 DF PROTO=TCP SPT=54457 DPT=22 WINDOW=2
Dec  6 20:33:02 syslog: [177282.668000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.138.179.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33371 DF PROTO=TCP SPT=45075 DPT=22 WINDOW
Dec  6 20:33:04 syslog: [177284.668000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.151.206.88 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37670 DF PROTO=TCP SPT=44752 DPT=22 WINDOW=
Dec  6 20:33:06 syslog: [177286.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.151.206.88 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37671 DF PROTO=TCP SPT=44752 DPT=22 WINDOW=
Dec  6 20:33:08 syslog: [177288.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.205.162.91 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44651 DF PROTO=TCP SPT=37148 DPT=22 WINDOW=
Dec  6 20:33:10 syslog: [177290.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.116.191.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58562 DF PROTO=TCP SPT=58236 DPT=22 WINDOW=
Dec  6 20:33:12 syslog: [177292.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.179.53.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31661 DF PROTO=TCP SPT=47324 DPT=22 WINDOW=29
Dec  6 20:33:14 syslog: [177294.668000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.227.254.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41810 DF PROTO=TCP SPT=51375 DPT=22 WINDOW
Dec  6 20:33:16 syslog: [177296.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.24.37.49 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35986 DF PROTO=TCP SPT=48187 DPT=22 WINDOW=29
Dec  6 20:33:18 syslog: [177298.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.137.97.102 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54088 DF PROTO=TCP SPT=59567 DPT=22 WINDOW=
Dec  6 20:33:20 syslog: [177300.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.250.171.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49806 DF PROTO=TCP SPT=50540 DPT=22 WINDOW=
Dec  6 20:33:22 syslog: [177302.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.87.88.35 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=50371 DF PROTO=TCP SPT=33368 DPT=22 WINDOW=29
Dec  6 20:33:24 syslog: [177304.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.152.23.85 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63418 DF PROTO=TCP SPT=48943 DPT=22 WINDOW=2
Dec  6 20:33:26 syslog: [177306.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.152.23.85 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63419 DF PROTO=TCP SPT=48943 DPT=22 WINDOW=2
Dec  6 20:33:28 syslog: [177308.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.247.86.126 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32032 DF PROTO=TCP SPT=33581 DPT=22 WINDOW=
Dec  6 20:33:30 syslog: [177310.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.184.139.120 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=61619 DF PROTO=TCP SPT=45471 DPT=22 WINDOW
Dec  6 20:33:32 syslog: [177312.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.130.204.152 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10400 DF PROTO=TCP SPT=41967 DPT=22 WINDOW
Dec  6 20:33:34 syslog: [177314.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.112.148.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60578 DF PROTO=TCP SPT=41504 DPT=22 WINDOW=
Dec  6 20:33:36 syslog: [177316.667000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.43.178.222 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9863 DF PROTO=TCP SPT=59234 DPT=22 WINDOW=2
Dec  6 20:33:38 syslog: [177318.682000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.67.199.0 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=52313 DF PROTO=TCP SPT=38360 DPT=22 WINDOW=29
Dec  6 20:33:40 syslog: [177320.672000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.162.216.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58442 DF PROTO=TCP SPT=52801 DPT=22 WINDOW=
Dec  6 20:33:42 syslog: [177322.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.32.45.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54027 DF PROTO=TCP SPT=41563 DPT=22 WINDOW=292
Dec  6 20:33:44 syslog: [177324.673000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.59.254.81 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4278 DF PROTO=TCP SPT=43845 DPT=22 WINDOW=29
Dec  6 20:33:46 syslog: [177326.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.147.50.18 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=65485 DF PROTO=TCP SPT=56470 DPT=22 WINDOW=2
Dec  6 20:33:48 syslog: [177328.674000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.246.84.168 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58668 DF PROTO=TCP SPT=42997 DPT=22 WINDOW=
Dec  6 20:33:50 syslog: [177330.674000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.76.75.230 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47975 DF PROTO=TCP SPT=47177 DPT=22 WINDOW=2
Dec  6 20:33:52 syslog: [177332.667000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.158.8.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59911 DF PROTO=TCP SPT=36935 DPT=22 WINDOW=29
Dec  6 20:33:54 syslog: [177334.669000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.222.144.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33023 DF PROTO=TCP SPT=42873 DPT=22 WINDOW=2
Dec  6 20:33:56 syslog: [177336.675000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.152.44.147 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31758 DF PROTO=TCP SPT=46981 DPT=22 WINDOW=
Dec  6 20:33:58 syslog: [177338.670000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.193.245.93 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28781 DF PROTO=TCP SPT=35402 DPT=22 WINDOW=
Dec  6 20:34:00 syslog: [177340.671000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=198.18.143.66 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48615 DF PROTO=TCP SPT=36839 DPT=22 WINDOW=2
Dec  6 20:34:02 syslog: [177342.677000] always->SSHIN=br0 OUT=ptm0.1 MAC=c0:3e:0f:cc:25:b8:b8:27:eb:5b:02:87:08:00 SRC=192.168.0.250 DST=190.108.45.219 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62925 DF PROTO=TCP SPT=58484 DPT=22 WINDOW=
Dec  6 20:38:22 syslog: Administrator login successful from IP: 192.168.0.9 .
I have no idea what has exactly caused this, whether it's Domoticz, or the OS, or something else (I only used the Pi for Domoticz), but I have since removed the device from the network, and will now be getting rid of Domoticz and the Pi.

I just wanted to make others aware, in case this is some kind of bug or hole in Domoticz, or anything related. Please take a look through your logs people.
User avatar
havnegata
Posts: 114
Joined: Wednesday 10 September 2014 11:05
Target OS: Raspberry Pi / ODroid
Domoticz version: V4.10162
Location: Norway
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by havnegata »

It's always interesting to know what kind of security you have on your system ;)
MiloshCZ
Posts: 19
Joined: Monday 23 January 2017 17:15
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by MiloshCZ »

It is standard SSH attack. This is log of my IP address for last month.
https://ctrlv.cz/In9r
febalci
Posts: 331
Joined: Monday 03 July 2017 19:58
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by febalci »

User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by leecollings »

Like I said, it doesn't bother me anymore, because the Pi has now gone to someone else, the SD card has been destroyed.

I'm not continuing with Domoticz anymore, I'll just continue to use the LWRF app and IFTTT.
User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by leecollings »

Just coming back to this, if anyone wants to read into this more.

I've decided to come back to Domoticz, as I enjoy it too much. I've got a new Pi, and have changed the default password for user 'pi' from 'raspberry' to something much stronger.

I've also blocked all outgoing SSH traffic on my router, so there should be no way this should happen again.

Hopefully this will fix this, and keep the Pi more secure.
poudenes
Posts: 667
Joined: Wednesday 08 March 2017 9:42
Target OS: Linux
Domoticz version: 3.8993
Location: Amsterdam
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by poudenes »

always change the default port 22 to something else above 5000.
That makes it difficult for those who want get in
RPi3 B+, Debain Stretch, Domoticz, Homebridge, Dashticz, RFLink, Milight, Z-Wave, Fibaro, Nanoleaf, Nest, Harmony Hub, Now try to understand pass2php
domoticzcom1234
Posts: 19
Joined: Saturday 25 June 2016 17:21
Target OS: Raspberry Pi / ODroid
Domoticz version: Stable
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by domoticzcom1234 »

Another (more secure) advise:
Please always disable password login for your SSH accounts. Changing the port only is simply nowadays not secure.
Only enable ssh login using the by yourself generated public key / private key.
It sounds complicated to get it working but there are hundreds of "How To's" available on the internet.
User avatar
DeBaat
Posts: 33
Joined: Saturday 27 January 2018 14:52
Target OS: NAS (Synology & others)
Domoticz version: V3.8153
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by DeBaat »

This looks like a serious issue.

And as I try to be carefull and accessible at the same time, I configured a Let's Encrypt certificate on my Synology to access it securely from outside.
Now that I also have a RPi, I would like to extend the Lets Encrypt certificate to also make the RPi available from the outside.
However, I cannot find a working "How to" to import the certificate from my Synology into the RPi.

The certificate is configured for my domain and some subdomains like this: "mydomain.nl; domo.mydomain.nl; rasp.mydomain.nl".
As you might understand, the "domo.mydomain.nl" url should point to the Domoticz web site served from the Synology.
The "rasp.mydomain.nl" should be forwarded to the Raspberry Pi 3B+.

I've got the Synology working, but the RPi not.
Any suggestions?
tontze
Posts: 317
Joined: Thursday 12 January 2017 15:30
Target OS: Linux
Domoticz version: Beta Ch
Location: Finland
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by tontze »

Is this domoticz/rpi related, or does this concern every linux out there ?
-----------------------------------------
Smartthings
zigbee2mqtt
RFLink 433mhz / Nrf 2.4Ghz
Mi Light
esp8266MiLight Hub
OpenHab/HomeAssistant/Domoticz
HP T610 & Debian 5.10.19-1 x86_64[/b]
markk
Posts: 267
Joined: Tuesday 14 January 2014 14:50
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by markk »

I received an email from my ISP (VM) yesterday saying a device using my internet connection may be infected with malware. I thought it was spam at first but the message referenced my name and VM account number. Something about Mirai Malware!? Do you think this could be related to my Pi?
Running Domoticz on Pi3 with RFXtrx433e. LWRF power sockets and dimmer switches. Integrated my existing wirefree alarm PIRs and door contacts with domoticz. Geofencing with Pilot. Harmony Hub. Tado for Heating. Now playing with mysensors.
User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by leecollings »

Just an update, I'm not entirely sure what caused it or what malware it was that was causing it, but I've since gotten rid of that RPi, and actually bought a new one, with a new SD card with a fresh install.

I've also blocked my router from allowing outgoing SSH connections as a fail-safe.

However, I did realise that on my old Pi that was infected, I was using the default pi:raspberry credentials, so I've changed that on my new one with a new, stronger password.

I believe this should rectify any issue I have in future now.
EddyG
Posts: 1042
Joined: Monday 02 November 2015 5:54
Target OS: -
Domoticz version:

Re: Beware of Raspberry Pi SSH hijacks

Post by EddyG »

leecollings wrote: Tuesday 10 April 2018 14:00 I was using the default pi:raspberry credentials
Which hacker should have found that out. ;)

I use an other port for my sshd AND use a self-signed certificate AND only accept logins with an certificate.
That should be secure enough.
pj-r
Posts: 140
Joined: Wednesday 17 December 2014 17:30
Target OS: Linux
Domoticz version: V3.8650
Location: Jyväskylä, Finland
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by pj-r »

Fail2Ban or this: https://serverfault.com/a/563794 ;)
It makes ssh brute force attacks quite slow and useless..

You can use Fail2Ban also with domoticz: https://www.domoticz.com/wiki/Setup_fail2ban
LXC(x64 Ubuntu Xenial), RFXtrx433E, MySensors
User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by leecollings »

Just wanted to say thanks to everyone who gave their help and comments here.

I ended up ditching the Pi, and replacing it with a newer one, and secured the root account with a strong password.

I've had no similar issues since! Lesson learnt!
ben53252642
Posts: 543
Joined: Saturday 02 July 2016 5:17
Target OS: Linux
Domoticz version: Beta
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by ben53252642 »

Personally I run my Domoticz installation in a Debian 9 KVM virtual machine (makes it easy to backup and restore).

Recently though I've been considering switching to a Ubuntu server LTS distribution, they have a really cool "live patching" feature available to "Ubuntu Community Members" at no cost! You can sign up to Ubuntu Community for free.

https://ubuntu.com/livepatch
Unless otherwise stated, all my code is released under GPL 3 license: https://www.gnu.org/licenses/gpl-3.0.en.html
User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by leecollings »

How would you use local network devices as Hardware, and USB hardware devices such as RFXCOM if Domoticz is run inside an VM to an off-site machine?
ben53252642
Posts: 543
Joined: Saturday 02 July 2016 5:17
Target OS: Linux
Domoticz version: Beta
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by ben53252642 »

The setup is completely local, I've got a a machine running Proxmox in my office.

That Proxmox server runs a number of virtual machines one of which is Domoticz, passing through the USB devices is point and click easy from the Proxmox GUI.

I really like the setup, I've got (again easy point and click) daily backups configured and I can even snapshot / restore almost instantly.

If I'm going to do any major work I just press the snapshot button before starting.

I got sick of having to re-image Raspberry Pi's which I was using previously, I've been using Proxmox for about 2 years now, very happy with it.

It can run on small hardware like an Intel NUC very well (I'd suggest 16gb of ram).
Last edited by ben53252642 on Wednesday 19 June 2019 15:20, edited 1 time in total.
Unless otherwise stated, all my code is released under GPL 3 license: https://www.gnu.org/licenses/gpl-3.0.en.html
User avatar
leecollings
Posts: 167
Joined: Tuesday 30 June 2015 18:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: United Kingdom
Contact:

Re: Beware of Raspberry Pi SSH hijacks

Post by leecollings »

Ah okay, I misunderstood your post
EddyG
Posts: 1042
Joined: Monday 02 November 2015 5:54
Target OS: -
Domoticz version:

Re: Beware of Raspberry Pi SSH hijacks

Post by EddyG »

Code: Select all

The Canonical Livepatch Service delivers live kernel patching to Ubuntu LTS1 systems without the need to reboot. 
This has nothing to do with SSH hijacks.

Currently my system is constant under attack and what they do is clever. This is part of my auth.log

Code: Select all

Jun 19 06:56:48 raspberrypitest sshd[4257]: Invalid user michal from 160.16.52.252 port 52488
Jun 19 06:56:48 raspberrypitest sshd[4257]: input_userauth_request: invalid user michal [preauth]
Jun 19 06:56:48 raspberrypitest sshd[4257]: Received disconnect from 160.16.52.252 port 52488:11: Bye Bye [preauth]
Jun 19 06:56:48 raspberrypitest sshd[4257]: Disconnected from 160.16.52.252 port 52488 [preauth]
What they do is: see if an user exists if they fail then just disconnect. This way they are not catched by the maxretry = 3
So an hour or something more they come back to try an other user until they succeed.
My fail2ban settings are changed to maxretry = 1 and bantime = 86400 (1 day)
B.t.w. they will never succeed because the only login on ssh (on an other port) is when you have my certificate.
The ssh setup is certificate only.
Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 1 guest