Attacks on FreedomBox from Around the World?

As with many others, my Pioneer FreedomBox (version L board) becomes unreachable after 1 to 3 days, requiring a press of the reset button. Server logs don’t really help much with identifying what caused the crash, but I am convinced that Distributed Denial of Service (DDoS) may have been responsible for at least some of my prior crashes. I had an old Netgear 3600 modem/router that was in place when multiple DDoS attacks brought down the server. Hoping to put an end to the attacks, I purchased a new Nighthawk modem/router with updated security options. I put in a fresh weekly version 22.1 FB image, installed OpenVPN, Samba, Apache, and started with the new router. I opened the appropriate ports for the installed programs. I uploaded my website and, like a moth to a flame, they came. Within a few hours, the router logs showed hundreds of entries that say:

[LAN access from remote] from 47.90.216.230:58368 to 192.168.1.7:443, Jan 19 21:35:51 or

[LAN access from remote] from 45.146.165.37:52506 to 192.168.1.7:80, Jan 19 20:20:06

with mostly different source IP addresses. These LAN accesses were from dozens of IP addresses from around the world with only a few duplicate IP addresses. According to https://whatismyipaddress.com/ip-lookup, the first 62 IP addresses were from the following countries:
Taiwan 2
United States (various states) 32
Germany 3
Belgium 2
Netherlands 3
China 2
South Korea 1
Belize 1
Vietnam 1
Russia 5
Australia 1
Romania 4
Brazil 2
Iran 1
Switzerland 1
Cambodia 1

But who knows, the IP addresses might all be spoofed by Bots.

What I know:

Nearly all router log messages showed LAN entry through ports 80 and 443 (HTTP and HTTPS respectively).

There were three entries through port 1194 (OpenVPN).

All were trying to reach the FreedomBox.

There were no attempts to reach the FreedomBox through port 22 (ssh), except when I ssh’ed into the FB from the Windows command line.

Why is this happening and what can be done to stop it? Is this something I should worry about? These people or Bots are not my friend and apparently my WAN has been compromised through the presence of the FreedomBox on my home network. What do I need to do?
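To turn a router log like the one quoted above into something you can act on, here is a small added shell script (it is not from the thread or from the FreedomBox project) that summarises Netgear-style "[LAN access from remote]" lines by destination port, counts distinct source addresses, and counts lines the router already dropped. The sample lines are constructed after the format quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the FreedomBox project): summarise
# Netgear-style "[LAN access from remote]" router log lines by destination
# port, count distinct source addresses, and count lines the router already
# dropped, to see which forwarded services are drawing the traffic.
# The sample lines below are constructed after the format quoted in the thread.
LOG_SAMPLE=$(cat <<'EOF'
[LAN access from remote] from 47.90.216.230:58368 to 192.168.1.7:443, Jan 19 21:35:51
[LAN access from remote] from 45.146.165.37:52506 to 192.168.1.7:80, Jan 19 20:20:06
[LAN access from remote] from 146.88.240.4:35883 to 192.168.1.7:1194, Jan 28 03:17:30
[LAN access from remote] from 45.146.165.37:52507 to 192.168.1.7:443, Jan 19 20:21:10
[DoS attack: FW.WANATTACK DROP] source: 45.93.201.119, port: 65534, Jan 21 19:33:31
EOF
)

# Hits per forwarded destination port, printed as one "port count" line each.
# Field 8 is "dst-ip:port," so split on ':' and drop the trailing comma.
hits_per_port() {
    printf '%s\n' "$1" |
    awk '/^\[LAN access from remote\]/ {
            split($8, d, ":"); sub(/,$/, "", d[2]); n[d[2]]++
         }
         END { for (p in n) print p, n[p] }' | sort -n
}

# Number of distinct source IPs behind the LAN-access lines (field 6 is src:port).
distinct_sources() {
    printf '%s\n' "$1" |
    awk '/^\[LAN access from remote\]/ { split($6, s, ":"); print s[1] }' |
    sort -u | wc -l | tr -d ' '
}

# Lines the router itself already dropped; these never reached the FreedomBox.
dropped_count() {
    printf '%s\n' "$1" | grep -c '^\[DoS attack: .* DROP\]'
}

# Stand-alone run against the constructed sample.
echo "hits per destination port:"; hits_per_port "$LOG_SAMPLE"
echo "distinct sources: $(distinct_sources "$LOG_SAMPLE")"
echo "dropped by router: $(dropped_count "$LOG_SAMPLE")"
```

Against a log exported from the router, call the functions with its contents, e.g. `hits_per_port "$(cat router.log)"`; a port that shows up with many hits but is not one you deliberately forwarded is the first thing to close.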

doliver10,
From my own experience, here are my answers to your questions:

Why is this happening and what can be done to stop it? Because the Internet is rife with this kind of activity, especially since Covid caused many more people to rely on the Internet for remote work, school, etc., so black hat hackers and nation states are trying to profit from or gain political or financial leverage by exploiting insecure systems. There is nothing you or I can do, except to attempt to keep our Internet-exposed systems updated and hardened.

Is this something I should worry about? No, not really, except to make sure that we consistently update software, and take preventative measures where necessary to keep our systems and networks secure. These include, but are not limited to, good passwords, frequent backups, good IPsec, filesystem and network sanitation, careful user vetting, and continued self education to be aware of the known issues, present threats, and how to fix/patch them.

What do I need to do? One suggestion I have is to take your FBX off of the DMZ, or other direct exposure to the Internet, and use port forwarding on your Internet facing router to open only the ports you need exposed for your FBX services. I know that this is not necessarily the Freedombox default/recommended approach, but it works well for me.

I do that, because I was having such a problem with (primarily) large volumes of Chinese brute force attacks against my FBX, and other services on servers I have operated in the past. After I did that configuration change alone, it essentially stopped all of the unwanted traffic to my FBX, and I was still able to use my FBX services outside my LAN normally.

Just understand that things are not going to change, unless attackers have nothing to exploit, which is highly unlikely at this point. Asking for help was a great step on your part. Also, educating yourself with regard to security on the public facing server(s) you administer will be tantamount to your success with keeping said servers from getting hacked. That risk will always exist, as long as you have that/those servers exposed to the Internet.

Just keep in mind, FreedomBox is very secure. It is designed with IPsec in mind and is based on Debian, which IMHO is one of the most secure operating systems in the world, so more than likely your system has not been seriously compromised. You should not worry too much; just keep an eye on things, and make sure to keep asking questions! Remember this: for every bad actor on the Internet, there are 5 or 10 people that are here to help/do the right thing/be good/not be evil!


What problem did you face? How did you see these were brute force attacks?

I am asking because I am a naive guy running a FreedomBox at home (ejabberd, coturn, radicale and quassel) with the related ports accessible from the Internet (including SSH, but I deactivated login by password), and I am checking nothing besides that the FreedomBox is functional and that my backups worked.

It happened that my Freedombox was unresponsive and I had to take the power off, clean the SD card and reboot but perhaps only twice in the last 6 months. Apart from that, no issue.

Hello Avron,
I logged onto my router/modem and viewed the logs under Advanced and found multiple denial of service (DoS) attacks. Since each DoS attack came from a different IP address over a short period, I assumed it was a coordinated distributed DoS, or DDoS. The log had messages like this:

[DoS attack: FW.WANATTACK DROP] source: 45.93.201.119, port: 65534, Jan 21 19:33:31

A couple of things one could do are to blacklist the IP addresses and/or force-close the port on the router.

mtinman,
Thanks, I appreciate the insights. My passwords are strong, I purchased a current router, I only port forward for services since DMZ is just asking for trouble, and I’m using a VPN for attached devices. I did not activate a backup schedule since nearly every crash prior to the new router occurred overnight when backups and updates are scheduled, so I’m a little gun-shy. It doesn’t take long to re-upload my web pages, but as I become more comfortable with the security of the new router, I’ll try adding automated backups and adding other services in a few weeks. To get a little conspiratorial, I suppose it is possible for Nation States to shut down FBXs as they constitute an affront to control of the masses.

So it is on your router, not on the FreedomBox.

Now, I am only using the router from my ISP and I can’t see any log. I recently ordered a router on which libreCMC is supported. If I get it eventually (I am in Europe and ordered it from the US; I could not find any from Europe), I’ll put it between my ISP’s device and my home network, then I could get some clue.

Yes, look at the router logs to see who is attacking and when, not the FreedomBox. In the US, generally ISP routers can be reached through a browser at 192.168.1.1 or 192.168.0.1, and the user name and password can be found on the router. Once you log on, poke around to see where the logs are. You may need to contact the ISP to see how to get into your router.

Avron,

First of all, I started getting so much traffic on my home Internet connection that it was noticeably “bogging down” my attempts at using Internet-based services, but not my LAN. I checked my server logs and found out that a couple of days after I put the FreedomBox on the DMZ, I started getting attempts to log into ssh, ftp, and many other services as root, and other users like mysql_root, admin, etc. from IP addresses in China, North Korea, and Vietnam. Within 7 days, I was seeing bandwidth saturation from the attempts. After 9 days, I had to come up with a solution, as my family could no longer use the Internet because of all the repeated, automated attempts at breaking into my FreedomBox. I had seen this before (especially from around 2004-2006 on), when I used to blog from a home-based web server using WordPress. Residential Internet connections are not meant to handle that kind of traffic, and go down fast in the event of DDoS or brute force saturation attacks.

Do you know if it was a hardware, software, or some other issue? Definitely check system logs after these events to try to isolate the problem, or at least find clues to what may have caused it. And yes, Freedombox does tend to be pretty low maintenance, depending on hardware, and software installation complexity level. For the most part, if I don’t mess with things, it does just fine, and if I do mess with things, and bork something, I can usually find the help I need to fix things here, and elsewhere.

doliver10,

You can schedule the backups for any time of day, and you can just run a backup immediately by clicking the +Create Backup button in the System/Backups page. It does not take very long, as it just backs up application settings, not data, AFAIK. And yes, I do believe Nation States would be the ones investing the most time, effort, and money to squelch the voices of their “citizens”.


I am afraid this is a very stupid question, but how do you disable SSH password login on FB?

In System->Secure Shell (SSH) Server->Configuration there is a check box for that.

But you need to first go to the administration page of the user you wish to connect as and copy to the “Authorized SSH keys” the public key of a key pair that you generated on the computer you wish to connect from.

Since I got a new router/modem the DoS and DDoS attacks have continued, but I think they have been blocked by the router, and my FreedomBox has not crashed in over a week. In the router logs I get scary messages like:

[LAN access from remote] from 146.88.240.4:35883 to 192.168.1.7:1194, Jan 28 03:17:30

My FreedomBox is 192.168.1.7, but attempts continue from around the world.

But I am encouraged that my little FreedomBox just might become useful again (since update from Buster to Bullseye). I may even try adding another app or two.

It did take me a while to figure out how to disable SSH password login on the FreedomBox; I had to poke around for a while. What I have not been able to figure out is how to copy the Authorized SSH keys to my user account in Cockpit.
Clicking on the user icon in the upper-left of the Cockpit app gives three options, one of which is “SSH keys”. Clicking on that brings up a popup window:

“SSH keys
Use the following keys to authenticate against other systems Add key”

Clicking on “Add key” brings up a dialog box that says “Path to file” with an “Add” button.

How do I find the “Path to file”? I have tried several FB paths to various SSH folders, but nothing I’ve done works.

doliver10:

Here is the whois for that address:

whois 146.88.240.4

ARIN WHOIS data and services are subject to the Terms of Use

available at: Whois Terms of Use - American Registry for Internet Numbers

If you see inaccuracies in the results, please report at

Reporting a Whois Inaccuracy - American Registry for Internet Numbers

Copyright 1997-2022, American Registry for Internet Numbers, Ltd.

NetRange: 146.88.240.0 - 146.88.255.255
CIDR: 146.88.240.0/20
NetName: ARBORN
NetHandle: NET-146-88-240-0-1
Parent: NET146 (NET-146-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Arbor Networks, Inc. (ARBORN)
RegDate: 2016-10-27
Updated: 2021-12-14
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment:
Comment: https://www.arbor-observatory.com/
Ref: https://rdap.arin.net/registry/ip/146.88.240.0

OrgName: Arbor Networks, Inc.
OrgId: ARBORN
Address: 2727 S. State St.
Address: Suite 200
City: Ann Arbor
StateProv: MI
PostalCode: 48104
Country: US
RegDate: 2001-01-24
Updated: 2011-09-24
Ref: https://rdap.arin.net/registry/entity/ARBORN

OrgAbuseHandle: HOSTM187-ARIN
OrgAbuseName: hostmaster
OrgAbusePhone: +1-734-327-0000
OrgAbuseEmail: hostmaster@arbor.net
OrgAbuseRef: https://rdap.arin.net/registry/entity/HOSTM187-ARIN

OrgTechHandle: HOSTM187-ARIN
OrgTechName: hostmaster
OrgTechPhone: +1-734-327-0000
OrgTechEmail: hostmaster@arbor.net
OrgTechRef: https://rdap.arin.net/registry/entity/HOSTM187-ARIN

RAbuseHandle: ASERT-ARIN
RAbuseName: ASERT Abuse
RAbusePhone: +1-734-327-0000
RAbuseEmail: asert-abuse@netscout.com
RAbuseRef: https://rdap.arin.net/registry/entity/ASERT-ARIN


I will post a reply tomorrow to answer your following question about ssh keys, as I was just getting ready to go to bed when I read this post…

doliver10:

The key you are looking for is the id_rsa.pub, found in your /home/.ssh directory. It may be hidden from view by your GUI, which in my case is Gnome, so I just hit the CTRL-D keys, and voilà! It shows up when I look in the previously hidden .ssh directory. DO NOT USE the id_rsa file, this is your private key!

By default, Cockpit should find it and give you the option to use it, but sometimes it might be looking somewhere else, depending on where you had the system caret when you last looked for a local file to upload/download on your computer - browsers like to do dumb stuff like that.

If you do not have one (a ssh key) yet, you can generate one by following directions found at: https://devconnected.com/how-to-set-up-ssh-keys-on-debian-10-buster/
Make sure to read the article before generating a key, there are many options, and they are important enough not to overlook and “plan ahead” for future usage…

Also, do you have any users besides yourself on your FBX? Maybe you allowed users to create accounts on it? I know that some of the default settings can allow for this to happen. What user names are the attackers using? That should give you a clue as to what they are going after… If you have any more questions (which I’m sure you will), you know where to find me! :slight_smile:
One last suggestion for today: if you don’t have whois installed on your computer, do it now; it really helps to find the source of the attacks more easily, and report them.

I am convinced that my 10+ year old router allowed attacks on the FreedomBox that crashed it regularly. Since the installation of a new model router I have had zero FreedomBox crashes. This may be why many are still experiencing “unstable” performance on their FreedomBox servers.

The attacks continue. Initially all the attacks were on ports 80 and 443 (http and https) and directed to the FreedomBox, but recently the attacks have shifted to UPnP port 9010 on an IP address that is NOT a device on my network, at a rate of one every few seconds. In my new router, UPnP was enabled by default, which exposed several ports, among them port 9010. Interestingly, the NSA developed Ghidra, a backdoor software to exploit this open port and allow access to networks that have this port open. Disabling UPnP in the router has quieted things down considerably.

Did you open the link? It does not appear these are attacks, but rather research scans.

It does look like you can opt out of the scans:

Can I opt-out of these scans?

If you wish to opt out, please contact asert-abuse@netscout.com with the prefixes that you would like us to add to our scanning blacklist and we will update our systems as soon as possible.
Alternatively, if you have the ability to whitelist then you could add 146.88.240.0/24 to your whitelist which is our scanning address space.

To add the key, go to System->Users and groups, select the user for which you want to add the key, there is a text field “Authorized SSH keys”, you put your cursor there and paste your public key, input your current password in the last field of the form, then click on “apply changes”.

Like you, I never managed to do anything with the other menu that you tried.

Another way would be to use scp to copy your public key file to ~/.ssh/authorized_keys on the FreedomBox. In general, I prefer not to do this kind of manual thing when there is a way to handle it with the FreedomBox web interface (I mean plinth, not Cockpit).
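For anyone who does take the manual route just mentioned, here is an added shell example (not FreedomBox's own tooling) that appends a public key to a user's authorized_keys the safe way: it refuses a private key file such as id_rsa (the mix-up warned about earlier in the thread), sets the permissions sshd requires, and stays idempotent so re-running it never duplicates a key. The key material it writes is constructed for the demo and is not a real key pair.

```shell
#!/bin/sh
# Added example, not FreedomBox's own tooling: the manual route the thread
# mentions (putting a public key into ~/.ssh/authorized_keys), done safely:
# refuse anything that is a private key (the id_rsa/id_ed25519 file the
# thread warns about), set the permissions sshd insists on, and stay
# idempotent so re-running never duplicates a key. The key material below
# is constructed for the demo and is not a real key pair.

# True only for a one-line OpenSSH public key "<type> <base64> [comment]".
is_public_key() {
    grep -q 'PRIVATE KEY' "$1" && return 1
    head -n1 "$1" |
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
}

# install_pubkey <public key file> <target .ssh directory>
install_pubkey() {
    key=$1; dir=$2
    is_public_key "$key" || { echo "refusing $key: not a public key" >&2; return 1; }
    mkdir -p "$dir"
    # With StrictModes (the default) sshd ignores keys in a directory or
    # file that is group- or world-writable, so fix the modes explicitly.
    chmod 700 "$dir"
    touch "$dir/authorized_keys"; chmod 600 "$dir/authorized_keys"
    line=$(head -n1 "$key")
    grep -qxF "$line" "$dir/authorized_keys" || printf '%s\n' "$line" >> "$dir/authorized_keys"
}

# --- constructed demo files in a temp directory (not real keys) ---
DEMO=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoOnlyNotARealKey00000000000 alice@laptop' \
    > "$DEMO/id_ed25519.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'notarealkey' '-----END OPENSSH PRIVATE KEY-----' \
    > "$DEMO/id_ed25519"

install_pubkey "$DEMO/id_ed25519.pub" "$DEMO/ssh" && echo "installed into $DEMO/ssh/authorized_keys"
install_pubkey "$DEMO/id_ed25519" "$DEMO/ssh" || echo "private key correctly rejected"
```

On a real box you would run install_pubkey with the user's own ~/.ssh as the target and then confirm password login is really off with `ssh -o PasswordAuthentication=no user@freedombox`.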

Well, I looked for this file and it isn’t there. I used “ls -a” for both the home and my user folder and that file is not there. I also tried “find / -name id_rsa.pub”, which searches the whole system for the file, and I can’t find it on my system. However, when I use plinth and go to System > Secure Shell (SSH) Server, the keys are there. And interestingly, when I use Cockpit and go to “Overview” under “Configuration” and click on “Show fingerprints”, the keys are different. Is one set of these the private and the other the public? In any event, I can’t find the location of the key files.

You are trying with Cockpit; this never worked for me.

What worked is in the main plinth menu, when clicking to modify the user. Did you try that? Before posting my last reply, I tested what I wrote to add one more key and ssh to the freedombox using it (since my memory was weak) and it worked.