Hardening/Securing Freedombox

Hi!

What are some general tips for hardening and securing our freedombox?

The reason I ask is because I might have already been breached(?) after I installed Postfix/Dovecot and Samba without knowing much about it, and now I can see in my logs that I have several attempted connections…

Such as

7:22 PM error: kex_protocol_error: type 20 seq 2 [preauth]
4:36 PM lmtp(15402): Error: lmtp-server: conn unix:pid=15400,uid=111 [1]: rcpt root@freedombox.local: Failed to lookup user root@freedombox.local: Invalid settings in userdb: userdb returned 0 as uid dovecot
4:35 PM error: kex_exchange_identification: Connection closed by remote host sshd
4:06 PM lmtp(15271): Error: lmtp-server: conn unix:pid=15270,uid=111 [1]: rcpt root@freedombox.local: Failed to lookup user root@freedombox.local: Invalid settings in userdb: userdb returned 0 as uid
12:08 PM error: maximum authentication attempts exceeded for root from 113.X.29 port 41016 ssh2 [preauth]
3:56 PM error: kex_protocol_error: type 20 seq 2 [preauth]
3:13 PM <q4ok7w>; lua; neural.lua:780: cannot get ANNs list from redis: Connection refused

These are also strange

I don’t know much about networking… but I can tell that someone attempted to log in. Is their attempt via Dovecot?

I configured a DMZ network, is this publicly available?

Also, this newly appeared in the logs:

September 20, 2023
Reboot
2:15 PM
Failed to start ssh.service - OpenBSD Secure Shell server.

I thought Freedombox ran a debian variant?

Is there a way to automate logging of attempted connections sent to an email?
This is to successfully see logins on a third party, so that an attacker can’t clear their traces without it being known…

Greetings @ojo

Freedombox uses fail2ban, which makes it difficult to get into. fail2ban watches repeated connection attempts, and when a threshold is met it will deny further connection attempts from the attacker for several minutes. This makes Freedombox difficult to penetrate by password guessing, by creating a large time penalty for failed attempts. This is integrated with many, if not all, services.

Using Let’s Encrypt is another good step, and you may need to use dynamic DNS to make this work. This gives you a globally valid SSL certificate, which encrypts traffic and verifies your freedombox as the intended server.

SSH is a secure service which can be made more secure by disabling password authentication. The manual has steps to do this if you like SSH.

Maybe it is not impossible to break into Freedombox, but it is not easy. If the connection attempts in the log scare you, then read the fail2ban logs and see how many that stops. Ban messages make me smile.

3 Likes
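One way to produce the summary of login attempts and fail2ban bans that the question asks to have mailed out, as an added example that is not code from the post or from the FreedomBox project: it separates real password guessing (sshd's "maximum authentication attempts exceeded") from pre-auth connection noise (the kex_* errors) and lists the addresses fail2ban banned. SAMPLE_LOG is constructed; the journalctl unit names and the mail(1) command are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post. Summarises sshd/fail2ban journal
# lines so a cron job can mail the result. SAMPLE_LOG is constructed; on a
# real box feed it: journalctl -u ssh -u fail2ban --since yesterday
# (unit names are an assumption; Debian calls the sshd unit ssh.service).
SAMPLE_LOG='Sep 20 12:08:01 fbx sshd[1201]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 41016 ssh2 [preauth]
Sep 20 12:08:03 fbx sshd[1202]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 41020 ssh2 [preauth]
Sep 20 12:08:04 fbx fail2ban.actions[455]: NOTICE [sshd] Ban 203.0.113.7
Sep 20 12:09:10 fbx sshd[1210]: error: kex_exchange_identification: Connection closed by remote host
Sep 20 12:10:00 fbx sshd[1215]: error: maximum authentication attempts exceeded for admin from 198.51.100.9 port 50000 ssh2 [preauth]
Sep 20 15:56:00 fbx sshd[1230]: error: kex_protocol_error: type 20 seq 2 [preauth]'

# Password guessing that hit sshd's MaxAuthTries limit, grouped by source
# address and target user. Output lines: "<count> <address> <user>".
auth_limit_hits() {
  grep 'maximum authentication attempts exceeded' |
    sed -n 's/.* for \([^ ]*\) from \([^ ]*\) port .*/\2 \1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Connections dropped before authentication (kex_* errors): scanner noise,
# not logins. Reported as one count so it does not drown the report.
preauth_noise() {
  grep -c 'sshd\[[0-9]*\]: error: kex_' || true
}

# Addresses fail2ban actually banned, one per line.
banned_addresses() {
  sed -n 's/.*fail2ban\.actions.*Ban \([^ ]*\).*/\1/p' | sort -u
}

# Assemble the report from stdin; from cron, pipe it into mail(1), e.g.
#   journalctl -u ssh -u fail2ban --since yesterday | daily_report | mail -s "ssh report" you@example.org
daily_report() {
  log=$(cat)
  printf 'SSH auth-limit hits (count address user):\n'
  printf '%s\n' "$log" | auth_limit_hits
  printf 'Pre-auth connection errors: %s\n' "$(printf '%s\n' "$log" | preauth_noise)"
  printf 'Banned by fail2ban:\n'
  printf '%s\n' "$log" | banned_addresses
}

printf '%s\n' "$SAMPLE_LOG" | daily_report
```

Sending the report off-box only preserves the record if the receiving mailbox is not on the FreedomBox itself.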