[tor-relays] Tor stop / reboot by itself + weird logs (hacking?)
Sean Greenslade
sean at seangreenslade.com
Thu Nov 7 15:35:45 UTC 2019
On November 6, 2019 10:44:58 AM PST, David Strappazon <david.strappazon at protonmail.com> wrote:
>Hello everyone,
>
>i'm running a bridge on a raspberry Pi 3B+ on Kali Linux.
>
>Everything looks fine but after checking the logs i noticed that the
>service rebooted by itself in the middle on the night:
>
>Nov 06 03:51:09.000 [notice] Interrupt: we have stopped accepting new
>connections, and will shut down in 30 seconds. Interrupt again to exit
>now.
>Nov 06 03:51:10.000 [notice] Delaying directory fetches: We are
>hibernating or shutting down.
>Nov 06 03:51:39.000 [notice] Clean shutdown finished. Exiting.
>etc...
>
>Then after that, it works again (will check tonight /tomorrow if it
>reboots again).
>
>I'm trying to find why it is rebooting but without success. I checked
>all logs possible and also notice this in journalctl -xe:
>
>nov. 06 19:37:58 kali-pi sshd[15920]: Failed password for root from
>XXXXX port 37494 ssh2
>nov. 06 19:38:03 kali-pi sshd[15920]: Failed password for root from
>XXXX port 37494 ssh2
>nov. 06 19:38:08 kali-pi sshd[15920]: Failed password for root from
>XXXXX port 37494 ssh2
>nov. 06 19:38:13 kali-pi sshd[15920]: Failed password for root from
>XXXXX port 37494 ssh2
>nov. 06 19:38:18 kali-pi sshd[15920]: Failed password for root from
>XXXXX port 37494 ssh2
>nov. 06 19:38:18 kali-pi sshd[15920]: error: maximum authentication
>attempts exceeded for root from 21>
>nov. 06 19:38:18 kali-pi sshd[15920]: Disconnecting authenticating user
>root 2XXXX port 37494: >
>nov. 06 19:38:18 kali-pi sshd[15920]: PAM 5 more authentication
>failures; logname= uid=0 euid=0 tty=ss>
>nov. 06 19:38:18 kali-pi sshd[15920]: PAM service(sshd) ignoring max
>retries; 6 > 3
>nov. 06 19:38:21 kali-pi sshd[15950]: pam_unix(sshd:auth):
>authentication failure; logname= uid=0 euid>
>nov. 06 19:38:22 kali-pi sshd[15953]: pam_unix(sshd:auth):
>authentication failure; logname= uid=0 euid>
>nov. 06 19:38:23 kali-pi sshd[15950]: Failed password for root from
>XXXX port 64786 ssh2
>nov. 06 19:38:23 kali-pi sshd[15953]: Failed password for root from
>XXXXX port 6739 ssh2
>
>There's two different IP that i don't know. A whois says it's a Chinese
>provider...
>
>Should i consider that someone is trying to break into my home network?
>
>Sent with [ProtonMail](https://protonmail.com) Secure Email.
Hi, David. This sort of ssh brute-force / dictionary attack is simply a fact of life if you have any internet-facing server, especially SSH. There are a few things you can do:
- Ensure you have changed all default passwords to strong ones
- Ensure the root user is disabled in sshd_config
- Make your local user a custom username (not the default user that comes with your distro)
- Disable password auth and use public key auth instead
- Switch sshd to a non-standard port (e.g. 2222 instead of 22)
Some people also use something like fail2ban, but I personally don't think it's worthwhile (especially if you use public key auth only).
As for your mystery restart, it looks like tor received an external shutdown request from systemd. You'll need to look elsewhere for the source of that restart. Try inspecting the unfiltered system logs about a minute before the restart.
--Sean
More information about the tor-relays
mailing list