This all started when my wife went to the post office to check the mail. She sent me a message on Riot asking:
"What did you order from China?"
"Nothing," I said, "unless that streaming box from China decided to come four months late..."
I had an issue with AliExpress earlier this year where I had ordered a dual-boot streaming box (below) for my home theater setup. It sounded like a great deal, running Android and LibreELEC so I could have my pick of apps to access local and streamed content from one device.
The only problem was that it never came. I ordered it back in March, and I waited with bated breath. I know that AliExpress can take 4-6 weeks to get things stateside, so I was patient. But after 5 weeks with no shipping updates, my buyer protection was about to expire. I filed a claim, and the seller said:
"dear sir, since it is via the post, and need a little more time to receive it and it is on the way" - Seller
So I thought "Sure, I'll wait until my buyer protection is long gone for something that hasn't even shown up in the Chinese post office..." Not really; I filed a claim with AliExpress right away. Long story short, I got my money refunded. Then this week the product actually showed up! I did not expect that.
So I plugged it in when I got home from work and immediately got to playing with it. It was kinda slow, and seemed to be more useful for accessing local content on both the Android side and the Kodi-booting side. I don't have a lot of local videos, and only about 50 GB worth of local music files, so I just turned it off and left it alone.
When I went to work the next day, I decided to do some server maintenance on my home server during a break. So I logged into Cockpit, ran some updates and restarted some containers, then decided to check my logs to see how much my friends were using the VPN I set up for us all to use. That's when I saw all this activity!
I did not like the looks of it. And worst of all, it kept ticking along as more and more attempts poured in. After jotting down a few of the offending IPs, I went to the web to do a whois search on the addresses: Beijing, China. I was being hacked by the Chinese botnet! But not really, though.
My mind whirled around how this could be happening. Could it possibly get through to something? I don't have the root account set up for login on the server, just a list of sudoers. I also have a fairly complex passphrase that would take way too long for a botnet to guess. What was really bugging me was how these ports were getting forwarded. I knew they weren't open in UFW (the Linux firewall front end), and I was fairly certain that they weren't being forwarded from my router. I logged into my VPN to investigate further.
I was right. UFW was only accepting the few ports I had specified and had a nice log of other blocked requests, and the NAT service was only set up for what I expected... so how were they getting through? The Chinese box!
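To show what the log check described above looks like as code, here is an added example that is not from the original post: it parses a constructed set of OpenSSH log lines, counts failed logins per source address and targeted username, and checks that successful logins only arrive over the VPN. The 10.8.0.0/24 VPN range, hostnames and addresses are all assumed sample values.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sshd log lines in syslog format (not real traffic).
SAMPLE_LOG = """\
Jun 12 08:01:11 homeserver sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 12 08:01:13 homeserver sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 12 08:01:16 homeserver sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Jun 12 08:02:02 homeserver sshd[2210]: Failed password for root from 198.51.100.23 port 40010 ssh2
Jun 12 08:05:40 homeserver sshd[2230]: Accepted publickey for alex from 10.8.0.2 port 53322 ssh2: ED25519 SHA256:placeholder
Jun 12 08:06:01 homeserver sshd[2231]: Failed password for root from 203.0.113.7 port 51200 ssh2
"""

# "invalid user" appears when the username does not exist on the box.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")

def parse_auth_log(text):
    """Return (failed, accepted): failed maps source IP -> Counter of usernames
    tried against it; accepted is a list of (user, ip) for successful logins."""
    failed, accepted = {}, []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed.setdefault(ip, Counter())[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())
    return failed, accepted

def noisy_sources(failed, threshold=3):
    """Source IPs with at least `threshold` failed attempts, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in failed.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold), key=lambda ip: -totals[ip])

def logins_outside_vpn(accepted, vpn_net="10.8.0.0/24"):
    """Successful logins that did not come over the VPN (assumed subnet).
    Once SSH is restricted to the VPN, this list should stay empty."""
    net = ip_network(vpn_net)
    return [(user, ip) for user, ip in accepted if ip_address(ip) not in net]

if __name__ == "__main__":
    failed, accepted = parse_auth_log(SAMPLE_LOG)
    for ip in noisy_sources(failed):
        print(f"{ip}: {sum(failed[ip].values())} failures, users tried: {dict(failed[ip])}")
    print("logins outside VPN:", logins_outside_vpn(accepted))
```

On a real Debian/Ubuntu host the same lines come from `/var/log/auth.log` or `journalctl -u ssh`.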
"Alex, can you unplug the streaming box?"
"Our server is getting inundated with requests for root access."
"And that means..."
"Something's trying to hack into our network."
My wife acted fast... but the requests persisted. If it wasn't the sketchy AliExpress #IoT device, how were the requests getting through? I called my ISP; they might be interested to know that this was happening. Maybe they could block requests from the offending addresses so that my server could relax a little bit.
Not really. They were really helpful; I like our local ISP and that they don't treat me like I know nothing. Even though, apparently, I knew nothing about network security. Brad suggested that I check whether the DMZ host option was turned on for my router. Oh yeah, I turned that on a while back so I wouldn't have to forward everything. A DMZ host receives every unsolicited inbound connection the router doesn't already have a forwarding rule for, so the SSH port UFW allowed was reachable from the whole internet. He also suggested that, just as a safety precaution, I disallow SSH access from external addresses. This wouldn't affect me personally, as I could use my VPN, but it would make sure that no outside SSH requests would hit the open port.
Overall, I got some important take-aways from the adventure:
- This kind of thing is normal. Most people don't notice it, and most of it gets blocked by your router.
- If you want to save your server some trouble, don't use a DMZ host. Just forward what ports you use.
- Use the firewall.
- I should've been using a VPN years ago, and I'm so glad I have one now.
Maybe I'll have to make a new Kali install and test out my security now...I'm kind of enjoying the challenge of network security.