
I have a Raspberry Pi running Debian Jessie. I have pi-hole installed to block ad-serving domains (https://pi-hole.net). Going through the logs, I noticed a lot of queries from a Chinese domain.

lsof -i shows me the following list, which I find suspicious:

COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd  1742  root  3u  IPv4  16960  0t0  TCP raspberrypi:ssh->116.31.116.47:50600 (ESTABLISHED)
sshd  1743  sshd  3u  IPv4  16960  0t0  TCP raspberrypi:ssh->116.31.116.47:50600 (ESTABLISHED)
sshd  1774  root  3u  IPv4  16990  0t0  TCP raspberrypi:ssh->183.214.141.105:56265 (ESTABLISHED)
sshd  1775  sshd  3u  IPv4  16990  0t0  TCP raspberrypi:ssh->183.214.141.105:56265 (ESTABLISHED)
sshd  1869  root  3u  IPv4  17068  0t0  TCP raspberrypi:ssh->116.31.116.47:33525 (ESTABLISHED)
sshd  1870  sshd  3u  IPv4  17068  0t0  TCP raspberrypi:ssh->116.31.116.47:33525 (ESTABLISHED)
sshd  1910  root  3u  IPv4  17122  0t0  TCP raspberrypi:ssh->116.31.116.47:35816 (ESTABLISHED)
sshd  1911  sshd  3u  IPv4  17122  0t0  TCP raspberrypi:ssh->116.31.116.47:35816 (ESTABLISHED)
sshd  1931  root  3u  IPv4  17158  0t0  TCP raspberrypi:ssh->116.31.116.47:49492 (ESTABLISHED)
sshd  1932  sshd  3u  IPv4  17158  0t0  TCP raspberrypi:ssh->116.31.116.47:49492 (ESTABLISHED)
sshd  1935  root  3u  IPv4  17163  0t0  TCP raspberrypi:ssh->183.214.141.105:23828 (ESTABLISHED)
sshd  1936  sshd  3u  IPv4  17163  0t0  TCP raspberrypi:ssh->183.214.141.105:23828 (ESTABLISHED)
sshd  1937  root  3u  IPv4  17168  0t0  TCP raspberrypi:ssh->116.31.116.47:53628 (ESTABLISHED)
sshd  1938  sshd  3u  IPv4  17168  0t0  TCP raspberrypi:ssh->116.31.116.47:53628 (ESTABLISHED)
sshd  1940  root  3u  IPv4  17176  0t0  TCP raspberrypi:ssh->116.31.116.47:57858 (ESTABLISHED)
sshd  1941  sshd  3u  IPv4  17176  0t0  TCP raspberrypi:ssh->116.31.116.47:57858 (ESTABLISHED)
sshd  1944  root  3u  IPv4  17194  0t0  TCP raspberrypi:ssh->183.214.141.105:28355 (ESTABLISHED)
sshd  1945  sshd  3u  IPv4  17194  0t0  TCP raspberrypi:ssh->183.214.141.105:28355 (ESTABLISHED)

I already changed my password, restarted my Pi and checked for any unknown users (there were none). How do I proceed with making my Pi secure again?

3 Answers


There may or may not be a security breach.

It may just be an idiot trying to brute force crack passwords. If they connect, try a password, it fails, and they don't try another or close the connection, then you can see these connections, which will eventually be closed by sshd.

/var/log/auth.log

should have some information on the login attempts. The last command may show you successful logins.

  • Thanks, this was very helpful. Indeed it looked like a brute force attack. One of the first things I have done now is install fail2ban (iot-projects.com/…). I'll furthermore consider single packet authorization and blocking incoming Chinese and Russian IP addresses at my router.
    – Vincent
    Commented Jan 12, 2017 at 4:42
  • You might find sites like ipdeny.com/ipblocks helpful.
    – icarus
    Commented Jan 12, 2017 at 5:14
  • I do not have that file on Arch or Fedora.
    – aurelien
    Commented Jan 12, 2017 at 9:14
  • @nixda what additional information are you looking for
    – icarus
    Commented Dec 23, 2023 at 1:46
  • Fail2ban is helpful, and will slow down the attacks, but even better would be to scrape the fail2ban logs and permanently firewall the offending subnets. Or just close ssh to outside access entirely and only whitelist subnets you care about. Or set up port knocking.
    – user10489
    Commented Dec 25, 2023 at 14:33
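As an added example (not from icarus's answer), a POSIX sh/awk pass over an auth.log in Debian's format that counts failed password attempts per source address, lists accepted logins, and flags any address that both guessed passwords and was later accepted, which is the case where rebuilding the Pi is the right call. The log lines are constructed, reusing the addresses from the question's lsof output.

```shell
#!/bin/sh
# Added example (not from the answer above): summarise SSH brute-force activity
# from a Debian-format auth.log with POSIX sh + awk. Pass the log path as $1.

# Constructed sample; on Jessie the real file is /var/log/auth.log.
SAMPLE_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 04:30:01 raspberrypi sshd[1742]: Failed password for invalid user admin from 116.31.116.47 port 50600 ssh2
Jan 12 04:30:03 raspberrypi sshd[1742]: Failed password for invalid user admin from 116.31.116.47 port 50600 ssh2
Jan 12 04:30:05 raspberrypi sshd[1774]: Failed password for root from 183.214.141.105 port 56265 ssh2
Jan 12 04:30:09 raspberrypi sshd[1869]: Failed password for pi from 116.31.116.47 port 33525 ssh2
Jan 12 04:31:12 raspberrypi sshd[2001]: Accepted password for pi from 192.168.1.20 port 51022 ssh2
Jan 12 04:31:15 raspberrypi sshd[1910]: Failed password for invalid user test from 116.31.116.47 port 35816 ssh2
Jan 12 04:32:40 raspberrypi sshd[2050]: Accepted publickey for pi from 183.214.141.105 port 23828 ssh2
EOF

# Failed password attempts per source address, busiest first: "<count> <ip>".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Successful logins as "<method> <user> <ip>"; compare each ip with addresses you know.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") { print $(i+1), $(i+3), $(i+5); break }
         }' "$1"
}

# Addresses that guessed passwords AND were later accepted: a likely compromise.
# Reads the file twice: pass 1 collects guessing addresses, pass 2 matches them
# against the Accepted lines, so ordering in the log does not matter.
suspicious_successes() {
    awk 'NR == FNR { if (/Failed password for/) for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)] = 1; next }
         /sshd\[[0-9]+\]: Accepted / { for (i = 1; i <= NF; i++) if ($i == "from" && ($(i+1) in bad)) print $(i+1) }' "$1" "$1"
}

echo "failed password attempts by source:"; failed_by_source "$SAMPLE_LOG"
echo "accepted logins:"; accepted_logins "$SAMPLE_LOG"
echo "accepted from an address that was also guessing:"; suspicious_successes "$SAMPLE_LOG"
```

To run it against the real log, point SAMPLE_LOG at /var/log/auth.log (readable by root) and remove the heredoc.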

As icarus already mentioned, it is not possible to know for sure whether there was a security breach on your server. If lsof -i or ss -tulpn shows an established connection from your host (from the ssh/22 port) to a suspicious IP, you might consider starting from scratch.

last is useful to see successful logins, but you might be interested in lastb:

sudo lastb  # Show a list of all last logged in users
sudo lastb --since YYYY-MM-DD  # Show a list of all last logged in users since a given time

Some security advice I didn't see in the other answers:


To make your Raspberry Pi secure you should disable password login on the SSH server. Only use public key authentication (this can't be brute forced).

For that, first copy your SSH public key to your Pi.

Then under /etc/ssh/sshd_config.d put securepi.conf which should have these lines:

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM no

and restart the SSH server.

I don't like to directly edit /etc/ssh/sshd_config because changes are hard to track and reverse, but in the case of a file under sshd_config.d you just have to delete the file to reverse the changes.

Two more suggestions:

  1. Use Cloudflare Tunnels instead of opening a port; it will prevent DDoS and similar attacks.
  2. Only allow connection from specific IPs using firewall rules.
  • While this is a good idea, it won't stop the brute force login attempts. Just having the port open will attract brute force attacks that use up your bandwidth.
    – user10489
    Commented Dec 25, 2023 at 14:32
  • Brute forcing public key authentication is impractical; just imagine the time and computing power required.
    Commented Dec 26, 2023 at 2:34
  • Brute force attacks are guaranteed if your port is open and not firewalled. Successful brute force attacks are impractical. Think DoS attack, not access attack.
    – user10489
    Commented Dec 26, 2023 at 8:22
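As an added example (not part of the answer above), a POSIX sh script that installs the drop-in with two guards a practitioner would want: it refuses to disable passwords until an authorized_keys file actually holds a key, and it checks that the main sshd_config Includes the drop-in directory, since OpenSSH before 8.2 (Jessie shipped 6.7) has no Include directive and would silently ignore the file. File paths are parameters, and the run at the bottom uses a constructed scratch tree so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the answer above): install the key-only drop-in with
# two guards. Paths are parameters so it can be rehearsed on a scratch copy.

# 0 if the authorized_keys file holds at least one key line (by key-type prefix).
has_authorized_key() {
    [ -r "$1" ] && grep -Eq '^(sk-)?(ssh-|ecdsa-sha2-)' "$1"
}

# 0 if the main config loads the drop-in directory. Include arrived in OpenSSH 8.2;
# an older sshd (Jessie shipped 6.7) would silently ignore sshd_config.d.
dropin_is_included() {
    grep -Fq -- "Include $2/*.conf" "$1"
}

# write_keyonly_dropin <conf_dir> <sshd_config> <authorized_keys>
# Writes the four lines from the answer only when both guards pass, so that
# disabling passwords can neither lock you out nor silently do nothing.
write_keyonly_dropin() {
    conf_dir=$1 sshd_config=$2 auth_keys=$3
    has_authorized_key "$auth_keys" ||
        { echo "no public key in $auth_keys; not disabling passwords" >&2; return 1; }
    dropin_is_included "$sshd_config" "$conf_dir" ||
        { echo "$sshd_config has no Include for $conf_dir; drop-in would be ignored" >&2; return 1; }
    mkdir -p "$conf_dir"
    cat > "$conf_dir/securepi.conf" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
EOF
    echo "wrote $conf_dir/securepi.conf; next: sudo sshd -t && sudo service ssh restart"
}

# Rehearsal on a scratch tree (constructed; nothing under /etc is touched).
demo=${TMPDIR:-/tmp}/securepi-demo.$$
mkdir -p "$demo"
printf 'Include %s/sshd_config.d/*.conf\nPort 22\n' "$demo" > "$demo/sshd_config"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY pi@laptop\n' > "$demo/authorized_keys"
write_keyonly_dropin "$demo/sshd_config.d" "$demo/sshd_config" "$demo/authorized_keys"
```

On the Pi itself the call is write_keyonly_dropin /etc/ssh/sshd_config.d /etc/ssh/sshd_config ~/.ssh/authorized_keys as root, followed by the sshd -t check it prints before restarting.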
