Someone is trying to hack my Subsonic server

Status
Not open for further replies.

maclark7029

Dabbler
Joined
Apr 6, 2014
Messages
25
Hi,

For the last week or so, the Subsonic Logs have this message every 10 seconds:

[1/24/15 9:58:23 PM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin

I tried shutting down for a couple days, but the jerk just came back. It was suggested I use Wireshark to identify the IP address of the hacker and block at the firewall.

Can Wireshark be installed in FreeNAS, or is there an equivalent program?

Can anyone provide help with identifying the IP address of the jerk trying to hack my server?

I'm currently running FreeNAS-9.3-STABLE-201412142326

Appreciate the help anyone can provide.

Mike
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Hate to break it to you, but if you've got it facing the internet, what do you expect? This is *precisely* why we tell people to NOT make things forward facing. This is what VPNs are designed to protect.

You asked for it by making it forward facing, what do you expect?

To answer your question though, there is no Wireshark for FreeNAS. There is tcpdump, and a little Googling will tell you how to use it.

But let me just point out that blocking the IP won't stop him. If he's truly interested then he'll just use a different IP. The *real* solution is to follow best practices for network security and not face the internet to begin with.

What's really cool is that I bet your jail isn't being kept up to date and such (hint: if it was being kept up to date properly you'd be a wizard and you'd be the guy laughing at the guy asking if Wireshark exists for FreeBSD), so you probably are taking other risks that won't even appear in logs. How great is that! In fact, I'd be somewhat surprised if you haven't already been compromised.

Most people don't come in here because someone is trying to log into your server. They come in here because they've already proven to have a compromised jail and want to know just how much damage the attacker may have been able to get away with.
 

maclark7029

Dabbler
Joined
Apr 6, 2014
Messages
25
No, it wasn't unexpected, and I'm actually surprised it's taken over a year for someone to find it. It's the only public-facing web server I have running. Yes, I know about VPN and I personally use it for some applications. But it's beyond the ability of my family, whom I share remote access with. So, I do what I can.

Thank you for the tip about tcpdump and looking at my jail. I'm glad you find this funny and I was able to make you laugh.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Oh, I don't laugh or find this funny. I find it disappointing that someone would take security so nonchalantly that they'd do what you did.
 

maclark7029

Dabbler
Joined
Apr 6, 2014
Messages
25
So, using tcpdump it turns out that I was doing it to myself. I forgot I had the subsonic app on my phone logging in as admin, which I set up as a test when I first started using Subsonic. Since then, I've started using Ultrasonic with a user account and forgot to remove the admin login in the Subsonic app. It only started because I changed my admin password, as any security minded person does occasionally.

I'm not nonchalant about security, but I am perhaps a little uneducated. I do what I can with what I know and am able to do. Not everyone has years of experience or can call themselves a "cyberjock."

Anyway, sincerely thanks for the help.

Mike
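An added example, not from this thread or from the Subsonic or FreeNAS projects, of how to join the two pieces of evidence discussed above: the Subsonic log tells you which user is failing and how regularly (a steady cadence suggests a forgotten client rather than a person), and tcpdump tells you which address is connecting. The log lines, the tcpdump output, the interface name em0 and Subsonic's default port 4040 are assumptions or constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample Subsonic log lines (same format as the line quoted in the thread).
SUBSONIC_LOG = """\
[1/24/15 9:58:03 PM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[1/24/15 9:58:13 PM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[1/24/15 9:58:23 PM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[1/24/15 9:58:30 PM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user guest
"""

# Constructed sample of text output from (run inside the jail; interface name assumed):
#   tcpdump -n -i em0 'tcp[tcpflags] & tcp-syn != 0 and dst port 4040'
TCPDUMP_OUT = """\
21:58:03.101 IP 192.168.1.42.50123 > 192.168.1.10.4040: Flags [S], seq 1, win 65535, length 0
21:58:13.104 IP 192.168.1.42.50124 > 192.168.1.10.4040: Flags [S], seq 2, win 65535, length 0
21:58:23.099 IP 192.168.1.42.50125 > 192.168.1.10.4040: Flags [S], seq 3, win 65535, length 0
21:58:30.512 IP 203.0.113.7.40001 > 192.168.1.10.4040: Flags [S], seq 4, win 65535, length 0
"""

LOG_RE = re.compile(r"^\[(.+?)\] INFO \S+ Authentication failed for user (\S+)")
SYN_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.(\d+): Flags \[S\]")

def failed_logins(log_text):
    """Map each user name to the timestamps of its failed authentications."""
    hits = {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        stamp = m.group(1).rsplit(" ", 1)[0]  # drop the zone abbreviation
        when = datetime.strptime(stamp, "%m/%d/%y %I:%M:%S %p")
        hits.setdefault(m.group(2), []).append(when)
    return hits

def login_interval(times, jitter=1.0):
    """Mean gap in seconds if every gap is within `jitter` of the mean, else None."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    mean = sum(gaps) / len(gaps)
    return mean if all(abs(g - mean) <= jitter for g in gaps) else None

def syn_sources(tcpdump_text, port=4040):
    """Count connection attempts (SYNs) to `port` by source address."""
    counts = Counter()
    for m in filter(None, map(SYN_RE.match, tcpdump_text.splitlines())):
        if int(m.group(2)) == port:
            counts[m.group(1)] += 1
    return counts
```

With the sample data, admin fails exactly every 10 seconds and every SYN at those moments comes from one private LAN address, which is the pattern of a device on your own network retrying a stored password.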
 