On November 6, 2019 10:44:58 AM PST, David Strappazon david.strappazon@protonmail.com wrote:
Hello everyone,
I'm running a bridge on a Raspberry Pi 3B+ on Kali Linux.
Everything looks fine, but after checking the logs I noticed that the service rebooted by itself in the middle of the night:
Nov 06 03:51:09.000 [notice] Interrupt: we have stopped accepting new connections, and will shut down in 30 seconds. Interrupt again to exit now.
Nov 06 03:51:10.000 [notice] Delaying directory fetches: We are hibernating or shutting down.
Nov 06 03:51:39.000 [notice] Clean shutdown finished. Exiting.
etc...
Then after that, it works again (will check tonight /tomorrow if it reboots again).
I'm trying to find out why it is rebooting, but without success. I checked all the logs I could and also noticed this in journalctl -xe:
nov. 06 19:37:58 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:03 kali-pi sshd[15920]: Failed password for root from XXXX port 37494 ssh2
nov. 06 19:38:08 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:13 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:18 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:18 kali-pi sshd[15920]: error: maximum authentication attempts exceeded for root from 21>
nov. 06 19:38:18 kali-pi sshd[15920]: Disconnecting authenticating user root 2XXXX port 37494: >
nov. 06 19:38:18 kali-pi sshd[15920]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ss>
nov. 06 19:38:18 kali-pi sshd[15920]: PAM service(sshd) ignoring max retries; 6 > 3
nov. 06 19:38:21 kali-pi sshd[15950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid>
nov. 06 19:38:22 kali-pi sshd[15953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid>
nov. 06 19:38:23 kali-pi sshd[15950]: Failed password for root from XXXX port 64786 ssh2
nov. 06 19:38:23 kali-pi sshd[15953]: Failed password for root from XXXXX port 6739 ssh2
There are two different IPs that I don't know. A whois says it's a Chinese provider...
Should I consider that someone is trying to break into my home network?
Hi, David. This sort of ssh brute-force / dictionary attack is simply a fact of life if you have any internet-facing server, especially SSH. There are a few things you can do:
- Ensure you have changed all default passwords to strong ones
- Ensure the root user is disabled in sshd_config
- Make your local user a custom username (not the default user that comes with your distro)
- Disable password auth and use public key auth instead
- Switch sshd to a non-standard port (e.g. 2222 instead of 22)
Some people also use something like fail2ban, but I personally don't think it's worthwhile (especially if you use public key auth only).
As for your mystery restart, it looks like tor received an external shutdown request from systemd. You'll need to look elsewhere for the source of that restart. Try inspecting the unfiltered system logs about a minute before the restart.
--Sean
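Added example (not from either message in this thread): a small parser for sshd journal lines in the format David pasted, which counts failed logins per source address, records which usernames each address tried, notes "maximum authentication attempts exceeded" lockouts, and, most importantly for deciding whether anything actually got in, lists successful logins and whether any came from an address that was also failing. The sample journal is constructed to mirror David's excerpt; the addresses are documentation ranges, not the real sources he redacted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of the journalctl excerpt in the thread.
# 203.0.113.x / 198.51.100.x / 192.0.2.x are documentation addresses.
SAMPLE_JOURNAL = """\
nov. 06 19:37:58 kali-pi sshd[15920]: Failed password for root from 203.0.113.7 port 37494 ssh2
nov. 06 19:38:03 kali-pi sshd[15920]: Failed password for root from 203.0.113.7 port 37494 ssh2
nov. 06 19:38:08 kali-pi sshd[15920]: Failed password for root from 203.0.113.7 port 37494 ssh2
nov. 06 19:38:13 kali-pi sshd[15920]: Failed password for root from 203.0.113.7 port 37494 ssh2
nov. 06 19:38:18 kali-pi sshd[15920]: Failed password for root from 203.0.113.7 port 37494 ssh2
nov. 06 19:38:18 kali-pi sshd[15920]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 37494 ssh2 [preauth]
nov. 06 19:38:18 kali-pi sshd[15920]: Disconnecting authenticating user root 203.0.113.7 port 37494: Too many authentication failures [preauth]
nov. 06 19:38:23 kali-pi sshd[15950]: Failed password for root from 198.51.100.22 port 64786 ssh2
nov. 06 19:38:23 kali-pi sshd[15953]: Failed password for root from 203.0.113.7 port 6739 ssh2
nov. 06 19:38:30 kali-pi sshd[15960]: Failed password for invalid user admin from 198.51.100.22 port 50100 ssh2
nov. 06 19:40:01 kali-pi sshd[15970]: Accepted publickey for pi from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructedfingerprint
"""

# OpenSSH's "Failed <method> for [invalid user] <user> from <ip> port <port>" line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
# Emitted when MaxAuthTries is hit on one connection.
LOCKOUT_RE = re.compile(
    r"sshd\[\d+\]: error: maximum authentication attempts exceeded for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)
# Successful logins; these are the lines that matter when judging impact.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def summarize(journal_text, threshold=5):
    """Aggregate sshd auth events from journal text.

    threshold: failures from one address at or above which it is listed
    as 'suspicious' (a constructed cut-off, not an sshd setting).
    """
    failed_by_ip = Counter()
    users_by_ip = defaultdict(set)
    lockouts = Counter()
    accepted = []

    for line in journal_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            lockouts[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))

    suspicious = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    # A success from an address that was also guessing is the case to escalate.
    accepted_from_suspicious = [a for a in accepted if a[1] in suspicious]

    return {
        "failed_by_ip": failed_by_ip,
        "users_by_ip": dict(users_by_ip),
        "lockouts": lockouts,
        "accepted": accepted,
        "suspicious": suspicious,
        "accepted_from_suspicious": accepted_from_suspicious,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_JOURNAL)
    for ip, n in report["failed_by_ip"].most_common():
        print(f"{ip}: {n} failures, users tried: {sorted(report['users_by_ip'][ip])}")
    print("lockouts:", dict(report["lockouts"]))
    print("suspicious:", report["suspicious"])
    print("accepted logins:", report["accepted"])
    print("accepted from suspicious addresses:", report["accepted_from_suspicious"])
```

On a live system the same function can be fed `journalctl -u ssh --no-pager` output; the question to answer first is whether `accepted_from_suspicious` is empty, because a full log of failures with no matching success is, as Sean says, just background noise.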
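Added example (mine, not Sean's or the Tor project's): a checker for the sshd_config items in Sean's list, shown against a constructed weak configuration and a constructed hardened one. It reads the file the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after the first Match block are conditional, so they are not treated as global). The defaults it assumes when a keyword is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes, keyboard-interactive yes, PubkeyAuthentication yes, Port 22) are OpenSSH's documented defaults; the keyboard-interactive check is an added caveat, since turning off PasswordAuthentication alone still leaves PAM able to prompt for a password over that method.

```python
import re

# Constructed example: settings that leave password brute-forcing possible.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed example: the settings from Sean's list, plus keyboard-interactive off.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
_DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return the effective global settings as {lowercased keyword: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after the first Match block is conditional
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means all checks passed."""
    s = parse_sshd_config(text)
    findings = []

    root = s.get("permitrootlogin", "prohibit-password").lower()
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}': set it to 'no' so root is not a login target")

    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled: set it to 'no' and use public keys")

    # Newer OpenSSH spells this KbdInteractiveAuthentication; older releases
    # use ChallengeResponseAuthentication. Either one left at 'yes' lets PAM
    # still ask for a password even with PasswordAuthentication off.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":
        findings.append("Keyboard-interactive (PAM) auth is enabled: it can still prompt for a password")

    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: nothing is left to log in with once passwords are off")

    if s.get("port", "22") == "22":
        findings.append("Port is 22: a non-standard port cuts log noise from untargeted scanners")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", f)
```

To run it against a real host, read `/etc/ssh/sshd_config` (and any files under `/etc/ssh/sshd_config.d/`, which this parser does not follow) into `audit_sshd_config`; `sshd -T` prints the fully resolved configuration if you would rather check what the daemon actually loaded.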