0

First of all, sorry if all of this seems a bit stupid, but my field of expertise is software development, not security. So, here is what happened.

1/ The breach

I did something I really shouldn't have. Namely, I redirected my external network port 22 to my raspberry pi, thinking my password was strong enough to protect me. The main goal was to remotely work on my dev whenever I wasn't home.

2/ The attack

Yesterday, my father told me he couldn't send any emails anymore. Sadly I didn't think about taking a screenshot of the error message, but the basic line was: "This IP address has been blocked because it was trying to perform ssh bruteforce on port 22". My opinion is that a bot scanned my network, saw my port 22 was open, logged in my pi by bruteforce, and once logged in the pi, tried to bruteforce other devices from mine. Am I correct on this one? As noted in the comment, it may not be the case but here are my reasons to think it was:

  1. The rasPi is the only device accepting ssh connection from the internet (in fact, it's the only device accepting ssh connection at all)
  2. The only others open ports on my router are 80 and 8080. Both redirecting to the rasPi
  3. When we discovered the issue, I unplugged the Pi, rebooted the router and all worked fine. It may be worth noting that when we rebooted the router, it made some sort of "quarantine" stating "you'll be connecting to Orange (French ISP) network in 5 minutes", that's the first time I see this message.

3/ The recovery

This is the main part of my question: what actions should I take now to recover? Since yesterday, my pi is unplugged, both power and ethernet, and all my port redirection have been shut down. We don't see any suspicious trafic anymore, but is there any risk that my entire network has been compromised? Can I reuse the pi as it is with more security mesures? Should I wipe it out and start from fresh? Should I worry about the data on my desktop computer/smartphone or my family ones?

Thanks a lot.

TL;DR

What should I do if a device on my home network has been used by a third party to perform bruteforce over the internet?

F.Carette
  • 101
  • 2
  • 2
    Nuke the pi from orbit and recreate. The likelihood of the pi infecting other devices depends entirely on the other device's vulnerabilities. Wannacry could infect other machines on the network. – schroeder Nov 30 '18 at 09:24
  • I think it is a bit too fast jumping from the error message to the conclusion that specifically your RasPi is attacking other systems. The source of the attacks could be also any other networked system in your local network, including the router itself. – Steffen Ullrich Nov 30 '18 at 09:39
  • @SteffenUllrich I totally agree that it could be fast jumping, as I said, I'm not really good with security issues. The reason I think it's the Pi is because it's the only device on my network allowing ssh connection, and the error message clearly specified an ssh bruteforce attempt on default ssh port. It's also the only device which had any port redirection from router. I'll edit that in the question – F.Carette Nov 30 '18 at 09:44
  • @F.Carette: the error message you've described is about outgoing SSH from your network which is unrelated to the incoming SSH you allow. – Steffen Ullrich Nov 30 '18 at 09:51
  • @SteffenUllrich Sure, I got that it was from an outgoing ssh. I just assumed that if they try to "get out" using ssh on default port, they probably "got in" the same way. I may be wrong on this one though – F.Carette Nov 30 '18 at 09:53

1 Answers1

2

First at all try to limit the number of devices that you have . if you want when the attacker got into your device perform the following command

cat /var/log/auth.log | grep 'Accepted'

check if attacker already added user into your box

cut -d: -f1 /etc/passwd

as well try to use strong passwords , btw maybe your ssh services itself is already vulnerable ! so it's not about your password ! if you're using "libssh" as ssh services there's recently exploit released for authentication bypass as well it maybe from your other services exposed to the internet

wazehell
  • 21
  • 1