  1. #1
    Untanglit
    Join Date
    Dec 2020
    Posts
    28

    Unauthorised access to server.

    I've got a weird situation. Logged into my IPMI interface on the system running Untangle, and noticed 62 events in the access logs. They all show sshd login failures for an IPs in Thailand. https://imgur.com/oq0UvcV
    There are also warnings about PAM service(sshd) ignoring max retries.
    I can't see how an external IP is getting access like this.

    The IPMI interface is its own ethernet port with its own IP address, connected to the LAN switch. The server is running on the P11C-M/4L motherboard.

  2. #2
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,275

    How is the IPMI connected to the Internet?

    I have seen a few of them that look for DHCP, so if you have your WAN cable with an active DHCP from your ISP connected to the wrong interface you would be publishing the IPMI to the internet and that's bad :-)

    But in short we have too little info to tell you why..

    What IP does the IPMI have and what devices are between it and the internet?

  3. #3
    Untanglit
    Join Date
    Dec 2020
    Posts
    28

    Couldn't sleep last night and eventually came to the same thought. The IPMI is connected to the local LAN switch, which itself is entirely behind Untangle (UT). The IPMI IP is 172.16.101.5 assigned via DHCP reservation in UT.
    My WAN IP as reported by UT and a "whats my ip" Google search is xx.xx.225.61. Interestingly in the IPMI under its "Shared LAN", which I believe is the same ethernet port used to connect the UT box to the modem, it's showing an IP of xx.xx.226.235. So that's weird. I tried connecting to that new WAN IP in Chrome on my laptop to see if the IPMI interface loaded but it didn't work. It sometimes loads the "This page is not secure" warning caused by invalid SSL certs which I see when I connect to 172.16.101.5, but when I click proceed, nothing. So something is there, some webpage, but I guess UT or something is dropping the connection. Maybe it's a routing issue for this specific IP?

    I guess the big question is: what is a "Shared LAN"?
    If I recall, it's possible to use just 1 ethernet cable to connect to this server for access to both the IPMI interface and the host via the Shared LAN. Some sort of bridge?

  4. #4
    Untangler
    Join Date
    Jun 2016
    Posts
    30

    Yeah, you have to go into BIOS and change the behavior of the IPMI port. Sounds like this is Supermicro. The default is for the IPMI port to failover to the first interface (usually the WAN port). So perhaps the connection to the dedicated port is intermittent or something like that causing it occasionally to pick up an IP via DHCP.
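
    An added example, not written by any poster in this thread: a Python check that parses output in the layout of `ipmitool lan print <channel>` and flags a BMC whose address has left the management subnet, the symptom described in posts #3 and #4. The sample output, the /24 prefix assumed for 172.16.101.x, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed samples in the layout of `ipmitool lan print <channel>`; not taken from the thread.
DEDICATED = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 172.16.101.5
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
"""
# 203.0.113.0/24 is a documentation range standing in for an ISP lease.
FAILED_OVER = DEDICATED.replace("172.16.101.5", "203.0.113.235")


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict; continuation lines (empty key) are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so MAC values survive
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_bmc(text, mgmt_net):
    """Return (code, message) findings for one BMC LAN channel."""
    fields = parse_lan_print(text)
    if "IP Address" not in fields:
        raise ValueError("no 'IP Address' line in input")
    addr = ipaddress.ip_address(fields["IP Address"])
    net = ipaddress.ip_network(mgmt_net)  # assumed management subnet, supplied by the operator
    findings = []
    if addr.is_unspecified:
        findings.append(("NO_ADDRESS", "channel has no address configured"))
    elif addr not in net:
        findings.append(("OUTSIDE_MGMT_NET",
                         f"BMC address {addr} is outside {net}; check which port it is using"))
    if "dhcp" in fields.get("IP Address Source", "").lower():
        findings.append(("DHCP_SOURCE",
                         "BMC takes whatever lease the attached segment offers"))
    return findings


if __name__ == "__main__":
    for name, sample in (("dedicated", DEDICATED), ("failed over", FAILED_OVER)):
        print(name, audit_bmc(sample, "172.16.101.0/24"))
```

    The LAN channel number differs between boards, so run the real command against each channel the BMC exposes and feed every result through the check.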

  5. #5
    Untanglit
    Join Date
    Dec 2020
    Posts
    28

    Originally posted by Garrett Brown:
    Yeah, you have to go into BIOS and change the behavior of the IPMI port. Sounds like this is Supermicro. The default is for the IPMI port to failover to the first interface (usually the WAN port). So perhaps the connection to the dedicated port is intermittent or something like that causing it occasionally to pick up an IP via DHCP.

    It's an ASUS RS100-E10-PI2 server. The connection should be solid, but I'll look into it. This seems like a VERY bad design to have it on by default, no? It's exposing the IPMI to the internet unprotected!

  6. #6
    Untangler
    Join Date
    May 2008
    Posts
    464

    Move your interfaces so the first interface is lan not wan.

  7. #7
    Untanglit
    Join Date
    Dec 2020
    Posts
    28

    Tried to do this today and ran into some issues. Then I went into the existing internal interface and checked the "Is WAN Interface" box, set the IPv4 to DHCP, and clicked done, then save. Then went to the old External interface, unchecked the WAN box, and set the IPv4 config to static and set the address. When I went to save, it said there was an address conflict. Sure enough the new WAN interface was still set to static and had the internal lan/gateway IP set.
    I tried restarting the machine, but no luck. Eventually I got the new LAN interface to get its IP set, but the new WAN interface would not get an IP from the modem. Called the ISP, they revoked and reset the DHCP leases, still no luck. What am I doing wrong?

    Also as an aside, the "Remap Interface" tool is misleading. I think the name should instead be "Reorder Interfaces".

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,396

    You've made extra work for yourself...

    When you configure an interface on Untangle, you're configuring a virtual interface. That is, Internal, External, Interface 3, etc. Your configuration is linked to these, and they are separate from the physical interfaces so you can change the physical interfaces as needed.

    Interface maps determine what virtual interface is assigned to what physical interface (eth0, eth1, etc).

    If you want to swap Internal and External, you hit that remap button, and drag / drop them into their new assignments on the appropriate physical interface and click save. No other configuration change is required, Untangle will simply reconfigure the NIC how you asked it to. Which is why it's "Remap" and not "Reorder". Because this reality means you can juggle any number of interfaces into any number of assignment slots.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untanglit
    Join Date
    Dec 2020
    Posts
    28

    Ah that's good to know. The Support page for Remap Interfaces makes it sound like it doesn't work that way.
    You are not able to change an external interface to an internal interface in this way, however. This type of change will have to be done manually, by editing each interface.
    https://support.untangle.com/hc/en-u...ed%20correctly.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,396

    Originally posted by dvdwsn:
    Ah that's good to know. The Support page for Remap Interfaces makes it sound like it doesn't work that way.
    https://support.untangle.com/hc/en-u...ed%20correctly.

    Oh it works! I'm not sure what this article is on about because they're just interfaces and yes you can move them!

    There is however a rub... you can't remap REMOTELY. Because you're mucking with the interfaces that provide the connectivity to the admin UI, you're going to need to perform the remap from the browser on the physical console of Untangle itself. If you attempt to do otherwise, you'll lock yourself out.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
