
Fedora Server setup and Fending off Blat Attacks Help?

Joined
Oct 20, 2009
Messages
2,873 (0.55/day)
Location
Corpus Christi, Texas
System Name FumoffuFumoffu
Processor Intel i7 4770K
Motherboard Gigabyte Z87X -UD3H
Cooling Corsair H100i
Memory 16GB DDR3 1600 Crucial Ballistix
Video Card(s) Sapphire AMD Radeon HD 7970 OC
Storage 1- WD 500GB 1- Samsung F2 1.5TB 1- Crucial M4 128GB SSD 1-256GB ADATA XPG SX900 ASX900S3 SSD
Display(s) Hanns-G HZ281HPB 27.5'' 3ms Full HD 1920x1200 WideScreen LCD Monitor
Case Corsair Graphite Series 600T
Audio Device(s) Creative Soundblaster X-Fi Titanium
Power Supply Corsair HX 750W Gold
Software Windows 7 Pro x64
Hey guys,

So I was running a Debian 8.x server for my media collection (emby). I could remote SSH in and access my media library via Emby from any web connection after logging in.

Recently, my Debian install took a nose dive after an update. So I decided to switch to Fedora 24 server. I also found out from my ISP that the reason my network keeps dropping on me is that someone has been attempting to Brute-Force my SSH server as well as being hit by a Blat Attack (DoS attack) several times a day.

As my server is set up now with SELinux (Permissive - for Sonarr and Nzbget), I can no longer remotely log in to SSH nor to my Cockpit or Emby servers.

I want to know what you guys recommend I set up my SSH with for security and remote access. I have of course changed the SSH port and disabled Root login. I have considered trying to do the 3 or 4 factor SSH authentication method but am unsure if I should just carry a thumb drive around with the keys on it or not.

I also have Fail2ban installed and configured.

Would someone like to walk me through setting up remote access and security for my server?

The following Services and ports need remote access:

  • Emby Server - Port 8096
  • Cockpit Manager - Port 9090
  • Sonarr Daemon - Port 8989
  • Nzbget Daemon - Port 6789
  • SSH - Port TBD
  • No-IP Client for DDNS
The server is headless.

Another potential service and port I am considering setting up is HTPC Manager - port 8085

I appreciate the assistance. I really hope I can kill off this Blat Attack and Brute Force attack annoyance.
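
An added example (not part of the original post) for checking the SSH settings the post mentions: root login and key-only authentication. sshd keeps the first value it reads for a keyword, so a hardening line appended below an earlier weaker one has no effect; the function names, the sample config and the passed-in defaults (upstream OpenSSH defaults) are assumptions.

```bash
#!/bin/sh
# Added example: audit the global sshd_config settings raised in the post.
# sshd uses the FIRST value it obtains for a keyword, so "PermitRootLogin no"
# appended below an earlier "PermitRootLogin yes" changes nothing.

# effective_value KEYWORD DEFAULT : config on stdin, prints the value sshd would use.
# Simplifications (assumptions): "Keyword value" syntax only, no Include files,
# and parsing stops at the first Match block, whose settings are conditional.
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/    { next }                 # blank lines and comments
        tolower($1) == "match"  { exit }                 # global section ends here
        tolower($1) == key      { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    '
}

# audit_sshd : config on stdin, prints one line per finding (nothing if clean).
# The defaults below are upstream OpenSSH defaults (assumed for this server).
audit_sshd() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin prohibit-password)
    pass=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication yes)
    [ "$root" = "no" ] || echo "PermitRootLogin is effectively '$root', expected 'no'"
    [ "$pass" = "no" ] || echo "PasswordAuthentication is effectively '$pass', key-only login needs 'no'"
    return 0
}

# Constructed sample: a stock file with the hardening line appended at the end.
sample_config() {
    cat <<'EOF'
# constructed sshd_config for illustration
Port 50022
PermitRootLogin yes
PubkeyAuthentication yes
# lines appended later by the admin:
PermitRootLogin no
EOF
}

sample_config | audit_sshd
```

On the server itself, `sshd -T` prints the configuration sshd actually resolved, including Match and Include handling that this sketch skips.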
 

Kursah

Super Moderator
Staff member
Joined
Oct 15, 2006
Messages
14,664 (2.30/day)
Location
Missoula, MT, USA
System Name Kursah's Gaming Rig 2018 (2022 Upgrade) - Ryzen+ Edition | Gaming Laptop (Lenovo Legion 5i Pro 2022)
Processor R7 5800X @ Stock | i7 12700H @ Stock
Motherboard Asus ROG Strix X370-F Gaming BIOS 6203| Legion 5i Pro NM-E231
Cooling Noctua NH-U14S Push-Pull + NT-H1 | Stock Cooling
Memory TEAMGROUP T-Force Vulcan Z 32GB (2x16) DDR4 4000 @ 3600 18-20-20-42 1.35v | 32GB DDR5 4800 (2x16)
Video Card(s) Palit GeForce RTX 4070 JetStream 12GB | CPU-based Intel Iris XE + RTX 3070 8GB 150W
Storage 4TB SP UD90 NVME, 960GB SATA SSD, 2TB HDD | 1TB Samsung OEM NVME SSD + 4TB Crucial P3 Plus NVME SSD
Display(s) Acer 28" 4K VG280K x2 | 16" 2560x1600 built-in
Case Corsair 600C - Stock Fans on Low | Stock Metal/Plastic
Audio Device(s) Aune T1 mk1 > AKG K553 Pro + JVC HA-RX 700 (Equalizer APO + PeaceUI) | Bluetooth Earbuds (BX29)
Power Supply EVGA 750G2 Modular + APC Back-UPS Pro 1500 | 300W OEM (heavy use) or Lenovo Legion C135W GAN (light)
Mouse Logitech G502 | Logitech M330
Keyboard HyperX Alloy Core RGB | Built in Keyboard (Lenovo laptop KB FTW)
Software Windows 11 Pro x64 | Windows 11 Home x64
Well, one option is to have your dynamic IP address changed, and to use Dynamic DNS for your WAN-side accessed services to that server. Then have your server or router update the DDNS service to reflect your IP address if/when it changes...if it is dynamic and not static. I use Afraid.org, it's an excellent free service.

Frankly, you have a bullseye on your WAN. You could mask ports by using port forwarding and using different ports...say have a request come in at port 54321 that forwards to 8096 on the host/server that hosts the service using said port. That way the bot that's attacking SSH and other services isn't necessarily attacking those.

SSH over WAN is best accomplished with SSL, how you keep and manage the keys is of course up to you and how well you trust yourself and habits. Right now what you need to do IMHO is make your footprint small or nonexistent to the attacker so they'll move onto the next subject.

But I'd start by requesting a new dynamic IP refresh if a simple request from your router-side resolves the same IP, which is the case for many ISPs these days...at least in my area.

Again, I'd also consider using DDNS for your services so that you can have your IP changed and just use the URL:PORT to access said services. Should you ever question an issue here, DDNS services are easy and fast to disable, manually update, etc. Many allow multiple domain/subdomain options so you could have several subdomains pointing to your IP. I use Afraid.org for my DDNS service and OpenDNS for DNS filtering, and use DNS-O-MATIC to update both, which my Edgerouter Lite and PFSense routers both support reporting to when my WAN IP changes.

Then I would use totally different ports in a higher range that isn't in the more common 1-10,000 port range where many services run and operate...as suggested before have an outside port point to your local port.... i.e. use port 50500 to forward to 8989. That means you'll need to set the client outside of your network to send requests to port 50500 instead of 8989. This still doesn't keep those ports from being attacked...a scan may still show they're open and then they could be attacked again...but it is easy to change ports in the midst of an attack if your router is capable of handling such requests while mitigating what is essentially a buffer overflow attack.

I'm glad that it sounds like your LAN was not compromised, so good job there. Hopefully you can move forward maintaining access you need and getting rid of the pest that's causing a drag on your WAN link.
 
Joined
Oct 20, 2009
Messages
2,873 (0.55/day)
Location
Corpus Christi, Texas
Well, I had disabled Root Remote login on SSH, so the guy trying to brute force my SSH was attempting to log in as Root over SSH all day, every day for a couple months. My router is set up to forward SSH to that server. I'm not sure how I would set up 2 DDNS connections for one server box.
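
An added example (not from the thread) of how the root brute-force attempts described above show up in the sshd log and how to total them per source address, which is the same kind of line Fail2ban's sshd jail acts on. The log lines, host name and addresses are constructed; `failed_root_by_ip` is a hypothetical helper name.

```bash
#!/bin/sh
# Added example: count failed root password attempts per source IP.
# Input is syslog/journal-style sshd output on stdin, for instance the
# output of "journalctl -u sshd" on a systemd host.

# failed_root_by_ip MIN : prints "COUNT IP" for every source with at least
# MIN failed root password attempts, busiest source first.
failed_root_by_ip() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for root from / {
            # the address is the field right after the word "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges, made-up host name).
sample_log() {
    cat <<'EOF'
Nov  1 10:00:01 media sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov  1 10:00:03 media sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov  1 10:00:05 media sshd[2104]: Failed password for root from 203.0.113.7 port 40150 ssh2
Nov  1 10:02:11 media sshd[2110]: Failed password for invalid user admin from 198.51.100.23 port 51822 ssh2
Nov  1 10:05:40 media sshd[2122]: Failed password for root from 198.51.100.23 port 51901 ssh2
Nov  1 10:09:02 media sshd[2130]: Accepted password for mediauser from 192.0.2.10 port 50500 ssh2
EOF
}

# Report sources with two or more failed root attempts.
sample_log | failed_root_by_ip 2
```

Attempts against other or invalid user names are deliberately not counted here, so the totals reflect only the root guessing the post describes.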
 

Kursah

How familiar are you with DDNS services?

All a Dynamic DNS does is take a domain that you register to the service, or a free subdomain (for example: home.afraid.org), and set a DNS A-Record to point at your WAN IP address or desired IP address (if making manual entries). Then you can set up services to update the IP address record when that changes if your ISP gave you a dynamic IP address...hence the name Dynamic DNS.

You could register multiple domains from multiple services (Afraid.org, DuckDNS, DynDNS, etc.) all to point at your IP address. You could even add them all to DNS-O-MATIC so that they all get the IP address change at the same time. Not that you need that. I retired my DuckDNS and only use my Afraid.org service nowadays.

DynamicDNS is really handy when hosting services, servers, etc. I host a plex server, which one can access from Plex.tv or from my DDNS domain:32400 for example, or my Teamspeak server which is at my DDNS domain:54321 (which then forwards to 9987 on LAN).

I guess it depends on what you feel you really need. Leaving points of access open, it never hurts to mask them and have logging set up to see when something is happening you're not wanting to happen so you can mitigate it. Seems like you got the situation handled with SSH for now, which is good.
 
Joined
Oct 20, 2009
Messages
2,873 (0.55/day)
Location
Corpus Christi, Texas
Except that I can't log in to SSH from work, nor can I log in to Cockpit (9090) from work.
 

Kursah

Except that I can't log in to SSH from work, nor can I log in to Cockpit (9090) from work.

Are those ports allowed from work in the first place? They could be blocked at the gateway firewall or be in-use from other services at your job site. Have you checked with your network admins to verify this? Are you even allowed to do this from work in the first place?

Have you opened them back up and set them up appropriately in the first place?

Have you gone through this process? http://www.tecmint.com/installation-of-fedora-23-server-and-administration-with-cockpit-tool/

Another thing you could do is set up an OpenVPN server and access that way. That's the method I like to use, fairly easy to set up in Linux as well as on many routers that support it. Then you can connect and it's like you're on the network...granted it won't get you Cockpit...well it could using LAN rather than WAN addresses and routing. Plus using decent levels of encryption is a good way to protect your traffic between your workstation at work and server at home. Then you don't need so many ports open to WAN.

https://fedoraproject.org/wiki/Openvpn

Then you can test your network config, access your home router and make changes, etc. through the VPN tunnel, and still be able to test Emby and other services that you want to have access via WAN. Later on, once you have it sorted, add DDNS into the mix if you ever feel the need.

 
Joined
Oct 20, 2009
Messages
2,873 (0.55/day)
Location
Corpus Christi, Texas
I was able (and allowed) to connect from work before I switched from Debian to Fedora.
 
Joined
Aug 17, 2016
Messages
831 (0.30/day)
System Name Gaming Desktop
Processor i7 6700k
Motherboard asus rog alpha
Cooling H110i
Memory Corsair Dominator 16gb DDR4 3200
Video Card(s) GTX 1080
Storage EVO 840 500gb, EVO 850 500gb, Perc 710 Raid WD RED 4tbx4
Case Corsair 500r
Power Supply Antec 850
Mouse Logitec G502
Keyboard a cheap dell
OpenVPN would be my 1st choice. The less exposed to the internet the better.
Option 2 would be to tunnel everything through SSH.

Make sure your port forward for SSH is correct on your firewall.
Make sure your iptables/ipfw allows 0.0.0.0 to 22 tcp (or at least your work's external IP range) on the Linux box.
 
Joined
Oct 20, 2009
Messages
2,873 (0.55/day)
Location
Corpus Christi, Texas
Good point. I forgot to check the port on the router. I set the port in the upper thousands instead of 22.
 