Node root password changed by possible hacker

My node root password has been changed by a possible hacker.
Is there any back door access to override this and return to a password I know?

I find it odd that out of all the millions of devices on the internet, my node (aka DMR bridge) had to be hacked.

I guess my bad was leaving port 222 open to the outside world with the default password.
kb3vpk was copying files, which is the reason it was left open.

I would hate to have to redo this entire bridge all over again

If you're ever able to log into a router and see the log of IPs that are continuously trying to hit our ports, it's very scary. Quite eye-opening, and it makes you tighten security down on anything. And I've always found the VoIP stuff just gets hit harder.

Mike,
The easiest way, unfortunately, is to re-image the machine.
After rebuilding the box, please consider installing Fail2Ban. Fail2Ban is an intrusion detection system that helps to prevent brute force attackers from gaining access to your machine. To learn more about Fail2Ban, see https://github.com/fail2ban/fail2ban/.
If you need/want help installing Fail2Ban, please let me know.

73,
Jeremy [W0JRL]


I had something similar happen (I think - no way to know for sure of course) to my HamVOIP system. My approach - in addition to using a 5-digit port number - was to add an additional user with sudoer privileges. If you are lucky and the only thing the bad guy does is change your root password, you have a second chance to get in. Time will tell I guess.

Ken

Thanks. If I decide to do it all over again, I'll look you up. 73

That's all I can tell from the outside.

What does the 5-digit port # do?

Makes it 100 times harder to guess than a 3-digit port.

Ken

Most, if not all, Linux distros have the means for the owner to change the root password by starting the system in single user mode.

For the Pi, this might help

http://mapledyne.com/ideas/2015/8/4/reset-lost-admin-password-for-raspberry-pi

David
GD4HOZ


A couple of things I do on any computer running the SSH daemon is to set up a public key for authentication and when that is working I disable password authentication in /etc/ssh/sshd_config. I also do not install a key for root, only a normal user and then either use su -l or sudo to perform root tasks and make sure it has a strong password.

Changing the port more or less only thwarts the script kiddies. Anyone with nmap and a bit of patience will find any open port.

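An added example (not from this thread) that audits an sshd_config for the three settings the post above recommends: key-based auth on, password auth off, no remote root login. It assumes "Keyword value" lines separated by whitespace and no Match blocks; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# sshd uses the FIRST uncommented occurrence of a keyword; later ones are
# ignored. Print the effective value in lowercase, or the given default if
# the keyword is not set at all.
effective_value() {
    file="$1"; key="$2"; default="$3"
    val=$(grep -i "^[[:space:]]*${key}[[:space:]]" "$file" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${val:-$default}"
}

# Return 0 if the config is hardened, 1 otherwise, naming each failing setting.
audit_sshd_config() {
    file="$1"; rc=0
    # key:expected:default  (defaults as documented in sshd_config(5))
    for spec in "PasswordAuthentication:no:yes" \
                "PermitRootLogin:no:prohibit-password" \
                "PubkeyAuthentication:yes:yes"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; default=${rest#*:}
        got=$(effective_value "$file" "$key" "$default")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not from any real node): the state that lets a
# remote password guess against root succeed, and the hardened state.
tmpdir=$(mktemp -d)
WEAK_CFG="$tmpdir/sshd_config.weak"
HARDENED_CFG="$tmpdir/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
Port 222
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
# a later duplicate is ignored by sshd, so this line does not weaken the config
PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG"      # prints the failing PermitRootLogin/PasswordAuthentication lines
audit_sshd_config "$HARDENED_CFG"  # prints nothing, returns 0
```

On a live box, `sshd -T` prints the settings sshd actually resolved, which is the authoritative check before you close your last password session.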

In fact, I suspect the problem was that (somehow) disabling password authentication is what happened. You only need to remove one "#" symbol to make it impossible to do a remote root log-in ever again. That is why a second user ID is a really good idea. The second user ID is not part of either of the repeater control packages …