Strangers trying to connect to server

Hi,
I just installed emoncms on a VPS and, out of interest, I looked at the log file, just to see that there are many attempts from IPs to connect to my server. Mostly from China and Brazil. Is this normal, and how do I make sure that they are not successful?

Connect how? Via SSH or via the web interface?

Through the web interface I think. Always four attempts like these

2021-12-15 08:40:19.119|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 08:40:19.484|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 08:40:19.846|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 08:40:20.200|ERROR|index.php|Invalid API key | 131.100.148.7

This is from the log file. And this

2021-12-15 02:33:29.718|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 02:33:30.143|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 02:33:31.055|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 02:33:36.039|ERROR|index.php|Invalid API key | 171.221.235.43

Brazil Brasilia Linkwap Internet Fibra Optica for the first example, China Chengdu Chinanet Sichuan Province Network for the second.

This is why you (or anyone) should always ensure your API Key never appears on the forum, always replace it with “MY API KEY” or something like that.

Unfortunately, you’ve got to expect low life from anywhere in the world to try to take advantage of anything they possibly can.


Hi Robert, those are the two that I also traced. I just wonder what they could possibly gain by connecting as a device to Emoncms?
What are the real dangers from these (I want to call them something worse than lowlifes) to the system?

Hey @mariusl

It’s pretty normal. The websites I run all get attacked like this all the time.

There is something vaguely interesting about your case. The log entry you are seeing is from this line of code:

So the good news is that they are being denied access and you are returning a 401.

What’s slightly odd is that, to get to that bit of code, it needs an $apikey to be set, and you can see a bit further up in that file that this would mean they would need to be sending it in the query string or other parameters.

As @Robert.Wall says, it’s possible they are following links that included an API key at some point which has been rotated so it’s no longer working. It’s unusual for bad people to send things that are specific to a particular application, such as an apikey, but it does happen.

So, take the error log entry as a good sign, they are being bounced. It would be worse if they were just getting in and doing stuff of course.

You may simply want to alter your API key every so often just for peace of mind. That’s quite common practice with things you care about. We certainly do that on our systems if there are signs it might be compromised - but I don’t see that here.

David
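As an added example (not emoncms code, and not something posted in this thread): a small Python script that parses log lines in the format quoted above, counts “Invalid API key” errors per source IP and flags bursts of repeated failures. It is the sort of check you would run over the log before deciding whether the traffic is worth a firewall rule or fail2ban jail, or whether it is just background noise being bounced with a 401. The sample lines mix the two bursts quoted in the thread with constructed extra lines; the four-failures-in-ten-seconds threshold is an assumption, not anything emoncms does.

```python
"""Summarise 'Invalid API key' errors in an emoncms-style log.

Added example for this thread; not emoncms code. The layout
timestamp|LEVEL|source|message | client-IP follows the lines quoted in
the thread. Sample lines and the burst threshold are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the two bursts quoted in the thread, plus one
# non-error line and one lone failure so the filter has something to skip.
SAMPLE_LOG = """\
2021-12-15 02:33:29.718|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 02:33:30.143|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 02:33:31.055|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 02:33:36.039|ERROR|index.php|Invalid API key | 171.221.235.43
2021-12-15 03:10:00.000|INFO|index.php|Constructed non-error line | 192.0.2.10
2021-12-15 08:40:19.119|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 08:40:19.484|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 08:40:19.846|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 08:40:20.200|ERROR|index.php|Invalid API key | 131.100.148.7
2021-12-15 09:00:00.500|ERROR|index.php|Invalid API key | 198.51.100.5
"""


def parse_line(line):
    """Split one log line into (timestamp, level, source, message, ip).

    Returns None for lines that do not have the five pipe-separated fields
    or whose timestamp does not parse, so junk lines are skipped, not fatal.
    """
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3], parts[4]


def invalid_key_attempts(log_text):
    """Map each client IP to the sorted timestamps of its 'Invalid API key' errors."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, level, _source, message, ip = rec
        if level == "ERROR" and message == "Invalid API key":
            attempts[ip].append(ts)
    for times in attempts.values():
        times.sort()
    return dict(attempts)


def find_bursts(attempts, threshold=4, window=timedelta(seconds=10)):
    """Return {ip: count} for IPs with >= threshold failures inside any window.

    Sliding window over each IP's sorted timestamps; the count reported is
    the size of the first window that crosses the threshold. Threshold and
    window are assumptions chosen to match the bursts quoted in the thread.
    """
    flagged = {}
    for ip, times in attempts.items():
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1
                break
    return flagged


if __name__ == "__main__":
    per_ip = invalid_key_attempts(SAMPLE_LOG)
    for ip, times in sorted(per_ip.items(), key=lambda kv: -len(kv[1])):
        print(f"{ip:16} {len(times)} failures, first {times[0]}, last {times[-1]}")
    print("bursts:", find_bursts(per_ip))
```

Run against the real log with `invalid_key_attempts(open("emoncms.log").read())`; both IPs from the thread come out as four failures within a couple of seconds, which is what an automated probe looks like, while a single stale-link failure is left alone.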

Yes, that is odd… It is quite unusual for what must be mostly automated attack attempts to try anything that actually relates to emoncms. Usually you see lots of attempts at random script names that might, in another application, yield something they are after but don’t actually exist in emoncms… Or login attempts with common usernames and passwords…

Are your logs full of this @mariusl ?

Also somewhat surprised that you’re getting this on a new install. Maybe it’s a hosting provider that gets a lot of attack attempts? I’ve noticed some servers can end up getting a lot more interest than others…

Do you really mean

or could that code see anything as a bad APIkey and report a 401 error?

I run a website for a friend. It could easily be a WordPress site but it isn’t, it’s handwritten. That gets requests for WordPress files which hold WordPress login credentials - which of course don’t exist. :grinning_face_with_smiling_eyes:

Thanks for questioning @Robert.Wall, please always do that.

In this if block you can see it’s setting $apikey in a couple of scenarios where it finds an apikey being provided in the GET / POST (typically in the querystring, but knowing PHP slightly, it could be in other ways too). Without it finding those then $apikey will stay false and you can’t get into the block of code that logs the “Invalid API key” error.

Oh yes, those are fun. We especially enjoy seeing the ones from the penetration testers we hire. As you can imagine, the Log4Shell ones are causing the most interest this week.

Of course, without this snip to know where $apikey came from, I was hoping that would be the case, but I’ve come across instances where things like that have been assumed, but it turned out not to be like that.

[N.B. I’m a paid up, card-carrying cynic. :wink: ]


There is quite a bit of that going on, but nothing for the last 24 hours.

I have a NAS drive that is constantly under attack. There are bots on the web that look for common things connected and make attempts to hack through known vulnerabilities. I have also seen it in a couple of Joomla sites I used to run. I bought a Firewalla https://firewalla.com Blue model and that reports and blocks attempts to get at whatever you have on your LAN. And on a side quest, and not for the faint of heart, I have installed a pfSense router with Snort (great name), but I have yet to drop the Firewalla as I don’t know what I am doing with Snort and have no time to read the manual!

@dnwigley just use country filtering. Some of my servers were being hammered with 1-2 million attempts a day from all over the world and it went to practically nil. Snort is not too hard to set up - just install your Snort key, check which definitions you want. After you download those, just select what to watch for: bots, compromised, virus, spyware etc. Then once the reports start filling in, just select which ones to ignore and which to block. pfSense is better, but if you are not so familiar OPNsense would be easier; just reflash your pfSense hardware with OPNsense, it sets up country blocking and IDS (Snort-like) for you, much much easier than pfSense does… Or if you are a little more adventurous, OpenWrt, which you can flash to many off-the-shelf routers - I just finished building an OpenWrt router for a ~200Mbps connection whose cost I share with my neighbour. OpenWrt router with built-in NordVPN and VPN pass-through ports on the router (as I do not know what stuff my neighbour does, this way I am protected a little bit from their blowback).