Internet abuse letter received when running PI-Hole

JackB · November 16, 2017, 6:53pm

I got an "Internet abuse message" letter when running PI-Hole (user pi):

Oct 16 14:20:18 bc sshd[16379]: Invalid user pi from 83.128.185.07 port 34120
Oct 16 14:20:18 bc sshd[16380]: Invalid user pi from 83.128.185.07 port 34122
Oct 16 14:20:18 bc sshd[16379]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=83.128.185.07
Oct 16 14:20:18 bc sshd[16380]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=83.128.185.07
Oct 16 14:20:20 bc sshd[16379]: Failed password for invalid user pi from 83.128.185.07 port 34120 ssh2
Oct 16 14:20:20 bc sshd[16379]: Connection closed by 83.128.185.07 port 34120 [preauth]
Oct 16 14:20:20 bc sshd[16380]: Failed password for invalid user pi from 83.128.185.07 port 34122 ssh2
Oct 16 14:20:20 bc sshd[16380]: Connection closed by 83.128.185.07 port 34122 [preauth]

Why would this happen?

Hope somebody can help me out.

PromoFaux · November 16, 2017, 7:15pm

What was the nature of your "Internet abuse message" letter?

From your log snippet there it looks like someone is trying to log into your Raspberry pi over SSH. I'm guessing it's probably not a much of a stretch to assume you also have port 53 forwarded to your pi, too, for DNS.

If that is the case you're running an open resolver and there are many reasons as to why you really shouldn't be doing that (even people that know what they're doing tend not to). I'm not going to go into details here as there are many posts on this very forum, as well as accross the internet, explaining why it's a bad idea.

Was the letter from your ISP? ISPs, especially for non-business ones, tend to frown on that type of activity.

JackB · November 17, 2017, 12:35am

Thanks for your reply.
Yes, the letter was from the ISP.
The website "http://openresolverproject.org/" gives a blank page, so no information.

I found this information

iptables seems not installed at all.

Mcat12 · November 17, 2017, 1:59am

Have you port forwarded your Pi-hole via the router, or is it connected on a DMZ?

JackB · November 17, 2017, 4:14pm

Hi No, I havent't a port forward in the router (Linksys E3200), and it is not connected to a DMZ.
This router doesn't seem to have a mechanism to block traffic on certain ports, as far I can see.
Is it possible to block this traffic in the router?

borpin · November 17, 2017, 6:38pm

Use Shields Up! from GRC to test what ports you have open. If they are not all green, you have some fixing to do (assuming you are not running something you actually want anyone to access).

I made an error in my firewall setup and had Port 53 open.

deHakkelaar · November 17, 2017, 6:39pm

Below link does a nice port scan targeting your public IP address to see if anything open:

https://www.grc.com/x/ne.dll?bh0bkyd2

Or if the link is localized, proceed to "Shields Up" service:

https://www.grc.com

Kaspersky ? What are they doing ?

http://83.128.185.7.ipaddress.com/

deHakkelaar · November 17, 2017, 6:40pm

@borpin, you beat me by seconds

system · February 9, 2018, 7:18pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.