Truenas scale sneakily running a second IP address and open sshd server on eno1

I’m not really sure what’s going on here. I recently opened up port 22 on my truenas scale box to the Internet so I could transfer some files directly to the box. I thought that I’d hardened sshd, or at least disabled root and password authentication. Then, this morning, I discovered the box had powered off overnight, and when I was able to get it turned back on I found that its IP address had changed, possibly because I forgot to set the DHCP server to maintain a constant IP for that box, which I fixed.

Then I discovered that the truenas box was binding a second IP address on the same eno1 interface, and running a sshd (which was allowing cleartext passwords :exploding_head: ) on that second IP address (i.e. when I “ssh user@secondIP” I get a password prompt). I dug a little deeper and found that this second IP address apparently showed up about the same time I got the truenas box running, so I don’t think my initial “I’ve been hacked!!” panic was warranted, nor does it seem to be solar flare related. Even weirder is that the command “ip address” shows the main IP address bound to the eno1, but there is no mention whatsoever of the sneaky secret second IP address. I only discovered it thanks to some good network monitoring tools on my switch!

Does anyone know why truenas is, apparently out of the box clean installation, sneakily running a second IP address on the main, and only, connected network interface, not documenting this in “ip address” accessible database, and running an OPEN sshd on this secret IP?

Or am I seeing something else entirely and misreading the situation?

FWIW, I should be on the latest non-beta Train of SCALE. I just clean installed it in mid April. This is my first rodeo with truenas.

I’m probably not the one to solve it, however:

Can you show the additional configuration on eno1 you’re talking about?

Yeah… no! Do not do that. Use a VPN connection to gain access to your machine. Best practice would be to run the VPN on your router. Since I have a friend also using a VPN to connect to one of my servers, I run wireguard on virtualized pfsense on my server. Opening a port for wireguard should be very safe from my research.

I don’t know which logs to look for off the top of my head, but I’m sure there’s a log that should show ssh logins.

Possible.

Also possible.

Until you get to the root of the issue I’d probably advise you to take down the NAS from your local network.

cat /var/log/auth.log | grep ssh2
If you’re also concerned about someone having logged in, a good place to check is ~/.zsh-histfile and ~/.bash_history for command execution logs

What is this ‘secret’ IP? I’m guessing you can check whether or not it was picked up by DHCP in your network logs (as you mentioned configuring a DHCP server). I can’t 100% remember how to check DHCP client logs in Linux, but cat /var/log/syslog | grep dhcp is probably a decent start.
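The auth.log check suggested above, worked through as an added example (not code from the thread): it parses OpenSSH “Accepted”/“Failed” lines, counts failures per source address, and flags any successful login that used a password or came from outside the LAN. The log lines are constructed samples, and the 192.168.1.0/24 prefix is assumed to be the trusted LAN.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's auth.log format (not from the poster's box).
SAMPLE_AUTH_LOG = """\
May  3 02:11:07 nas sshd[2311]: Failed password for root from 203.0.113.45 port 51822 ssh2
May  3 02:11:09 nas sshd[2311]: Failed password for root from 203.0.113.45 port 51822 ssh2
May  3 02:11:15 nas sshd[2319]: Invalid user admin from 203.0.113.45 port 51900
May  3 02:11:17 nas sshd[2319]: Failed password for invalid user admin from 203.0.113.45 port 51900 ssh2
May  3 02:12:40 nas sshd[2340]: Accepted publickey for alice from 192.168.1.20 port 40210 ssh2: ED25519 SHA256:AAAA
May  3 02:13:02 nas sshd[2355]: Accepted password for alice from 198.51.100.7 port 60011 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

def summarize_ssh_auth(log_text):
    """Return (accepted, failed_by_ip): accepted is a list of (user, ip, method)
    for successful logins; failed_by_ip counts failures per source address."""
    accepted = []
    failed_by_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other sshd noise ("Invalid user ...", disconnects) is ignored
        if m["result"] == "Accepted":
            accepted.append((m["user"], m["ip"], m["method"]))
        else:
            failed_by_ip[m["ip"]] += 1
    return accepted, failed_by_ip

def suspicious_logins(accepted, trusted_prefixes=("192.168.1.",)):
    """Flag successful logins that used a password (should be disabled) or that
    originated outside the trusted LAN prefixes (assumed to be 192.168.1.0/24)."""
    return [
        (user, ip, method)
        for user, ip, method in accepted
        if method == "password" or not ip.startswith(trusted_prefixes)
    ]

if __name__ == "__main__":
    ok, failed = summarize_ssh_auth(SAMPLE_AUTH_LOG)
    print("failed attempts per IP:", dict(failed))
    print("logins to review:", suspicious_logins(ok))
```

On a real box the same functions can be fed the contents of /var/log/auth.log (and its rotated copies) instead of the sample string.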

Thanks y’all. Checking /var/log/auth.log was a good idea. Now I’m almost certain that, despite being HAMMERED by kiddies from mostly China, no one but me ever actually got in. Anyway, that wasn’t the point of this thread. The point is:

Why is truenas creating a second IP on the same eno1 ethernet port, and not recording this in ifconfig/ip address results, nor anywhere else I can think to look, but it is responding to two disparate IP addresses and is only connected to the one LAN via one single ethernet cable?

To answer your question, the main ip is 192.168.1.42, but I can ssh into a password prompt via 192.168.1.173, and I can see this DHCP slot taken by looking at my router’s DHCP table. This is a simplification of the situation.

The only other thing I can think is that maybe my ROUTER is being an idiot and reserving two IPs for the same MAC, routing to both of them, and this isn’t actually a truenas problem… but this has ONLY exhibited itself on the truenas box. Everyone else on the entire network, LAN, WAN, VLANs, etc, gets one IP per MAC.

I was hoping that this would be a “known problem” with a known solution. Thanks anyway! :slight_smile:

Maybe a dumb question, but are you sure the 1.173 IP actually is going to your NAS? Because it seems more than a little unlikely that that interface would have that IP, but not report it with ip a.

But I suppose your NAS holds the answer to life, the universe, and everything, so you’d definitely want to be careful with it…


Your router should show the MAC addresses for both reservations. Check that.

I don’t know that you can set the authentication method per network interface. So, to get it right, on your main IP it’s authentication via ssh keys and on the other via password?

Set a static IP for truenas and reboot your router, see if both IPs are still directing to your NAS.

Does the DHCP server have a MAC associated with that IP that you can see connected to one of the interfaces on your machine?

From TrueNAS, see if it’s aware of it via ip nei sh | grep 192.168.1.173 and see what MAC it returns. If it really is the same MAC as eno1 then it’s very odd, maybe some bug with your DHCP server not properly clearing the initial lease from TrueNAS?

You could also just set the SSH service to listen on 192.168.1.42 specifically, instead of 0.0.0.0.