Hi there - I’m running the latest version of Umbrel on a Raspberry Pi 4 with a 16GB microSD and 1 TB SSD. I recently updated the wifi network in my home to use a Netgear Orbi wifi 6 mesh network to get better coverage in my home. I have the Umbrel hooked up to an ethernet port on the main router.
When I set up the network, it came with security software called Netgear Armor. It scans the network devices for potential security threats and can block them. So far nothing on my network has been problematic, except that I’ve got 12 unique notifications of malware and phishing originating from my Umbrel node (Raspberry Pi), but this software says it is blocking it.
Attack
Detected a suspicious remote location 91.123.158.251 attempted a connection to umbrel and blocked that connection.
So I’m not sure if something in my root image on the Raspberry Pi has been compromised, or if this is related to legitimate traffic that the Umbrel is doing on Tor that Netgear may not like, and how do I resolve it. Maybe I just flash the whole thing, format the SD and update firmware for the Raspberry Pi?
I have just installed the latest version of Umbrel OS this week, and after security tests I see the device reaching out to known listed malware/log4j targets. I will investigate this further:
1 - stopping all apps (I had around 4 running)
2 - starting and checking apps individually
My questions:
1 - Does Umbrel or anyone check the base OS for security concerns?
2 - Does Umbrel or anyone check the apps on the marketplace?
Oh, if that’s true, it sounds serious… Could you provide more info about the issue you have found, please? What addresses is it reaching out to? Or maybe you’ve found out more about it already? Any suspicious apps/processes? Thank you.
Thank you for the info. For now I can confirm sporadic traffic from my Umbrel targeting port 7777 somewhere, but it looks like normal I2P traffic which my Bitcoin node is using. Nothing else on the mentioned ports detected so far. Umbrel 1.4.2. Will update if I spot anything new.
I advise a check of the IPs against known log4j malware lists,
and maybe you can help with the more important questions:
1 - Does Umbrel or anyone check the base OS for security concerns?
2 - Does Umbrel or anyone check the apps on the marketplace?
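The two posts above describe the same triage problem: a router alert names a remote address and the node owner has to decide whether it is expected Tor/I2P/Bitcoin traffic, background scanning that was already dropped, or something worth investigating. The script below is an added example written for this thread, not code from Umbrel or from any poster. The service/port table, the threat-list entry (a documentation address used as a placeholder) and the outbound sample events are constructed assumptions; only the inbound alert wording and its address are quoted from the thread, and port 7777 appears only because a poster attributes it to I2P.

```python
"""Triage firewall alerts about a node's connections against a table of
services the node is expected to use.  Added example for this thread, not
Umbrel project code.  The service table, the threat-list entry and the
outbound sample events are constructed; only the inbound alert text and its
address are quoted from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical map of remote port -> service the node legitimately uses.
# These ports are assumptions for the example, not documented Umbrel defaults.
EXPECTED_SERVICES = {
    8333: "bitcoin p2p",
    7777: "i2p (as a poster describes it in the thread)",
    9001: "tor",
    443: "https",
}

# Constructed placeholder threat-list entry (a documentation address), standing
# in for the real blocklist you would download and check against.
THREAT_LIST = {"203.0.113.45"}

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches the alert wording quoted in the thread; the port is optional because
# the quoted alert does not include one.
ALERT_RE = re.compile(
    r"remote location (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))? "
    r"attempted a connection to (?P<host>\S+)")


@dataclass
class Verdict:
    ip: str
    port: Optional[int]
    direction: str
    category: str
    reason: str


def parse_alert(line: str):
    """Return (ip, port) from a router alert line, or None if it doesn't match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return m.group("ip"), port


def classify(ip: str, port: Optional[int], direction: str) -> Verdict:
    """Decide how much attention one connection deserves.
    Order matters: a listed address is flagged even on an 'expected' port."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return Verdict(ip, port, direction, "local", "RFC1918/loopback address")
    if ip in THREAT_LIST:
        return Verdict(ip, port, direction, "investigate", "address on threat list")
    if port in EXPECTED_SERVICES:
        return Verdict(ip, port, direction, "expected", EXPECTED_SERVICES[port])
    if direction == "inbound":
        return Verdict(ip, port, direction, "blocked-inbound",
                       "unsolicited inbound hit the router already dropped; noise unless it repeats")
    return Verdict(ip, port, direction, "unknown-outbound",
                   "outbound to an unexpected port; find the process/container that opened it")


def triage(events):
    """events: iterable of (ip, port, direction). Returns verdicts grouped by category."""
    grouped = {}
    for ip, port, direction in events:
        v = classify(ip, port, direction)
        grouped.setdefault(v.category, []).append(v)
    return grouped


if __name__ == "__main__":
    alert = ("Detected a suspicious remote location 91.123.158.251 attempted "
             "a connection to umbrel and blocked that connection.")
    ip, port = parse_alert(alert)
    # Constructed outbound events, as a firewall log might summarise them.
    events = [(ip, port, "inbound"), ("198.51.100.7", 7777, "outbound"),
              ("203.0.113.45", 7777, "outbound"), ("198.51.100.9", 4444, "outbound")]
    for category, verdicts in triage(events).items():
        for v in verdicts:
            print(f"{category:17} {v.ip}:{v.port} {v.direction}: {v.reason}")
```

The inbound alert quoted in the thread lands in the "blocked-inbound" bucket: the router dropped it, so by itself it says nothing about the node being compromised. The outbound cases are the ones that distinguish "my node talks to a peer on a port I expect" from "my node talks to an address on a list", which is the check the later post recommends.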
Unfortunately I can’t help with the questions you brought up here. I’m just a common user. The project is open source, so in theory anyone can do the necessary checks. I believe the developers do, but yeah, maybe it’s just my false beliefs.
I did. It’s like the Raspberry Pi where you need to regenerate SSH keys.
I did notice something odd with the kernel-based firewall, as there are netfilter and iptables entries. It’s common practice to use one or the other but not both, as it can cause conflicts.
I installed UFW and allowed out, but only accept the Umbrel web GUI port on incoming.
But I don’t have the Umbrel IP forwarded because it’s not really required for a private Bitcoin node. Nor does it speed up sync.
But I’m in the process of moving the node to a different machine and just running the pool and other docker programs on it.
I’ll have to check to see if there are iptables/nftables forward entries on those ports, plus look up what services are using those ports.
7777 is an AWS DB connect port. But other software uses it too.
I moved my block files to a Linux machine so I can run the node on that and put Umbrel on a sealed network, and I only have ckpool running on it. It hasn’t flagged anything. But others say the copy of the Bitcoin node is doing that.
But since this is a Docker program container, I am not going to allow it internet access. It doesn’t even need that for ckpool to run; it just has to talk to the Bitcoin node.
I also removed the donation part in ckpool since the guy is not building the source code correctly and doesn’t state what kernel + distribution works for compiling.
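The post above plans to check firewall entries for the flagged ports and look up which services use them. The script below is an added example for that check, not Umbrel's code or the poster's; it cross-references listening sockets with firewall ACCEPT rules. The `ss -tulpn` and `iptables -S` text in it is constructed sample output (an assumption about a node's state, not captured from a real device), port 80 as the web GUI port is an assumption, and the sample assumes a Docker published port equals its container port.

```python
"""Cross-check listening sockets against firewall ACCEPT rules to see which
services are actually reachable from the network.  Added example for this
thread, not Umbrel's own code.  SS_SAMPLE and IPTABLES_SAMPLE are constructed
sample output, not captured from a real node."""
import re
from typing import Dict, List, Set, Tuple

# Constructed `ss -tulpn` output (assumption).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096   0.0.0.0:80        0.0.0.0:*     users:(("docker-proxy",pid=1201,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:8332    0.0.0.0:*     users:(("bitcoind",pid=1440,fd=12))
tcp   LISTEN 0      4096   0.0.0.0:7777      0.0.0.0:*     users:(("docker-proxy",pid=1325,fd=4))
tcp   LISTEN 0      4096   *:3333            *:*           users:(("ckpool",pid=1502,fd=9))
"""

# Constructed `iptables -S` output (assumption).  Note the DOCKER chain: Docker
# manages its own chains, so a published container port can be reachable even
# when no INPUT rule (and no UFW rule) mentions it.
IPTABLES_SAMPLE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 7777 -j ACCEPT
"""

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
SS_RE = re.compile(r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
                   r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')
# ACCEPT rules from INPUT (host services) and DOCKER (published container ports).
# In the DOCKER chain --dport is the container-side port; this sample assumes
# it equals the host port, so check `docker ps` mappings when they differ.
RULE_RE = re.compile(r'^-A (?:INPUT|DOCKER) .*--dport (?P<port>\d+) -j ACCEPT$')


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """(local address, port, process name) for every listening socket line."""
    out = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if m:
            out.append((m.group("addr"), int(m.group("port")), m.group("proc")))
    return out


def parse_accepted_ports(iptables_output: str) -> Set[int]:
    """Destination ports that have an ACCEPT rule in the INPUT or DOCKER chain."""
    ports = set()
    for line in iptables_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            ports.add(int(m.group("port")))
    return ports


def audit(listeners, accepted: Set[int], intended: Set[int]) -> Dict[int, Tuple[str, str]]:
    """Map port -> (process, status).
    local-only: bound to a non-wildcard address, unreachable from the LAN
    listening-filtered: wildcard bind but no ACCEPT rule found
    ok: reachable and in the intended set
    exposed-unintended: reachable but not something you meant to expose"""
    report = {}
    for addr, port, proc in listeners:
        if addr not in WILDCARDS:
            status = "local-only"
        elif port not in accepted:
            status = "listening-filtered"
        elif port in intended:
            status = "ok"
        else:
            status = "exposed-unintended"
        report[port] = (proc, status)
    return report


def audit_sample() -> Dict[int, Tuple[str, str]]:
    """Run the audit on the constructed samples with only the web GUI (assumed 80) intended."""
    return audit(parse_listeners(SS_SAMPLE), parse_accepted_ports(IPTABLES_SAMPLE), {80})


if __name__ == "__main__":
    for port, (proc, status) in sorted(audit_sample().items()):
        print(f"{port:>5}  {proc:<13} {status}")
```

On a real host, replace the two samples with the output of `ss -tulpn` and `sudo iptables -S`; an nftables-only host needs `nft list ruleset`, whose syntax this regex does not parse. The point the sample makes is the one the post hints at: a UFW policy of "only the web GUI port inbound" does not by itself cover ports that Docker publishes, because those are accepted in Docker's own chain.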