Ernst wrote: ↑
Sun May 26, 2019 6:57 am
jcalmeida79 wrote: ↑
Sun May 26, 2019 12:52 am
3 years later, I'm having the same issue. Can anyone give any hint?
My system was working fine until I noticed it was out of space. It seems someone was heavily trying to ssh into my pi with a brute force approach, and my /var/log/auth.log and /var/log/btmp files were huge.
This was what I did:
- Deleted all .1 files and all .gz also (probably bad idea).
- Changed the ssh port from 22 to 1025, by editing /etc/ssh/sshd_config file
- Tried to change my pi user's password to anything different than "raspberry", but I think I got the read-only error, but I'm not sure
I booted the pi and started getting the same errors as Bdevil.
I can only get in the pi with the Single User Mode. In the meantime I truncated the files with "> auth.log" and "> btmp".
What do you guys think I should check/do to fix my pi (3B+ running raspbian lite)?
You have a few important points in your post:
- It seems someone was heavily trying to ssh into my pi with a brute force approach, and my /var/log/auth.log and /var/log/btmp files were huge
- Changed the ssh port from 22 to 1025, by editing /etc/ssh/sshd_config file
- Tried to change my pi user's password to anything different than "raspberry"
Together this points to the fact that you have not secured the Pi, but you may have been using it in an unfriendly environment, and it may have been hacked.
The ONLY ACCEPTABLE solution is to start with a new card using a new installation, this time make sure that the password is changed and disable password authentication for ssh, use keys instead.
If the problem is caused by something else then we will not be able to help because you have destroyed evidence.
For future posts, you must provide information if you need our assistance, meaning which model Pi, what operating system release, network connection, etc. If this Pi has been running for three years and has not been upgraded, then the time has now arrived to do so. But if this is a Pi3B+ I wonder where the three years come from.
First of all, thank you for your reply.
Just a few things to clarify what I might have missed in my previous post, that you mention in your reply:
- My Pi is the 3B+, as I stated at the end. I should have mentioned it as soon as I started the post.
- My system hasn't been running for 3 years. I'm not the original poster, I just replied here, because I was having the same issue the OP had 3 years ago. It's been running for 5/6 months.
- My operating system is Raspbian Lite. I mention it where I mention the Pi version. I didn't mention the specific release version though, and don't really know what it is at the moment. Only that it was installed fresh in December.
- It's connected to my home network with wifi with port forwarding in my router for ssh port 22, for me to manage it when I'm out.
By the way, before I truncated the pi, I investigated the auth.log and btmp files. I'm almost certain it hasn't been hacked. I removed the port forward when I was working on it and did several boots with no problems. Only after I removed the .1 and .gz files, changed the ports and tried to change the password for the pi user, the pi didn't boot. I ended up being the hacker.
I'm resisting doing a fresh install, because I have my home automation system there, that I created myself using nodejs and homebridge. I'm afraid I might not have the latest version of it backed up.
If I can't restore the Login Services, any idea how to remove it from the Pi? I tried the ext4fuse but it says "Partition doesn't contain EXT4 filesystem".
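For the auth.log review discussed in this thread, the following is an added example and not part of any poster's message: a per-address summary of sshd results that separates sources that only guessed from sources that guessed and also logged in. The log lines, host name, documentation-range addresses and the `THRESHOLD` value are constructed assumptions.

```shell
#!/bin/sh
# Added example: summarise sshd authentication results per source address.
# Reads auth.log text on stdin; prints "ip failed accepted verdict" lines.
THRESHOLD=${THRESHOLD:-3}   # assumed: failures that mark a guessing source

sample_log() {              # constructed sample in OpenSSH's auth.log format
cat <<'EOF'
May 25 03:12:01 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 25 03:12:03 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.7 port 51236 ssh2
May 25 03:12:05 raspberrypi sshd[1203]: Failed password for invalid user from from 203.0.113.7 port 51240 ssh2
May 25 03:14:09 raspberrypi sshd[1210]: Failed password for pi from 198.51.100.23 port 40022 ssh2
May 25 03:14:11 raspberrypi sshd[1210]: Failed password for pi from 198.51.100.23 port 40022 ssh2
May 25 03:14:14 raspberrypi sshd[1210]: Failed password for pi from 198.51.100.23 port 40022 ssh2
May 25 03:14:20 raspberrypi sshd[1212]: Accepted password for pi from 198.51.100.23 port 40030 ssh2
May 25 09:00:00 raspberrypi sshd[1300]: Failed password for pi from 192.168.1.20 port 50000 ssh2
May 25 09:00:05 raspberrypi sshd[1300]: Accepted password for pi from 192.168.1.20 port 50000 ssh2
May 25 09:01:00 raspberrypi CRON[1301]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

ssh_auth_summary() {
    awk -v thr="$THRESHOLD" '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
        # The address sits between the last "from" and "port"; scanning
        # from the right is not fooled by a login name of "from".
        ip = ""
        for (i = NF - 2; i >= 1; i--)
            if ($i == "from" && $(i + 2) == "port") { ip = $(i + 1); break }
        if (ip == "") next
        seen[ip] = 1
        if ($0 ~ /: Failed /) failed[ip]++
        else accepted[ip]++
    }
    END {
        for (ip in seen) {
            f = failed[ip] + 0; a = accepted[ip] + 0
            verdict = "ok"
            if (f >= thr && a > 0) verdict = "REVIEW"      # guessing plus a login
            else if (f >= thr)     verdict = "bruteforce"  # guessing, no login
            print ip, f, a, verdict
        }
    }' | sort
}

sample_log | ssh_auth_summary
```

On a real system the function would be fed `/var/log/auth.log` and its rotated copies; a `REVIEW` line is a prompt to inspect that address's sessions, not proof of compromise.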