Data collection at project.turris.cz broken since manual upgrade to 5.1.4 (HBS)

Hello,

Since the upgrade I did on 23rd December, data collection at project.turris.cz does not work any more. I did accept the data collection again in the corresponding section, but it still does not work. My honeypot on HaaS also shows no new data. I haven’t found any article on how to either fix that or configure it from scratch. Can you help please, or point me to some article for help (either English or Czech)?

Thanks a lot.

I forgot to mention, it was an upgrade from 3.x, done with no issues according to the how-to.

What exactly do you mean by “does not work”?
Is your ipset “turris-sn-dynfw-block” empty? (check via ssh)

Do you have empty counters in the iptables rules that use “match-set turris-sn-dynfw-block”?

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src ctstate NEW /* !sentinel: dynamic firewall block */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  348 15537 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */

If so, can you check whether sentinel-dynfw-ipset and sentinel-dynfw-client are enabled in luci/system/startup?

I had to enable and start them manually in order for them to work.

I’d be glad if you could check and verify if it helps.
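The two checks suggested above (is the ipset populated, do the iptables rules that reference it have non-zero counters) can be scripted. The following is an added example, not code from the thread or from the Turris project; it reads the output of `iptables -nvL` and `ipset list` from stdin, so it runs offline against the constructed samples embedded below and on the router against the live commands. The sample addresses are from the TEST-NET documentation ranges and are not real abusers.

```shell
#!/bin/sh
# Added example (not from the Turris project or the thread): check whether the
# Sentinel dynamic firewall is actually wired in. Both parsers read from stdin
# so they can be fed either the live command on the router or the constructed
# samples below.

# Constructed sample of `iptables -nvL` output, modelled on the two rules
# quoted in the thread (not a real capture).
SAMPLE_IPTABLES='Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src ctstate NEW /* !sentinel: dynamic firewall block */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  348 15537 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */'

# Constructed sample of `ipset list turris-sn-dynfw-block` output with three
# documentation-range (TEST-NET) addresses as members.
SAMPLE_IPSET='Name: turris-sn-dynfw-block
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 456
References: 2
Number of entries: 3
Members:
192.0.2.10
198.51.100.7
203.0.113.42'

# Print "<chain> <pkts> <bytes>" for every rule that matches the dynfw ipset.
dynfw_rule_counts() {
    awk '$1 == "Chain" { chain = $2; next }
         /match-set turris-sn-dynfw-block/ { print chain, $1, $2 }'
}

# Count the entries listed after the "Members:" header of `ipset list`.
ipset_member_count() {
    awk '/^Members:/ { in_members = 1; next }
         in_members && NF { n++ }
         END { print n + 0 }'
}

# Combine both checks. Arguments: iptables output, ipset output.
# Exit status: 0 = rules present and set populated,
#              1 = no rule references the set (the dynfw rules were never
#                  installed, e.g. the client service is not running),
#              2 = rules present but the set is empty (client gets no data).
dynfw_status() {
    rules=$(printf '%s\n' "$1" | dynfw_rule_counts)
    if [ -z "$rules" ]; then
        echo "no iptables rule matches turris-sn-dynfw-block"
        return 1
    fi
    members=$(printf '%s\n' "$2" | ipset_member_count)
    if [ "$members" -eq 0 ]; then
        echo "rules present but ipset has no members"
        return 2
    fi
    dropped=$(printf '%s\n' "$rules" | awk '{ s += $2 } END { print s + 0 }')
    echo "ok: $members blocked addresses, $dropped packets dropped so far"
    return 0
}

# Run against the constructed samples. On the router replace the two
# arguments with "$(iptables -nvL)" and "$(ipset list turris-sn-dynfw-block)".
dynfw_status "$SAMPLE_IPTABLES" "$SAMPLE_IPSET"
```

A zero packet counter on the forward chain is not by itself a fault: forwarded traffic from a blocked address only occurs when something behind the router is reachable from the WAN, so the input-chain counter is the one to watch.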

Hello fantomas,

I don’t have those records in iptables. Based on what you wrote I checked the startup in the LuCI UI and I see I have all of these disabled there:

bcp38
sentinel-dynfw-client
kresd
ahcpd
luci_statistics
relayd
mosquitto
dev-detect
sentinel-proxy
socat
lxc-auto
bootcount
sentinel-minipot

I assume I need to enable sentinel-proxy, sentinel-minipot and sentinel-dynfw-client, so I did and rebooted. After that I found my Internet connection not working. I found out it had completely messed up my interface config. I tried a rollback to my last snapshot but it did not help. In reForis I had to assign the WAN and all LAN interfaces back to the appropriate section (radio interfaces were for some reason OK, lucky for me).

I’ve re-enabled those three services in LuCI again and now I can see in iptables the records you mention. After some SSH attempts to the honeypot, the first one shows 0 pkts and bytes and the second one has some counts, just like you shared above. But it is still not working as expected, I guess. I can’t log in to the honeypot, it refuses all connections on SSH.

Any thoughts?

You know, I have had this router since the Indiegogo campaign; I haven’t checked or played with the honeypot since I set it up years ago. I don’t remember how I selected the alternate port for the honeypot etc. I have my PuTTY sessions saved:
Omnia access from LAN: TCP 22
Honeypot from LAN: TCP 58732
Honeypot from WAN: TCP 22

I have a port forwarding set for WAN 22 to LAN 58732 (it worked before).
I just don’t know whether in 5.x it still works the same way or whether I might need to change / delete some stuff here.

Also, I did the upgrade on the 23rd. I noticed that in project.turris.cz I see "Last update of the data was on Dec. 23, 2020" … but on the HaaS webpage I see the last logged “attack” was 2020-12-14, … so the honeypot stopped working some days before I even touched it.

I think that haas-proxy is responsible for the SSH honeypot.

sentinel-dynfw-client should be responsible for filling the firewall with the IPs of abusers.
Looks like sentinel-dynfw-ipset disappeared in the meantime.

As @fantomas correctly says, haas-proxy manages the honeypot https://haas.nic.cz/
Sentinel takes care of the dynamic firewall. On 5.1.4 there is a known problem, already solved on HBK (5.1.5 testing), which inhibits the automatic activation and start of the services installed via reForis. To solve the problem on 5.1.4 and be sure to have everything working, just follow the official Data Collection activation guide https://docs.turris.cz/basics/collect/setup/ (see installation via ssh). By installing from ssh the Sentinel services will be enabled and started correctly. For the haas-proxy service (which controls the honeypot) remember to execute, in addition to /etc/init.d/haas-proxy start, also /etc/init.d/haas-proxy enable, otherwise the honeypot will not work after rebooting the router.
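The point of the last two sentences above is that a service that was only started (not enabled) silently dies at the next reboot, which is exactly the symptom reported in the thread. The following is an added example, not the Turris project's own tooling, that audits the boot-time state of the services from this thread by looking for the `S<NN><name>` links that `/etc/init.d/<name> enable` creates in `/etc/rc.d` on OpenWrt-based systems. The rc.d directory is a parameter so the check can be exercised against a temporary directory off the router; the service list is an assumption taken from the posts above.

```shell
#!/bin/sh
# Added example (not the Turris project's own tooling): audit which init
# services are enabled at boot by looking for their S<NN><name> start links
# in the rc.d directory, which is what `/etc/init.d/<name> enable` creates
# on OpenWrt-based systems such as Turris OS.

# Return 0 if an S<NN><name> start link exists in the given rc.d directory.
service_enabled() {
    rcdir=$1
    name=$2
    for link in "$rcdir"/S[0-9][0-9]"$name"; do
        # -L catches a dangling symlink, -e a regular file or a live link
        if [ -L "$link" ] || [ -e "$link" ]; then
            return 0
        fi
    done
    return 1
}

# Print one "enabled <name>" / "disabled <name>" line per service, then the
# enable+start commands to run for the disabled ones. Return 1 if any service
# is disabled. Usage: audit_services /etc/rc.d svc1 svc2 ...
audit_services() {
    rcdir=$1
    shift
    missing=""
    for svc in "$@"; do
        if service_enabled "$rcdir" "$svc"; then
            echo "enabled $svc"
        else
            echo "disabled $svc"
            missing="$missing $svc"
        fi
    done
    if [ -n "$missing" ]; then
        echo "# to fix, run on the router:"
        for svc in $missing; do
            echo "/etc/init.d/$svc enable && /etc/init.d/$svc start"
        done
        return 1
    fi
    return 0
}

# Assumed list of the services discussed in the thread: Sentinel collection,
# the minipot, the dynamic firewall client and the HaaS SSH honeypot proxy.
SENTINEL_SERVICES="sentinel-proxy sentinel-minipot sentinel-dynfw-client haas-proxy"

# On the router, run:
#   audit_services /etc/rc.d $SENTINEL_SERVICES
# Here the function is only defined; see the usage above for a live check.
```

Run the audit once after enabling things through LuCI or reForis and once more after a reboot; a service that shows `enabled` but is not listed by `ps` after the reboot points at a failing start rather than a missing link.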

But what does it mean?

Anyway, I think I will wait if new data will appear tomorrow in project.turris.cz.

Regarding the honeypot, I think I either need to change the port for the honeypot and redirect SSH 22 to it, OR I need to change the management SSH port of the Turris itself to some alternate port. However, I haven’t found a “how to” for changing either of them.

Turris documentation after all these years still sucks. There are no clear instructions for basic stuff; some of those basics are even missing in the GUI (in all three of them). If you are not a Linux geek who can figure it out yourself, you are screwed. I can’t play that much and potentially destroy my router. I need it functional. I like it and hate it at the same time.

From version 4.x of Turris OS the data collection is no longer linked to the page you mentioned (https://project.turris.cz/), i.e. you can no longer check the statistics from that page. In fact, in the new version of the operating system there is no longer a section for registering with the Turris project when enabling the data collection.


I see, so I can remove my router from project.turris.cz and I can unregister from the project completely. Thanks a lot for this info!

So now I’ll just try to fix the HaaS.
I also tried the via-SSH guide mentioned above plus the additional commands, but still the same result. I get connection refused.
I’m pretty sure it has something to do with my honeypot configuration from 3.x (port redirection etc.).

Meanwhile, does the WAN connection work for you? Try sshing to the router’s public IP address. If you don’t have a public IP address, even a dynamic one, the honeypot would be totally useless. In case it works from WAN, try to remember what you did to perform the port redirect (https://openwrt.org/docs/guide-user/firewall/firewall_configuration) and cancel the redirect. What’s the use of accessing a honeypot on the LAN?
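Cancelling a redirect you no longer remember creating is easiest by searching the UCI firewall config for the destination port rather than by name. The following is an added example, not from the thread or from the OpenWrt/Turris projects; it parses `uci show firewall` output (a constructed sample is embedded, with private LAN addresses chosen for the example) and prints the `uci delete` commands for every redirect that forwards to the old honeypot port. Whether the WAN port 22 is then served directly by haas-proxy on Turris OS 5.x is assumed from the posts above, not verified here.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt/Turris projects): find the
# firewall redirect sections in `uci show firewall` output that forward to a
# given destination port, and emit the `uci delete` commands to drop them.
# Both functions read stdin, so on the router you can pipe the live output:
#   uci show firewall | redirects_to_port 58732 | uci_delete_cmds

# Constructed sample of `uci show firewall` output: a WAN:22 -> LAN:58732
# redirect like the one described in the thread, an unrelated HTTPS redirect,
# and a second redirect to the same honeypot port on another source port.
SAMPLE_UCI="firewall.@redirect[0]=redirect
firewall.@redirect[0].name='honeypot-ssh'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='22'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.10'
firewall.@redirect[0].dest_port='58732'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='https-in'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='8443'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.1.20'
firewall.@redirect[1].dest_port='443'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[2]=redirect
firewall.@redirect[2].name='honeypot-alt'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='2222'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].dest_ip='192.168.1.10'
firewall.@redirect[2].dest_port='58732'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].target='DNAT'"

# Print the section name (e.g. firewall.@redirect[0]) of every redirect whose
# dest_port equals $1. Values in `uci show` output are single-quoted.
redirects_to_port() {
    awk -F= -v port="$1" -v q="'" '
        $1 ~ /\.dest_port$/ {
            v = $2; gsub(q, "", v)
            if (v == port) { sec = $1; sub(/\.dest_port$/, "", sec); print sec }
        }'
}

# Turn section names from stdin into uci commands. Anonymous sections are
# deleted highest index first: deleting @redirect[0] renumbers the later
# ones, so a second delete by the old index would hit the wrong section.
uci_delete_cmds() {
    awk '{
        idx = -1
        if (match($0, /\[[0-9]+\]/)) idx = substr($0, RSTART + 1, RLENGTH - 2)
        print idx, $0
    }' | sort -k1,1nr | awk '{ print "uci delete " $2 }'
    echo "uci commit firewall"
    echo "/etc/init.d/firewall restart"
}

# Show what would be removed for the old honeypot port from the thread.
printf '%s\n' "$SAMPLE_UCI" | redirects_to_port 58732 | uci_delete_cmds
```

Review the printed commands before pasting them into a root shell on the router; `uci changes firewall` after the deletes and before the commit shows exactly what will be written.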

You don’t need to register through the web interface.
IIRC I registered manually through https://haas.nic.cz/
while I had TOS 5.x installed, so at least my SSH honeypot is working and I can look up attempts from the net.