kaipee (Dabbler; joined Dec 20, 2014; 27 messages)
Hi guys,
I have been running my FreeNAS for about 4 years now but have recently noticed a lot of failed login attempts to SSH on random ports within my daily security run reports.
To be clear, my FreeNAS is behind my consumer router/firewall with UPnP disabled and port-forwarding enabled for very selected ports / services (none of these ports are the ones showing in the security notification).
Example
SERVER login failures:
Aug 31 00:10:54 SERVER sshd[8974]: Failed password for invalid user ts3 from 118.69.122.110 port 52982 ssh2
Aug 31 00:10:54 SERVER sshd[8974]: Connection closed by invalid user ts3 118.69.122.110 port 52982 [preauth]
Aug 31 00:22:54 SERVER sshd[10362]: Failed password for invalid user ts3 from 118.69.122.110 port 52438 ssh2
Aug 31 00:22:54 SERVER sshd[10362]: Connection closed by invalid user ts3 118.69.122.110 port 52438 [preauth]
Aug 31 00:34:54 SERVER sshd[11626]: Failed password for invalid user ts3 from 118.69.122.110 port 51888 ssh2
Aug 31 00:34:54 SERVER sshd[11626]: Connection closed by invalid user ts3 118.69.122.110 port 51888 [preauth]
Aug 31 00:46:56 SERVER sshd[12861]: Failed password for invalid user ts3 from 118.69.122.110 port 51334 ssh2
Aug 31 00:46:56 SERVER sshd[12861]: Connection closed by invalid user ts3 118.69.122.110 port 51334 [preauth]
Aug 31 01:02:56 SERVER sshd[14839]: Failed password for invalid user test from 118.69.122.110 port 50790 ssh2
Aug 31 01:02:56 SERVER sshd[14839]: Connection closed by invalid user test 118.69.122.110 port 50790 [preauth]
Aug 31 01:15:15 SERVER sshd[16135]: Failed password for invalid user postgres from 118.69.122.110 port 50240 ssh2
Aug 31 01:15:15 SERVER sshd[16135]: Connection closed by invalid user postgres 118.69.122.110 port 50240 [preauth]
Aug 31 01:30:24 SERVER sshd[17673]: Failed password for invalid user postgres from 118.69.122.110 port 49682 ssh2
Aug 31 01:30:25 SERVER sshd[17673]: Connection closed by invalid user postgres 118.69.122.110 port 49682 [preauth]
Aug 31 01:44:38 SERVER sshd[19244]: Failed password for invalid user postgres from 118.69.122.110 port 49132 ssh2
Aug 31 01:44:39 SERVER sshd[19244]: Connection closed by invalid user postgres 118.69.122.110 port 49132 [preauth]
Aug 31 01:57:15 SERVER sshd[20715]: Failed password for invalid user postgres from 118.69.122.110 port 48570 ssh2
Aug 31 01:57:15 SERVER sshd[20715]: Connection closed by invalid user postgres 118.69.122.110 port 48570 [preauth]
Aug 31 02:11:47 SERVER sshd[22350]: Failed password for invalid user postgres from 118.69.122.110 port 48022 ssh2
Aug 31 02:11:47 SERVER sshd[22350]: Connection closed by invalid user postgres 118.69.122.110 port 48022 [preauth]
Aug 31 02:24:20 SERVER sshd[23633]: Failed password for invalid user postgres from 118.69.122.110 port 47468 ssh2
Aug 31 02:24:20 SERVER sshd[23633]: Connection closed by invalid user postgres 118.69.122.110 port 47468 [preauth]
Aug 31 02:40:57 SERVER sshd[25269]: Failed password for invalid user mysql from 118.69.122.110 port 46920 ssh2
Aug 31 02:40:57 SERVER sshd[25269]: Connection closed by invalid user mysql 118.69.122.110 port 46920 [preauth]
Aug 31 02:55:34 SERVER sshd[27081]: Failed password for invalid user databse from 118.69.122.110 port 46374 ssh2
Aug 31 02:55:34 SERVER sshd[27081]: Connection closed by invalid user databse 118.69.122.110 port 46374 [preauth]
Aug 31 03:08:02 SERVER sshd[30934]: Failed password for invalid user vps from 118.69.122.110 port 45824 ssh2
Aug 31 03:08:03 SERVER sshd[30934]: Connection closed by invalid user vps 118.69.122.110 port 45824 [preauth]
Aug 31 03:20:40 SERVER sshd[32506]: Failed password for invalid user solr from 118.69.122.110 port 45268 ssh2
Aug 31 03:20:41 SERVER sshd[32506]: Connection closed by invalid user solr 118.69.122.110 port 45268 [preauth]
Aug 31 03:35:33 SERVER sshd[34498]: Failed password for invalid user zabbix from 118.69.122.110 port 44714 ssh2
Aug 31 03:35:33 SERVER sshd[34498]: Connection closed by invalid user zabbix 118.69.122.110 port 44714 [preauth]
Aug 31 03:48:17 SERVER sshd[36011]: Failed password for invalid user zabbix from 118.69.122.110 port 44170 ssh2
Aug 31 03:48:18 SERVER sshd[36011]: Connection closed by invalid user zabbix 118.69.122.110 port 44170 [preauth]
Aug 31 04:01:00 SERVER sshd[37703]: Failed password for invalid user vagrant from 118.69.122.110 port 43622 ssh2
Aug 31 04:01:00 SERVER sshd[37703]: Connection closed by invalid user vagrant 118.69.122.110 port 43622 [preauth]
Aug 31 04:13:30 SERVER sshd[39024]: Failed password for invalid user gpadmin from 118.69.122.110 port 43068 ssh2
Aug 31 04:13:31 SERVER sshd[39024]: Connection closed by invalid user gpadmin 118.69.122.110 port 43068 [preauth]
Aug 31 04:26:15 SERVER sshd[40316]: Failed password for invalid user testuser from 118.69.122.110 port 42518 ssh2
Aug 31 04:26:15 SERVER sshd[40316]: Connection closed by invalid user testuser 118.69.122.110 port 42518 [preauth]
Aug 31 04:39:07 SERVER sshd[41641]: Failed password for invalid user backup from 118.69.122.110 port 41970 ssh2
Aug 31 04:39:08 SERVER sshd[41641]: Connection closed by invalid user backup 118.69.122.110 port 41970 [preauth]
Aug 31 04:51:34 SERVER sshd[43062]: Failed password for invalid user default from 118.69.122.110 port 41424 ssh2
Aug 31 04:51:34 SERVER sshd[43062]: Connection closed by invalid user default 118.69.122.110 port 41424 [preauth]
Aug 31 05:04:00 SERVER sshd[44504]: Failed password for invalid user server from 118.69.122.110 port 40884 ssh2
Aug 31 05:04:00 SERVER sshd[44504]: Connection closed by invalid user server 118.69.122.110 port 40884 [preauth]
Aug 31 05:16:23 SERVER sshd[45786]: Failed password for invalid user mongo from 118.69.122.110 port 40328 ssh2
Aug 31 05:16:24 SERVER sshd[45786]: Connection closed by invalid user mongo 118.69.122.110 port 40328 [preauth]
Aug 31 05:28:53 SERVER sshd[47012]: Failed password for invalid user user from 118.69.122.110 port 39780 ssh2
Aug 31 05:28:54 SERVER sshd[47012]: Connection closed by invalid user user 118.69.122.110 port 39780 [preauth]
Aug 31 05:42:49 SERVER sshd[48452]: Failed password for invalid user tom from 118.69.122.110 port 39230 ssh2
Aug 31 05:42:49 SERVER sshd[48452]: Connection closed by invalid user tom 118.69.122.110 port 39230 [preauth]
Aug 31 05:55:12 SERVER sshd[50054]: Failed password for invalid user user1 from 118.69.122.110 port 38678 ssh2
Aug 31 05:55:12 SERVER sshd[50054]: Connection closed by invalid user user1 118.69.122.110 port 38678 [preauth]
Aug 31 06:07:38 SERVER sshd[51331]: Failed password for invalid user tomcat from 118.69.122.110 port 38136 ssh2
Aug 31 06:07:38 SERVER sshd[51331]: Connection closed by invalid user tomcat 118.69.122.110 port 38136 [preauth]
Aug 31 06:22:23 SERVER sshd[52947]: Failed password for invalid user orange from 118.69.122.110 port 37588 ssh2
Aug 31 06:22:23 SERVER sshd[52947]: Connection closed by invalid user orange 118.69.122.110 port 37588 [preauth]
Aug 31 06:34:51 SERVER sshd[54176]: Failed password for invalid user postfix from 118.69.122.110 port 37030 ssh2
Aug 31 06:34:51 SERVER sshd[54176]: Connection closed by invalid user postfix 118.69.122.110 port 37030 [preauth]
Aug 31 06:49:05 SERVER sshd[55581]: Failed password for invalid user spot from 118.69.122.110 port 36478 ssh2
Aug 31 06:49:05 SERVER sshd[55581]: Connection closed by invalid user spot 118.69.122.110 port 36478 [preauth]
Aug 31 07:04:00 SERVER sshd[57407]: Failed password for invalid user management from 118.69.122.110 port 35930 ssh2
Aug 31 07:04:00 SERVER sshd[57407]: Connection closed by invalid user management 118.69.122.110 port 35930 [preauth]
Aug 31 07:17:35 SERVER sshd[58800]: Failed password for invalid user mybase from 118.69.122.110 port 35378 ssh2
Aug 31 07:17:35 SERVER sshd[58800]: Connection closed by invalid user mybase 118.69.122.110 port 35378 [preauth]
Aug 31 07:30:35 SERVER sshd[60107]: Failed password for invalid user sqlbase from 118.69.122.110 port 34816 ssh2
Aug 31 07:30:35 SERVER sshd[60107]: Connection closed by invalid user sqlbase 118.69.122.110 port 34816 [preauth]
Aug 31 07:43:03 SERVER sshd[61322]: Failed password for invalid user user from 118.69.122.110 port 34266 ssh2
Aug 31 07:43:04 SERVER sshd[61322]: Connection closed by invalid user user 118.69.122.110 port 34266 [preauth]
Aug 31 07:56:32 SERVER sshd[63021]: Failed password for invalid user tomcat from 118.69.122.110 port 33714 ssh2
Aug 31 07:56:32 SERVER sshd[63021]: Connection closed by invalid user tomcat 118.69.122.110 port 33714 [preauth]
Aug 31 08:09:21 SERVER sshd[64335]: Failed password for invalid user tomcat from 118.69.122.110 port 33162 ssh2
Aug 31 08:09:21 SERVER sshd[64335]: Connection closed by invalid user tomcat 118.69.122.110 port 33162 [preauth]
Aug 31 08:21:57 SERVER sshd[65575]: Failed password for invalid user git from 118.69.122.110 port 60844 ssh2
Aug 31 08:21:57 SERVER sshd[65575]: Connection closed by invalid user git 118.69.122.110 port 60844 [preauth]
Aug 31 08:34:46 SERVER sshd[67038]: Failed password for invalid user git from 118.69.122.110 port 60294 ssh2
Aug 31 08:34:47 SERVER sshd[67038]: Connection closed by invalid user git 118.69.122.110 port 60294 [preauth]
Aug 31 08:47:20 SERVER sshd[68336]: Failed password for invalid user git from 118.69.122.110 port 59730 ssh2
Aug 31 08:47:21 SERVER sshd[68336]: Connection closed by invalid user git 118.69.122.110 port 59730 [preauth]
Aug 31 09:00:14 SERVER sshd[70011]: Failed password for invalid user tomcat from 118.69.122.110 port 59174 ssh2
Aug 31 09:00:14 SERVER sshd[70011]: Connection closed by invalid user tomcat 118.69.122.110 port 59174 [preauth]
Aug 31 09:15:45 SERVER sshd[71657]: Failed password for invalid user tomcat from 118.69.122.110 port 58626 ssh2
Aug 31 09:15:45 SERVER sshd[71657]: Connection closed by invalid user tomcat 118.69.122.110 port 58626 [preauth]
Aug 31 09:34:32 SERVER sshd[73809]: Failed password for invalid user tomcat from 118.69.122.110 port 58076 ssh2
Aug 31 09:34:33 SERVER sshd[73809]: Connection closed by invalid user tomcat 118.69.122.110 port 58076 [preauth]
Aug 31 09:54:59 SERVER sshd[76096]: Failed password for invalid user tomcat from 118.69.122.110 port 57526 ssh2
Aug 31 09:54:59 SERVER sshd[76096]: Connection closed by invalid user tomcat 118.69.122.110 port 57526 [preauth]
Aug 31 10:11:34 SERVER sshd[78275]: Failed password for invalid user tomcat from 118.69.122.110 port 56976 ssh2
Aug 31 10:11:35 SERVER sshd[78275]: Connection closed by invalid user tomcat 118.69.122.110 port 56976 [preauth]
Aug 31 10:31:58 SERVER sshd[80428]: Failed password for invalid user tomcat from 118.69.122.110 port 56430 ssh2
Aug 31 10:31:59 SERVER sshd[80428]: Connection closed by invalid user tomcat 118.69.122.110 port 56430 [preauth]
Aug 31 10:52:03 SERVER sshd[82861]: Failed password for invalid user tomcat from 118.69.122.110 port 55880 ssh2
Aug 31 10:52:03 SERVER sshd[82861]: Connection closed by invalid user tomcat 118.69.122.110 port 55880 [preauth]
Aug 31 11:12:34 SERVER sshd[85431]: Failed password for invalid user tomcat from 118.69.122.110 port 55330 ssh2
Aug 31 11:12:35 SERVER sshd[85431]: Connection closed by invalid user tomcat 118.69.122.110 port 55330 [preauth]
Aug 31 11:33:47 SERVER sshd[87824]: Failed password for invalid user tomcat from 118.69.122.110 port 54780 ssh2
Aug 31 11:33:47 SERVER sshd[87824]: Connection closed by invalid user tomcat 118.69.122.110 port 54780 [preauth]
Aug 31 11:49:23 SERVER sshd[89518]: Failed password for invalid user tomcat from 118.69.122.110 port 54232 ssh2
Aug 31 11:49:23 SERVER sshd[89518]: Connection closed by invalid user tomcat 118.69.122.110 port 54232 [preauth]
Aug 31 12:02:06 SERVER sshd[91287]: Failed password for invalid user centos from 118.69.122.110 port 53676 ssh2
Aug 31 12:02:06 SERVER sshd[91287]: Connection closed by invalid user centos 118.69.122.110 port 53676 [preauth]
Aug 31 12:14:53 SERVER sshd[92663]: Failed password for invalid user centos from 118.69.122.110 port 53122 ssh2
Aug 31 12:14:54 SERVER sshd[92663]: Connection closed by invalid user centos 118.69.122.110 port 53122 [preauth]
Aug 31 12:27:32 SERVER sshd[94087]: Failed password for invalid user centos from 118.69.122.110 port 52564 ssh2
Aug 31 12:27:33 SERVER sshd[94087]: Connection closed by invalid user centos 118.69.122.110 port 52564 [preauth]
Aug 31 12:40:14 SERVER sshd[95526]: Failed password for invalid user centos from 118.69.122.110 port 52008 ssh2
Aug 31 12:40:15 SERVER sshd[95526]: Connection closed by invalid user centos 118.69.122.110 port 52008 [preauth]
Aug 31 12:52:35 SERVER sshd[97022]: Failed password for invalid user centos from 118.69.122.110 port 51460 ssh2
Aug 31 12:52:36 SERVER sshd[97022]: Connection closed by invalid user centos 118.69.122.110 port 51460 [preauth]
Aug 31 13:05:09 SERVER sshd[98659]: Failed password for invalid user ts3server from 118.69.122.110 port 50906 ssh2
Aug 31 13:05:09 SERVER sshd[98659]: Connection closed by invalid user ts3server 118.69.122.110 port 50906 [preauth]
Aug 31 13:17:56 SERVER sshd[115]: Failed password for invalid user ts3server from 118.69.122.110 port 50352 ssh2
Aug 31 13:17:57 SERVER sshd[115]: Connection closed by invalid user ts3server 118.69.122.110 port 50352 [preauth]
Aug 31 13:30:27 SERVER sshd[1556]: Failed password for invalid user teamspeak3 from 118.69.122.110 port 49790 ssh2
Aug 31 13:30:27 SERVER sshd[1556]: Connection closed by invalid user teamspeak3 118.69.122.110 port 49790 [preauth]
Aug 31 13:44:18 SERVER sshd[3240]: Failed password for invalid user teamspeak3 from 118.69.122.110 port 49238 ssh2
Aug 31 13:44:19 SERVER sshd[3240]: Connection closed by invalid user teamspeak3 118.69.122.110 port 49238 [preauth]
Aug 31 13:56:44 SERVER sshd[4774]: Failed password for invalid user centos from 118.69.122.110 port 48676 ssh2
Aug 31 13:56:45 SERVER sshd[4774]: Connection closed by invalid user centos 118.69.122.110 port 48676 [preauth]
Aug 31 14:09:04 SERVER sshd[6160]: Failed password for invalid user centos from 118.69.122.110 port 48118 ssh2
Aug 31 14:09:05 SERVER sshd[6160]: Connection closed by invalid user centos 118.69.122.110 port 48118 [preauth]
-- End of security output --
My question is, how are these requests reaching my FreeNAS server on port 52982 (for example) when this port is not open nor forwarded from my firewall?
Another quick question, what is the format of this email? (What does the number beside sshd inside [] relate to, a PID?)
I have been adding some of the malicious IPs into ipfw for now (I know it shouldn't be added into the root filesystem).
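Added example, not part of the original post: a parser for the sshd lines in the report above, grouping failures by client address. In this syslog format the number in brackets is the PID of the sshd process handling that connection, and `port N` is the remote client's TCP source port, not a port on the server. The first four sample lines are copied from the report; the last is constructed.

```python
import re
from collections import defaultdict

# "<Mon DD HH:MM:SS> <host> sshd[<PID>]: Failed password for [invalid user ]<user>
#  from <client IP> port <client source port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2$"
)

# First four lines copied from the report above; the last one is constructed
# (documentation address) to cover a failure for an account that does exist.
SAMPLE = """\
Aug 31 00:10:54 SERVER sshd[8974]: Failed password for invalid user ts3 from 118.69.122.110 port 52982 ssh2
Aug 31 00:10:54 SERVER sshd[8974]: Connection closed by invalid user ts3 118.69.122.110 port 52982 [preauth]
Aug 31 00:22:54 SERVER sshd[10362]: Failed password for invalid user ts3 from 118.69.122.110 port 52438 ssh2
Aug 31 01:02:56 SERVER sshd[14839]: Failed password for invalid user test from 118.69.122.110 port 50790 ssh2
Aug 31 01:05:00 SERVER sshd[15000]: Failed password for root from 203.0.113.5 port 40000 ssh2
"""

def parse_failures(text):
    """Return one dict per 'Failed password' line; other sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": m["ts"],
            "pid": int(m["pid"]),               # sshd child process for this connection
            "user": m["user"],
            "known_user": m["invalid"] is None,  # False when sshd logged "invalid user"
            "src_ip": m["src_ip"],
            "src_port": int(m["src_port"]),     # client-side ephemeral port
        })
    return events

def summarize(events):
    """Group failures by client address: attempts, usernames tried, source ports seen."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ports": set()})
    for e in events:
        s = summary[e["src_ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["src_ports"].add(e["src_port"])
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize(parse_failures(SAMPLE)).items():
        print(ip, s["attempts"], sorted(s["users"]), sorted(s["src_ports"]))
```

A different source port on every attempt from the same address, as in the report, is what ordinary outbound client connections look like; the server-side port is whichever one sshd listens on.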