FreeNAS-11.1-U7, hacking attempts

dakinet

Cadet
Joined
Nov 2, 2020
Messages
7
Hi, I'm new here.
Today, while looking at the terminal messages, I noticed many login attempts on my FreeNAS. I'm listing only a few here; actually there are 17 Word pages of log with login attempts.
Can somebody explain to me what is going on and how to protect myself, please?
Best regards



Code:
Nov 17 12:57:58 ssv_server proftpd[79638]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER ftp (Login failed): Incorrect password
Nov 17 12:57:58 ssv_server proftpd[79638]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 12:58:03 ssv_server proftpd[79641]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER ftp (Login failed): Incorrect password
Nov 17 12:58:03 ssv_server proftpd[79641]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 12:58:08 ssv_server proftpd[79707]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER ftp (Login failed): Incorrect password
Nov 17 12:58:08 ssv_server proftpd[79707]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 12:58:11 ssv_server proftpd[79709]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER ftp (Login failed): Incorrect password

Nov 17 13:04:37 ssv_server proftpd[81111]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER user: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:04:37 ssv_server proftpd[81111]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused


Nov 17 13:06:39 ssv_server proftpd[81481]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER user: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:06:39 ssv_server proftpd[81481]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 13:06:46 ssv_server proftpd[81508]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER user: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:06:46 ssv_server proftpd[81508]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 13:06:58 ssv_server proftpd[81523]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER user: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:06:58 ssv_server proftpd[81523]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 13:06:59 ssv_server proftpd[81526]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER user: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:06:59 ssv_server proftpd[81526]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused


Nov 17 13:19:29 ssv_server proftpd[84220]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER www-data: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:19:29 ssv_server proftpd[84220]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 13:19:35 ssv_server proftpd[84230]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER www-data: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:19:35 ssv_server proftpd[84230]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 13:19:40 ssv_server proftpd[84261]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER www-data: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:19:40 ssv_server proftpd[84261]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 13:19:42 ssv_server proftpd[84263]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER www-data: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:19:42 ssv_server proftpd[84263]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Please don't crosspost.

As for your problem, don't expose your *FTP server to the internet.
 

dakinet

Cadet
Joined
Nov 2, 2020
Messages
7
Hi, thanks for the reply. I have a MikroTik router after the cable modem, and on the MT I have a firewall that blocks all incoming ports. I also have a port forward that redirects incoming port 2121 to port 21 on the server. The attacker's IP (103.219.39.218) comes from China. I block port 2121 from outside connections.

I don't know if the problem is solved. I must see the event log; where can I find the event log on FreeNAS?
 

dakinet

Cadet
Joined
Nov 2, 2020
Messages
7
Now I'm receiving messages:
Code:
Nov 18 00:00:00 sdi_server newsyslog[18798]: logfile turned over due to size>200K
Nov 18 00:00:00 sdi_server syslog-ng[63558]: Configuration reload request received, reloading configuration;
Nov 18 08:33:24 sdi_server proftpd[4939]: 127.0.0.1 (192.168.100.200[192.168.100.200]) - USER ServerSideRequestForgeryCheckUsername: no such user found from 192.168.100.200 [192.168.100.200] to ::ffff:192.168.100.250:21
Nov 18 08:33:24 sdi_server proftpd[4939]: 127.0.0.1 (192.168.100.200[192.168.100.200]) - Maximum login attempts (1) exceeded, connection refused
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776

dakinet

Cadet
Joined
Nov 2, 2020
Messages
7
Here is what I have in the /var/log/ folder:
freenas_log.jpg
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
So? There is your event log. You asked where to find that. You have to look at the individual files ...
 

dakinet

Cadet
Joined
Nov 2, 2020
Messages
7
I will check in the file "httpd-access.log"; maybe it is there. Thank you.
Can FreeNAS send an email with the event log attached, maybe once per month or per week?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Why would you expect ftpd to log in httpd-access.log? Two separate programs.
I'd look in messages, auth.log and xferlog or simply use grep ...
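
An added example, not part of the post above and not FreeNAS tooling: a shell function that applies the grep suggestion to proftpd lines in the format posted in this thread, counting failed logins per source address and user name and marking whether the source is on the LAN or external. The names `summarize_ftp_failures` and `sample_log` and the internal/external labels are assumptions of this example; the sample lines are copied from the log excerpts above.

```shell
#!/bin/sh
# Added example: summarize failed proftpd logins per source address and user.
# Reads syslog lines on stdin; prints "count source scope user", busiest first.
# Typical use: grep proftpd /var/log/messages | summarize_ftp_failures
summarize_ftp_failures() {
    awk '
    /proftpd\[[0-9]+\]:/ && (/\(Login failed\)/ || /no such user found/) {
        # The client address is the bracketed part of "(host[addr])".
        if (!match($0, /\[[0-9A-Fa-f:.]+\]\)/)) next
        ip = substr($0, RSTART + 1, RLENGTH - 3)
        # The user name follows " - USER " and ends at a space or colon.
        if (!match($0, / - USER [^ :]+/)) next
        user = substr($0, RSTART + 8, RLENGTH - 8)
        # RFC 1918 and loopback sources are local, not from the internet.
        scope = "external"
        if (ip ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            scope = "internal"
        seen[ip " " scope " " user]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Sample input: lines copied from the log excerpts posted in this thread.
sample_log() {
    cat <<'EOF'
Nov 17 12:57:58 ssv_server proftpd[79638]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER ftp (Login failed): Incorrect password
Nov 17 12:57:58 ssv_server proftpd[79638]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - Maximum login attempts (1) exceeded, connection refused
Nov 17 12:58:03 ssv_server proftpd[79641]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER ftp (Login failed): Incorrect password
Nov 17 13:04:37 ssv_server proftpd[81111]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER user: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 17 13:19:29 ssv_server proftpd[84220]: 127.0.0.1 (103.219.39.218[103.219.39.218]) - USER www-data: no such user found from 103.219.39.218 [103.219.39.218] to ::ffff:192.168.100.250:21
Nov 18 08:33:24 sdi_server proftpd[4939]: 127.0.0.1 (192.168.100.200[192.168.100.200]) - USER ServerSideRequestForgeryCheckUsername: no such user found from 192.168.100.200 [192.168.100.200] to ::ffff:192.168.100.250:21
EOF
}

sample_log | summarize_ftp_failures
```

A row marked `internal` means the connection reached the FTP service from inside the LAN, so the router's port forward is not what let it in.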
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
"I also have a port forward that redirects incoming port 2121 to port 21 on the server."
"I block port 2121 from outside connections."
These two don't make much sense together. You either forward a port or block it, generally you don't do both (unless you're whitelisting IPs?).
 