Linux client keeps trying to connect to freenas

ghostwolf59

My son recently installed Linux Mint, where I noticed the system keeps trying to connect to freenas (without my son doing anything).
I then asked him to blow away Linux Mint and install Ubuntu 18.04.3 (which he did yesterday) - This morning I received the following freenas security report, where his new install also keeps trying, using a number of ports.

Now scratching my head why this is happening and how I can prevent his client from trying to connect.

No background processes have been set up on his Ubuntu installation

I also have a question about a folder that shows up on his client (both Linux Mint and Ubuntu): a "Freenas remote login" folder that shows up when he goes into the network list - I don't have remote login activated on freenas, nor can I find a folder on the freenas system under that name - What is this???

- The user "computer2" is my son's Ubuntu standard user account, not defined within freenas
- The other account I masked off IS indeed a valid freenas user account.

freenas.local login failures:
Jan 30 13:45:50 freenas sshd[50488]: Failed password for invalid user c***h*s from 192.168.2.183 port 40438 ssh2
Jan 30 13:45:50 freenas sshd[50488]: Failed password for invalid user c***h*s from 192.168.2.183 port 40438 ssh2
Jan 30 13:46:02 freenas sshd[50486]: Connection closed by invalid user computer2 192.168.2.183 port 40436 [preauth]
Jan 30 13:46:02 freenas sshd[50488]: Connection closed by invalid user c***h*s 192.168.2.183 port 40438 [preauth]
Jan 30 19:08:22 freenas sshd[62625]: Failed password for invalid user c***h*s from 192.168.2.183 port 40664 ssh2
Jan 30 19:08:22 freenas sshd[62625]: Failed password for invalid user c***h*s from 192.168.2.183 port 40664 ssh2
Jan 30 19:08:39 freenas sshd[62625]: Connection closed by invalid user c***h*s 192.168.2.183 port 40664 [preauth]
Jan 30 19:08:39 freenas sshd[62623]: Connection closed by invalid user computer2 192.168.2.183 port 40662 [preauth]
Jan 30 19:08:40 freenas sshd[62631]: Failed password for invalid user c***h*s from 192.168.2.183 port 40670 ssh2
Jan 30 19:08:40 freenas sshd[62631]: Failed password for invalid user c***h*s from 192.168.2.183 port 40670 ssh2
Jan 30 19:08:40 freenas sshd[62633]: Failed password for invalid user c***h*s from 192.168.2.183 port 40672 ssh2
Jan 30 19:08:40 freenas sshd[62633]: Failed password for invalid user c***h*s from 192.168.2.183 port 40672 ssh2
Jan 30 19:08:45 freenas sshd[62633]: Connection closed by invalid user c***h*s 192.168.2.183 port 40672 [preauth]
Jan 30 19:08:45 freenas sshd[62629]: Connection closed by invalid user computer2 192.168.2.183 port 40668 [preauth]
Jan 30 19:08:47 freenas sshd[62627]: Connection closed by invalid user computer2 192.168.2.183 port 40666 [preauth]
Jan 30 19:08:47 freenas sshd[62631]: Connection closed by invalid user c***h*s 192.168.2.183 port 40670 [preauth]
Jan 30 19:09:24 freenas sshd[62662]: Failed password for invalid user c***h*s from 192.168.2.183 port 40678 ssh2
Jan 30 19:09:24 freenas sshd[62662]: Failed password for invalid user c***h*s from 192.168.2.183 port 40678 ssh2
Jan 30 19:09:29 freenas sshd[62660]: Connection closed by invalid user computer2 192.168.2.183 port 40676 [preauth]
Jan 30 19:09:29 freenas sshd[62662]: Connection closed by invalid user c***h*s 192.168.2.183 port 40678 [preauth]
Jan 30 19:24:34 freenas sshd[63210]: Failed password for invalid user c***h*s from 192.168.2.183 port 56616 ssh2
Jan 30 19:24:34 freenas sshd[63210]: Failed password for invalid user c***h*s from 192.168.2.183 port 56616 ssh2
Jan 30 19:24:45 freenas sshd[63210]: Connection closed by invalid user c***h*s 192.168.2.183 port 56616 [preauth]
Jan 30 19:24:45 freenas sshd[63208]: Connection closed by invalid user computer2 192.168.2.183 port 56614 [preauth]
Jan 30 19:24:54 freenas sshd[63244]: Failed password for invalid user c***h*s from 192.168.2.183 port 56620 ssh2
Jan 30 19:24:54 freenas sshd[63244]: Failed password for invalid user c***h*s from 192.168.2.183 port 56620 ssh2
Jan 30 19:25:00 freenas sshd[63244]: Connection closed by invalid user c***h*s 192.168.2.183 port 56620 [preauth]
Jan 30 19:25:00 freenas sshd[63242]: Connection closed by invalid user computer2 192.168.2.183 port 56618 [preauth]
Jan 30 19:25:08 freenas sshd[63262]: Failed password for invalid user c***h*s from 192.168.2.183 port 56626 ssh2
Jan 30 19:25:08 freenas sshd[63262]: Failed password for invalid user c***h*s from 192.168.2.183 port 56626 ssh2
Jan 30 19:25:17 freenas sshd[63260]: Connection closed by invalid user computer2 192.168.2.183 port 56624 [preauth]
Jan 30 19:25:17 freenas sshd[63262]: Connection closed by invalid user c***h*s 192.168.2.183 port 56626 [preauth]

-- End of security output --
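
One way to triage a report like the one above, added here as an example and not part of any post in this thread: group the sshd lines by process ID (one PID per inbound connection) to see which usernames a source tried and which connections actually submitted a password. The four sample lines are copied from the report; the function and field names are illustrative.

```python
import re
from collections import defaultdict

# Four lines copied from the security report above (the first burst at 19:08).
SAMPLE = """\
Jan 30 19:08:22 freenas sshd[62625]: Failed password for invalid user c***h*s from 192.168.2.183 port 40664 ssh2
Jan 30 19:08:22 freenas sshd[62625]: Failed password for invalid user c***h*s from 192.168.2.183 port 40664 ssh2
Jan 30 19:08:39 freenas sshd[62625]: Connection closed by invalid user c***h*s 192.168.2.183 port 40664 [preauth]
Jan 30 19:08:39 freenas sshd[62623]: Connection closed by invalid user computer2 192.168.2.183 port 40662 [preauth]
"""

# Matches the two sshd message shapes that appear in the report.
LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<event>Failed password for|Connection closed by) "
    r"(?P<invalid>invalid user )?(?P<user>\S+) (?:from )?"
    r"(?P<ip>\d+(?:\.\d+){3}) port (?P<port>\d+)"
)

def sessions_from_log(text):
    """Group events by sshd PID; each PID is one inbound connection."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not one of the two message shapes handled here
        s = sessions.setdefault(m["pid"], {
            "ip": m["ip"], "port": int(m["port"]), "user": m["user"],
            "flagged_invalid": m["invalid"] is not None,  # sshd's own label
            "failed_passwords": 0, "closed_preauth": False,
        })
        if m["event"].startswith("Failed"):
            s["failed_passwords"] += 1  # counted exactly as logged
        elif raw.rstrip().endswith("[preauth]"):
            s["closed_preauth"] = True
    return sessions

def summarize_by_source(sessions):
    """Per source IP: usernames tried and how many connections sent a password."""
    out = defaultdict(lambda: {"users": set(), "password": 0, "no_password": 0})
    for s in sessions.values():
        row = out[s["ip"]]
        row["users"].add(s["user"])
        row["password" if s["failed_passwords"] else "no_password"] += 1
    return dict(out)

if __name__ == "__main__":
    for ip, row in summarize_by_source(sessions_from_log(SAMPLE)).items():
        print(ip, sorted(row["users"]), row["password"], row["no_password"])
```

On the sample, the source address shows one connection that submitted passwords for the masked account and one that closed before authentication under the name computer2.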
 

sretalla

You might want to install a honeypot for sshd at that IP address and see what you get. It looks to me like perhaps there's something on your network that's using that IP to bounce off.
 

ghostwolf59

sretalla said:
You might want to install a honeypot for sshd at that IP address and see what you get. It looks to me like perhaps there's something on your network that's using that IP to bounce off.

honeypot for sshd *do I install this on freenas or on the client itself?

Other than knowing what client it is, I have no idea exactly what it tries to access - various port numbers do not really say where it's trying to go
 

sretalla

You could try installing this first on the suspect linux machine:

If that shows that something else is getting access to it, then you have your answer. If not, you will need to look at options for honeypots on FreeNAS to catch it on the second hop.
 

ghostwolf59

sretalla said:
You could try installing this first on the suspect linux machine:

If that shows that something else is getting access to it, then you have your answer. If not, you will need to look at options for honeypots on FreeNAS to catch it on the second hop.

**** Sorry*** Ignore what I wrote - it appears he hasn't read or understood what's said within the link you provided ;)

Is there a good tutorial on how to set it up on Ubuntu? My son struggles with this atm (being new to Linux as a whole) and I am rusty and have never dealt with a honeypot.
He followed a YouTube clip showing the setup, but what's shown in the clip does not translate to his machine when running commands *the YouTube terminal window shows info - his terminal window is just blank running the same *whatever command he's running as root user* - sorry for the lack of info on what he's doing - Really asking for a good tutorial that could assist him with the setup of a honeypot
 