Security run output

Status
Not open for further replies.

Goose

Dabbler
Joined
Oct 4, 2014
Messages
25
I have seen a couple of posts on this but I'm really stumped by this one. I have this in my email this morning:-

Failed password for root from 192.168.0.30 port 49636 ssh2

Pretty standard fat-fingered output, except I wasn't in the house at the time and I'm the only one here that has even heard of SSH. Then add that the IP address is outside the DHCP range available and it all gets a bit odd.

Is there any chance that the IP address reported is incorrect? If it was .3 then I could perhaps understand it...
 

anodos

> I have seen a couple of posts on this but I'm really stumped by this one. I have this in my email this morning:-
>
> Failed password for root from 192.168.0.30 port 49636 ssh2
>
> Pretty standard fat-fingered output, except I wasn't in the house at the time and I'm the only one here that has even heard of SSH. Then add that the IP address is outside the DHCP range available and it all gets a bit odd.
>
> Is there any chance that the IP address reported is incorrect? If it was .3 then I could perhaps understand it...

See if the host is online and run a zenmap scan against it. This will give you OS, hostname, services running, and will help you identify the computer. Since you only have a single attempt, I doubt it was malicious.
 

Goose

I would agree that a single attempt isn't likely to be too much to worry about, but it is still suspicious. I don't suppose FreeNAS would store the MAC address of the host that was on 192.168.0.30 at the time, would it? Where are these security reports stored, as a matter of interest?
 

anodos

> I would agree that a single attempt isn't likely to be too much to worry about, but it is still suspicious. I don't suppose FreeNAS would store the MAC address of the host that was on 192.168.0.30 at the time, would it? Where are these security reports stored, as a matter of interest?

You can type "arp -a" in the CLI and display current ARP entries on the FreeNAS server. For login attempts through SSH you can view /var/log/auth.log.
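
Added example (not part of the thread's posts): a small shell sketch of the two checks suggested above, summarising failed SSH password attempts per source from sshd log lines and looking up the MAC address for one IP in `arp -a` output. The function names, the timestamps and hostname in the log lines, and the ARP entries are constructed for illustration; only the "Failed password for root from 192.168.0.30" message itself comes from the thread.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.
# On the server: failed_by_source < /var/log/auth.log
#                arp -a | mac_for_ip 192.168.0.30

# Read sshd log lines on stdin; print "count user ip", most frequent first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        user = ""; ip = ""
        for (i = 1; i < NF; i++) {
            # Handles "for root" and "for invalid user admin"
            if ($i == "for" && user == "")
                user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)   # last "from" precedes the address
        }
        if (ip != "") n[user " " ip]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Read `arp -a` output on stdin; print the MAC for exactly the IP in $1.
# Prints nothing when the entry is missing, expired or incomplete.
mac_for_ip() {
    awk -v ip="($1)" '$2 == ip && $4 ~ /^[0-9a-fA-F:]+$/ { print $4; exit }'
}

sample_auth_log() {   # constructed log lines
cat <<'EOF'
Oct 10 03:12:45 freenas sshd[1234]: Failed password for root from 192.168.0.30 port 49636 ssh2
Oct 10 03:15:01 freenas sshd[1240]: Failed password for invalid user admin from 192.168.0.77 port 50001 ssh2
Oct 10 03:15:04 freenas sshd[1240]: Failed password for invalid user admin from 192.168.0.77 port 50001 ssh2
Oct 10 03:15:09 freenas sshd[1240]: Failed password for invalid user admin from 192.168.0.77 port 50001 ssh2
Oct 10 08:02:11 freenas sshd[1302]: Accepted password for goose from 192.168.0.12 port 51234 ssh2
EOF
}

sample_arp() {        # constructed `arp -a` output (documentation MAC range)
cat <<'EOF'
? (192.168.0.1) at 00:00:5e:00:53:01 on em0 expires in 1187 seconds [ethernet]
? (192.168.0.30) at 00:00:5e:00:53:30 on em0 expires in 342 seconds [ethernet]
? (192.168.0.31) at (incomplete) on em0 expired [ethernet]
EOF
}

echo "Failed SSH passwords (count user ip):"
sample_auth_log | failed_by_source
echo "MAC for 192.168.0.30: $(sample_arp | mac_for_ip 192.168.0.30)"
```

The IP match is exact, so a lookup for 192.168.0.3 does not return the entry for 192.168.0.30.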
 

Goose

The arp cache looks to have timed out and the auth.log file contains nothing about the alleged login attempt from 192.168.0.30!
 