Unwanted login attempts

    • OMV 4.x


    • Unwanted login attempts

      Dear all,
      it's a general security question:
      I've noticed in the boot log messages that many unauthorized login attempts are reaching my OMV and are being rejected because of an unknown user/passwd.

      What puzzles me is that these attempts are on exotic ports (for example 34280), and I don't understand how it is possible, since my OMV is behind a router, with only the port for the Web GUI redirected...

      How can port 34280 reach my OMV???

      thanks for your insights
    • moreje wrote:

      How can port 34280 reach my OMV???
      It only can if it is coming from the internal network or you have a misconfiguration in your router.
      omv 4.1.22 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

    • Yes, they all come from outside the LAN.
      here is an extract of my auth.log:

      Apr 9 07:53:52 OMV-JEROME sshd[10864]: Invalid user nagios from 142.93.163.218 port 37108
      Apr 9 07:53:52 OMV-JEROME sshd[10864]: input_userauth_request: invalid user nagios [preauth]
      Apr 9 07:53:52 OMV-JEROME sshd[10864]: pam_unix(sshd:auth): check pass; user unknown
      Apr 9 07:53:52 OMV-JEROME sshd[10864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=142.93.163.218
      Apr 9 07:53:55 OMV-JEROME sshd[10864]: Failed password for invalid user nagios from 142.93.163.218 port 37108 ssh2
      Apr 9 07:53:55 OMV-JEROME sshd[10864]: Received disconnect from 142.93.163.218 port 37108:11: Normal Shutdown, Thank you for playing [preauth]
      Apr 9 07:53:55 OMV-JEROME sshd[10864]: Disconnected from 142.93.163.218 port 37108 [preauth]
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 7: Deprecated option KeyRegenerationInterval
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 8: Deprecated option ServerKeyBits
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 13: Deprecated option RSAAuthentication
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 16: Deprecated option RhostsRSAAuthentication
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: reprocess config line 13: Deprecated option RSAAuthentication
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: reprocess config line 16: Deprecated option RhostsRSAAuthentication
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: User root from 139.59.78.70 not allowed because none of user's groups are listed in AllowGroups
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: input_userauth_request: invalid user root [preauth]
      Apr 9 07:53:57 OMV-JEROME sshd[10876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.78.70 user=root
      Apr 9 07:53:58 OMV-JEROME sshd[10876]: Failed password for invalid user root from 139.59.78.70 port 55382 ssh2
      Apr 9 07:53:59 OMV-JEROME sshd[10876]: Received disconnect from 139.59.78.70 port 55382:11: Normal Shutdown, Thank you for playing [preauth]
      Apr 9 07:53:59 OMV-JEROME sshd[10876]: Disconnected from 139.59.78.70 port 55382 [preauth]
      My router is an ISP box, with port translation to my OMV machine for only the needed ports.

      ssh is not configured to listen on all ports... so I don't understand messages such as: Invalid user nagios from 142.93.163.218 port 37108

      I have no firewall rules defined in my OMV. Perhaps I should?
      Thanks
    • moreje wrote:

      Yes, they all come from outside the LAN.
      here is an extract of my auth.log:

      Apr 9 07:53:52 OMV-JEROME sshd[10864]: Invalid user nagios from 142.93.163.218 port 37108
      Apr 9 07:53:52 OMV-JEROME sshd[10864]: input_userauth_request: invalid user nagios [preauth]
      Apr 9 07:53:52 OMV-JEROME sshd[10864]: pam_unix(sshd:auth): check pass; user unknown
      Apr 9 07:53:52 OMV-JEROME sshd[10864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=142.93.163.218
      Apr 9 07:53:55 OMV-JEROME sshd[10864]: Failed password for invalid user nagios from 142.93.163.218 port 37108 ssh2
      Apr 9 07:53:55 OMV-JEROME sshd[10864]: Received disconnect from 142.93.163.218 port 37108:11: Normal Shutdown, Thank you for playing [preauth]
      Apr 9 07:53:55 OMV-JEROME sshd[10864]: Disconnected from 142.93.163.218 port 37108 [preauth]
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 7: Deprecated option KeyRegenerationInterval
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 8: Deprecated option ServerKeyBits
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 13: Deprecated option RSAAuthentication
      Apr 9 07:53:55 OMV-JEROME sshd[10876]: rexec line 16: Deprecated option RhostsRSAAuthentication
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: reprocess config line 13: Deprecated option RSAAuthentication
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: reprocess config line 16: Deprecated option RhostsRSAAuthentication
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: User root from 139.59.78.70 not allowed because none of user's groups are listed in AllowGroups
      Apr 9 07:53:56 OMV-JEROME sshd[10876]: input_userauth_request: invalid user root [preauth]
      Apr 9 07:53:57 OMV-JEROME sshd[10876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.78.70 user=root
      Apr 9 07:53:58 OMV-JEROME sshd[10876]: Failed password for invalid user root from 139.59.78.70 port 55382 ssh2
      Apr 9 07:53:59 OMV-JEROME sshd[10876]: Received disconnect from 139.59.78.70 port 55382:11: Normal Shutdown, Thank you for playing [preauth]
      Apr 9 07:53:59 OMV-JEROME sshd[10876]: Disconnected from 139.59.78.70 port 55382 [preauth]
      My router is an ISP box, with port translation to my OMV machine for only the needed ports.

      ssh is not configured to listen on all ports... so I don't understand messages such as: Invalid user nagios from 142.93.163.218 port 37108

      I have no firewall rules defined in my OMV. Perhaps I should?
      Thanks

      142.93.163.218 appears as "SSH Bruteforce Attack" and similar. The beginning of activity is recorded around March 2019.
      139.59.78.70 appears as SSH_BRUTEFORCER / SSH_WORM / SSH_SCANNER_HIGH. The beginning of activity is recorded around May 2018.
      37108: well.... the source and destination ports situation.

      Typical BS, nothing new. Snort and Suricata eat it for breakfast.

      I will say "yes" to the firewall, others will say "no". First of all, the network traffic comes to OMV anyway, so ... If you have a current and secured system, then they can knock.
      If you cannot isolate the NAS from the world, then maybe a pfSense, OPNsense, IPFire or commercial Untangle. And if not, then a firewall on the NAS .... but it does not mean that these packets will not reach your interface.

      Although there is also nothing to worry about. Set up a honeypot yourself and you will see the level of network traffic :)

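As an added example (not code from the thread or from OMV), here is the kind of check a defender runs over auth.log before deciding on fail2ban thresholds or firewall rules: it parses "Failed password" lines in OpenSSH's format, aggregates failures per source IP, and confirms that the "port N" value is the client's ephemeral source port rather than anything sshd listens on. The sample lines are constructed from the extract above plus two invented lines (a second attempt from the same source and a successful key login from the LAN); the ephemeral range is Linux's default and is an assumption of the check.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format: the first four lines mirror the
# thread's extract, the last two are invented to show aggregation and a success.
SAMPLE_AUTH_LOG = """\
Apr 9 07:53:52 OMV-JEROME sshd[10864]: Invalid user nagios from 142.93.163.218 port 37108
Apr 9 07:53:55 OMV-JEROME sshd[10864]: Failed password for invalid user nagios from 142.93.163.218 port 37108 ssh2
Apr 9 07:53:56 OMV-JEROME sshd[10876]: User root from 139.59.78.70 not allowed because none of user's groups are listed in AllowGroups
Apr 9 07:53:58 OMV-JEROME sshd[10876]: Failed password for invalid user root from 139.59.78.70 port 55382 ssh2
Apr 9 07:54:01 OMV-JEROME sshd[10890]: Failed password for invalid user admin from 142.93.163.218 port 37442 ssh2
Apr 9 07:54:03 OMV-JEROME sshd[10902]: Accepted publickey for jerome from 192.168.1.20 port 50122 ssh2
"""

# "port N" in these messages is the CLIENT's source port (the far end of the TCP
# connection). sshd's own listening port never appears in them.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Linux's default ephemeral (client-side) port range; an assumption of this check.
EPHEMERAL_RANGE = (32768, 60999)


def parse_failed_logins(log_text):
    """One dict per 'Failed password' line: username tried, source IP, source port."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({"user": m["user"], "ip": m["ip"], "port": int(m["port"])})
    return events


def parse_accepted_logins(log_text):
    """One dict per successful login, so real users can be told apart from the noise."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"user": m["user"], "ip": m["ip"], "method": m["method"]})
    return events


def summarize_by_source(log_text):
    """Per source IP: number of failures, usernames tried, client ports seen."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "ports": set()})
    for ev in parse_failed_logins(log_text):
        entry = summary[ev["ip"]]
        entry["count"] += 1
        entry["users"].add(ev["user"])
        entry["ports"].add(ev["port"])
    return dict(summary)


def repeat_offenders(log_text, threshold=2):
    """Source IPs with at least `threshold` failures, busiest first (fail2ban-style logic)."""
    summary = summarize_by_source(log_text)
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def all_ports_ephemeral(log_text):
    """True if every logged client port lies in the ephemeral range, i.e. each one is an
    ordinary outbound source port and says nothing about which ports are open on the NAS."""
    lo, hi = EPHEMERAL_RANGE
    return all(lo <= ev["port"] <= hi for ev in parse_failed_logins(log_text))


if __name__ == "__main__":
    for ip, e in summarize_by_source(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {e['count']} failures, users={sorted(e['users'])}, client ports={sorted(e['ports'])}")
    print("repeat offenders:", repeat_offenders(SAMPLE_AUTH_LOG))
    print("successful logins:", parse_accepted_logins(SAMPLE_AUTH_LOG))
    print("all client ports ephemeral:", all_ports_ephemeral(SAMPLE_AUTH_LOG))
```

Run against a real /var/log/auth.log the same way (read the file into `log_text`); the per-source view is what decides a ban, while the port column only tells you how many distinct TCP connections a source opened.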

    • moreje wrote:

      Thank you for your responses...
      it's when I installed fail2ban that I noticed this ...

      my last question is more general/naive about sshd / networking:
      why does sshd answer a request on a port other than its listening port??

      thanks

      This has nothing to do with sshd. This is just how the ip traffic works (in a big simplification).
      You will find a lot of online documentation that will fully explain it to you with a better language than I am able to do.

      An example. On your PC you run Firefox and connect to google.com, so you'll see more or less such a state:
      - TCP OUT
      - Source 192.168.1.13:53268
      - Destination 216.58.204.142:443

      As for the sshd itself, exposure to the world does not create a tragedy. It is simply one of those services that are usually available. It is important that you have up-to-date and correctly configured services.
      If you are in a situation where you have to put ssh on the world, then

      - Do not allow direct login as root, only sudo / su by a regular user.
      - If you can, change the port where sshd listens from 22 to something more unusual.
      - If you can, block all traffic to sshd and allow only specified IP.
      - F2B only limits the number of attempts, not the mere fact of their occurrence.
      - Use really strong passwords and care for them and their secretiveness, or use keys and store them appropriately.
      - You can think of IDS if you want to join tin foil hat society.

      Generally, it is not important whether it is sshd or some web server. Everything that is publicly exposed will sooner or later have a knock on the door, whether it is an ordinary port scan, an attempt to log in or the use of an exploit.
      That is why it is so important to have current software and correct configurations. An IDS does tighten things up, but even the best IDS does not do miracles on a 0day.

      You can also hide sshd and connect to your server using OpenVPN, or use something like ZeroTier. But then, instead of sshd, you have another service put out into the world. So....
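The hardening list above can be turned into a repeatable check. The following is an added example, not code from the thread, OMV or OpenSSH: a small auditor that parses the global section of an sshd_config and flags the settings the list warns about (root login, password authentication, default port, missing login allow-list). The two configs are constructed; the defaults applied for absent keywords (Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes) are those documented for current OpenSSH and are an assumption of the check, as is the user@host form of AllowUsers used to limit source addresses.

```python
import re

# Constructed sshd_config with the settings a brute-forcer hopes for.
WEAK_SSHD_CONFIG = """\
# defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sshd_config applying the thread's recommendations.
HARDENED_SSHD_CONFIG = """\
# non-default port: cuts log noise, not a security boundary
Port 2222
# no direct root login; use a regular user plus sudo
PermitRootLogin no
# keys only
PasswordAuthentication no
PubkeyAuthentication yes
# who may log in, and from where (constructed user and LAN range)
AllowUsers jerome@192.168.1.0/24
"""

# Values OpenSSH uses when a keyword is absent (assumed from the sshd_config man page).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.
    Keywords are case-insensitive and 'Key value' or 'Key=value' both occur; comment
    lines are skipped; parsing stops at the first Match block, whose settings are
    conditional and outside a global audit. sshd honours the first occurrence of a key."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Check the effective global settings against the hardening list.
    Returns (keyword, severity, message) tuples; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(("PermitRootLogin", "high",
                         "direct root login allowed; set 'PermitRootLogin no' and use sudo/su"))
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", "medium",
                         "password logins accepted; prefer keys ('PasswordAuthentication no')"))
    if cfg["port"] == "22":
        findings.append(("Port", "low",
                         "default port; moving it reduces noise but is not a security control"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("AllowUsers/AllowGroups", "medium",
                         "no login allow-list; restrict users (and sources via user@host)"))
    return findings


def passes_audit(text):
    """Convenience wrapper: True when the config raises no findings."""
    return not audit_sshd_config(text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {'OK' if passes_audit(cfg) else 'FINDINGS'}")
        for key, severity, msg in audit_sshd_config(cfg):
            print(f"  [{severity}] {key}: {msg}")
```

Feed it the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an allow-list by source address is only one half of the last bullet, the other half (blocking the port for everyone else) still belongs in the firewall in front of or on the NAS.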