Finding strange ip addresses connecting via SSH

  • In looking at my SSH log in the webgui (Services->SSH) I have found some strange ip addresses that look to have been connecting to my OMV.


    I don't know if I have a problem here, so I need some advice. Under Currently logged in users it says: no users connected.
    Under connections, it previously showed several connections to (from?) my OMV, as in 192.168.0.0-->117.21.191.207:port. There were four listings with similar Chinese IPs.
    Does this mean that my OMV is connecting to this ip, or this ip is connecting to my OMV? Either way, I am concerned, but not sure what it means or what to do about it. It looks like they aren't there at the moment, but when I saw them I was concerned. Help or advice?


    EDIT:
    I have closed my SSH port which was forwarded through my router, and changed all passwords. Not seeing these ips anymore. What other safeguards should I take since I don't know how long there has been unauthorized access?

    OMV 4.1.35-1 (Arrakis)
    Lenovo TS140

    Docker-Plex

    Edited once, last by siryounger ()
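
An added example, not part of any post in this thread: one way to approach the question in the EDIT above is to separate successful SSH logins from external addresses from the failed-attempt noise in the sshd log. It assumes the Debian `/var/log/auth.log` line format; the sample lines, the hostname `omv` and the LAN address `192.168.0.10` are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Debian auth.log format, not real log data.
# 117.21.191.207 is the address quoted in the first post; 192.168.0.10 is a LAN host.
SAMPLE_LOG = """\
Mar 13 02:11:40 omv sshd[1201]: Failed password for root from 117.21.191.207 port 40122 ssh2
Mar 13 02:11:43 omv sshd[1201]: Failed password for invalid user admin from 117.21.191.207 port 40122 ssh2
Mar 13 02:11:47 omv sshd[1203]: Failed password for root from 117.21.191.207 port 40310 ssh2
Mar 13 02:12:05 omv sshd[1207]: Accepted password for root from 117.21.191.207 port 40544 ssh2
Mar 13 08:30:12 omv sshd[1450]: Accepted publickey for siryounger from 192.168.0.10 port 51522 ssh2
Mar 13 08:31:00 omv sshd[1460]: Failed password for siryounger from 192.168.0.10 port 51530 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_external(ip_text):
    """True when the source is a valid IP outside private, loopback and link-local space."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or garbage in the address field
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def triage(log_text):
    """Return (accepted logins from external IPs, failed-attempt count per external IP)."""
    accepted, failed = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_external(m["ip"]):
            continue  # not an sshd auth line, or the source is on the LAN
        if m["result"] == "Accepted":
            accepted.append((m["ts"], m["user"], m["method"], m["ip"]))
        else:
            failed[m["ip"]] += 1
    return accepted, failed

if __name__ == "__main__":
    hits, noise = triage(SAMPLE_LOG)
    for ts, user, method, ip in hits:
        print(f"ACCEPTED {ts} user={user} method={method} from={ip}")
    for ip, count in noise.most_common():
        print(f"failed attempts: {count:4d} from {ip}")
```

Logs on a host that may already have been compromised can have been edited, so an empty result does not prove there was no access.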

  • If your ssh is listening at standard port 22 to the whole world, chances are good that you are visited by lotta people in seconds :P

    --
    Get a Rose Tattoo...


    HP t5740 with Expansion and USB3, Inateck Case w/ 3TB WD-Green
    OMV 5.5.23-1 Usul i386|4.19.0-9-686-pae

  • Or use fail2ban, there is a new plugin, openmediavault-fail2ban. ;)

    • Official post

    What other safeguards should I take since I don't know how long there has been unauthorized access?


    I would format the OS drive, re-install OMV. Next time open a higher port in the router to fwd to internal 22. Don't use password authentication, use public key authentication. Don't use the user root, authorize another one with limited shell, then become root once logged

  • I would format the OS drive, re-install OMV. Next time open a higher port in the router to fwd to internal 22. Don't use password authentication, use public key authentication. Don't use the user root, authorize another one with limited shell, then become root once logged


    ^This.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!
