Finding strange ip addresses connecting via SSH

    • OMV 1.0
    • Resolved


    • Finding strange ip addresses connecting via SSH

      In looking at my SSH log in the webgui (Services->SSH) I have found some strange IP addresses that look to have been connecting to my OMV.

      I don't know if I have a problem here, so I need some advice. Under Currently logged in users it says: no users connected.
      Under connections, it previously showed several connections to (from?) my OMV, as in 192.168.0.0-->117.21.191.207:port. There were four listings with similar Chinese IPs.
      Does this mean that my OMV is connecting to this IP, or this IP is connecting to my OMV? Either way, I am concerned, but not sure what it means or what to do about it. It looks like they aren't there at the moment, but when I saw them I was concerned. Help or advice?

      EDIT:
      I have closed my SSH port which was forwarded through my router, and changed all passwords. Not seeing these IPs anymore. What other safeguards should I take since I don't know how long there has been unauthorized access?
      OMV 3.0.91 (Erasmus)
      Lenovo TS140

      The post was edited 1 time, last by siryounger ().

    • Finding strange ip addresses connecting via SSH

      Or use fail2ban; there is a new plugin, openmediavault-fail2ban. ;)
      Open Media Vault 2.2.6 (Stone burner) in Prod
      Open Media Vault 3.0.32 (Erasmus) in Test

      openmedivault Docker Container
      https://github.com/prbond/openmedivault-dockerfile

      Dev :
      openmediavault-fail2ban 1.1.5 for OMV2.X
      openmediavault-fail2ban 1.3.0 for OMV3.X
      https://github.com/prbond/openmediavault-fail2ban
      https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-fail2ban
    • siryounger wrote:

      What other safeguards should I take since I don't know how long there has been unauthorized access?


      I would format the OS drive, re-install OMV. Next time open a higher port in the router to fwd to internal 22. Don't use password authentication, use public key authentication. Don't use the user root, authorize another one with limited shell, then become root once logged in.
    • subzero79 wrote:

      I would format the OS drive, re-install OMV. Next time open a higher port in the router to fwd to internal 22. Don't use password authentication, use public key authentication. Don't use the user root, authorize another one with limited shell, then become root once logged in.


      ^This.

      Greetings
      David
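An added example, not part of any post in this thread: a small triage of sshd log lines (Debian auth.log format) that lists successful logins from outside the LAN and counts failed attempts per source address, as a starting point for the question of how long access may have existed. The sample log lines use documentation address ranges and are constructed, and the LAN ranges and function names are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 and loopback ranges treated as "inside" (assumption); anything else is external.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# sshd lines: "Accepted|Failed <method> for [invalid user ]<user> from <ip> port <n>"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
Mar  3 04:12:55 omv sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 04:12:58 omv sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 04:13:01 omv sshd[2215]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Mar  3 04:20:17 omv sshd[2290]: Failed password for invalid user test from 198.51.100.7 port 3333 ssh2
Mar  3 09:00:10 omv sshd[3001]: Accepted publickey for admin from 192.168.0.20 port 40022 ssh2
Mar  3 09:05:00 omv CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

def is_external(ip):
    """True when the source address is outside the LAN ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)

def triage(log_text):
    """Return (external_logins, failures_by_ip) from sshd auth log text."""
    external_logins = []         # successful logins from outside the LAN
    failures = defaultdict(int)  # failed attempts per source IP
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue             # not an sshd authentication result line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif is_external(m["ip"]):
            # Password and root logins are the cases the advice in the thread removes.
            risky = m["method"] == "password" or m["user"] == "root"
            external_logins.append((line[:15], m["user"], m["method"], m["ip"], risky))
    return external_logins, dict(failures)

if __name__ == "__main__":
    logins, failed = triage(SAMPLE_LOG)
    for ts, user, method, ip, risky in logins:
        print(f"{ts} {user} via {method} from {ip}" + ("  <-- review" if risky else ""))
    for ip, n in sorted(failed.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} failed attempts from {ip}")
```

On a real system the input would be the contents of the auth log and its rotated copies; logs on a host that may have been accessed can have been altered, so an empty result does not prove there was no login.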