Weird authentication log


      Good morning,

      Logging into my NAS this morning, I found out it never shut down. When I investigated the reasons, I found that there are always SSH connections active. I'll paste a snippet of the authentication log, which looks really weird to me.
      dpaste.com/16HHDSH
      This continues for about 600 pages of the log. Is someone trying to hack into my server? And if so, how could I stop this? I am really worried here.
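The pasted snippet is not reproduced on the page, so the following is an added example, not code from the original post or from OpenMediaVault: it counts sshd failures per source address in auth.log-style lines, lists the user names each source tried (including ones that do not exist on the box), and flags a source that logged in successfully after guessing. The log lines are constructed in the format OpenSSH writes via syslog on Debian-based systems; the hostname "nas", the user names and the addresses 203.0.113.77 and 192.168.1.20 are invented, 43.229.53.20 is the address named later in the thread.

```python
"""Count SSH authentication failures per source IP in auth.log-style lines.

Added example for this thread; not from the original post or from OMV.
SAMPLE_LOG is constructed: hostname, user names and the addresses
203.0.113.77 / 192.168.1.20 are placeholders.
"""
import re
from collections import Counter, defaultdict

# "Failed password for invalid user admin from 1.2.3.4 port 5555 ssh2"
# "Failed password for root from 1.2.3.4 port 5555 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)
# "Accepted publickey for max from 192.168.1.20 port 50001 ssh2: RSA SHA256:..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+)"
)

SAMPLE_LOG = """\
Dec  8 07:31:02 nas sshd[3121]: Failed password for invalid user admin from 43.229.53.20 port 54321 ssh2
Dec  8 07:31:04 nas sshd[3121]: Failed password for invalid user admin from 43.229.53.20 port 54321 ssh2
Dec  8 07:31:07 nas sshd[3125]: Failed password for root from 43.229.53.20 port 54388 ssh2
Dec  8 07:31:09 nas sshd[3125]: Failed password for root from 43.229.53.20 port 54388 ssh2
Dec  8 07:31:12 nas sshd[3130]: Failed password for invalid user oracle from 43.229.53.20 port 54402 ssh2
Dec  8 07:31:15 nas sshd[3130]: Failed password for invalid user oracle from 43.229.53.20 port 54402 ssh2
Dec  8 07:35:41 nas sshd[3201]: Failed password for root from 203.0.113.77 port 40110 ssh2
Dec  8 07:35:44 nas sshd[3201]: Failed password for root from 203.0.113.77 port 40110 ssh2
Dec  8 07:35:47 nas sshd[3201]: Failed password for root from 203.0.113.77 port 40110 ssh2
Dec  8 07:35:50 nas sshd[3201]: Failed password for root from 203.0.113.77 port 40110 ssh2
Dec  8 07:35:53 nas sshd[3201]: Failed password for root from 203.0.113.77 port 40110 ssh2
Dec  8 07:35:56 nas sshd[3201]: Accepted password for root from 203.0.113.77 port 40110 ssh2
Dec  8 08:02:10 nas sshd[3310]: Accepted publickey for max from 192.168.1.20 port 50001 ssh2: RSA SHA256:AAAA
Dec  8 08:02:30 nas sshd[3315]: Failed password for max from 192.168.1.20 port 50010 ssh2
"""


def analyze(lines, threshold=5):
    """Return per-IP failure counts and flag sources at or above `threshold`.

    `threshold` is an arbitrary cut-off for the example; a real brute force
    shows thousands of lines (the thread talks about 600 pages of them).
    """
    failures = Counter()
    tried_users = defaultdict(set)
    invalid_users = defaultdict(set)
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ip = m.group("ip")
            failures[ip] += 1
            tried_users[ip].add(m.group("user"))
            if m.group("invalid"):
                invalid_users[ip].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user"), m.group("method")))
    brute_force = sorted(
        (ip for ip, n in failures.items() if n >= threshold),
        key=lambda ip: (-failures[ip], ip),
    )
    # A successful login from a host that was also guessing passwords is the
    # case that matters; a publickey login from the LAN is routine.
    suspicious = [a for a in accepted if a[0] in brute_force]
    return {
        "failures": dict(failures),
        "tried_users": {ip: sorted(u) for ip, u in tried_users.items()},
        "invalid_users": {ip: sorted(u) for ip, u in invalid_users.items()},
        "brute_force": brute_force,
        "accepted": accepted,
        "suspicious_logins": suspicious,
    }


def analyze_text(text, threshold=5):
    return analyze(text.splitlines(), threshold)


if __name__ == "__main__":
    report = analyze_text(SAMPLE_LOG)
    for ip in report["brute_force"]:
        print(f"{ip}: {report['failures'][ip]} failures, users tried: "
              f"{', '.join(report['tried_users'][ip])}")
    for ip, user, method in report["suspicious_logins"]:
        print(f"WARNING: {user}@{ip} logged in via {method} after guessing")
```

On the NAS itself, `analyze(open("/var/log/auth.log"))` runs the same check over the real file. The list under "suspicious_logins" is the one to look at first: a brute force that never succeeds is noise, a source that guessed and then got an "Accepted" line is an incident.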
    • Have you opened up your SSH port to the web? If yes, close it. Or at least do this:

      [GUIDE] Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)
      OMV stoneburner | HP Microserver | 256GB Samsung 830 SSD for system | 4x 2TB in a RAID5
      OMV erasmus| Odroid XU4 | 5TB Data drive | 500GB Backup drive
      Well, but even if I do this, it will not stop the connection attempts, right? It will just make it harder for them to succeed. Who the hell actually does this... it seems like some program just randomly targeting whatever it can find. Not like I have anything of real value for a stranger on there.

      EDIT: Well, I closed the port and all of this stopped. Currently I do not really need to log in from outside, so it works for now. Still... fascinating that someone would target a small private file hoster.


      The IP 176.57.141.56 is trying to access the WebIF with users who do not exist (it is a full name and an address from Germany!):

      % This is the RIPE Database query service.
      % The objects are in RPSL format.
      %
      % The RIPE Database is subject to Terms and Conditions.
      % See http://www.ripe.net/db/support/db-terms-conditions.pdf
      % Note: this output has been filtered.
      % To receive output for a database update, use the "-B" flag.
      % Information related to '176.57.128.0 - 176.57.175.255'
      % Abuse contact for '176.57.128.0 - 176.57.175.255' is 'abuse@g-portal.de'

      inetnum: 176.57.128.0 - 176.57.175.255
      netname: OCIRIS-NET1
      descr: G-Portal.de - HQ Game- & Rootserver Hosting
      country: DE
      admin-c: TW2587-RIPE
      tech-c: TW2587-RIPE
      status: ASSIGNED PA
      mnt-by: MNT-GPORTAL
      created: 2013-11-28T23:41:46Z
      last-modified: 2013-11-28T23:41:46Z
      source: RIPE Filtered

      person: Roberto Omezzolli
      address: Willy-Buchauer-Ring 25
      address: 82256 Fuerstenfeldbruck
      phone: +49.69380766670
      fax-no: +49.69380766689
      abuse-mailbox: abuse@g-portal.de
      org: ORG-OG39-RIPE
      nic-hdl: TW2587-RIPE
      mnt-by: MNT-GPORTAL
      created: 2012-09-19T13:36:25Z
      last-modified: 2015-03-04T17:21:14Z
      source: RIPE Filtered

      % Information related to '176.57.128.0/18AS56876'
      route: 176.57.128.0/18
      descr: IP Routing via g-portal.de
      origin: AS56876
      mnt-by: MNT-GPORTAL
      created: 2011-09-26T16:15:07Z
      last-modified: 2015-05-06T09:50:17Z
      source: RIPE Filtered

      % This query was served by the RIPE Database Query Service version 1.82 (DB-2)


      And the IP 43.229.53.20 is from Hong Kong. He is trying to access your server via SSH.

      % whois.apnic.net
      % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
      % Information related to '43.229.52.0 - 43.229.55.255'

      inetnum: 43.229.52.0 - 43.229.55.255
      netname: HOTNETLIMITED-HK
      descr: HOT NET LIMITED
      descr: FLAT/RM A30, 9/F SILVERCORP
      descr: INT'L TOWER 707-713 NATHAN RD
      descr: MONGKOK KLN
      country: HK
      admin-c: HA260-AP
      tech-c: HA260-AP
      mnt-by: APNIC-HM
      mnt-lower: MAINT-HOTNETLIMITED-HK
      mnt-routes: MAINT-HOTNETLIMITED-HK
      mnt-irt: IRT-HOTNETLIMITED-HK
      status: ALLOCATED PORTABLE
      remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      remarks: To report network abuse, please contact the IRT
      remarks: For troubleshooting, please contact tech-c and admin-c
      remarks: For assistance, please contact the APNIC Helpdesk
      remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      changed: hm-changed@apnic.net 20150116
      changed: hm-changed@apnic.net 20150415
      changed: hm-changed@apnic.net 20150604
      source: APNIC

      irt: IRT-HOTNETLIMITED-HK
      address: FLAT/RM A30, 9/F SILVERCORP
      address: INT'L TOWER 707-713 NATHAN RD
      address: MONGKOK KLN
      e-mail: abuse63857@gmail.com
      abuse-mailbox: abuse63857@gmail.com
      admin-c: HA260-AP
      tech-c: HA260-AP
      auth: Filtered
      mnt-by: MAINT-HOTNETLIMITED-HK
      changed: hm-changed@apnic.net 20141021
      changed: hm-changed@apnic.net 20150604
      source: APNIC

      role: HOTNETLIMITED administrator
      address: FLAT/RM A30, 9/F SILVERCORP
      address: INT'L TOWER 707-713 NATHAN RD
      address: MONGKOK KLN
      country: HK
      phone: +852-53447023
      fax-no: +852-65971019
      e-mail: abuse63857@gmail.com
      admin-c: HA260-AP
      tech-c: HA260-AP
      nic-hdl: HA260-AP
      mnt-by: MAINT-HOTNETLIMITED-HK
      changed: hm-changed@apnic.net 20141021
      changed: hm-changed@apnic.net 20150604
      changed: hm-changed@apnic.net 20150610
      source: APNIC

      % This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)



      The only things you can do are harden your SSH password, use public key authentication and use another port.
      By the way, the abuse mail addresses are also in there, so if you want you can also report them.
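The two replies above both point at the same fix (key-only SSH logins, no password guessing possible, a non-default port to cut the noise) without showing what the resulting sshd_config looks like. The following is an added example, not code from the thread, the linked guide or OMV: it parses an sshd_config the way sshd reads it (leading "#" comments only, "Key value" or "Key=value", first occurrence of a directive wins, nothing inside a Match block), checks the directives the thread's advice depends on, and carries a weak, stock-like config next to the hardened variant. Both config texts are constructed; the user name "max" and port 2222 are placeholders.

```python
"""Audit an sshd_config for key-only, no-root-password SSH logins.

Added example for this thread; not from the forum posts, the linked guide
or OpenMediaVault. WEAK_CONFIG and HARDENED_CONFIG are constructed; the
user "max" and port 2222 are placeholders.
"""
import re

# (directive, acceptable values, value sshd assumes when the directive is unset)
# PermitRootLogin defaulted to "yes" before OpenSSH 7.0 and to
# "prohibit-password" since; an old NAS may run the older version, so an unset
# directive is treated as "yes" and flagged. ChallengeResponseAuthentication
# was renamed KbdInteractiveAuthentication in 8.7; the old name is still an alias.
CHECKS = [
    ("PasswordAuthentication", {"no"}, "yes"),
    ("ChallengeResponseAuthentication", {"no"}, "yes"),
    ("PubkeyAuthentication", {"yes"}, "yes"),
    ("PermitRootLogin", {"no", "prohibit-password", "without-password"}, "yes"),
    ("PermitEmptyPasswords", {"no"}, "no"),
]

WEAK_CONFIG = """\
# stock-like sshd_config on an older Debian-based NAS (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
# hardened variant (constructed): keys only, no root login, one allowed user.
# A non-default port only reduces log noise; it is not a security control.
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
AllowUsers max
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value} following sshd's own rules.

    Only a leading '#' starts a comment, 'Key value' and 'Key=value' are both
    accepted, the first occurrence of a directive wins, and everything after
    the first 'Match' line is conditional and ignored by this audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(directive, effective value)] for every check that fails."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, allowed, default in CHECKS:
        value = settings.get(directive.lower(), default)
        if value.lower() not in allowed:
            findings.append((directive, value))
    return findings


def listening_port(text):
    """Port sshd will bind; 22 when the directive is absent."""
    return int(parse_sshd_config(text).get("port", "22"))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} (port {listening_port(cfg)}): {audit(cfg) or 'no findings'}")
```

Before restarting sshd with the hardened file, validate it with `sshd -t -f <file>` and keep the existing session open until a key-based login from a second terminal has been confirmed, otherwise a typo in AllowUsers or AuthorizedKeysFile locks you out of the box.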
      Send an email to abuse@g-portal.de, tell them that access attempts are coming from there and ask for them to be stopped. They will then notify the customer renting that server that he has to stop it.

      Regards
      David
      "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"

      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.


      Upload Logfile via WebGUI/CLI
      #openmediavault on freenode IRC | German & English | GMT+1
      Absolutely no Support via PM!

      I host parts of the omv-extras.org Repository, the OpenMediaVault Live Demo and the pre-built PXE Images. If you want you can take part and help covering the costs by having a look at my profile page.
    • To be honest, I didn't even read that you said that. Also, I guess showing him the mail is better than him trying to find it himself.

      Greetings
      David