Unwanted login attempts

  • Dear all,
    it's a general security question:
    I've noticed in boot log messages that many unauthorized login attempts are reaching my OMV and being rejected because of unknown user/password.


    What puzzles me is that these attempts are on exotic ports (for example 34280), and I don't understand how it is possible, since my OMV is behind a router with only the port for the Web GUI redirected...


    How can the 34280 port reach my OMV???


    Thanks for your insights

    • Official post

    How can the 34280 port reach my OMV???

    It only can if it is coming from the internal network or you have a misconfiguration in your router.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • I do not know. You may have errors somewhere in the device's configuration. Start using the correct network traffic policy for your machines.
    Are you sure that the connections come from outside the LAN? Are you sure you have a properly configured router? What are your firewall rules on the OMV machine?

  • Yes, they all come from outside the LAN.
    Here is an extract of my auth.log:


    My router is an ISP box, with port translation to my OMV machine for only the needed ports.


    ssh is not configured to listen on all ports... so I don't understand messages such as: Invalid user nagios from 142.93.163.218 port 37108


    I have no firewall rules defined in my OMV. Perhaps I should?
    Thanks


  • 142.93.163.218 appears as "SSH Bruteforce Attack" and similar. The beginning of its activity is recorded around March 2019.
    139.59.78.70 appears as SSH_BRUTEFORCER / SSH_WORM / SSH_SCANNER_HIGH. The beginning of its activity is recorded around May 2018.
    37108... Well, that is the source and destination ports situation.


    Typical BS, nothing new. Snort and Suricata eat it for breakfast.


    I will say "yes" to the firewall; others will say "no". First of all, network traffic comes to OMV, so... If you have a current and secured system, then they can knock.
    If you cannot isolate the NAS from the world, then maybe a pfSense, OPNsense, IPFire or commercial Untangle. And if not, then a firewall on the NAS... but it does not mean that these packets will not reach your interface.


    Although there is also nothing to worry about. Set up a honeypot and you will see the level of network traffic :)

  • Thank you for your responses...
    It was when I installed fail2ban that I noticed this...


    My last question is more general/naive, about sshd/networking:
    why does sshd answer a request on another port than its listening port?? (


    Thanks

  • Thank you for your responses...
    It was when I installed fail2ban that I noticed this...


    My last question is more general/naive, about sshd/networking:
    why does sshd answer a request on another port than its listening port?? (


    Thanks


    This has nothing to do with sshd. This is just how IP traffic works (in a big simplification).
    You will find a lot of online documentation that will explain it fully, in better language than I am able to.


    An example: on your PC you run Firefox and connect to google.com, so you'll see more or less this state:
    - TCP OUT
    - Source 192.168.1.13:53268
    - Destination 216.58.204.142:443


    As for sshd itself, exposure to the world is not a tragedy. It is simply one of those services that are usually available. It is important that you have up-to-date and correctly configured services.
    If you are in a situation where you have to expose ssh to the world, then:


    - Do not allow direct login as root; only sudo / su from a regular user.
    - If you can, change the port where sshd listens from 22 to something more unusual.
    - If you can, block all traffic to sshd and allow only specified IPs.
    - F2B only limits the number of attempts, not the mere fact of their occurrence.
    - Use really strong passwords and take care of them and their secrecy, or use keys and store them appropriately.
    - You can think about an IDS if you want to join the tin foil hat society.


    Generally, it does not matter whether it is sshd or some web server. Everything that is publicly exposed will sooner or later have a knock on the door, whether it is an ordinary port scan, an attempt to log in, or an attempt to use an exploit.
    That is why it is so important to have current software and correct configurations. An IDS does raise the level of protection, but even the best IDS does not work miracles against a 0day.


    You can also hide sshd and connect to your server using OpenVPN, or use something like ZeroTier. But then, instead of sshd, you have another service exposed to the world. So....
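The source/destination port point above and the auth.log line quoted earlier in the thread ("Invalid user nagios from ... port 37108") can be seen together in a small parser. This is an added example, not code from the thread or from fail2ban; the log lines, IP addresses and the maxretry threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the format sshd writes (RFC 5737
# documentation addresses; not taken from the thread's own log).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 omv sshd[1201]: Invalid user nagios from 203.0.113.7 port 37108
Mar 10 08:01:15 omv sshd[1203]: Invalid user admin from 203.0.113.7 port 37122
Mar 10 08:01:19 omv sshd[1205]: Invalid user test from 203.0.113.7 port 37140
Mar 10 08:02:40 omv sshd[1210]: Invalid user oracle from 198.51.100.23 port 51802
Mar 10 08:03:01 omv sshd[1212]: Accepted publickey for bob from 192.168.1.13 port 53268 ssh2
"""

LINE_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")


def parse_invalid_logins(text):
    """Return a list of (user, ip, source_port) for every 'Invalid user' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip"), int(m.group("port"))))
    return events


def ports_by_source(events):
    """Group the ports seen per source IP.

    The port sshd logs here is the *client's* ephemeral source port, chosen by the
    remote OS for each new TCP connection; every attempt still arrives on the one
    port sshd listens on. That is why the numbers look random and change per line.
    """
    ports = defaultdict(list)
    for _user, ip, port in events:
        ports[ip].append(port)
    return dict(ports)


def offenders(events, maxretry=3):
    """Source IPs with at least `maxretry` failed attempts (a constructed threshold,
    mimicking what a fail2ban jail does; fail2ban's real value lives in jail.conf)."""
    counts = defaultdict(int)
    for _user, ip, _port in events:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    ev = parse_invalid_logins(SAMPLE_AUTH_LOG)
    for ip, plist in ports_by_source(ev).items():
        print(f"{ip}: client source ports {plist}")
    print("would be banned:", offenders(ev))
```

Running it shows three different source ports for the same attacker IP while the destination is always sshd's listening port, which is the answer to the thread's "another port" question.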
