Fail2ban IP banned

  • Hi, I noted something strange lately.


    I have my SSH set up on a different port than 22.


    -Disabled password auth.


    -PKA enabled.


    -Root access disabled.


    I access SSH only locally or via VPN (WireGuard container).


    -The IP 185.212.149.206 has just been banned by Fail2Ban after 3 attempts against ssh.

    -The IP 185.204.1.184 has just been banned by Fail2Ban after 3 attempts against ssh.


    What could be happening?


    Thanks

  • You opened up ssh to the internet?


    Are you from Finland and Oy Crea Nova Hosting Solution Ltd is your ISP?


  • You opened up ssh to the internet?


    Are you from Finland and Oy Crea Nova Hosting Solution Ltd is your ISP?

    Nope, as I said, I only connect to my NAS locally or via a WireGuard container that's hosted on OMV itself. I'm not in Finland.


    EDIT: Also checked the latest handshakes for my WireGuard peers and there is nothing wrong there. So I actually have no clue how/why I'm receiving attempts on my SSH port, which is not exposed to the internet :/


    From the Fail2Ban logs I still see attempts now:


    Code
    2022-02-13 15:37:59,242 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:37:59
    2022-02-13 15:37:59,542 fail2ban.actions        [19528]: WARNING [ssh] 185.204.1.184 already banned
    2022-02-13 15:57:01,552 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:57:01
    2022-02-13 15:57:01,553 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:57:01
    2022-02-13 15:57:04,160 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 15:57:03
    2022-02-13 15:57:04,462 fail2ban.actions        [19528]: WARNING [ssh] 185.204.1.184 already banned
    2022-02-13 16:10:40,745 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 16:10:40
    2022-02-13 16:10:40,746 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 16:10:40
    2022-02-13 16:10:42,750 fail2ban.filter         [19528]: INFO    [ssh] Found 185.204.1.184 - 2022-02-13 16:10:42
    2022-02-13 16:10:43,532 fail2ban.actions        [19528]: WARNING [ssh] 185.204.1.184 already banned


    Also found this:

    https://www.abuseipdb.com/check/185.204.1.184

    https://www.abuseipdb.com/check/185.212.149.206


    I can actually ping both the IPs I mentioned in my first post.


    I mean, I would expect to find someone trying to brute-force my SSH, but it's not public... how is that possible? Am I somehow misunderstanding how fail2ban works?

  • How are you verifying that your sshd is not exposed to the internet?

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • How are you verifying that your sshd is not exposed to the internet?

    Because I had it in the past. I had the port forwarded to the outside. But for a long time now I have had that disabled and only access locally. I also tried to access the port from outside and it is inaccessible.


    Checked again now; I only have ports opened on my router for SFTP, WireGuard and qBittorrent. The forwarded ports are of course different from the one I use for SSH.

  • This is the detail from the notifications I receive from fail2ban:


    Code
    Lines containing failures of 185.204.1.184
    Feb 13 09:07:51 DK sshd[30610]: User admin from 185.204.1.184 not allowed because none of user's groups are listed in AllowGroups
    Feb 13 09:07:51 DK sshd[30610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.204.1.184  user=admin
    Feb 13 09:07:53 DK sshd[30610]: Failed password for invalid user admin from 185.204.1.184 port 6632 ssh2


    Code
    Lines containing failures of 185.212.149.206
    Feb  7 14:09:14 DK sshd[17407]: User admin from 185.212.149.206 not allowed because none of user's groups are listed in AllowGroups
    Feb  7 14:09:14 DK sshd[17407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.212.149.206  user=admin
    Feb  7 14:09:16 DK sshd[17407]: Failed password for invalid user admin from 185.212.149.206 port 14059 ssh2
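    As an added illustration (not code from this thread, from OMV or from fail2ban itself), here is how the sshd lines quoted above turn into a ban: parse the failure lines, count matches per source IP inside a findtime window, and note two things the thread touches on: the "port NNNN" in sshd's message is the client's source port, not the port sshd listens on, and "3 attempts" can be three log lines from a single connection (one sshd pid). The regexes, the extra successful-login line and the maxretry=3 / findtime=600 defaults are my assumptions, not fail2ban's actual filter or the poster's jail settings.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: the three sshd failure lines quoted in the thread plus one
# constructed successful key login, so the filter has something to ignore.
SAMPLE_AUTH_LOG = """\
Feb 13 09:07:51 DK sshd[30610]: User admin from 185.204.1.184 not allowed because none of user's groups are listed in AllowGroups
Feb 13 09:07:51 DK sshd[30610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.204.1.184  user=admin
Feb 13 09:07:53 DK sshd[30610]: Failed password for invalid user admin from 185.204.1.184 port 6632 ssh2
Feb 13 09:20:00 DK sshd[30700]: Accepted publickey for alice from 192.168.1.50 port 51234 ssh2
"""

# Simplified patterns for the failure lines above (modelled on, not copied from, fail2ban's sshd filter).
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    re.compile(r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because"),
    re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)\s+user=(?P<user>\S+)"),
]
SSHD_PID = re.compile(r"sshd\[(?P<pid>\d+)\]")

def parse_failures(text, year=2022):
    """One record per matching line; 'port' in sshd's message is the peer's source port."""
    events = []
    for line in text.splitlines():
        pid = SSHD_PID.search(line)
        hit = next((p.search(line) for p in FAILURE_PATTERNS if p.search(line)), None)
        if pid and hit:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            events.append({"time": ts, "ip": hit["ip"], "user": hit["user"], "pid": pid["pid"],
                           "src_port": hit.groupdict().get("port")})  # not the listening port
    return events

def ban_decisions(events, maxretry=3, findtime_s=600):
    """Sliding window like fail2ban: ban an ip once maxretry matches fall within findtime."""
    times = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        times[ev["ip"]].append(ev["time"])
    banned = {}
    for ip, ts in times.items():
        for i in range(maxretry - 1, len(ts)):
            if (ts[i] - ts[i - maxretry + 1]).total_seconds() <= findtime_s:
                banned[ip] = ts[i]
                break
    return banned

def sessions_per_ip(events):
    """Distinct sshd pids per ip: 'three attempts' can be one connection logging three lines."""
    pids = defaultdict(set)
    for ev in events:
        pids[ev["ip"]].add(ev["pid"])
    return {ip: len(p) for ip, p in pids.items()}
```

    Running it over the sample shows one source IP, one sshd session, three matching lines two seconds apart, and therefore a ban at 09:07:53 with maxretry=3; nothing in these lines tells you which local port was hit, which is why the thread moves on to netstat and tcpdump.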
  • How can I grab them?

    From where you set them up.


    You might as well have something leaking around vpn or something jumping around the loopback. We can play guessing for a long time.

    Look at the firewall rules to make sure everything is ok and make sure the container routing with vpn is properly filtered.

    And set up your logs and listen for another case.

  • From where you set them up.


    You might as well have something leaking around vpn or something jumping around the loopback. We can play guessing for a long time.

    Look at the firewall rules to make sure everything is ok and make sure the container routing with vpn is properly filtered.

    And set up your logs and listen for another case.

    I think I need some guidance here. I have not touched the firewall manually. I just access SSH locally as usual. For the other services I mentioned in my previous post, I have instead port forwarded the ports on my router.


    Screenshot attached, my firewall tab is empty.

  • What does this command show:


    sudo cat /var/log/auth.log | grep sshd


  • The below indicates a problem with your sshd, likely the initial host key generation did not complete. You should research that error and fix it. But this may or may not be related to your problem. Is there a DSA PRIVATE KEY in that file?


    Feb 13 09:07:51 DK sshd[30610]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key


    The source port number used by the connecting host will be different and is entirely unpredictable.


  • The below indicates a problem with your sshd, likely the initial host key generation did not complete. You should research that error and fix it. But this may or may not be related to your problem. Is there a DSA PRIVATE KEY in that file?


    Feb 13 09:07:51 DK sshd[30610]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key


    The source port number used by the connecting host will be different and is entirely unpredictable.

    I do not have that file.


    Here is the content:


    steakhutzeee@DK:/etc/ssh$ ll
    total 592
    -rw-r--r-- 1 root root 565189 Jan 31 2020 moduli
    -rw-r--r-- 1 root root 820 Apr 8 2021 omv_sftp_config
    -rw-r--r-- 1 root root 1580 Jan 31 2020 ssh_config
    -rw------- 1 root root 505 Jul 30 2020 ssh_host_ecdsa_key
    -rw-r--r-- 1 root root 176 Jul 30 2020 ssh_host_ecdsa_key.pub
    -rw------- 1 root root 411 Jul 30 2020 ssh_host_ed25519_key
    -rw-r--r-- 1 root root 96 Jul 30 2020 ssh_host_ed25519_key.pub
    -rw------- 1 root root 1823 Jul 30 2020 ssh_host_rsa_key
    -rw-r--r-- 1 root root 396 Jul 30 2020 ssh_host_rsa_key.pub
    -rw-r--r-- 1 root root 754 Jun 18 2021 sshd_config
    -rw-r--r-- 1 root root 3235 Jul 30 2020 sshd_config.ucf-dist
    steakhutzeee@DK:/etc/ssh$


    I actually never used any DSA keys; with PuTTY I created the key I use to SSH, which is an RSA key.


    Can I check the port these IPs are trying to log in on?

  • Start blocking everything and only allow selected traffic on fw.

    Cut off port access and only allow local IP ... for starters. The problem is bigger because you are exposed in one way or another and you have no control over the box. :/


    netstat -tunlp

    Look at what might be listening.


    tcpdump host 185.204.1.184

    Look at the network traffic for that specific hostile IP.

  • The use of this key is not up to you. It is automatically generated by the server the first time it starts.


    Google the error message and solve it.


    Unless you change the port sshd runs on it accepts connections to TCP port 22. Telnet to that port and see if you get the banner.


  • The use of this key is not up to you. It is automatically generated by the server the first time it starts.


    Google the error message and solve it.


    Unless you change the port sshd runs on it accepts connections to TCP port 22. Telnet to that port and see if you get the banner.

    Uhm, but I changed the SSH port to another one, and fail2ban is also listening on that port :/


    I have port 22 set nowhere.


    EDIT: Checked with both ssh and telnet on port 22. Connection refused.


    Checking that error now.


    EDIT: Did "sudo dpkg-reconfigure openssh-server" and now I have the missing key generated:


    -rw-r--r-- 1 root root 565189 Jan 31 2020 moduli
    -rw-r--r-- 1 root root 820 Apr 8 2021 omv_sftp_config
    -rw-r--r-- 1 root root 1580 Jan 31 2020 ssh_config
    -rw------- 1 root root 1373 Feb 13 18:17 ssh_host_dsa_key
    -rw-r--r-- 1 root root 597 Feb 13 18:17 ssh_host_dsa_key.pub
    -rw------- 1 root root 505 Jul 30 2020 ssh_host_ecdsa_key
    -rw-r--r-- 1 root root 176 Jul 30 2020 ssh_host_ecdsa_key.pub
    -rw------- 1 root root 411 Jul 30 2020 ssh_host_ed25519_key
    -rw-r--r-- 1 root root 96 Jul 30 2020 ssh_host_ed25519_key.pub
    -rw------- 1 root root 1823 Jul 30 2020 ssh_host_rsa_key
    -rw-r--r-- 1 root root 396 Jul 30 2020 ssh_host_rsa_key.pub
    -rw-r--r-- 1 root root 754 Jun 18 2021 sshd_config
    -rw-r--r-- 1 root root 3248 Feb 13 18:17 sshd_config.ucf-dist


    The error seems to be gone, thank you!


    Anyway, I still see login attempts in the fail2ban logs :(

  • Is it OK to post the output of netstat here, or should I hide something?


    Seems nothing is captured for that host.
