March 3, 2021
Hi there, someone else posted this a year ago, but the string didn't have a clear answer. What should I do with this warning?
On Mar 2 there were 301 invalid login attempts. This could either be yourself attempting to login to your server (SSH / Telnet) with the wrong user or password, or you could be actively be the victim of hack attacks. A common cause of this would be placing your server within your router's DMZ, or improperly forwarding ports. This is a major issue and needs to be addressed IMMEDIATELY. NOTE: Because this check is done against the logged entries in the syslog, the only way to clear it is to either increase the number of allowed invalid logins per day (if determined that it is not a hack attempt) or to reset your server. It is not recommended under any circumstance to ignore this error.
March 3, 2021
1 minute ago, ssinseeme said: what should I do with this warning?
Post your diagnostics so someone can see where the invalid logins originate.
March 3, 2021
Author
Who the F** is this guy?? I see in the syslog multiple failed attempts. Please see below attachment. What should I do??
error: Could not get shadow information for NOUSER
Mar 2 13:00:53 Tower sshd[22552]: Failed none for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar 2 13:00:53 Tower sshd[22552]: Failed password for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar 2 13:00:53 Tower sshd[22552]: Connection closed by invalid user admin 10.0.1.137 port 51262 [preauth]
Mar 2 13:00:57 Tower sshd[22566]: Invalid user admin from 10.0.1.137 port 51887
.....
syslog.txt
March 3, 2021
Community Expert
Normally 10.* IP addresses are LAN. Something else on your network compromised?
March 3, 2021
Community Expert
28 minutes ago, Hoopster said: Post your diagnostics
You only posted syslog. Tools - Diagnostics.
March 3, 2021
Author
10.0.1.137 is one of my desktops that I haven't used for a long time. Somehow we lost power and that desktop turned on automatically. I wonder if it was a virus?
March 3, 2021
Author
Can you guide me on what else you check, other than syslog, to find out?
tower-diagnostics-20210302-2109.zip
March 3, 2021
Community Expert
Other things in Diagnostics can make it a lot easier to work with syslog. Sometimes I never even look at syslog, other times I only look at syslog after looking at other things in Diagnostics. One thing in diagnostics that would be easy to find in this case was the IP address of your server (in system/ifconfig.txt) to check if it was the same subnet as the attacker.
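The two checks suggested in this thread (finding where the failed logins in the quoted sshd lines originate, and comparing that source address against the server's own subnet from system/ifconfig.txt) can be done mechanically. The following Python script is an added example for readers; it is not from the thread or from Unraid. The syslog lines are constructed to mirror the format quoted above, and the server address 10.0.1.10/24 is an assumed value standing in for whatever ifconfig.txt actually reports.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the format quoted in the thread
# (the 10.0.1.137 entries) plus one external source and one successful login,
# so the script has something of each kind to classify. Not a real capture.
SAMPLE_SYSLOG = """\
Mar  2 13:00:53 Tower sshd[22552]: Failed none for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar  2 13:00:53 Tower sshd[22552]: Failed password for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar  2 13:00:53 Tower sshd[22552]: Connection closed by invalid user admin 10.0.1.137 port 51262 [preauth]
Mar  2 13:00:57 Tower sshd[22566]: Invalid user admin from 10.0.1.137 port 51887
Mar  2 13:00:58 Tower sshd[22566]: Failed password for invalid user admin from 10.0.1.137 port 51887 ssh2
Mar  2 13:01:02 Tower sshd[22570]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  2 13:01:10 Tower sshd[22580]: Accepted password for root from 10.0.1.5 port 50100 ssh2
"""

# Matches the sshd failure lines in the thread:
#   "Failed <method> for [invalid user] <user> from <ip> port <port> ssh2"
# "Connection closed" and "Invalid user" lines are intentionally not counted,
# so each authentication attempt is counted once.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_failed_logins(syslog_text):
    """Return one (user, source_ip) tuple per failed sshd authentication line."""
    hits = []
    for line in syslog_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def summarize(syslog_text, server_cidr):
    """Count failures per source IP and flag whether each source is on the
    server's own subnet.

    server_cidr is the server's address with prefix length, as you would read
    it from system/ifconfig.txt in the diagnostics (assumed value here).
    """
    lan = ipaddress.ip_network(server_cidr, strict=False)
    per_ip = Counter(ip for _, ip in parse_failed_logins(syslog_text))
    return {
        ip: {"failures": count, "on_lan": ipaddress.ip_address(ip) in lan}
        for ip, count in per_ip.items()
    }


def main():
    # Assumed server address; replace with the real one from ifconfig.txt.
    report = summarize(SAMPLE_SYSLOG, "10.0.1.10/24")
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["failures"]):
        where = "LAN (router firewall does not apply)" if info["on_lan"] else "external"
        print(f"{ip:>16}  {info['failures']:>4} failed logins  {where}")


if __name__ == "__main__":
    main()
```

Run it against the real log with the server's actual address substituted: a source flagged as on the LAN is the case trurl describes later in the thread, where the router firewall cannot help and the offending host itself has to be examined; an external source points instead at port forwarding or DMZ exposure, which is what the Unraid warning text names first.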
March 3, 2021
Author
Yes. But what should I do to prevent this attack from happening internally to my Unraid? Like I said, the IP I see in Sys was my old PC. Should I ignore the warning ⚠️ now in Unraid?
March 3, 2021
Community Expert
17 minutes ago, ssinseeme said: 10.0.1.137 is one of my desktop that I haven't use for a long time.
Why is it on your network if you don't use it?
March 3, 2021
Author
It was just sitting in the basement doing nothing until today's power outage. What are all these ports with IPs? I don't have any of them open!! And how could my PC try to log in to my Unraid server?? I don't get it. It's disconnected now. Did you see anything else in the system file?
March 3, 2021
Community Expert
Since the "attacker" is on your LAN you are not protected from it by the firewall of your router. Possibly that PC is infected, or maybe it is allowing access from outside your LAN. Reboot your server to get your logs cleared, wait a while, then post new diagnostics.
March 3, 2021
Community Expert
Have you ever installed a vulnerability scanner on that PC, as another possible option, like Nessus or something similar?
March 3, 2021
Author
2 hours ago, trurl said: Since the "attacker" is on your LAN you are not protected from it by the firewall of your router. Possibly that PC is infected, or maybe it is allowing access from outside your LAN. Reboot your server to get your logs cleared, wait a while, then post new diagnostics.
I want to make sure that by PC you mean the old PC, not the Unraid server, right? I don't know what you mean by "allowing access from outside LAN"; I use LAN to access the internet. In case I use this old PC, how do I prevent it from accessing my network, meaning my server and other computers? I want to use it only to access the internet. I will reboot the server and post the diagnostics. Should I ignore that warning or just reboot?
March 3, 2021
Community Expert
12 minutes ago, ssinseeme said: by PC you means the old PC not the Unraid server right.
Right.
13 minutes ago, ssinseeme said: i don't know what you mean with "allowing access from outside LAN"
Perhaps someone (or a bot) was using that old PC to gain access to your local network from outside. If you really want to use that old PC you should make sure it is clean before attaching it to your LAN.
March 3, 2021
1 hour ago, ssinseeme said: i don't know what you mean with "allowing access from outside LAN"
This is probably unlikely, but did you ever enable Remote Desktop Connection or anything similar on that machine? That might include other remote control tools such as TeamViewer. They have legitimate uses, but only if you're in control of their use. You mentioned a power failure. Did that PC start up by itself afterwards? Another safeguard would be to check that PC's power settings in the BIOS. Unless you need it to power up automatically (if the PC was unused then it probably isn't) then I would set it to not power up when the AC power is applied. The behaviour on restoration of AC power is generally configured in the PC's BIOS settings. Normally you would have most machines set to stay powered off at that time, although a reasonable exception would be on machines such as your Unraid server that you might want to restart without supervision.
March 3, 2021
I got "hack attempts" from my desktop PC because of a network LAN scanner, so it really depends on what's connecting or why.