shushi1010 Posted February 21, 2022

On Feb 20 there were 52259 invalid login attempts. This could either be yourself attempting to login to your server (SSH / Telnet) with the wrong user or password, or you could be actively be the victim of hack attacks. A common cause of this would be placing your server within your routers DMZ, or improperly forwarding ports. This is a major issue and needs to be addressed IMMEDIATELY

NOTE: Because this check is done against the logged entries in the syslog, the only way to clear it is to either increase the number of allowed invalid logins per day (if determined that it is not a hack attempt) or to reset your server. It is not recommended under any circumstance to ignore this error

Any ideas what I need to do to protect the server?

overse-diagnostics-20220221-1004.zip

trurl Posted February 21, 2022

Looks like these are coming from your LAN. Did you look at syslog to see if you can figure out what is going on?

ChatNoir Posted February 21, 2022

If it comes from your LAN, you need to figure out what machine it is and check whether something on it is scanning the network (security software) or actually compromised.

ConnerVT Posted February 21, 2022

Looks to be a dictionary attack - User names come alphabetically.

Never put a server, especially the ports which give root level access, open to the Internet without bulletproof layers of protection.

shushi1010 (Author) Posted February 21, 2022

Thanks for your reply. I found the attack came from my router. After I replaced the router, the attack stopped.

shushi1010 (Author) Posted February 22, 2022

6 hours ago, ConnerVT said: Netgear?

No, it's ASUS RT-AX86U

ConnerVT Posted February 22, 2022

Interesting. Thanks for that.

The reason I asked is that Netgear ARMOR (their router security scanner) has been the subject of several similar threads. Your syslog looked a bit different (login attempt methodology), but if replacing the router eliminated it (and it doesn't return) you may likely have found the source.

If you would like, you could look through the RT-AX86U setup screens, and see if turning on/off security packages in the AiProtection tabs eliminates the issue. A quick look at the User manual states that it turns on a number of protection packages when you run their security scan.

Edited February 22, 2022 by ConnerVT (speeling)

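Added example, not part of any post in this thread: one way to do the syslog check the replies describe, grouping failed SSH logins by source address, marking sources on the LAN, and flagging usernames that arrive in alphabetical order. The log lines are constructed in the usual OpenSSH wording; the hostname, addresses and the 4-name / 90% thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not taken from the poster's diagnostics zip).
SAMPLE_SYSLOG = """\
Feb 20 03:12:01 Tower sshd[4101]: Invalid user aaron from 192.168.1.1 port 40122
Feb 20 03:12:03 Tower sshd[4101]: Failed password for invalid user aaron from 192.168.1.1 port 40122 ssh2
Feb 20 03:12:05 Tower sshd[4105]: Invalid user abby from 192.168.1.1 port 40130
Feb 20 03:12:09 Tower sshd[4109]: Invalid user adam from 192.168.1.1 port 40144
Feb 20 03:12:14 Tower sshd[4113]: Invalid user admin from 192.168.1.1 port 40150
Feb 20 09:30:44 Tower sshd[5220]: Failed password for root from 192.168.1.50 port 51514 ssh2
Feb 20 11:02:10 Tower sshd[6001]: Invalid user test from 203.0.113.7 port 33211
Feb 20 11:02:15 Tower sshd[6004]: Invalid user oracle from 203.0.113.7 port 33219
Feb 20 11:02:19 Tower sshd[6008]: Invalid user git from 203.0.113.7 port 33230
"""

# Explicit RFC 1918 ranges (ipaddress.is_private covers more than home LAN space).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def on_lan(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the address field
        return False
    return any(addr in net for net in LAN_NETS)

def summarize(syslog_text):
    """Group failed logins by source address and describe each source."""
    users_by_ip = defaultdict(list)
    for line in syslog_text.splitlines():
        m = FAILED.search(line)
        if m:
            users_by_ip[m["ip"]].append(m["user"])
    report = {}
    for ip, users in users_by_ip.items():
        # Collapse consecutive repeats: sshd can log two lines for one bad user.
        distinct = [u for i, u in enumerate(users) if i == 0 or u != users[i - 1]]
        ordered = sum(a <= b for a, b in zip(distinct, distinct[1:]))
        alpha = len(distinct) >= 4 and ordered >= 0.9 * (len(distinct) - 1)
        report[ip] = {"attempts": len(users), "on_lan": on_lan(ip), "alphabetical": alpha}
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

A LAN source with a high count and alphabetical usernames points at a device on your own network, such as a router's security scanner, rather than at a port exposed to the Internet.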