Silly mistake... Verifying fix is sufficient?


Yekul


I have made a stupid mistake which FORTUNATELY I managed to snag because of dumb luck (my Coral TPU inferences were very high). Could you please take a look at the below and provide some suggestions. I think I've tidied things up a bit to prevent further issues but would appreciate any extra insight without too much 'the world is ending' where possible.


I closed out some dockers and CPU was being pegged to 100%. Checked logs and found a flood of remote connections to port 22 (SSH) which I -stupidly- left open after some issues when moving house and forgot about.


Now I have disabled SSH remote access, and it does seem as though all the incoming connections were on port 22. Had to end a task to get the CPU to return to normal. My password is very complex fortunately, so the odds of it being beaten by a login attempt like below seem... low? Or are there actually many more which the logs just don't record?


I do have my router forwarding connections from the WAN to my Unraid IP address for reverse proxy domains. I assume this is OK now SSH is disabled? Of course the reverse proxy has a unique username/password for external access.


I will say, I'm surprised there isn't a default action to block logins after x amount of failed attempts within a set time. However I do note the IP address is constantly changing. My regular login for Unraid is done through WireGuard or Unraid Remote.


Example of incoming connections below:
Jan 13 15:44:30 sshd[28347]: Connection closed by authenticating user root 170.64.214.0 port 46188 [preauth]
Jan 13 15:44:30 sshd[28431]: Connection from 170.64.214.0 port 46194 on 192.168.1.99 port 22 rdomain ""
Jan 13 15:44:32 sshd[28444]: Connection from 24.144.80.196 port 56214 on 192.168.1.99 port 22 rdomain ""
Jan 13 15:44:32 sshd[28447]: Connection from 101.251.197.238 port 35040 on 192.168.1.99 port 22 rdomain ""
Jan 13 15:44:32 sshd[28444]: Invalid user wangxh from 24.144.80.196 port 56214
Jan 13 15:44:32 sshd[28444]: pam_unix(sshd:auth): check pass; user unknown
Jan 13 15:44:32 sshd[28444]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=24.144.80.196
Jan 13 15:44:33 sshd[28474]: Connection from 121.46.20.110 port 59892 on 192.168.1.99 port 22 rdomain ""
Jan 13 15:44:33 sshd[28431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=170.64.214.0  user=root
Jan 13 15:44:35 sshd[28447]: Invalid user fang from 101.251.197.238 port 35040
Jan 13 15:44:35 sshd[28447]: pam_unix(sshd:auth): check pass; user unknown
Jan 13 15:44:35 sshd[28447]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=101.251.197.238
Jan 13 15:44:35 sshd[28444]: Failed password for invalid user wangxh from 24.144.80.196 port 56214 ssh2
Jan 13 15:44:36 sshd[28444]: Received disconnect from 24.144.80.196 port 56214:11: Bye Bye [preauth]
Jan 13 15:44:36 sshd[28444]: Disconnected from invalid user wangxh 24.144.80.196 port 56214 [preauth]
Jan 13 15:44:36 sshd[28431]: Failed password for root from 170.64.214.0 port 46194 ssh2
Jan 13 15:44:37 sshd[28447]: Failed password for invalid user fang from 101.251.197.238 port 35040 ssh2
Jan 13 15:44:37 sshd[28447]: Received disconnect from 101.251.197.238 port 35040:11: Bye Bye [preauth]
Jan 13 15:44:37 sshd[28447]: Disconnected from invalid user fang 101.251.197.238 port 35040 [preauth]
Jan 13 15:44:38 sshd[28431]: Connection closed by authenticating user root 170.64.214.0 port 46194 [preauth]
Jan 13 15:44:38 sshd[28543]: Connection from 170.64.214.0 port 59152 on 192.168.1.99 port 22 rdomain ""
Jan 13 15:44:39 sshd[28543]: error: kex_exchange_identification: read: Connection reset by peer

  • 3 weeks later...

I assume you were forwarding port 22 on your router? You've turned that off now, correct? (I think that's what you're saying, but I want to double-check.)


The line that was most concerning to me was this one:

Jan 13 15:44:30 sshd[28347]: Connection closed by authenticating user root 170.64.214.0 port 46188 [preauth]

But the preauth tag makes me think this SSH connection was never fully established and did not gain access to your system.


You didn't have any other ports open on your router did you?


If you want reassurance, I think you're most likely okay. Complex passwords help a lot. Logs don't capture everything, especially outbound stuff, but I don't want to worry you needlessly so we'll leave it at that.

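An added example (not code from either poster) that turns the triage in these two posts into something you can run over a syslog: it counts failed-password attempts per source IP using the sshd lines from the original post, flags which IPs would trip a fail2ban-style maxretry lockout (the "block after x failed attempts" the first post asks about), counts sessions that ended at the preauth stage (the reply's point about the connection never being established), and searches for any "Accepted" line, which is the record that would actually show a login succeeding. The sample adds three constructed lines that are not in the post: two more root failures from 170.64.214.0 and one "Accepted" login from the documentation address 203.0.113.7.

```python
import re
from collections import Counter

# Constructed sample: sshd lines copied from the post above, plus three lines NOT in the
# post (two more root failures from 170.64.214.0, one "Accepted" login from 203.0.113.7).
SAMPLE_LOG = """\
Jan 13 15:44:35 sshd[28444]: Failed password for invalid user wangxh from 24.144.80.196 port 56214 ssh2
Jan 13 15:44:36 sshd[28444]: Disconnected from invalid user wangxh 24.144.80.196 port 56214 [preauth]
Jan 13 15:44:36 sshd[28431]: Failed password for root from 170.64.214.0 port 46194 ssh2
Jan 13 15:44:37 sshd[28447]: Failed password for invalid user fang from 101.251.197.238 port 35040 ssh2
Jan 13 15:44:37 sshd[28447]: Disconnected from invalid user fang 101.251.197.238 port 35040 [preauth]
Jan 13 15:44:38 sshd[28431]: Connection closed by authenticating user root 170.64.214.0 port 46194 [preauth]
Jan 13 15:44:39 sshd[28543]: error: kex_exchange_identification: read: Connection reset by peer
Jan 13 15:45:01 sshd[28600]: Failed password for root from 170.64.214.0 port 46200 ssh2
Jan 13 15:45:03 sshd[28601]: Failed password for root from 170.64.214.0 port 46202 ssh2
Jan 13 15:46:10 sshd[28700]: Accepted password for root from 203.0.113.7 port 40000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
PREAUTH = re.compile(r"\[preauth\]$")  # sshd tags events that happened before auth completed

def triage(log_text, maxretry=3):
    """Failures per source IP, IPs that would trip a fail2ban-style maxretry ban,
    sessions that ended before auth, and any "Accepted" line (a real successful login)."""
    failures = Counter()
    targeted = {}
    accepted = []
    preauth = 0
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m["ip"]] += 1
            targeted.setdefault(m["ip"], set()).add(m["user"])
        if m := ACCEPTED.search(line):
            accepted.append((m["ip"], m["user"], m["method"]))
        if PREAUTH.search(line):
            preauth += 1
    return {
        "failures": dict(failures),
        "users": {ip: sorted(u) for ip, u in targeted.items()},
        "lockout": sorted(ip for ip, n in failures.items() if n >= maxretry),
        "accepted": accepted,
        "preauth_disconnects": preauth,
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("failures per IP:", report["failures"], "| would be banned:", report["lockout"])
    print("successful logins (investigate these):", report["accepted"])
```

On a real box, feed it `/var/log/syslog` (or `journalctl -u sshd --no-pager`) instead of SAMPLE_LOG; an empty "accepted" list from the exposed window is the reassurance the thread is after, while any entry in it is what needs investigating.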
