August 20, 2013

I recently set up a VPN for my unRaid server and noticed in my logs today (first time VPN being left connected overnight) I had multiple telnet attempts from a few IP addresses that are from Taiwan and Vietnam to name a couple. What are they, are they malicious attempts or simply probes from the VPN? The IPs are not on my subnet assigned by the VPN and there is no log of invalid password attempt, so it does look like a port probe. Why would I be getting port probes from IPs from these countries over my VPN? Using HMA VPN Pro.

Aug 19 23:59:55 Tower in.telnetd[10651]: connect from 175.182.76.144 (175.182.76.144) (Routine)
Aug 19 23:59:55 Tower telnetd[10651]: ttloop: peer died: EOF (Logins)
Aug 20 00:15:25 Tower in.telnetd[23155]: connect from 220.134.216.166 (220.134.216.166) (Routine)
Aug 20 00:15:25 Tower telnetd[23155]: ttloop: peer died: EOF (Logins)
Aug 20 00:24:21 Tower in.telnetd[30276]: connect from 175.182.76.144 (175.182.76.144) (Routine)
Aug 20 00:24:24 Tower telnetd[30276]: ttloop: peer died: EOF (Logins)
Aug 20 00:39:16 Tower in.telnetd[10044]: connect from 123.19.208.193 (123.19.208.193) (Routine)
Aug 20 00:39:16 Tower telnetd[10044]: ttloop: peer died: EOF (Logins)
Aug 20 07:52:05 Tower in.telnetd[9306]: connect from 88.250.84.91 (88.250.84.91) (Routine)
Aug 20 07:52:05 Tower telnetd[9306]: ttloop: peer died: EOF (Logins)
Aug 20 07:58:19 Tower in.telnetd[14340]: connect from 88.250.84.91 (88.250.84.91) (Routine)
Aug 20 07:58:21 Tower telnetd[14340]: ttloop: peer died: EOF (Logins)
Aug 20 10:19:01 Tower in.telnetd[29194]: connect from 183.178.134.25 (183.178.134.25) (Routine)
Aug 20 10:19:02 Tower telnetd[29194]: ttloop: peer died: EOF (Logins)
Aug 20 10:25:17 Tower in.telnetd[1738]: connect from 183.178.134.25 (183.178.134.25) (Routine)
Aug 20 10:25:19 Tower telnetd[1738]: ttloop: peer died: EOF (Logins)
August 21, 2013

I would set up a rule to block them anyway, maybe even whitelist only certain external IPs.
August 21, 2013

I'm puzzled why there would be these probes over a VPN. A VPN is from one point to another. There should only be visibility from either side of the VPN. If these addresses are outside of the VPN, then something is wrong, i.e. a firewall somewhere open. Could it be on your side? Or the remote side?

I have my SSH port exposed to the internet, but I also DENY everything and only ALLOW what I expect to connect. I would recommend the same be done with /etc/hosts.allow and /etc/hosts.deny for any service that you do not want open to the world.

You can also do a

/etc/hosts.deny
ALL: ALL

then set up

/etc/hosts.allow
sshd: ip ip ip
telnetd: ip ip ip
vsftpd: ip ip ip

Where the ip are the addresses you want to allow through.
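A way to triage log lines like those in the first post against an allowlist like the one suggested in the reply above; this is an added example, not code from any poster in the thread. The sample log is constructed in the same format with documentation-range addresses, and the trusted network 10.8.0.0/24 is an assumed VPN subnet.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the same syslog format as the thread's log; the
# addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_LOG = """\
Aug 19 23:59:55 Tower in.telnetd[10651]: connect from 203.0.113.7 (203.0.113.7)
Aug 19 23:59:55 Tower telnetd[10651]: ttloop: peer died: EOF
Aug 20 00:15:25 Tower in.telnetd[23155]: connect from 198.51.100.20 (198.51.100.20)
Aug 20 00:15:25 Tower telnetd[23155]: ttloop: peer died: EOF
Aug 20 00:24:21 Tower in.telnetd[30276]: connect from 203.0.113.7 (203.0.113.7)
Aug 20 00:24:24 Tower telnetd[30276]: ttloop: peer died: EOF
Aug 20 08:01:02 Tower in.telnetd[4100]: connect from 10.8.0.6 (10.8.0.6)
Aug 20 09:30:00 Tower in.telnetd[5200]: connect from 192.0.2.99 (192.0.2.99)
"""

CONNECT = re.compile(r"in\.telnetd\[(\d+)\]: connect from \S+ \(([\d.]+)\)")
DROPPED = re.compile(r"telnetd\[(\d+)\]: ttloop: peer died: EOF")

def triage(log_text, trusted_nets):
    """Return {source_ip: {"connects": n, "dropped": n}} for untrusted sources.

    "dropped" counts sessions where a connect line is followed by
    "ttloop: peer died: EOF" under the same PID: the peer hung up
    before any login exchange, which is what a port probe looks like.
    IPv4 only; trusted_nets is a list of CIDR strings (assumed values).
    """
    trusted = [ip_network(n) for n in trusted_nets]
    pid_to_ip = {}
    stats = defaultdict(lambda: {"connects": 0, "dropped": 0})
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            pid, ip = m.groups()
            if any(ip_address(ip) in net for net in trusted):
                pid_to_ip.pop(pid, None)  # PID reused by a trusted session
                continue
            pid_to_ip[pid] = ip
            stats[ip]["connects"] += 1
        elif m := DROPPED.search(line):
            ip = pid_to_ip.pop(m.group(1), None)
            if ip:
                stats[ip]["dropped"] += 1
    return dict(stats)

if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_LOG, ["10.8.0.0/24"]).items()):
        kind = "probe-like" if s["dropped"] == s["connects"] else "check for login"
        print(f"{ip:15} connects={s['connects']} dropped={s['dropped']} {kind}")
```

Sources whose every connect ends in an immediate EOF match the probe pattern; a source with a connect and no EOF warrants a look for a login in the surrounding log lines.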
August 21, 2013 (Author)

I contacted the VPN provider (hidemyass.com) and they do not have a NAT service on their VPN. Their response:

"Thank you for contacting the HMA! Customer support team. At the moment we don't offer NAT service with our VPN, however your internet traffic is secured and protected over our VPN servers. If you wish to additional layer of protection on your machine, please take a look at the following page for additional information on how to configure firewall: http://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans"

So basically it is secure client to server, but for the most part wide open on their end, which is no different than plugging my server directly into my DSL modem as far as security goes (DMZ). With no iptables or any other method of firewalling on unRAID available, using the openvpn plugin on unRAID is a bad idea for me. I have the ASUS Dark Knight router with Tomato so I will be moving openvpn to it and setting up iptables on it to firewall/NAT and restrict it to my unRAID box.