Pages & Pages Of FTP Login Attempts


mbc0


Hi,

 

I have absolutely thousands of login attempts (different IPs & usernames). Is this people trying to log in to my box? Is there a way of stopping this?

 

Here is just a very small snippet of my syslog

 

Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Failed none for invalid user administrator from 212.129.8.144 port 50339 ssh2

Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Failed password for invalid user administrator from 212.129.8.144 port 50339 ssh2

Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Invalid user admin from 212.129.8.144

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: input_userauth_request: invalid user admin [preauth]

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Failed none for invalid user admin from 212.129.8.144 port 50571 ssh2

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Failed password for invalid user admin from 212.129.8.144 port 50571 ssh2

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: Invalid user Bedford from 212.129.8.144

Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: input_userauth_request: invalid user Bedford [preauth]

Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: Failed none for invalid user Bedford from 212.129.8.144 port 51496 ssh2

Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Failed password for invalid user Bedford from 212.129.8.144 port 51496 ssh2

Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: Invalid user support from 212.129.8.144

Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: input_userauth_request: invalid user support [preauth]

Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: Failed none for invalid user support from 212.129.8.144 port 52039 ssh2

Apr 30 08:29:10 UNRAIDSERVER sshd[13756]: Failed password for invalid user support from 212.129.8.144 port 52039 ssh2

Apr 30 08:29:10 UNRAIDSERVER sshd[13756]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:10 UNRAIDSERVER sshd[13756]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: Invalid user alex from 212.129.8.144

Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: input_userauth_request: invalid user alex [preauth]

Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: Failed none for invalid user alex from 212.129.8.144 port 52618 ssh2

Apr 30 08:29:11 UNRAIDSERVER sshd[13762]: Failed password for invalid user alex from 212.129.8.144 port 52618 ssh2

Apr 30 08:29:11 UNRAIDSERVER sshd[13762]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:11 UNRAIDSERVER sshd[13762]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Invalid user steve from 212.129.8.144

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: input_userauth_request: invalid user steve [preauth]

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Failed none for invalid user steve from 212.129.8.144 port 52965 ssh2

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Failed password for invalid user steve from 212.129.8.144 port 52965 ssh2

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Invalid user admin from 212.129.8.144

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: input_userauth_request: invalid user admin [preauth]

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Failed none for invalid user admin from 212.129.8.144 port 53582 ssh2

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Failed password for invalid user admin from 212.129.8.144 port 53582 ssh2

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]

Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Disconnected from 212.129.8.144 [preauth]

Apr 30 08:29:45 UNRAIDSERVER sshd[13845]: Did not receive identification string from 91.201.236.158

Apr 30 08:32:33 UNRAIDSERVER in.telnetd[14186]: connect from 211.36.150.53 (211.36.150.53) (Routine)

Apr 30 08:33:16 UNRAIDSERVER telnetd[14186]: ttloop: peer died: EOF (Logins)

Apr 30 08:33:28 UNRAIDSERVER sshd[14294]: Did not receive identification string from 116.109.136.190

Apr 30 08:33:29 UNRAIDSERVER sshd[14299]: Accepted none for root from 116.109.136.190 port 50268 ssh2

Apr 30 08:35:48 UNRAIDSERVER sshd[14586]: Did not receive identification string from 222.255.174.32

Apr 30 08:35:49 UNRAIDSERVER sshd[14591]: fatal: Unable to negotiate with 222.255.174.32: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)

Apr 30 08:39:46 UNRAIDSERVER sshd[15067]: Accepted none for root from 125.88.177.94 port 26703 ssh2

Apr 30 08:39:46 UNRAIDSERVER sshd[15067]: Received disconnect from 125.88.177.94: 11:

Apr 30 08:39:46 UNRAIDSERVER sshd[15067]: Disconnected from 125.88.177.94

Apr 30 08:41:06 UNRAIDSERVER sshd[15248]: Connection closed by 91.201.236.158 [preauth]

Apr 30 08:45:19 UNRAIDSERVER in.telnetd[15758]: connect from 101.18.32.100 (101.18.32.100) (Routine)

Apr 30 08:46:00 UNRAIDSERVER telnetd[15758]: ttloop: read: Connection reset by peer (Logins)

Apr 30 08:49:15 UNRAIDSERVER sshd[16234]: Failed password for root from 202.126.93.18 port 9224 ssh2

Apr 30 08:49:15 UNRAIDSERVER sshd[16234]: Connection closed by 202.126.93.18 [preauth]

Apr 30 08:53:05 UNRAIDSERVER sshd[16703]: Did not receive identification string from 51.174.39.167

Apr 30 08:54:25 UNRAIDSERVER sshd[16867]: Connection reset by 107.155.198.85 [preauth]

Apr 30 09:02:22 UNRAIDSERVER in.telnetd[17829]: connect from 220.132.155.121 (220.132.155.121) (Routine)

Apr 30 09:03:01 UNRAIDSERVER telnetd[17829]: ttloop: read: Connection reset by peer (Logins)

Apr 30 09:08:21 UNRAIDSERVER in.telnetd[18561]: connect from 124.107.175.18 (124.107.175.18) (Routine)

Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: Invalid user guest from 202.126.93.18

Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: input_userauth_request: invalid user guest [preauth]

Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: error: Could not get shadow information for NOUSER (Errors)

Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: Failed password for invalid user guest from 202.126.93.18 port 9224 ssh2

Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: Connection closed by 202.126.93.18 [preauth]

Apr 30 09:12:26 UNRAIDSERVER sshd[19068]: Did not receive identification string from 222.255.174.32

Apr 30 09:12:27 UNRAIDSERVER sshd[19071]: fatal: Unable to negotiate with 222.255.174.32: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)

Apr 30 09:16:53 UNRAIDSERVER emhttp: read_line: read_line: CR without LF (Other emhttp)

Apr 30 09:18:03 UNRAIDSERVER sshd[19754]: Did not receive identification string from 222.255.174.31

Apr 30 09:18:05 UNRAIDSERVER sshd[19757]: fatal: Unable to negotiate with 222.255.174.31: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)

Apr 30 09:18:49 UNRAIDSERVER in.telnetd[19852]: connect from 223.93.147.99 (223.93.147.99) (Routine)

Apr 30 09:19:28 UNRAIDSERVER telnetd[19852]: ttloop: read: Connection reset by peer (Logins)

Apr 30 09:20:30 UNRAIDSERVER in.telnetd[20057]: connect from 221.193.179.227 (221.193.179.227) (Routine)

Apr 30 09:21:10 UNRAIDSERVER telnetd[20057]: ttloop: read: Connection reset by peer (Logins)

Apr 30 09:21:42 UNRAIDSERVER sshd[20200]: Failed password for root from 107.155.198.88 port 51444 ssh2

Apr 30 09:21:43 UNRAIDSERVER sshd[20200]: Received disconnect from 107.155.198.88: 11: User exit [preauth]

Apr 30 09:21:43 UNRAIDSERVER sshd[20200]: Disconnected from 107.155.198.88 [preauth]

Apr 30 09:28:55 UNRAIDSERVER sshd[21077]: Invalid user test from 202.126.93.18

Apr 30 09:28:55 UNRAIDSERVER sshd[21077]: input_userauth_request: invalid user test [preauth]

Apr 30 09:28:55 UNRAIDSERVER sshd[21077]: error: Could not get shadow information for NOUSER (Errors)

Link to comment

Yeah, sorry to be the bearers of bad news but the internet is not a safe place.  What you're seeing is expected - you are being hacked.  Worse, unRAID is not a hardened OS and it is not suitable for direct exposure on the Internet so you're really at risk.  You need to get your server behind a firewall.  After you've done that, consider implementing a VPN for your remote access.

Link to comment

Uhh, these are SSH login attempts. It's a brute-force attack. Where is the problem? You do have a sufficiently complex username with a sufficiently complex password that aren't dictionary words, yes?

 

Let them try to log in. Who cares? And wasn't there a plugin that automatically sets the hosts on a blacklist for exactly this kind of behaviour?

 

The question here isn't whether unRAID is hardened. If only port 22 is forwarded, the only question is whether the SSH server is secure.

Link to comment

Yeah, sorry to be the bearers of bad news but the internet is not a safe place.  What you're seeing is expected - you are being hacked.  Worse, unRAID is not a hardened OS and it is not suitable for direct exposure on the Internet so you're really at risk.  You need to get your server behind a firewall.  After you've done that, consider implementing a VPN for your remote access.

 

He's not being hacked, this is very common if you expose port 22 (ssh) to the internet.  It is an automated attack trying to get into the server, as long as you disable password (and root login) and use private/public keys he will be fine.

 

I suppose you could implement fail2ban or other such programs out there to reduce the number of attempts.  But this is a common occurrence these days, as long as your ssh server is sufficiently secure they can brute-force all they want.

 

So just disable password login info here, and use private keys to login info here, and you'll be fine.

Link to comment

 

He's not being hacked, this is very common if you expose port 22 (ssh) to the internet.  It is an automated attack trying to get into the server, as long as you disable password (and root login) and use private/public keys he will be fine.

 

Interesting way to put it... he isn't being hacked, it's just that people (actually automated scripts) are trying to attack his system but...

 

You are correct that you can make it harder for them to use automated systems to break into your server, but here is the most important point....

 

unRAID doesn't disable password login by default and doesn't use private/public key login by default... so the reason people say... don't do this is because we don't like to assume that they have done this...

 

Not to mention that there are smarter safer ways to go about this.

Link to comment

Thanks jonathanm, do you mean not putting myself in the position by not having my unRAID server connected to the outside world?

 

No, what we're saying is don't open the ports for FTP and SSH on your firewall.  If you need to access your machine from outside your LAN then set up a VPN.

Link to comment

OK, so FTP disabled, rebooted, checked disabled, but still loads of attempted logins? Help, anyone, please?

 

May  3 08:59:04 UNRAIDSERVER telnetd[30208]: ttloop: peer died: EOF (Logins)

May  3 09:12:13 UNRAIDSERVER sshd[31812]: Did not receive identification string from 222.255.174.31

May  3 09:12:14 UNRAIDSERVER sshd[31815]: fatal: Unable to negotiate with 222.255.174.31: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)

May  3 09:12:42 UNRAIDSERVER sshd[31871]: Failed password for root from 107.155.198.94 port 65482 ssh2

May  3 09:12:43 UNRAIDSERVER sshd[31871]: Received disconnect from 107.155.198.94: 11: User exit [preauth]

May  3 09:12:43 UNRAIDSERVER sshd[31871]: Disconnected from 107.155.198.94 [preauth]

May  3 09:28:51 UNRAIDSERVER sshd[1423]: Failed password for root from 113.22.62.255 port 64378 ssh2

May  3 09:28:57 UNRAIDSERVER sshd[1423]: Connection reset by 113.22.62.255 [preauth]

May  3 09:36:33 UNRAIDSERVER sshd[2382]: Connection closed by 122.144.196.177 [preauth]

May  3 09:37:08 UNRAIDSERVER sshd[2449]: Accepted none for root from 125.88.177.94 port 36655 ssh2

May  3 09:37:08 UNRAIDSERVER sshd[2449]: Received disconnect from 125.88.177.94: 11:

May  3 09:37:08 UNRAIDSERVER sshd[2449]: Disconnected from 125.88.177.94

May  3 09:37:56 UNRAIDSERVER sshd[2556]: Failed password for root from 107.155.198.80 port 51640 ssh2

May  3 09:37:58 UNRAIDSERVER sshd[2556]: Received disconnect from 107.155.198.80: 11: User exit [preauth]

May  3 09:37:58 UNRAIDSERVER sshd[2556]: Disconnected from 107.155.198.80 [preauth]

May  3 09:39:31 UNRAIDSERVER in.telnetd[2837]: connect from 60.184.101.43 (60.184.101.43) (Routine)

May  3 09:40:16 UNRAIDSERVER telnetd[2837]: ttloop: read: Connection reset by peer (Logins)

May  3 09:42:31 UNRAIDSERVER sshd[3206]: Did not receive identification string from 125.212.232.120

May  3 09:42:35 UNRAIDSERVER sshd[3209]: Invalid user ubnt from 125.212.232.120

May  3 09:42:35 UNRAIDSERVER sshd[3209]: input_userauth_request: invalid user ubnt [preauth]

May  3 09:42:35 UNRAIDSERVER sshd[3209]: error: Could not get shadow information for NOUSER (Errors)

May  3 09:42:35 UNRAIDSERVER sshd[3209]: Failed none for invalid user ubnt from 125.212.232.120 port 62364 ssh2

May  3 09:42:35 UNRAIDSERVER sshd[3209]: Failed password for invalid user ubnt from 125.212.232.120 port 62364 ssh2

May  3 09:42:36 UNRAIDSERVER sshd[3209]: error: Received disconnect from 125.212.232.120: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] (Errors)

May  3 09:42:36 UNRAIDSERVER sshd[3209]: Disconnected from 125.212.232.120 [preauth]

May  3 09:42:39 UNRAIDSERVER sshd[3221]: Invalid user admin from 125.212.232.120

May  3 09:42:39 UNRAIDSERVER sshd[3221]: input_userauth_request: invalid user admin [preauth]

May  3 09:42:39 UNRAIDSERVER sshd[3221]: error: Could not get shadow information for NOUSER (Errors)

May  3 09:42:39 UNRAIDSERVER sshd[3221]: Failed none for invalid user admin from 125.212.232.120 port 63071 ssh2

May  3 09:42:40 UNRAIDSERVER sshd[3221]: Failed password for invalid user admin from 125.212.232.120 port 63071 ssh2

May  3 09:42:40 UNRAIDSERVER sshd[3221]: error: Received disconnect from 125.212.232.120: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] (Errors)

May  3 09:42:40 UNRAIDSERVER sshd[3221]: Disconnected from 125.212.232.120 [preauth]

May  3 09:42:42 UNRAIDSERVER sshd[3233]: Accepted none for root from 125.212.232.120 port 63647 ssh2

May  3 09:55:53 UNRAIDSERVER in.telnetd[4850]: connect from 61.216.13.22 (61.216.13.22) (Routine)

May  3 09:56:00 UNRAIDSERVER telnetd[4850]: ttloop: peer died: EOF (Logins)

May  3 10:02:53 UNRAIDSERVER sshd[5689]: Failed password for root from 113.22.62.255 port 51291 ssh2

May  3 10:02:56 UNRAIDSERVER sshd[5689]: Connection reset by 113.22.62.255 [preauth]

May  3 10:08:15 UNRAIDSERVER sshd[6348]: Did not receive identification string from 222.255.174.32

May  3 10:08:16 UNRAIDSERVER sshd[6351]: fatal: Unable to negotiate with 222.255.174.32: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)

May  3 10:14:57 UNRAIDSERVER in.telnetd[7162]: connect from 95.38.145.56 (95.38.145.56) (Routine)

Link to comment
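Added example, not part of any post in this thread: a small triage script for sshd syslog lines in the format posted above. It counts failed password attempts per source IP (the kind of threshold a tool such as the fail2ban mentioned earlier acts on) and lists "Accepted" lines separately, since those record a login that sshd granted and should be reviewed before the failures; method "none" means no credential was required. The function name `triage`, the threshold of 3 and the choice of sample lines are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: lines copied from the syslog excerpts posted in this thread.
SAMPLE = """\
Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Failed none for invalid user administrator from 212.129.8.144 port 50339 ssh2
Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Failed password for invalid user administrator from 212.129.8.144 port 50339 ssh2
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Failed password for invalid user admin from 212.129.8.144 port 50571 ssh2
Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Failed password for invalid user Bedford from 212.129.8.144 port 51496 ssh2
Apr 30 08:33:29 UNRAIDSERVER sshd[14299]: Accepted none for root from 116.109.136.190 port 50268 ssh2
Apr 30 08:49:15 UNRAIDSERVER sshd[16234]: Failed password for root from 202.126.93.18 port 9224 ssh2
Apr 30 09:16:53 UNRAIDSERVER emhttp: read_line: read_line: CR without LF (Other emhttp)
"""

# Matches sshd "Failed <method> for [invalid user] <user> from <ip> port N"
# and the corresponding "Accepted ..." form; \s+ copes with "May  3" dates.
AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def triage(text, threshold=3):
    """Summarise sshd auth lines: granted logins, failures per IP, ban candidates."""
    failures = Counter()   # ip -> number of failed credential attempts
    usernames = {}         # ip -> set of usernames tried
    accepted = []          # (timestamp, user, ip, method) for every granted login
    for line in text.splitlines():
        m = AUTH.match(line)
        if not m:
            continue       # not an sshd auth result (telnetd, emhttp, ...)
        if m["result"] == "Accepted":
            accepted.append((m["ts"], m["user"], m["ip"], m["method"]))
        elif m["method"] != "none":
            # "Failed none" is the client's initial method probe, logged just
            # before the real attempt; skipping it avoids double counting.
            failures[m["ip"]] += 1
            usernames.setdefault(m["ip"], set()).add(m["user"])
    candidates = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"accepted": accepted, "failures": dict(failures),
            "usernames": usernames, "ban_candidates": candidates}

if __name__ == "__main__":
    report = triage(SAMPLE)
    for ts, user, ip, method in report["accepted"]:
        print(f"GRANTED  {ts}  user={user} from={ip} method={method}")
    for ip in report["ban_candidates"]:
        tried = ", ".join(sorted(report["usernames"][ip]))
        print(f"NOISY    {ip}  failures={report['failures'][ip]} users={tried}")
```
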
