mbc0 Posted April 30, 2016
Hi, I have absolutely thousands of login attempts (different IPs & usernames). Is this people trying to log in to my box? Is there a way of stopping this? Here is just a very small snippet of my syslog:

Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Failed none for invalid user administrator from 212.129.8.144 port 50339 ssh2
Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Failed password for invalid user administrator from 212.129.8.144 port 50339 ssh2
Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:05 UNRAIDSERVER sshd[13734]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Invalid user admin from 212.129.8.144
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: input_userauth_request: invalid user admin [preauth]
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Failed none for invalid user admin from 212.129.8.144 port 50571 ssh2
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Failed password for invalid user admin from 212.129.8.144 port 50571 ssh2
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:08 UNRAIDSERVER sshd[13744]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: Invalid user Bedford from 212.129.8.144
Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: input_userauth_request: invalid user Bedford [preauth]
Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:08 UNRAIDSERVER sshd[13750]: Failed none for invalid user Bedford from 212.129.8.144 port 51496 ssh2
Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Failed password for invalid user Bedford from 212.129.8.144 port 51496 ssh2
Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:09 UNRAIDSERVER sshd[13750]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: Invalid user support from 212.129.8.144
Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: input_userauth_request: invalid user support [preauth]
Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:09 UNRAIDSERVER sshd[13756]: Failed none for invalid user support from 212.129.8.144 port 52039 ssh2
Apr 30 08:29:10 UNRAIDSERVER sshd[13756]: Failed password for invalid user support from 212.129.8.144 port 52039 ssh2
Apr 30 08:29:10 UNRAIDSERVER sshd[13756]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:10 UNRAIDSERVER sshd[13756]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: Invalid user alex from 212.129.8.144
Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: input_userauth_request: invalid user alex [preauth]
Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:10 UNRAIDSERVER sshd[13762]: Failed none for invalid user alex from 212.129.8.144 port 52618 ssh2
Apr 30 08:29:11 UNRAIDSERVER sshd[13762]: Failed password for invalid user alex from 212.129.8.144 port 52618 ssh2
Apr 30 08:29:11 UNRAIDSERVER sshd[13762]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:11 UNRAIDSERVER sshd[13762]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Invalid user steve from 212.129.8.144
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: input_userauth_request: invalid user steve [preauth]
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Failed none for invalid user steve from 212.129.8.144 port 52965 ssh2
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Failed password for invalid user steve from 212.129.8.144 port 52965 ssh2
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:14 UNRAIDSERVER sshd[13772]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Invalid user admin from 212.129.8.144
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: input_userauth_request: invalid user admin [preauth]
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Failed none for invalid user admin from 212.129.8.144 port 53582 ssh2
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Failed password for invalid user admin from 212.129.8.144 port 53582 ssh2
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Received disconnect from 212.129.8.144: 11: Closed due to user request. [preauth]
Apr 30 08:29:15 UNRAIDSERVER sshd[13778]: Disconnected from 212.129.8.144 [preauth]
Apr 30 08:29:45 UNRAIDSERVER sshd[13845]: Did not receive identification string from 91.201.236.158
Apr 30 08:32:33 UNRAIDSERVER in.telnetd[14186]: connect from 211.36.150.53 (211.36.150.53) (Routine)
Apr 30 08:33:16 UNRAIDSERVER telnetd[14186]: ttloop: peer died: EOF (Logins)
Apr 30 08:33:28 UNRAIDSERVER sshd[14294]: Did not receive identification string from 116.109.136.190
Apr 30 08:33:29 UNRAIDSERVER sshd[14299]: Accepted none for root from 116.109.136.190 port 50268 ssh2
Apr 30 08:35:48 UNRAIDSERVER sshd[14586]: Did not receive identification string from 222.255.174.32
Apr 30 08:35:49 UNRAIDSERVER sshd[14591]: fatal: Unable to negotiate with 222.255.174.32: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)
Apr 30 08:39:46 UNRAIDSERVER sshd[15067]: Accepted none for root from 125.88.177.94 port 26703 ssh2
Apr 30 08:39:46 UNRAIDSERVER sshd[15067]: Received disconnect from 125.88.177.94: 11:
Apr 30 08:39:46 UNRAIDSERVER sshd[15067]: Disconnected from 125.88.177.94
Apr 30 08:41:06 UNRAIDSERVER sshd[15248]: Connection closed by 91.201.236.158 [preauth]
Apr 30 08:45:19 UNRAIDSERVER in.telnetd[15758]: connect from 101.18.32.100 (101.18.32.100) (Routine)
Apr 30 08:46:00 UNRAIDSERVER telnetd[15758]: ttloop: read: Connection reset by peer (Logins)
Apr 30 08:49:15 UNRAIDSERVER sshd[16234]: Failed password for root from 202.126.93.18 port 9224 ssh2
Apr 30 08:49:15 UNRAIDSERVER sshd[16234]: Connection closed by 202.126.93.18 [preauth]
Apr 30 08:53:05 UNRAIDSERVER sshd[16703]: Did not receive identification string from 51.174.39.167
Apr 30 08:54:25 UNRAIDSERVER sshd[16867]: Connection reset by 107.155.198.85 [preauth]
Apr 30 09:02:22 UNRAIDSERVER in.telnetd[17829]: connect from 220.132.155.121 (220.132.155.121) (Routine)
Apr 30 09:03:01 UNRAIDSERVER telnetd[17829]: ttloop: read: Connection reset by peer (Logins)
Apr 30 09:08:21 UNRAIDSERVER in.telnetd[18561]: connect from 124.107.175.18 (124.107.175.18) (Routine)
Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: Invalid user guest from 202.126.93.18
Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: input_userauth_request: invalid user guest [preauth]
Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: error: Could not get shadow information for NOUSER (Errors)
Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: Failed password for invalid user guest from 202.126.93.18 port 9224 ssh2
Apr 30 09:09:05 UNRAIDSERVER sshd[18646]: Connection closed by 202.126.93.18 [preauth]
Apr 30 09:12:26 UNRAIDSERVER sshd[19068]: Did not receive identification string from 222.255.174.32
Apr 30 09:12:27 UNRAIDSERVER sshd[19071]: fatal: Unable to negotiate with 222.255.174.32: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)
Apr 30 09:16:53 UNRAIDSERVER emhttp: read_line: read_line: CR without LF (Other emhttp)
Apr 30 09:18:03 UNRAIDSERVER sshd[19754]: Did not receive identification string from 222.255.174.31
Apr 30 09:18:05 UNRAIDSERVER sshd[19757]: fatal: Unable to negotiate with 222.255.174.31: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)
Apr 30 09:18:49 UNRAIDSERVER in.telnetd[19852]: connect from 223.93.147.99 (223.93.147.99) (Routine)
Apr 30 09:19:28 UNRAIDSERVER telnetd[19852]: ttloop: read: Connection reset by peer (Logins)
Apr 30 09:20:30 UNRAIDSERVER in.telnetd[20057]: connect from 221.193.179.227 (221.193.179.227) (Routine)
Apr 30 09:21:10 UNRAIDSERVER telnetd[20057]: ttloop: read: Connection reset by peer (Logins)
Apr 30 09:21:42 UNRAIDSERVER sshd[20200]: Failed password for root from 107.155.198.88 port 51444 ssh2
Apr 30 09:21:43 UNRAIDSERVER sshd[20200]: Received disconnect from 107.155.198.88: 11: User exit [preauth]
Apr 30 09:21:43 UNRAIDSERVER sshd[20200]: Disconnected from 107.155.198.88 [preauth]
Apr 30 09:28:55 UNRAIDSERVER sshd[21077]: Invalid user test from 202.126.93.18
Apr 30 09:28:55 UNRAIDSERVER sshd[21077]: input_userauth_request: invalid user test [preauth]
Apr 30 09:28:55 UNRAIDSERVER sshd[21077]: error: Could not get shadow information for NOUSER (Errors)
tdallen Posted April 30, 2016
What is your network configuration? Do you have your server exposed to the Internet?
mbc0 Posted April 30, 2016
Hi, yes I access the unRAID whilst out and about
John_M Posted April 30, 2016
If you do that you're putting it at risk. If you want to do it safely set up a VPN.
CHBMB Posted April 30, 2016
Set up a VPN. But first get your Unraid box secured...
tdallen Posted April 30, 2016
Yeah, sorry to be the bearers of bad news but the internet is not a safe place. What you're seeing is expected - you are being hacked. Worse, unRAID is not a hardened OS and it is not suitable for direct exposure on the Internet so you're really at risk. You need to get your server behind a firewall. After you've done that, consider implementing a VPN for your remote access.
Marco2G Posted April 30, 2016
Uhh these are SSH login attempts. It's a bruteforce attack. Where is the problem? You do have a sufficiently complex username with a sufficiently complex password that aren't dictionary words, yes? Let them try to log in. Who cares? And wasn't there a plugin that automatically sets the hosts on a blacklist for exactly this kind of behaviour? The question here isn't whether unRAID is hardened. If only port 22 is forwarded, the only question is whether the SSH server is secure.
hooger Posted April 30, 2016
> Yeah, sorry to be the bearers of bad news but the internet is not a safe place. What you're seeing is expected - you are being hacked. Worse, unRAID is not a hardened OS and it is not suitable for direct exposure on the Internet so you're really at risk. You need to get your server behind a firewall. After you've done that, consider implementing a VPN for your remote access.
He's not being hacked, this is very common if you expose port 22 (ssh) to the internet. It is an automated attack trying to get into the server, as long as you disable password (and root login) and use private/public keys he will be fine. I suppose you could implement fail2ban or other such programs out there to reduce the number of attempts. But this is a common occurrence these days, as long as your ssh server is sufficiently secure they can brute-force all they want. So just disable password login info here, and use private keys to login info here, and you'll be fine.
mbc0 Posted April 30, 2016
Thanks for all your input guys, I need to have a good look into making this as secure as possible.... I am using the ProFTPD Plugin and it is behind a DD-WRT Router so I should be able to work something out! Thanks again....
JonathanM Posted April 30, 2016
Unraid has a limited amount of space allocated for logging. There are various consequences of the log file getting filled up with garbage, none of them particularly helpful. I'd recommend not putting yourself in the position to be so easily attacked, even if you are sure they can't get in.
mbc0 Posted April 30, 2016
Thanks jonathanm, do you mean not putting myself in the position by not having my unRAID server connected to the outside world?
gundamguy Posted April 30, 2016
> He's not being hacked, this is very common if you expose port 22 (ssh) to the internet. It is an automated attack trying to get into the server, as long as you disable password (and root login) and use private/public keys he will be fine.
Interesting way to put it... he isn't being hacked, it's just that people (actually automated scripts) are trying to attack his system but... You are correct that you can make it harder for them to use automated systems to break into your server, but here is the most important point.... unRAID doesn't disable password login by default and doesn't use private public key log in by default... so the reason people say... don't do this is because we don't like to assume that they have done this... Not to mention that there are smarter safer ways to go about this.
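Added example, not part of any post in this thread and not unRAID's own tooling: a Python check of whether an sshd_config actually applies the settings hooger describes (no password login, no root login, keys only), which is the state gundamguy says cannot be assumed. It resolves keywords the way sshd does, where the first value read for a keyword wins, so a hardened line added below a weak one has no effect. The sample configurations are constructed, `Match` blocks and `Include` files are not evaluated, and the defaults assume a current OpenSSH release.

```python
import re

# Values sshd uses when a keyword is absent. Assumption: a current OpenSSH
# release; check sshd_config(5) for the version actually installed.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# What the advice in the thread asks for: no passwords, no root login, keys only.
WANTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

# Constructed sample: the hardened line is appended after a weak one.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
# added later, has no effect: sshd keeps the first value it reads
PasswordAuthentication no
"""
# Constructed sample: the same keywords set as the thread advises.
HARDENED = """\
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""


def effective_settings(config_text):
    """Resolve global sshd_config keywords the way sshd does: first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()      # keywords are case-insensitive
        if keyword == "match":          # conditional blocks are not evaluated here
            break
        if len(parts) == 2:
            seen.setdefault(keyword, parts[1].strip().strip('"'))
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def findings(config_text):
    """List every checked keyword whose effective value differs from WANTED."""
    effective = effective_settings(config_text)
    return [f"{k}={effective[k]} (want {WANTED[k]})"
            for k in WANTED if effective[k].lower() != WANTED[k]]


if __name__ == "__main__":
    print("weak:", findings(WEAK))
    print("hardened:", findings(HARDENED))
```

On the server itself, `sshd -T` prints the configuration sshd has actually resolved, including `Match` and `Include` handling that this sketch skips.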
CHBMB Posted April 30, 2016
> Thanks jonathanm, do you mean not putting myself in the position by not having my unRAID server connected to the outside world?
No, what we're saying is don't open the ports for FTP and SSH on your firewall. If you need to access your machine from outside your LAN then set up a VPN.
mbc0 Posted April 30, 2016
ok... thanks for the info, I will investigate VPN, if anyone has some novice pointers I would appreciate it! Cheers All
gundamguy Posted May 1, 2016
I would consider looking at the VPN plugin, I think it has good instructions.
mbc0 Posted May 3, 2016
Ok, so FTP disabled, rebooted, checked disabled but still loads of attempted logins? Help anyone please?

May 3 08:59:04 UNRAIDSERVER telnetd[30208]: ttloop: peer died: EOF (Logins)
May 3 09:12:13 UNRAIDSERVER sshd[31812]: Did not receive identification string from 222.255.174.31
May 3 09:12:14 UNRAIDSERVER sshd[31815]: fatal: Unable to negotiate with 222.255.174.31: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)
May 3 09:12:42 UNRAIDSERVER sshd[31871]: Failed password for root from 107.155.198.94 port 65482 ssh2
May 3 09:12:43 UNRAIDSERVER sshd[31871]: Received disconnect from 107.155.198.94: 11: User exit [preauth]
May 3 09:12:43 UNRAIDSERVER sshd[31871]: Disconnected from 107.155.198.94 [preauth]
May 3 09:28:51 UNRAIDSERVER sshd[1423]: Failed password for root from 113.22.62.255 port 64378 ssh2
May 3 09:28:57 UNRAIDSERVER sshd[1423]: Connection reset by 113.22.62.255 [preauth]
May 3 09:36:33 UNRAIDSERVER sshd[2382]: Connection closed by 122.144.196.177 [preauth]
May 3 09:37:08 UNRAIDSERVER sshd[2449]: Accepted none for root from 125.88.177.94 port 36655 ssh2
May 3 09:37:08 UNRAIDSERVER sshd[2449]: Received disconnect from 125.88.177.94: 11:
May 3 09:37:08 UNRAIDSERVER sshd[2449]: Disconnected from 125.88.177.94
May 3 09:37:56 UNRAIDSERVER sshd[2556]: Failed password for root from 107.155.198.80 port 51640 ssh2
May 3 09:37:58 UNRAIDSERVER sshd[2556]: Received disconnect from 107.155.198.80: 11: User exit [preauth]
May 3 09:37:58 UNRAIDSERVER sshd[2556]: Disconnected from 107.155.198.80 [preauth]
May 3 09:39:31 UNRAIDSERVER in.telnetd[2837]: connect from 60.184.101.43 (60.184.101.43) (Routine)
May 3 09:40:16 UNRAIDSERVER telnetd[2837]: ttloop: read: Connection reset by peer (Logins)
May 3 09:42:31 UNRAIDSERVER sshd[3206]: Did not receive identification string from 125.212.232.120
May 3 09:42:35 UNRAIDSERVER sshd[3209]: Invalid user ubnt from 125.212.232.120
May 3 09:42:35 UNRAIDSERVER sshd[3209]: input_userauth_request: invalid user ubnt [preauth]
May 3 09:42:35 UNRAIDSERVER sshd[3209]: error: Could not get shadow information for NOUSER (Errors)
May 3 09:42:35 UNRAIDSERVER sshd[3209]: Failed none for invalid user ubnt from 125.212.232.120 port 62364 ssh2
May 3 09:42:35 UNRAIDSERVER sshd[3209]: Failed password for invalid user ubnt from 125.212.232.120 port 62364 ssh2
May 3 09:42:36 UNRAIDSERVER sshd[3209]: error: Received disconnect from 125.212.232.120: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] (Errors)
May 3 09:42:36 UNRAIDSERVER sshd[3209]: Disconnected from 125.212.232.120 [preauth]
May 3 09:42:39 UNRAIDSERVER sshd[3221]: Invalid user admin from 125.212.232.120
May 3 09:42:39 UNRAIDSERVER sshd[3221]: input_userauth_request: invalid user admin [preauth]
May 3 09:42:39 UNRAIDSERVER sshd[3221]: error: Could not get shadow information for NOUSER (Errors)
May 3 09:42:39 UNRAIDSERVER sshd[3221]: Failed none for invalid user admin from 125.212.232.120 port 63071 ssh2
May 3 09:42:40 UNRAIDSERVER sshd[3221]: Failed password for invalid user admin from 125.212.232.120 port 63071 ssh2
May 3 09:42:40 UNRAIDSERVER sshd[3221]: error: Received disconnect from 125.212.232.120: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] (Errors)
May 3 09:42:40 UNRAIDSERVER sshd[3221]: Disconnected from 125.212.232.120 [preauth]
May 3 09:42:42 UNRAIDSERVER sshd[3233]: Accepted none for root from 125.212.232.120 port 63647 ssh2
May 3 09:55:53 UNRAIDSERVER in.telnetd[4850]: connect from 61.216.13.22 (61.216.13.22) (Routine)
May 3 09:56:00 UNRAIDSERVER telnetd[4850]: ttloop: peer died: EOF (Logins)
May 3 10:02:53 UNRAIDSERVER sshd[5689]: Failed password for root from 113.22.62.255 port 51291 ssh2
May 3 10:02:56 UNRAIDSERVER sshd[5689]: Connection reset by 113.22.62.255 [preauth]
May 3 10:08:15 UNRAIDSERVER sshd[6348]: Did not receive identification string from 222.255.174.32
May 3 10:08:16 UNRAIDSERVER sshd[6351]: fatal: Unable to negotiate with 222.255.174.32: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] (Drive related)
May 3 10:14:57 UNRAIDSERVER in.telnetd[7162]: connect from 95.38.145.56 (95.38.145.56) (Routine)
gubbgnutten Posted May 3, 2016
> Ok, so ftp disabled, rebooted, checked disabled but still loads of attempted logins? help anyone please?
Those are attempts to gain access through SSH and Telnet. You really should put the server behind a firewall without any ports forwarded to it from the Internet.
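Added example, not part of any post in this thread: a Python triage of sshd and telnetd syslog lines in the format posted above, separating failed guesses per source address from logins the server actually accepted; an `Accepted none for root` line means sshd granted a root session with no password or key, which is a different finding from the failed attempts around it. The sample log is constructed and uses RFC 5737 documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the same format as the syslog excerpts in this thread.
# Addresses are from the RFC 5737 documentation ranges, not from the posts.
SAMPLE_LOG = """\
Apr 30 08:29:05 HOST sshd[100]: Invalid user administrator from 203.0.113.10
Apr 30 08:29:05 HOST sshd[100]: Failed none for invalid user administrator from 203.0.113.10 port 50339 ssh2
Apr 30 08:29:05 HOST sshd[100]: Failed password for invalid user administrator from 203.0.113.10 port 50339 ssh2
Apr 30 08:29:08 HOST sshd[101]: Failed none for invalid user admin from 203.0.113.10 port 50571 ssh2
Apr 30 08:29:08 HOST sshd[101]: Failed password for invalid user admin from 203.0.113.10 port 50571 ssh2
Apr 30 08:32:33 HOST in.telnetd[102]: connect from 198.51.100.7 (198.51.100.7) (Routine)
Apr 30 08:33:29 HOST sshd[103]: Accepted none for root from 192.0.2.55 port 50268 ssh2
Apr 30 08:49:15 HOST sshd[104]: Failed password for root from 198.51.100.20 port 9224 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
TELNET = re.compile(r"in\.telnetd\[\d+\]: connect from (\S+)")


def triage(log_text):
    """Split sshd/telnetd syslog lines into failed guesses and accepted logins."""
    report = {"failed_by_ip": Counter(), "users_by_ip": {},
              "accepted": [], "telnet_by_ip": Counter()}
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            report["accepted"].append({"method": method, "user": user, "ip": ip})
        elif m := FAILED.search(line):
            method, user, ip = m.groups()
            report["users_by_ip"].setdefault(ip, set()).add(user)
            # "Failed none" is the client's opening request for the list of allowed
            # methods (RFC 4252 section 5.2), so only credential guesses are counted.
            if method != "none":
                report["failed_by_ip"][ip] += 1
        elif m := TELNET.search(line):
            report["telnet_by_ip"][m.group(1)] += 1
    return report


def logins_without_credentials(report):
    """Sessions sshd accepted with method "none": no password or key was checked."""
    return [a for a in report["accepted"] if a["method"] == "none"]


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for ip, n in r["failed_by_ip"].most_common():
        print(f"{ip}: {n} failed guesses, usernames tried: {sorted(r['users_by_ip'][ip])}")
    for ip, n in r["telnet_by_ip"].items():
        print(f"{ip}: {n} telnet connection(s)")
    for a in logins_without_credentials(r):
        print(f"ALERT: {a['user']} logged in from {a['ip']} with no authentication")
```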
mbc0 Posted May 3, 2016
Thank you, I forgot to close off the router! Done now...