Strange login attempts. Am I being attacked?



I still don't believe that an ISP would supply a router/modem that is allowing all these ports to be open.

 

They didn't.  They supplied a router that was easily hacked from the WAN side (there are plenty to choose from), and someone got into it, opened those ports, and forwarded them to IPs inside the LAN.

 

It stands to reason that, as a rule of thumb, no end user should trust the modem/router supplied by their ISP, or any retail modem/router for that matter. Even if no unknown adversary hacks the router, your ISP should be treated as a known adversary. One way to mitigate these threats is to deploy your own firewall box and configure it accordingly (e.g. with VPNs, etc.). As most users here have at least one unRAID box on their LAN, it would be prudent to learn about and deploy perimeter protection (a firewall) in order to reduce the likelihood of an intrusion and, by adding further firewall protections, to reduce DPI (deep packet inspection) by the ISP.

 

If I understand the OP's statement correctly, the fact that his unRAID logs contained adversarial intrusion attempts means his unRAID server was compromised to a lesser or greater degree, and I would err on the side of caution. Deploy a robust firewall (not the ISP's router firewall) first before exposing unRAID ports on the WAN; even this needs to be monitored.


your ISP should be treated as a known adversary.

I once had to give my ISP access to my modem (can't 100% remember why), and after they were done they started telling me that the admin passwords had to stay the exact same as what they set them to. 

 

Fine. OK. The minute they finished what they had to do, I changed the password to an ultra-hard password, then sat down and composed a very nasty email to them about that "policy".


One suggestion, if the ISP router is really annoying / hard to configure, is to set up your own router (like the pfSense box). Then make sure that the ISP router either bridges to your router or makes your router the DMZ. This will prevent double-NAT scenarios and give you back a significant amount of control. This is my setup, btw (DMZ), since it's a pain for the (only) ISP to provide replacements for their modem/router, which seems to drop connections after a while in bridge mode.


your ISP should be treated as a known adversary.

I once had to give my ISP access to my modem (can't 100% remember why), and after they were done they started telling me that the admin passwords had to stay the exact same as what they set them to. 

 

Fine. OK. The minute they finished what they had to do, I changed the password to an ultra-hard password, then sat down and composed a very nasty email to them about that "policy".

 

Yes, this is common with some ISPs. Sadly, people don't know the extent of their ISP's intentions, and some of these intentions are not for the user's benefit.

 

If the ISP has full access to modem/router:

 

1. Check whether they updated your firmware.

2. Is your modem one of those affected by port 32764 being open?

3. Did you check for other user accounts on the router?

4. Look for any opened ports exposed to the WAN side.

 

Some interesting info to read:

 

http://routersecurity.org/bugs.php

 

http://routersecurity.org/othersgripeonrouters.php

 

https://opensource.com/life/16/6/why-i-built-my-own-linux-router

 

 

 

This might be a good inexpensive hardware platform for you if you can get it at a reasonable price.

 

https://forum.pfsense.org/index.php?topic=114202.0

 

These appear to have the same hardware if you want to order directly from China.

http://www.aliexpress.com/wholesale?catId=0&initiative_id=SB_20160720115425&SearchText=QOTOM-Q190G4

 

These are very nice indeed. Not sure how capable they are of handling multiple VPN connections with pfSense, but that wouldn't matter if the OpenVPN Server plugin was installed on unRAID.

 

 


Hi, I just got this error of login attempts. I know I turned off port forwarding on my router for 22, as I OpenVPN to my remote-side computer... but the remote-side computer logged more than 2000 login attempts... can you tell what port it is hitting?

I have it behind a pfSense router, but I can't tell what to look for to block this??? Here is a copy of some of it and my diagnostic file. It just popped up today when I ran Fix Common Issues.

And my router isn't set up as DMZ, but is it acting like it then, I mean the router... but ya, I'm not sure. Any input would be great.

 

Apr 12 17:06:24 mitchsserver sshd[10628]: Did not receive identification string from 103.89.89.19 port 56742
Apr 12 17:06:25 mitchsserver sshd[10650]: Unable to negotiate with 103.89.89.19 port 56765: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10655]: Unable to negotiate with 103.89.89.19 port 56787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10656]: Unable to negotiate with 103.89.89.19 port 56803: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10657]: Unable to negotiate with 103.89.89.19 port 56820: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10677]: Unable to negotiate with 103.89.89.19 port 56849: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10679]: Unable to negotiate with 103.89.89.19 port 56868: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10681]: Unable to negotiate with 103.89.89.19 port 56886: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10683]: Unable to negotiate with 103.89.89.19 port 56899: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:27 mitchsserver sshd[10690]: Unable to negotiate with 103.89.89.19 port 56920: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:28 mitchsserver sshd[10710]: Unable to negotiate with 103.89.89.19 port 56939: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:29 mitchsserver sshd[10736]: Unable to negotiate with 103.89.89.19 port 56962: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:29 mitchsserver sshd[10737]: Unable to negotiate with 103.89.89.19 port 56978: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:29 mitchsserver sshd[10738]: Unable to negotiate with 103.89.89.19 port 56989: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:29 mitchsserver sshd[10739]: Unable to negotiate with 103.89.89.19 port 57003: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:29 mitchsserver sshd[10740]: Unable to negotiate with 103.89.89.19 port 57015: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:21:09 mitchsserver sshd[29175]: Received disconnect from 222.161.209.43 port 56296:11: Bye Bye [preauth]
Apr 12 17:21:09 mitchsserver sshd[29175]: Disconnected from 222.161.209.43 port 56296 [preauth]
Apr 12 17:44:54 mitchsserver sshd[26632]: Did not receive identification string from 103.89.89.19 port 61750
Apr 12 17:44:55 mitchsserver sshd[26654]: Unable to negotiate with 103.89.89.19 port 61757: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:56 mitchsserver sshd[26677]: Unable to negotiate with 103.89.89.19 port 61759: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:56 mitchsserver sshd[26678]: Unable to negotiate with 103.89.89.19 port 61761: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:56 mitchsserver sshd[26679]: Unable to negotiate with 103.89.89.19 port 61764: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:56 mitchsserver sshd[26682]: Unable to negotiate with 103.89.89.19 port 61769: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:56 mitchsserver sshd[26680]: Unable to negotiate with 103.89.89.19 port 61767: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26686]: Unable to negotiate with 103.89.89.19 port 61787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26684]: Unable to negotiate with 103.89.89.19 port 61774: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26687]: Unable to negotiate with 103.89.89.19 port 61786: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26685]: Unable to negotiate with 103.89.89.19 port 61776: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26691]: Unable to negotiate with 103.89.89.19 port 61794: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26692]: Unable to negotiate with 103.89.89.19 port 61796: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:57 mitchsserver sshd[26718]: Unable to negotiate with 103.89.89.19 port 61798: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:58 mitchsserver sshd[26725]: Unable to negotiate with 103.89.89.19 port 61806: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:44:58 mitchsserver sshd[26726]: Unable to negotiate with 103.89.89.19 port 61810: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:57:48 mitchsserver sshd[10496]: Received disconnect from 223.111.139.211 port 44290:11:  [preauth]
Apr 12 17:57:48 mitchsserver sshd[10496]: Disconnected from 223.111.139.211 port 44290 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10498]: Received disconnect from 223.111.139.247 port 57026:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10498]: Disconnected from 223.111.139.247 port 57026 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10504]: Received disconnect from 36.156.24.94 port 37762:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10504]: Disconnected from 36.156.24.94 port 37762 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10500]: Received disconnect from 223.111.139.211 port 44611:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10500]: Disconnected from 223.111.139.211 port 44611 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10502]: Received disconnect from 36.156.24.94 port 37592:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10502]: Disconnected from 36.156.24.94 port 37592 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10509]: Received disconnect from 223.68.10.247 port 38767:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10509]: Disconnected from 223.68.10.247 port 38767 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10511]: Received disconnect from 223.111.139.239 port 33860:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10511]: Disconnected from 223.111.139.239 port 33860 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10513]: Received disconnect from 223.111.139.244 port 45468:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10513]: Disconnected from 223.111.139.244 port 45468 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10515]: Received disconnect from 36.156.24.94 port 39178:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10515]: Disconnected from 36.156.24.94 port 39178 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10517]: Received disconnect from 223.111.139.210 port 44240:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10517]: Disconnected from 223.111.139.210 port 44240 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10519]: Received disconnect from 36.156.24.98 port 35873:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10519]: Disconnected from 36.156.24.98 port 35873 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10521]: Received disconnect from 223.111.139.239 port 36495:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10521]: Disconnected from 223.111.139.239 port 36495 [preauth]
Apr 12 17:57:50 mitchsserver sshd[10541]: Received disconnect from 119.249.54.236 port 40852:11:  [preauth]
Apr 12 17:57:50 mitchsserver sshd[10541]: Disconnected from 119.249.54.236 port 40852 [preauth]
Apr 12 17:57:50 mitchsserver sshd[10546]: Received disconnect from 223.68.10.247 port 43389:11:  [preauth]
Apr 12 17:57:50 mitchsserver sshd[10546]: Disconnected from 223.68.10.247 port 43389 [preauth]
Apr 12 17:57:50 mitchsserver sshd[10548]: Received disconnect from 36.156.24.99 port 55128:11:  [preauth]
Apr 12 17:57:50 mitchsserver sshd[10548]: Disconnected from 36.156.24.99 port 55128 [preauth]
Apr 12 17:57:50 mitchsserver sshd[10568]: Received disconnect from 36.156.24.98 port 38491:11:  [preauth]
Apr 12 17:57:50 mitchsserver sshd[10568]: Disconnected from 36.156.24.98 port 38491 [preauth]
Apr 12 17:57:51 mitchsserver sshd[10572]: Received disconnect from 223.111.139.211 port 50372:11:  [preauth]
Apr 12 17:57:51 mitchsserver sshd[10572]: Disconnected from 223.111.139.211 port 50372 [preauth]
Apr 12 17:57:51 mitchsserver sshd[10570]: Received disconnect from 223.111.139.211 port 50089:11:  [preauth]
Apr 12 17:57:51 mitchsserver sshd[10570]: Disconnected from 223.111.139.211 port 50089 [preauth]
Apr 12 17:57:51 mitchsserver sshd[10577]: Received disconnect from 122.226.181.166 port 42514:11:  [preauth]
Apr 12 17:57:51 mitchsserver sshd[10577]: Disconnected from 122.226.181.166 port 42514 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10622]: Received disconnect from 61.184.247.11 port 47516:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10622]: Disconnected from 61.184.247.11 port 47516 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10624]: Received disconnect from 223.111.139.210 port 56049:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10624]: Disconnected from 223.111.139.210 port 56049 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10602]: Received disconnect from 222.187.225.10 port 49449:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10602]: Disconnected from 222.187.225.10 port 49449 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10629]: Received disconnect from 122.226.181.166 port 55364:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10629]: Disconnected from 122.226.181.166 port 55364 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10631]: Received disconnect from 36.156.24.95 port 32787:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10631]: Disconnected from 36.156.24.95 port 32787 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10633]: Received disconnect from 223.111.139.244 port 33917:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10633]: Disconnected from 223.111.139.244 port 33917 [preauth]
Apr 12 17:57:53 mitchsserver sshd[10653]: Received disconnect from 36.156.24.99 port 46646:11:  [preauth]
Apr 12 17:57:53 mitchsserver sshd[10653]: Disconnected from 36.156.24.99 port 46646 [preauth]
Apr 12 17:57:54 mitchsserver sshd[10658]: Received disconnect from 36.156.24.99 port 48152:11:  [preauth]
Apr 12 17:57:54 mitchsserver sshd[10658]: Disconnected from 36.156.24.99 port 48152 [preauth]
Apr 12 17:57:54 mitchsserver sshd[10662]: Received disconnect from 61.184.247.11 port 53757:11:  [preauth]
Apr 12 17:57:54 mitchsserver sshd[10662]: Disconnected from 61.184.247.11 port 53757 [preauth]
Apr 12 17:57:54 mitchsserver sshd[10664]: Received disconnect from 36.156.24.95 port 35272:11:  [preauth]
Apr 12 17:57:54 mitchsserver sshd[10664]: Disconnected from 36.156.24.95 port 35272 [preauth]
Apr 12 17:57:54 mitchsserver sshd[10660]: Received disconnect from 222.187.225.10 port 54629:11:  [preauth]
Apr 12 17:57:54 mitchsserver sshd[10660]: Disconnected from 222.187.225.10 port 54629 [preauth]
Apr 12 17:57:56 mitchsserver sshd[10708]: Received disconnect from 115.238.245.2 port 49866:11:  [preauth]
Apr 12 17:57:56 mitchsserver sshd[10708]: Disconnected from 115.238.245.2 port 49866 [preauth]
Apr 12 17:57:57 mitchsserver sshd[10600]: Received disconnect from 115.238.245.2 port 39668:11:  [preauth]
Apr 12 17:57:57 mitchsserver sshd[10600]: Disconnected from 115.238.245.2 port 39668 [preauth]

 

mitchsserver-diagnostics-20190417-1351.zip

uu.JPG

Edited by comet424
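The log excerpt above already answers the "which port" question: every line is written by sshd, so the service being hit is SSH on whatever port this server's sshd listens on (22 by default). It also shows that none of these attempts got past the key exchange: the 103.89.89.19 client only offers the obsolete diffie-hellman-group1-sha1 and is refused, and the other sources disconnect "[preauth]", i.e. before authenticating. What a pfSense user wants from such a log is a per-source tally to decide which addresses to drop at the firewall. The following script is an added example written for this thread, not code from the original post or from unRAID/pfSense; it parses the sshd line format shown above, classifies each event, tallies them per source IP, and emits a block list above a chosen threshold. The sample input is a handful of lines copied from the post; the classification labels and the threshold value are the example's own choices.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the post above, in the same syslog
# format the server produces. Replace with the contents of your own log file.
SAMPLE_LOG = """\
Apr 12 17:06:24 mitchsserver sshd[10628]: Did not receive identification string from 103.89.89.19 port 56742
Apr 12 17:06:25 mitchsserver sshd[10650]: Unable to negotiate with 103.89.89.19 port 56765: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:06:26 mitchsserver sshd[10655]: Unable to negotiate with 103.89.89.19 port 56787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 17:21:09 mitchsserver sshd[29175]: Received disconnect from 222.161.209.43 port 56296:11: Bye Bye [preauth]
Apr 12 17:21:09 mitchsserver sshd[29175]: Disconnected from 222.161.209.43 port 56296 [preauth]
Apr 12 17:57:48 mitchsserver sshd[10496]: Received disconnect from 223.111.139.211 port 44290:11:  [preauth]
Apr 12 17:57:48 mitchsserver sshd[10496]: Disconnected from 223.111.139.211 port 44290 [preauth]
Apr 12 17:57:49 mitchsserver sshd[10500]: Received disconnect from 223.111.139.211 port 44611:11:  [preauth]
Apr 12 17:57:49 mitchsserver sshd[10500]: Disconnected from 223.111.139.211 port 44611 [preauth]
"""

# "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Source address and source port appear as "from A.B.C.D port N" or "with A.B.C.D port N".
SRC_RE = re.compile(r"(?:from|with) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")


def classify(msg):
    """Map an sshd message to an event kind (labels are this example's own)."""
    if msg.startswith("Did not receive identification string"):
        return "probe"  # TCP connect, then silence: a scanner checking whether the port answers
    if "no matching key exchange method" in msg:
        return "legacy_kex"  # client offered only obsolete DH group1; sshd refused, nothing got further
    if msg.startswith("Received disconnect") and "[preauth]" in msg:
        return "preauth_disconnect"  # client hung up before authenticating
    if msg.startswith("Disconnected from"):
        return None  # second line of the same event (same pid); skip so it is not counted twice
    return "other"


def parse(text):
    """Turn raw log text into a list of event dicts, one per counted sshd event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["msg"])
        if kind is None:
            continue
        s = SRC_RE.search(m["msg"])
        if not s:
            continue
        events.append({"ts": m["ts"], "pid": int(m["pid"]), "ip": s["ip"],
                       "sport": int(s["port"]), "kind": kind})
    return events


def summarize(events):
    """Per-source tally: count, event kinds seen, first and last timestamp."""
    per_ip = defaultdict(lambda: {"count": 0, "kinds": set(), "first": None, "last": None})
    for e in events:
        r = per_ip[e["ip"]]
        r["count"] += 1
        r["kinds"].add(e["kind"])
        r["first"] = r["first"] or e["ts"]
        r["last"] = e["ts"]
    return dict(per_ip)


def block_candidates(summary, threshold=3):
    """Sorted list of sources with at least `threshold` counted events (threshold is a constructed choice)."""
    return sorted(ip for ip, r in summary.items() if r["count"] >= threshold)


if __name__ == "__main__":
    summary = summarize(parse(SAMPLE_LOG))
    for ip, r in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} {r['count']:4}  {','.join(sorted(r['kinds'])):28} {r['first']} .. {r['last']}")
    print("block candidates:", block_candidates(summary))
```

Run it against the full syslog (for example by reading /var/log/syslog into `parse` instead of `SAMPLE_LOG`) and the output is a ranked list of source addresses. The addresses in the excerpt are Internet addresses, so if the pfSense box is truly the only thing between the WAN and this server, its rules are what to inspect: a WAN rule or NAT forward that lets the SSH port through would explain the traffic, and the resulting block list can be kept in a pfSense firewall alias and referenced from a single block rule rather than added one address at a time. Keeping the two-line sshd events as one count matters here; otherwise every preauth disconnect would be tallied twice and the threshold would be met early.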