Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

"Hacking" attempt confusion - logs and port numbers

Featured Replies

Hello! Recently I've had Fix Common Problems plugin let me know about a hacking attempt. That's definitely what the logs imply. Looks like someone was attempting to connect via a bunch of standard / known users and passwords (this was repeated over two days, and 100's of times a day with similar information):

 

Jan 9 02:22:03 Tower sshd[1979]: Failed password for mysql from 91.xxx.x.x port 56816 ssh2

Jan 9 02:22:03 Tower sshd[1979]: Connection closed by authenticating user mysql 91.xxx.x.x port 56816 [preauth]

Jan 9 04:43:27 Tower sshd[130858]: Invalid user nginx from 91.xxx.x.x port 52020

Jan 9 04:43:27 Tower sshd[130858]: error: Could not get shadow information for NOUSER

Jan 9 04:43:27 Tower sshd[130858]: Failed password for invalid user nginx from 91.xxx.x.x port 52020 ssh2

Jan 9 04:43:27 Tower sshd[130858]: Connection closed by invalid user nginx 91.xxx.x.x port 52020 [preauth]

 

The part that I don't understand is the ports, and what this log really means. My server is exposed to the internet, but only on a non-standard port that is forwarded to SSH, and port 80 (redirected to 443)/443. One of the port 443 redirects goes to the unraid web portal, but hidden behind an NGINX auth - on top of the unraid auth itself.

 

So, my question - how was a login attempt made for these different ports? Beyond taking the access that I have down, what else should I be doing to limit this?

 

Thanks!

 

If you really need to access your server remotely, you should be using a VPN.  Either openVPN or wireguard.

  • 2 years later...

I know it's an older thread but essentially, changing the port number of your SSH isn't doing much in terms of security. It just makes it a tiny bit harder to determine the right port. You do discourage very simple attacks that scan very broadly and don't bother with alternate ports but changing the default port does nothing for targeted attacks and also not much for more sophisticated, automated attacks, once an attacker figures out your true ssh port, you will get brute-forced just like normal.

If you are still looking for a very simple and elegant solution for remote ssh access, give Tailscale a try. It's FOSS, based on WireGuard, doesn't require port forwarding and has clients for basically all platforms under the sun.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.