elbweb

"Hacking" attempt confusion - logs and port numbers


Hello! Recently I've had the Fix Common Problems plugin let me know about a hacking attempt. That's definitely what the logs imply. Looks like someone was attempting to connect via a bunch of standard / known users and passwords (this was repeated over two days, and 100s of times a day with similar information):

Jan 9 02:22:03 Tower sshd[1979]: Failed password for mysql from 91.xxx.x.x port 56816 ssh2
Jan 9 02:22:03 Tower sshd[1979]: Connection closed by authenticating user mysql 91.xxx.x.x port 56816 [preauth]
Jan 9 04:43:27 Tower sshd[130858]: Invalid user nginx from 91.xxx.x.x port 52020
Jan 9 04:43:27 Tower sshd[130858]: error: Could not get shadow information for NOUSER
Jan 9 04:43:27 Tower sshd[130858]: Failed password for invalid user nginx from 91.xxx.x.x port 52020 ssh2
Jan 9 04:43:27 Tower sshd[130858]: Connection closed by invalid user nginx 91.xxx.x.x port 52020 [preauth]

The part that I don't understand is the ports, and what this log really means. My server is exposed to the internet, but only on a non-standard port that is forwarded to SSH, and port 80 (redirected to 443)/443. One of the port 443 redirects goes to the Unraid web portal, but hidden behind an NGINX auth - on top of the Unraid auth itself.

So, my question - how was a login attempt made for these different ports? Beyond taking the access that I have down, what else should I be doing to limit this?

 

Thanks!

 

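Added example, not part of the original post: a short Python summary of sshd log lines in the format quoted above, grouping failed password attempts by source address. In these lines the number after `port` is the source port chosen by the remote client for that connection, not a port listening on the server. The sample log is constructed (RFC 5737 documentation addresses) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same sshd format as the excerpt in the post
# (addresses are RFC 5737 documentation IPs, not values from the post).
SAMPLE_LOG = """\
Jan 9 02:22:03 Tower sshd[1979]: Failed password for mysql from 203.0.113.7 port 56816 ssh2
Jan 9 02:22:03 Tower sshd[1979]: Connection closed by authenticating user mysql 203.0.113.7 port 56816 [preauth]
Jan 9 04:43:27 Tower sshd[130858]: Invalid user nginx from 203.0.113.7 port 52020
Jan 9 04:43:27 Tower sshd[130858]: error: Could not get shadow information for NOUSER
Jan 9 04:43:27 Tower sshd[130858]: Failed password for invalid user nginx from 203.0.113.7 port 52020 ssh2
Jan 9 04:43:27 Tower sshd[130858]: Connection closed by invalid user nginx 203.0.113.7 port 52020 [preauth]
Jan 9 05:10:11 Tower sshd[140001]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Jan 9 06:00:00 Tower sshd[150002]: Accepted publickey for root from 192.0.2.10 port 50500 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def summarize_failures(log_text):
    """Group failed password attempts by source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "invalid_users": set(), "client_ports": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # "Invalid user" / "Connection closed" lines repeat the same attempt
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["invalid"]:  # account name does not exist on the server
            entry["invalid_users"].add(m["user"])
        # Source port picked by the remote client; it changes per connection.
        entry["client_ports"].add(int(m["port"]))
    return dict(stats)

def noisy_sources(stats, threshold=2):
    """Addresses with at least `threshold` failed attempts, busiest first."""
    hits = [(ip, s["attempts"]) for ip, s in stats.items() if s["attempts"] >= threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for ip, count in noisy_sources(summarize_failures(SAMPLE_LOG)):
        print(ip, count)
```
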

If you really need to access your server remotely, you should be using a VPN. Either OpenVPN or WireGuard.
