"Hacking" attempt confusion - logs and port numbers


elbweb


Hello! Recently I've had the Fix Common Problems plugin let me know about a hacking attempt. That's definitely what the logs imply. It looks like someone was attempting to connect with a bunch of standard / known users and passwords (this was repeated over two days, hundreds of times a day, with similar information):

Jan 9 02:22:03 Tower sshd[1979]: Failed password for mysql from 91.xxx.x.x port 56816 ssh2
Jan 9 02:22:03 Tower sshd[1979]: Connection closed by authenticating user mysql 91.xxx.x.x port 56816 [preauth]
Jan 9 04:43:27 Tower sshd[130858]: Invalid user nginx from 91.xxx.x.x port 52020
Jan 9 04:43:27 Tower sshd[130858]: error: Could not get shadow information for NOUSER
Jan 9 04:43:27 Tower sshd[130858]: Failed password for invalid user nginx from 91.xxx.x.x port 52020 ssh2
Jan 9 04:43:27 Tower sshd[130858]: Connection closed by invalid user nginx 91.xxx.x.x port 52020 [preauth]

The part that I don't understand is the ports, and what this log really means. My server is exposed to the internet, but only on a non-standard port that is forwarded to SSH, and on ports 80 (redirected to 443) and 443. One of the port 443 redirects goes to the Unraid web portal, but hidden behind an NGINX auth, on top of the Unraid auth itself.

 

So, my question: how was a login attempt made on these different ports? Beyond taking down the access that I have, what else should I be doing to limit this?

 

Thanks!

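As an added example (not part of elbweb's post or any reply in the thread): a small Python parser for sshd lines in the format quoted above. It aggregates failed attempts per source address and makes the port question explicit: the number after `port` in these lines is the remote client's ephemeral source port, not a port on the server, so every line shown came in through the single forwarded SSH port. The sample lines are constructed to match the quoted format, using documentation address ranges instead of real hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sshd output quoted in the post.
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 9 02:22:03 Tower sshd[1979]: Failed password for mysql from 198.51.100.7 port 56816 ssh2
Jan 9 02:22:03 Tower sshd[1979]: Connection closed by authenticating user mysql 198.51.100.7 port 56816 [preauth]
Jan 9 04:43:27 Tower sshd[130858]: Invalid user nginx from 198.51.100.7 port 52020
Jan 9 04:43:27 Tower sshd[130858]: error: Could not get shadow information for NOUSER
Jan 9 04:43:27 Tower sshd[130858]: Failed password for invalid user nginx from 198.51.100.7 port 52020 ssh2
Jan 9 04:43:27 Tower sshd[130858]: Connection closed by invalid user nginx 198.51.100.7 port 52020 [preauth]
Jan 9 04:51:10 Tower sshd[130901]: Failed password for root from 203.0.113.9 port 40111 ssh2
Jan 9 04:51:12 Tower sshd[130901]: Failed password for root from 203.0.113.9 port 40111 ssh2
Jan 9 05:00:00 Tower sshd[130950]: Accepted publickey for admin from 192.0.2.5 port 50222 ssh2
"""

# "Failed password for [invalid user] USER from IP port PORT ssh2"
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_failed_logins(text):
    """Yield (pid, user, ip, source_port) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["pid"], m["user"], m["ip"], int(m["port"])


def summarize(text):
    """Aggregate failures per source IP: attempt count, usernames tried and the
    distinct client source ports seen. The port is the attacker's side of the
    TCP connection; the server-side port is never in these lines because all of
    them come from the one sshd listener."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "source_ports": set()})
    for _pid, user, ip, port in parse_failed_logins(text):
        s = summary[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["source_ports"].add(port)
    return dict(summary)


def brute_force_sources(text, threshold=2):
    """IPs with at least `threshold` failures: the signal fail2ban-style tools block on."""
    return sorted(ip for ip, s in summarize(text).items() if s["attempts"] >= threshold)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["attempts"], sorted(s["users"]), sorted(s["source_ports"]))
```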
  • 2 years later...

I know it's an older thread, but essentially, changing the port number of your SSH isn't doing much in terms of security. It just makes it a tiny bit harder to determine the right port. You do discourage very simple attacks that scan very broadly and don't bother with alternate ports, but changing the default port does nothing for targeted attacks and also not much for more sophisticated, automated attacks: once an attacker figures out your true SSH port, you will get brute-forced just like normal.

If you are still looking for a very simple and elegant solution for remote ssh access, give Tailscale a try. It's FOSS, based on WireGuard, doesn't require port forwarding and has clients for basically all platforms under the sun.
