January 16, 2020

Hi guys,

Need some help - Fix Common Problems has notified me of hacking attempts on two different days (roughly a week apart) - 348 attempts on each day. I have a bunch of ports forwarded (letsencrypt, openvpn, plex, organizr etc.) and also a reverse proxy. 22 is closed. The log for the relevant days is full of lines similar to the below:

Quote
Jan 3 08:38:49 MediaCentre sshd[25296]: Invalid user from 192.168.101.1 port 46341
Jan 3 08:38:49 MediaCentre sshd[25296]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25296]: Failed none for invalid user from 192.168.101.1 port 46341 ssh2
Jan 3 08:38:49 MediaCentre sshd[25296]: Failed password for invalid user from 192.168.101.1 port 46341 ssh2
Jan 3 08:38:49 MediaCentre sshd[25296]: Connection closed by invalid user 192.168.101.1 port 46341 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25300]: Invalid user from 192.168.101.1 port 46345
Jan 3 08:38:49 MediaCentre sshd[25300]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25300]: Failed none for invalid user from 192.168.101.1 port 46345 ssh2
Jan 3 08:38:49 MediaCentre sshd[25300]: Failed password for invalid user from 192.168.101.1 port 46345 ssh2
Jan 3 08:38:49 MediaCentre sshd[25301]: Invalid user from 192.168.101.1 port 46346
Jan 3 08:38:49 MediaCentre sshd[25301]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25301]: Failed none for invalid user from 192.168.101.1 port 46346 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Invalid user from 192.168.101.1 port 46344
Jan 3 08:38:49 MediaCentre sshd[25299]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25302]: Invalid user from 192.168.101.1 port 46347
Jan 3 08:38:49 MediaCentre sshd[25302]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25301]: Failed password for invalid user from 192.168.101.1 port 46346 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Failed none for invalid user from 192.168.101.1 port 46344 ssh2
Jan 3 08:38:49 MediaCentre sshd[25302]: Failed none for invalid user from 192.168.101.1 port 46347 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Failed password for invalid user from 192.168.101.1 port 46344 ssh2
Jan 3 08:38:49 MediaCentre sshd[25302]: Failed password for invalid user from 192.168.101.1 port 46347 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Invalid user from 192.168.101.1 port 46343
Jan 3 08:38:49 MediaCentre sshd[25298]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25298]: Failed none for invalid user from 192.168.101.1 port 46343 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Failed password for invalid user from 192.168.101.1 port 46343 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Connection closed by invalid user 192.168.101.1 port 46343 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25299]: Connection closed by invalid user 192.168.101.1 port 46344 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25300]: Connection closed by invalid user 192.168.101.1 port 46345 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25302]: Connection closed by invalid user 192.168.101.1 port 46347 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25301]: Connection closed by invalid user 192.168.101.1 port 46346 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25312]: Accepted none for root from 192.168.101.1 port 46351 ssh2
Jan 3 08:38:49 MediaCentre sshd[25310]: Invalid user pi from 192.168.101.1 port 46349
Jan 3 08:38:49 MediaCentre sshd[25310]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25310]: Failed none for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan 3 08:38:49 MediaCentre sshd[25310]: Failed password for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Invalid user from 192.168.101.1 port 46348
Jan 3 08:38:49 MediaCentre sshd[25308]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25308]: Failed none for invalid user from 192.168.101.1 port 46348 ssh2
Jan 3 08:38:49 MediaCentre sshd[25309]: Invalid user admin from 192.168.101.1 port 46350
Jan 3 08:38:49 MediaCentre sshd[25309]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25315]: Invalid user vagrant from 192.168.101.1 port 46352
Jan 3 08:38:49 MediaCentre sshd[25315]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25309]: Failed none for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan 3 08:38:49 MediaCentre sshd[25315]: Failed none for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Failed password for invalid user from 192.168.101.1 port 46348 ssh2
Jan 3 08:38:49 MediaCentre sshd[25315]: Failed password for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan 3 08:38:49 MediaCentre sshd[25309]: Failed password for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Connection closed by invalid user 192.168.101.1 port 46348 [preauth]

Somewhat confused, as none of these ports are forwarded, so unsure how the attempts are even getting through to the Unraid box. My router is a Netgear Orbi AC3000 - any ideas / similar experiences? Many thanks!
January 16, 2020

Not a security kinda guy, but it seems to me that since the originating IP address is (presumably) your router at 192.168.101.1, the user in question has first gained access to your router (hopefully you did change the default password that they ship with) and is now launching attacks from within your router itself. Probably not a good situation to be in.
January 16, 2020

Ohhh, @Squid's reply just triggered a lightbulb. I think some of these routers have a security package installed that thinks it's helpful to try to break in to everything in your network, then report if it succeeded. Check if your router has that sort of security enabled.
January 16, 2020

1 minute ago, jonathanm said:
Ohhh, @Squid's reply just triggered a lightbulb. I think some of these routers have a security package installed that thinks it's helpful to try to break in to everything in your network, then report if it succeeded. Check if your router has that sort of security enabled.

Huh. Yeah, I don't think so. Having a piece of electronic equipment that is your first line of defense against hackers, that is actually manufactured and programmed in China, actively trying to hack my network, and by its very nature also having the ability to transmit its results anywhere in the world.
January 16, 2020

9 minutes ago, Squid said:
Huh. Yeah, I don't think so. Having a piece of electronic equipment that is your first line of defense against hackers, that is actually manufactured and programmed in China, actively trying to hack my network, and by its very nature also having the ability to transmit its results anywhere in the world.

https://www.netgear.com/landings/armor/
January 16, 2020

@Squid, would it be productive to parse the failed logins and, if they all originate from the gateway IP, warn that the user may have a router-level "security" package that is causing it? Or maybe quantify the number of unique IPs with failed logins? If below some arbitrary number X, general internet exposure is unlikely?
January 16, 2020

2 minutes ago, jonathanm said:
@Squid, would it be productive to parse the failed logins and, if they all originate from the gateway IP, warn that the user may have a router-level "security" package that is causing it? Or maybe quantify the number of unique IPs with failed logins? If below some arbitrary number X, general internet exposure is unlikely?

You can set the number of invalid logins per day allowed (default is 10). IMO, to ignore an attempt from anything on the local network is a mistake, even if it's the router, as the originating IP could itself be compromised.
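An added example, not code from the thread or from the Fix Common Problems plugin, that does what the two posts above discuss: parse the sshd lines, count failures per day against the plugin's default limit of 10, count distinct source addresses, and flag whether every source is the gateway. It also lists accepted logins, since the posted log contains one ("Accepted none for root") that a count of failures alone would never surface. The gateway address 192.168.101.1 is taken from the thread and the sample lines are copied from the posted log; how the plugin itself counts attempts is not known, so here one "Failed password" line counts as one attempt.

```python
"""Summarise sshd authentication events from syslog-style lines.

Added example, not code from the forum thread or from the Fix Common
Problems plugin. SAMPLE_LOG is copied from the log posted in the thread;
192.168.101.1 (the poster's router) and the per-day limit of 10 (the plugin
default quoted in the thread) are the only thread-specific values. How the
plugin counts attempts is not known: this counts one per "Failed password".
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Message forms present in the posted log. The username can be empty
# ("Failed password for invalid user from ..."), so it is an optional word.
_TS_RE = re.compile(r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d ")
_FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+ )?"
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
_ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class SshAuthSummary:
    failed_total: int = 0
    failed_by_ip: Counter = field(default_factory=Counter)
    failed_by_day: Counter = field(default_factory=Counter)
    usernames: Counter = field(default_factory=Counter)
    accepted: list = field(default_factory=list)  # (user, method, ip)
    unique_source_ips: int = 0
    all_from_gateway: bool = False
    over_threshold: bool = False


def summarize(lines, gateway, per_day_limit=10):
    """Answer the questions raised in the thread: failures per day, number of
    distinct sources, and whether every source is the gateway. Accepted
    logins are kept separately; a failure counter alone would miss them."""
    s = SshAuthSummary()
    for line in lines:
        m = _FAILED_RE.search(line)
        if m:
            s.failed_total += 1
            s.failed_by_ip[m["ip"]] += 1
            s.usernames[(m["user"] or "").strip()] += 1
            d = _TS_RE.match(line)
            s.failed_by_day[d["day"] if d else "?"] += 1
            continue
        m = _ACCEPTED_RE.search(line)
        if m:
            s.accepted.append((m["user"], m["method"], m["ip"]))
    sources = set(s.failed_by_ip) | {ip for _, _, ip in s.accepted}
    s.unique_source_ips = len(sources)
    s.all_from_gateway = bool(sources) and sources == {gateway}
    s.over_threshold = any(n > per_day_limit for n in s.failed_by_day.values())
    return s


# Lines copied from the log posted in the thread (a subset, all from one day).
SAMPLE_LOG = """\
Jan 3 08:38:49 MediaCentre sshd[25296]: Invalid user from 192.168.101.1 port 46341
Jan 3 08:38:49 MediaCentre sshd[25296]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25296]: Failed none for invalid user from 192.168.101.1 port 46341 ssh2
Jan 3 08:38:49 MediaCentre sshd[25296]: Failed password for invalid user from 192.168.101.1 port 46341 ssh2
Jan 3 08:38:49 MediaCentre sshd[25300]: Failed password for invalid user from 192.168.101.1 port 46345 ssh2
Jan 3 08:38:49 MediaCentre sshd[25301]: Failed password for invalid user from 192.168.101.1 port 46346 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Failed password for invalid user from 192.168.101.1 port 46344 ssh2
Jan 3 08:38:49 MediaCentre sshd[25302]: Failed password for invalid user from 192.168.101.1 port 46347 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Failed password for invalid user from 192.168.101.1 port 46343 ssh2
Jan 3 08:38:49 MediaCentre sshd[25312]: Accepted none for root from 192.168.101.1 port 46351 ssh2
Jan 3 08:38:49 MediaCentre sshd[25310]: Failed password for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Failed password for invalid user from 192.168.101.1 port 46348 ssh2
Jan 3 08:38:49 MediaCentre sshd[25315]: Failed password for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan 3 08:38:49 MediaCentre sshd[25309]: Failed password for invalid user admin from 192.168.101.1 port 46350 ssh2
"""


def summarize_sample(per_day_limit=10):
    return summarize(SAMPLE_LOG.splitlines(), "192.168.101.1", per_day_limit)


if __name__ == "__main__":
    r = summarize_sample()
    print(f"failed attempts: {r.failed_total}, by day: {dict(r.failed_by_day)}")
    print(f"unique sources: {r.unique_source_ips}, all from gateway: {r.all_from_gateway}")
    print(f"usernames tried: {dict(r.usernames)}")
    print(f"accepted logins: {r.accepted}")
    print(f"over per-day limit: {r.over_threshold}")
```

On the posted sample every failure comes from 192.168.101.1, which matches the "all from the gateway" pattern jonathanm describes, but the same run also reports an accepted "none" authentication for root from that address, which is the line a practitioner should look at first regardless of what produced the failures.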
January 16, 2020

@sonicyouth Did you change the default port from 22 to 46352, and do you recognize the user vagrant?
January 22, 2020

Sounds like a breach, or a bad port forward. As someone else mentioned, it sounds like someone is running / has run a shell SSH bruteforcer script from your router. I'd recommend checking that "External Access" is disabled, and maybe consider a hard reset. I would recommend making sure the router you are using is not on a known list of exploits (current/working exploits).
January 26, 2020 (Author)

192.168.101.1 is indeed my router. Since this I've had two identical episodes again, exactly a week apart. I've now disabled SSH entirely on my Unraid box. I also checked, and my Orbi already had Netgear's Armor product installed, and it didn't seem to have identified any of these events. I've seen a couple of other people on the forums with similar problems, but no one seems to have figured out the issue. Very confused... In any case I will probably try a hard reset of the router and see if that solves the issue. Thanks for the help so far, all.
January 26, 2020

Update the firmware on your router and change your Netgear and router username and password. They (Netgear) have been hacked multiple times, so anyone using the cloud features in their firmware is at severe risk.
January 26, 2020

1 hour ago, sonicyouth said:
my Orbi already had Netgear's Armor product installed

There's your answer. The Armor security suite is actively checking your network for vulnerabilities. Disable Armor and the log entries will stop. I tried to tell you that earlier in this thread.
January 28, 2020 (Author)

Ah OK, sorry - I thought you were suggesting that I install it! Many thanks...
February 1, 2021

Glad I found this thread. I had exactly the same issue, and had recently enabled Armour on my Orbi. I'll disable it again now.