sonicyouth Posted January 16, 2020 Hi guys, Need some help - Fix Common Problems has notified me of hacking attempts on two different days (roughly a week apart) - 348 attempts on each day. I have a bunch of ports forwarded (letsencrypt, openvpn, plex, organizr etc.) and also a reverse proxy. 22 is closed. The log for the relevant days is full of similar lines to the below:

Quote
Jan 3 08:38:49 MediaCentre sshd[25296]: Invalid user from 192.168.101.1 port 46341
Jan 3 08:38:49 MediaCentre sshd[25296]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25296]: Failed none for invalid user from 192.168.101.1 port 46341 ssh2
Jan 3 08:38:49 MediaCentre sshd[25296]: Failed password for invalid user from 192.168.101.1 port 46341 ssh2
Jan 3 08:38:49 MediaCentre sshd[25296]: Connection closed by invalid user 192.168.101.1 port 46341 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25300]: Invalid user from 192.168.101.1 port 46345
Jan 3 08:38:49 MediaCentre sshd[25300]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25300]: Failed none for invalid user from 192.168.101.1 port 46345 ssh2
Jan 3 08:38:49 MediaCentre sshd[25300]: Failed password for invalid user from 192.168.101.1 port 46345 ssh2
Jan 3 08:38:49 MediaCentre sshd[25301]: Invalid user from 192.168.101.1 port 46346
Jan 3 08:38:49 MediaCentre sshd[25301]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25301]: Failed none for invalid user from 192.168.101.1 port 46346 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Invalid user from 192.168.101.1 port 46344
Jan 3 08:38:49 MediaCentre sshd[25299]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25302]: Invalid user from 192.168.101.1 port 46347
Jan 3 08:38:49 MediaCentre sshd[25302]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25301]: Failed password for invalid user from 192.168.101.1 port 46346 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Failed none for invalid user from 192.168.101.1 port 46344 ssh2
Jan 3 08:38:49 MediaCentre sshd[25302]: Failed none for invalid user from 192.168.101.1 port 46347 ssh2
Jan 3 08:38:49 MediaCentre sshd[25299]: Failed password for invalid user from 192.168.101.1 port 46344 ssh2
Jan 3 08:38:49 MediaCentre sshd[25302]: Failed password for invalid user from 192.168.101.1 port 46347 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Invalid user from 192.168.101.1 port 46343
Jan 3 08:38:49 MediaCentre sshd[25298]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25298]: Failed none for invalid user from 192.168.101.1 port 46343 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Failed password for invalid user from 192.168.101.1 port 46343 ssh2
Jan 3 08:38:49 MediaCentre sshd[25298]: Connection closed by invalid user 192.168.101.1 port 46343 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25299]: Connection closed by invalid user 192.168.101.1 port 46344 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25300]: Connection closed by invalid user 192.168.101.1 port 46345 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25302]: Connection closed by invalid user 192.168.101.1 port 46347 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25301]: Connection closed by invalid user 192.168.101.1 port 46346 [preauth]
Jan 3 08:38:49 MediaCentre sshd[25312]: Accepted none for root from 192.168.101.1 port 46351 ssh2
Jan 3 08:38:49 MediaCentre sshd[25310]: Invalid user pi from 192.168.101.1 port 46349
Jan 3 08:38:49 MediaCentre sshd[25310]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25310]: Failed none for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan 3 08:38:49 MediaCentre sshd[25310]: Failed password for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Invalid user from 192.168.101.1 port 46348
Jan 3 08:38:49 MediaCentre sshd[25308]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25308]: Failed none for invalid user from 192.168.101.1 port 46348 ssh2
Jan 3 08:38:49 MediaCentre sshd[25309]: Invalid user admin from 192.168.101.1 port 46350
Jan 3 08:38:49 MediaCentre sshd[25309]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25315]: Invalid user vagrant from 192.168.101.1 port 46352
Jan 3 08:38:49 MediaCentre sshd[25315]: error: Could not get shadow information for NOUSER
Jan 3 08:38:49 MediaCentre sshd[25309]: Failed none for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan 3 08:38:49 MediaCentre sshd[25315]: Failed none for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Failed password for invalid user from 192.168.101.1 port 46348 ssh2
Jan 3 08:38:49 MediaCentre sshd[25315]: Failed password for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan 3 08:38:49 MediaCentre sshd[25309]: Failed password for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan 3 08:38:49 MediaCentre sshd[25308]: Connection closed by invalid user 192.168.101.1 port 46348 [preauth]

Somewhat confused as none of these ports are forwarded so unsure how the attempts are even getting through to the unraid box. My router is a Netgear Orbi AC3000 - any ideas / similar experiences? Many thanks!
JonathanM Posted January 16, 2020 Sounds like you enabled DMZ for the router's IP. Ignore that.
Squid Posted January 16, 2020 Not a security kinda guy, but seems to me that since the originating IP address is your (presumably) router at 192.168.101.1, then the user in question first has gained access to your router (hopefully you did change the default password that they ship with), and is now launching attacks from within your router itself. Probably not a good situation to be in.
JonathanM Posted January 16, 2020 Ohhh, @Squid's reply just triggered a lightbulb. I think some of these routers have a security package installed that thinks it's helpful to try to break in to everything in your network, then report if it succeeded. Check if your router has that sort of security enabled.
Squid Posted January 16, 2020 1 minute ago, jonathanm said: "Ohhh, @Squid's reply just triggered a lightbulb. I think some of these routers have a security package installed that thinks it's helpful to try to break in to everything in your network, then report if it succeeded. Check if your router has that sort of security enabled." Huh. Yeah, I don't think so. Having a piece of electronic equipment that is your first line of defense against hackers, that is actually manufactured and programmed in China, actively trying to hack my network, and by its very nature also has the ability to transmit its results anywhere in the world.
JonathanM Posted January 16, 2020 9 minutes ago, Squid said: "Huh. Yeah, I don't think so. Having a piece of electronic equipment that is your first line of defense against hackers, that is actually manufactured and programmed in China, actively trying to hack my network, and by its very nature also has the ability to transmit its results anywhere in the world." https://www.netgear.com/landings/armor/
JonathanM Posted January 16, 2020 @Squid, would it be productive to parse the failed logins and, if they all originate from the gateway IP, warn that the user may have a router-level "security" package that is causing it? Or maybe quantify the number of unique IPs with failed logins? If below arbitrary number X, general internet exposure unlikely?
Squid Posted January 16, 2020 2 minutes ago, jonathanm said: "@Squid, would it be productive to parse the failed logins and, if they all originate from the gateway IP, warn that the user may have a router-level "security" package that is causing it? Or maybe quantify the number of unique IPs with failed logins? If below arbitrary number X, general internet exposure unlikely?" You can set the number of invalid per day allowed. (Default is 10.) IMO, to ignore say an attempt from anything on the local network is a mistake even if it's the router, as the originating IP could itself be compromised.
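The two posts above sketch a check: parse the sshd failures, count them per day against an allowed limit (default 10), count how many distinct source IPs they come from, and flag the case where every failure originates from the gateway address, without ignoring it, since the router itself could be compromised. The script below is an added illustration of that logic and is not code from the Fix Common Problems plugin or from anyone in this thread. It assumes stock syslog-style sshd lines like the ones quoted in the first post; the sample lines, the gateway address and the 203.0.113.x / 198.51.100.x sources are constructed for the example. It also surfaces any "Accepted" line in the same log, because the quoted excerpt contains one and a successful login from the same source deserves a look regardless of how the failures are classified.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the sshd excerpt quoted in the thread
# (not copied from the original log; 203.0.113.7 and 198.51.100.23 are documentation addresses).
SAMPLE_LOG = """\
Jan  3 08:38:49 MediaCentre sshd[25296]: Invalid user from 192.168.101.1 port 46341
Jan  3 08:38:49 MediaCentre sshd[25296]: Failed none for invalid user from 192.168.101.1 port 46341 ssh2
Jan  3 08:38:49 MediaCentre sshd[25296]: Failed password for invalid user from 192.168.101.1 port 46341 ssh2
Jan  3 08:38:49 MediaCentre sshd[25310]: Failed password for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan  3 08:38:49 MediaCentre sshd[25312]: Accepted none for root from 192.168.101.1 port 46351 ssh2
Jan  3 08:38:49 MediaCentre sshd[25315]: Failed password for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan 10 08:40:02 MediaCentre sshd[31001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 08:40:05 MediaCentre sshd[31002]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 08:41:17 MediaCentre sshd[31010]: Failed password for root from 198.51.100.23 port 40002 ssh2
"""

# syslog prefix: "Mon dd hh:mm:ss host sshd[pid]: message"
PREFIX_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# "Failed password for invalid user pi from 1.2.3.4 port 46349 ssh2"; the user name may be empty,
# as in the quoted log, so the user group is optional.
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+ )?from (?P<ip>[\d.]+) port \d+"
)
# "Accepted none for root from 1.2.3.4 port 46351 ssh2"
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def analyze(log_text, gateway_ip, per_day_limit=10):
    """Group sshd failures by day and source IP; return per-day stats plus any accepted logins."""
    failures = defaultdict(Counter)   # "Jan 3" -> Counter({source ip: failure count})
    accepted = []                     # (day, user, method, source ip)
    for line in log_text.splitlines():
        p = PREFIX_RE.match(line)
        if not p:
            continue                  # not an sshd line in the expected shape
        day = f"{p['month']} {int(p['day'])}"
        f = FAILED_RE.match(p["msg"])
        if f:
            failures[day][f["ip"]] += 1
            continue
        a = ACCEPTED_RE.match(p["msg"])
        if a:
            accepted.append((day, a["user"], a["method"], a["ip"]))

    days = {}
    for day, by_ip in failures.items():
        total = sum(by_ip.values())
        sources = set(by_ip)
        all_from_gateway = sources == {gateway_ip}
        days[day] = {
            "failures": total,
            "unique_ips": len(sources),
            # gateway-sourced failures still count toward the limit; they are annotated, not ignored
            "over_limit": total > per_day_limit,
            "all_from_gateway": all_from_gateway,
            "hint": ("every failure came from the gateway; check for a router-side security "
                     "scanner, but the router itself could be compromised"
                     if all_from_gateway
                     else f"failures from {len(sources)} distinct source(s)"),
        }
    return {"days": days, "accepted": accepted}


if __name__ == "__main__":
    # a low limit for the constructed sample; the plugin default mentioned above is 10
    report = analyze(SAMPLE_LOG, gateway_ip="192.168.101.1", per_day_limit=3)
    for day, s in report["days"].items():
        print(f"{day}: {s['failures']} failures from {s['unique_ips']} IP(s); "
              f"over limit: {s['over_limit']}; {s['hint']}")
    for day, user, method, ip in report["accepted"]:
        print(f"{day}: ACCEPTED login for {user} via {method!r} from {ip}; verify this was expected")
```

Run against a real syslog, the gateway argument is whatever address the router holds on the LAN; the per-day limit mirrors the plugin setting Squid mentions, and the "all from gateway" annotation is informational only, so a burst from the router still trips the limit.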
ijuarez Posted January 16, 2020 @sonicyouth Did you change the default port from 22 to 46352, and do you recognize the user vagrant?
Stan464 Posted January 22, 2020 Sounds like a breach, or a bad port forward. As someone else mentioned, sounds like someone is/has run a Shell _ SSH Bruteforcer script from your Router... I'd recommend checking if "External Access" is Disabled and maybe consider a Hard Reset. I would recommend making sure the Router you are using is not on a known list of Exploits (Current/Working exploits).
sonicyouth (Author) Posted January 26, 2020 192.168.101.1 is indeed my router. Since this I've had two identical episodes again, exactly a week apart. I've now disabled ssh entirely on my Unraid box. I also checked and my Orbi already had Netgear's Armor product installed and didn't seem to have identified any of these events. I've seen a couple of other people on the forums with similar problems, but no one seems to have figured out the issue, very confused... In any case I will probably try a hard reset of the router and see if that solves the issue. Thanks for the help so far all.
BRiT Posted January 26, 2020 Update the firmware on your router and change your Netgear and router username and password. They (Netgear) have been hacked multiple times, so anyone using the cloud features on their firmware is at severe risk.
JonathanM Posted January 26, 2020 1 hour ago, sonicyouth said: "my Orbi already had Netgear's Armor product installed" There's your answer. The Armor security suite is actively checking your network for vulnerabilities. Disable the Armor and the log entries will stop. I tried to tell you that earlier in this thread.
sonicyouth (Author) Posted January 28, 2020 Ah OK, sorry - I thought you were suggesting that I install it! Many thanks...
furtive Posted February 1, 2021 Glad I found this thread. I had exactly the same issue, and have recently enabled Armor on my Orbi. I'll disable it again now.