Chugalug
Posted April 20, 2020

Hi Everyone

I just looked in my logs and I am seeing a bunch of different IP addresses trying to gain access to my server, mainly from China looking up the IP addresses. What can I do about this, freaking out a little bit. Here is a small snippet of the log but there are a bunch of different ones trying to gain access. Thank you

Apr 20 09:05:28 Tower sshd[1077]: Invalid user dnsmasq from 62.210.125.29 port 57258
Apr 20 09:05:28 Tower sshd[1077]: error: Could not get shadow information for NOUSER
Apr 20 09:05:28 Tower sshd[1077]: Failed password for invalid user dnsmasq from 62.210.125.29 port 57258 ssh2
Apr 20 09:05:29 Tower sshd[1077]: Received disconnect from 62.210.125.29 port 57258:11: Bye Bye [preauth]
Apr 20 09:05:29 Tower sshd[1077]: Disconnected from invalid user dnsmasq 62.210.125.29 port 57258 [preauth]
Apr 20 09:05:36 Tower sshd[1269]: Failed password for root from 206.189.229.112 port 50756 ssh2
Apr 20 09:05:36 Tower sshd[1269]: Received disconnect from 206.189.229.112 port 50756:11: Bye Bye [preauth]
Apr 20 09:05:36 Tower sshd[1269]: Disconnected from authenticating user root 206.189.229.112 port 50756 [preauth]
Apr 20 09:05:49 Tower sshd[2154]: Failed password for root from 49.88.112.71 port 37939 ssh2
Apr 20 09:05:49 Tower sshd[2154]: Failed password for root from 49.88.112.71 port 37939 ssh2
Apr 20 09:05:50 Tower sshd[2154]: Failed password for root from 49.88.112.71 port 37939 ssh2
Apr 20 09:05:50 Tower sshd[2154]: Received disconnect from 49.88.112.71 port 37939:11: [preauth]
Apr 20 09:05:50 Tower sshd[2154]: Disconnected from authenticating user root 49.88.112.71 port 37939 [preauth]
Apr 20 09:06:32 Tower sshd[2767]: Invalid user rt from 159.138.65.33 port 38316
Apr 20 09:06:32 Tower sshd[2767]: error: Could not get shadow information for NOUSER
Apr 20 09:06:32 Tower sshd[2767]: Failed password for invalid user rt from 159.138.65.33 port 38316 ssh2
Apr 20 09:06:33 Tower sshd[2767]: Received disconnect from 159.138.65.33 port 38316:11: Bye Bye [preauth]
Apr 20 09:06:33 Tower sshd[2767]: Disconnected from invalid user rt 159.138.65.33 port 38316 [preauth]
Apr 20 09:06:54 Tower sshd[3124]: Accepted none for adm from 62.112.11.88 port 49806 ssh2

Hoopster
Posted April 20, 2020

Looks like you may have opened up ssh and other ports on your server directly to the Internet. Many do that thinking it's what they need to do to gain access to their own server remotely. There are much better ways to do that than opening ports to the Internet. All that does is open the door for the bad guys.

Close any ports you have opened on your server. Use WireGuard (built in to unRAID) or a VPN, such as the OpenVPN-AS docker container, instead.

Chugalug
Posted April 20, 2020

It appears I did have SSH open so I have closed it and those have stopped now. Thank you so much!!!!
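
Added example, not part of any post in this thread: a small Python triage over sshd lines like those in the first post, counting failed attempts per source address and listing every `Accepted` line separately, because that is the line sshd writes when a login succeeds. The function name `triage`, the threshold of 3 and the result layout are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: lines taken from the log in the first post of this thread.
SAMPLE_LOG = """\
Apr 20 09:05:28 Tower sshd[1077]: Invalid user dnsmasq from 62.210.125.29 port 57258
Apr 20 09:05:28 Tower sshd[1077]: Failed password for invalid user dnsmasq from 62.210.125.29 port 57258 ssh2
Apr 20 09:05:36 Tower sshd[1269]: Failed password for root from 206.189.229.112 port 50756 ssh2
Apr 20 09:05:49 Tower sshd[2154]: Failed password for root from 49.88.112.71 port 37939 ssh2
Apr 20 09:05:49 Tower sshd[2154]: Failed password for root from 49.88.112.71 port 37939 ssh2
Apr 20 09:05:50 Tower sshd[2154]: Failed password for root from 49.88.112.71 port 37939 ssh2
Apr 20 09:06:32 Tower sshd[2767]: Failed password for invalid user rt from 159.138.65.33 port 38316 ssh2
Apr 20 09:06:54 Tower sshd[3124]: Accepted none for adm from 62.112.11.88 port 49806 ssh2
"""

# The user name is attacker-controlled text, so it is matched greedily: the
# LAST " from " on the line is the one sshd wrote before the peer address.
FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (.*) from (\S+) port \d+ ssh2")

def triage(log_text, threshold=3):
    """Summarise sshd auth lines: failures per address, and every accepted login."""
    failures = Counter()      # source address -> failed attempts
    invalid_users = set()     # names tried that do not exist on the host
    accepted = []             # logins that succeeded; each one needs review
    for line in log_text.splitlines():
        line = line.rstrip()
        m = FAILED.search(line)
        if m:
            failures[m.group(4)] += 1
            if m.group(2):
                invalid_users.add(m.group(3))
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"user": user, "ip": ip, "method": method,
                             "failures_before": failures[ip]})
    return {
        "failures": dict(failures),
        "noisy": sorted(ip for ip, n in failures.items() if n >= threshold),
        "invalid_users": sorted(invalid_users),
        "accepted": accepted,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the only address at the threshold is 49.88.112.71, and the one accepted entry is `adm` with method `none` from an address that has no earlier failures in the excerpt.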