Invalid WAN login attempts


Can someone help me diagnose what is going on... Either my server or network?

I had to reboot my server this AM, unrelated. After powering it on, Fix Common Problems tells me I have invalid login attempts, interesting. I check and see login attempts (SSH2) from WAN IPs on random ports. My network setup is Ubiquiti Unifi and I did NOT expose any of the ports that are shown in the log. I was not getting these login attempts before I restarted. I have only exposed ports for NGINX and Plex on my server.

I have been running some port scan checks (https://www.grc.com/default.htm) and I do not see anything unusual; it tells me it passed, mostly stealth.

I currently run the Unifi controller from my server which I now see is not ideal. I don't see any firewall rules that would allow these connections to make it to my server. Not really sure where to go from here. The GRC website is saying everything is good yet I am getting WAN side IP login attempts. I have shut down the server for now. 

Should I attempt to disable SSH?

unraid6-diagnostics-20200525-0759.zip

18 minutes ago, Squid said:

You sure you haven't got the server in your router's DMZ, and that the ports you've forwarded to nginx / plex are correct?  (And by nginx that you mean the docker container and NOT the webUI for unRaid)

Sorry, yes, NGINX being the Letsencrypt docker container for reverse proxy. It's been set up like this for a long time and I transitioned from an Edgerouter to a USG maybe two months ago. The ports are correct. I didn't see anything in the Unifi settings that show it was in a DMZ. I will have to see if it changed somehow, but in order to do so I have to boot my server up and turn on the docker for Unifi...

I'm thinking disable SSH so I can at least get up and running. 


So I thought I had this figured out but I don't. I had disabled password auth for SSH, which stays, but on reboots SSH becomes enabled again. It looked like my logs were ok, but checking back now it seems I have a bunch of disconnects from random IP/port combinations.

Here's the kicker: I switched my router back to my Edgerouter X... I don't have any DMZ set up and I didn't in the Unifi setup either... How can I narrow down why these IP/ports are/were making it to my server?

8 hours ago, Squid said:

Some unifi routers have an intrusion tester within them (although IIRC the IP addresses in your diagnostics didn't jive with that).  Disable that "feature", reboot the server and see if it continues.

I'm running my Edgerouter X now. Have been for 5 or so days. Since I disabled password authentication I haven't gotten any messages from the Fix Common Problems plugin, so I assumed it was ok, but when I just checked I was still seeing connection attempts like this:

Jun 1 06:06:18 unraid6 sshd[23926]: Received disconnect from 182.72.99.196 port 63456:11: Bye Bye [preauth]
Jun 1 06:06:18 unraid6 sshd[23926]: Disconnected from authenticating user root 182.72.99.196 port 63456 [preauth]

I just disabled SSH to keep it clear, but I am not sure what else to check. It's weird that I hadn't changed any network settings and I only started getting these connections when I rebooted the server. Any other ideas?
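As an added illustration (not part of the thread), a small script that pulls sshd preauth disconnect lines in the format quoted above out of a syslog extract and reports only those whose source address is outside the private/LAN ranges, which is the distinction the poster is trying to make. The first two sample lines are the ones quoted in the thread; the rest are constructed.

```python
import re
import ipaddress
from collections import Counter

# Sample syslog extract: the two lines quoted in the thread, plus two
# constructed lines (a second attempt from the same WAN address and a
# failed attempt from a LAN host) so the filter has something to separate.
SAMPLE_SYSLOG = """\
Jun 1 06:06:18 unraid6 sshd[23926]: Received disconnect from 182.72.99.196 port 63456:11: Bye Bye [preauth]
Jun 1 06:06:18 unraid6 sshd[23926]: Disconnected from authenticating user root 182.72.99.196 port 63456 [preauth]
Jun 1 06:07:02 unraid6 sshd[23940]: Disconnected from authenticating user admin 182.72.99.196 port 40210 [preauth]
Jun 1 06:08:11 unraid6 sshd[23955]: Disconnected from authenticating user root 192.168.1.20 port 51022 [preauth]
"""

# sshd's "Disconnected from authenticating user ..." line carries the
# username tried, the remote address and the remote port; [preauth] means
# the connection ended before any authentication succeeded.
PREAUTH_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from authenticating user (?P<user>\S+) "
    r"(?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) \[preauth\]"
)


def is_wan(ip_text):
    """True when the source is globally routable, i.e. not a LAN, loopback or link-local host."""
    return ipaddress.ip_address(ip_text).is_global


def wan_preauth_failures(syslog_text):
    """Return {ip: {"attempts": n, "users": Counter}} for preauth disconnects from WAN sources."""
    hits = {}
    for line in syslog_text.splitlines():
        m = PREAUTH_RE.search(line)
        if not m or not is_wan(m["ip"]):
            continue  # not a preauth failure, or it came from inside the LAN
        entry = hits.setdefault(m["ip"], {"attempts": 0, "users": Counter()})
        entry["attempts"] += 1
        entry["users"][m["user"]] += 1
    return hits


if __name__ == "__main__":
    for ip, info in wan_preauth_failures(SAMPLE_SYSLOG).items():
        print(f"{ip}: {info['attempts']} preauth disconnect(s), users tried: {dict(info['users'])}")
```

On an Unraid box the same function can be fed the output of `grep sshd /var/log/syslog`; any WAN address it reports is one that reached sshd despite the router configuration, which is the fact worth chasing in the firewall or port-forward rules.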

