Under attack? Many unknown login attempts

Hello,
Hi,
When I run journalctl -f on my Freedombox, I see many login attempts from different IP addresses. I have no experience with servers. Is this normal? Could something be configured incorrectly? Must I change something? I’m worried.

    -- Logs begin at Sat 2019-09-14 05:28:42 CEST. --
    Sep 14 11:01:56 freedombox sshd[12333]: Received disconnect from 51.255.160.188 port 55236:11: Bye Bye [preauth]
    Sep 14 11:01:56 freedombox sshd[12333]: Disconnected from invalid user GarrysMod 51.255.160.188 port 55236 [preauth]
    Sep 14 11:02:04 freedombox sshd[12338]: Invalid user gc from 211.193.13.111 port 62455
    Sep 14 11:02:04 freedombox sshd[12338]: pam_unix(sshd:auth): check pass; user unknown
    Sep 14 11:02:04 freedombox sshd[12338]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.193.13.111
    Sep 14 11:02:06 freedombox sshd[12338]: Failed password for invalid user gc from 211.193.13.111 port 62455 ssh2
    Sep 14 11:02:06 freedombox sudo[12336]: pam_unix(sudo:auth): authentication failure; logname=1110LT0m1k3. uid=10000 euid=0 tty=/dev/pts/2 ruser=1110LT0m1k3. rhost= user=1110LT0m1k3.
    Sep 14 11:02:06 freedombox slapd[762]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
    Sep 14 11:02:06 freedombox sudo[12336]: 1110LT0m1k3. : TTY=pts/2 ; PWD=/home/1110LT0m1k3. ; USER=root ; COMMAND=/usr/bin/journalctl -f
    Sep 14 11:02:06 freedombox sudo[12336]: pam_unix(sudo:session): session opened for user root by 1110LT0m1k3.(uid=0)
    Sep 14 11:02:08 freedombox sshd[12338]: Received disconnect from 211.193.13.111 port 62455:11: Bye Bye [preauth]
    Sep 14 11:02:08 freedombox sshd[12338]: Disconnected from invalid user gc 211.193.13.111 port 62455 [preauth]

This is going on and on… I haven’t seen that before. Is this a bigger attack? What can I do? Should I cut the connection?

Information
FreedomBox Pioneer 19.15, reachable from the Internet with a .freedombox.rocks domain
Configured Tor is running
Behind a router with open ports for Matrix Synapse, bind, https, http, Tor, radicale, sftp
I am running ikiwiki as a blog

@MikaelB You mentioned that you have an open port for sftp. I assume this is the SSH port, TCP 22. Since this is the standard SSH port, you will get a lot of login attempts if it is reachable from the outside on port 22.

In my opinion, this may not be a big problem, if you are using a hard-to-guess password, and have Fail2Ban enabled on the Security page.

But there are some ways to prevent the login attempts. For example, does your router support forwarding from a different external port, to port 22 internally?

2 Likes
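The question in the first post ("is this a bigger attack?") and the Fail2Ban point in the reply above both come down to the same measurement: how many failed logins each source address produces, and how fast. A handful of addresses each trying one or two non-existent usernames (gc, GarrysMod) is ordinary Internet background scanning of port 22; one address hammering dozens of passwords per minute is what Fail2Ban is there to block. The script below is an added example, not part of this thread or of FreedomBox: it parses journal lines in the format pasted above, counts failed passwords per address, records the usernames that do not exist on the box, and applies a simplified Fail2Ban-style rule (its jail.conf defaults of 5 failures within 10 minutes). The sample lines are constructed; the two addresses from the post are reused, 203.0.113.5 is a documentation-range address standing in for a noisier scanner, and the year 2019 is assumed from the "Logs begin at" header because journalctl's short format carries no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same journal format as the lines pasted above.
# 51.255.160.188 and 211.193.13.111 are the addresses shown in the post;
# 203.0.113.5 (a documentation-range address) stands in for a noisier scanner.
SAMPLE_JOURNAL = """\
Sep 14 11:01:56 freedombox sshd[12333]: Disconnected from invalid user GarrysMod 51.255.160.188 port 55236 [preauth]
Sep 14 11:02:04 freedombox sshd[12338]: Invalid user gc from 211.193.13.111 port 62455
Sep 14 11:02:06 freedombox sshd[12338]: Failed password for invalid user gc from 211.193.13.111 port 62455 ssh2
Sep 14 11:02:06 freedombox sudo[12336]: pam_unix(sudo:session): session opened for user root by 1110LT0m1k3.(uid=0)
Sep 14 11:02:08 freedombox sshd[12338]: Disconnected from invalid user gc 211.193.13.111 port 62455 [preauth]
Sep 14 11:03:10 freedombox sshd[12350]: Failed password for root from 203.0.113.5 port 40001 ssh2
Sep 14 11:03:14 freedombox sshd[12351]: Failed password for root from 203.0.113.5 port 40002 ssh2
Sep 14 11:03:19 freedombox sshd[12352]: Invalid user admin from 203.0.113.5 port 40003
Sep 14 11:03:19 freedombox sshd[12352]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Sep 14 11:03:25 freedombox sshd[12353]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Sep 14 11:03:31 freedombox sshd[12354]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
Sep 14 11:40:02 freedombox sshd[12399]: Failed password for invalid user gc from 211.193.13.111 port 62990 ssh2
"""

# journalctl's short format carries no year; the "Logs begin at" header in the
# post says 2019, so that year is assumed when parsing timestamps.
LOG_YEAR = 2019

_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
INVALID_RE = re.compile(_PREFIX + r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+$")


def parse_failures(text, year=LOG_YEAR):
    """Return (timestamp, source ip, username) for every failed password attempt."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"], m["user"]))
    return failures


def invalid_usernames(text):
    """Source ip -> usernames tried that do not exist on this box (the 'Invalid user' lines)."""
    names = defaultdict(set)
    for line in text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            names[m["ip"]].add(m["user"])
    return dict(names)


def failures_per_ip(failures):
    """Source ip -> number of failed password attempts."""
    counts = defaultdict(int)
    for _, ip, _ in failures:
        counts[ip] += 1
    return dict(counts)


def ips_to_ban(failures, maxretry=5, findtime=600):
    """Simplified Fail2Ban rule (jail.conf defaults: 5 failures within 10 minutes):
    an address is banned if any maxretry consecutive failures fall inside a
    window of findtime seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_JOURNAL)
    names = invalid_usernames(SAMPLE_JOURNAL)
    for ip, n in sorted(failures_per_ip(fails).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n:3} failed passwords, unknown users tried: {sorted(names.get(ip, []))}")
    print("would be banned with Fail2Ban defaults:", sorted(ips_to_ban(fails)))
```

On the sample, 211.193.13.111 fails twice 38 minutes apart and is never banned, while 203.0.113.5 trips the rule within 21 seconds. To run it against a real box, feed it the output of `journalctl -u ssh` instead of the constructed sample; if the per-address counts stay small and the usernames are ones that do not exist on the machine, you are looking at the background noise the reply above describes, and Fail2Ban plus a non-standard external port (or key-only login) is the fix.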

Thank you jvalleroy,
I have changed the external port and now it is calm again. As a longtime newcomer to Linux and Internet services, I have always dreamed of setting up my own server. We’ve been running a small webshop for a long time, but we run it on a provider’s server and we do not need to worry about basic security issues (though I locked out China because there were always strange operations at the shop with IP addresses from there). With Freedombox this dream comes true, but that should not make me reckless. I always have to think a step further and get extensive information before I activate a new web service. Since I have known Freedombox, I’ve learned more about Linux and the Internet than in the last 10 years; thank you, all of you! It is certainly terrifying for you if you read such posts about stupid newbie errors. For software developers, of course, many things are so clear that you cannot imagine what an apprentice can do wrong. I promise improvement.

1 Like

For others who might venture here:
I don’t think that the port forwarding would work if DMZ forwarding is enabled though.
Another option would be to use keypairs. Using putty, puttygen, and pageant (all included in the putty bundle) you can generate a keypair. At freedombox.local, paste the public key under the admin user’s profile. Then in the system>SSH settings at the bottom, check the Disable password authentication box.
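The key-pair option above ends with the "Disable password authentication" checkbox, which in sshd_config terms means PasswordAuthentication no with PubkeyAuthentication left on. The script below is an added example, not FreedomBox code and not what its checkbox literally writes: it reads an sshd_config text the way sshd resolves it (keywords are case-insensitive, the first occurrence of a keyword wins, commented-out lines are inert, and lines after a Match directive are conditional and are skipped here) and reports what would still let a password in. Both configs are constructed; the built-in defaults used for keywords a file does not mention are OpenSSH's own. The ChallengeResponseAuthentication check is the caveat people trip over: with UsePAM yes, leaving it on can still accept a password via keyboard-interactive even after PasswordAuthentication is set to no.

```python
import re

# Constructed sample configs (not FreedomBox's own files). The first resembles a
# Debian-style default where password logins stay enabled; the second is what
# "Disable password authentication" amounts to in sshd_config terms.
WEAK_CONFIG = """\
# sshd_config before hardening
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
"""

# sshd's built-in defaults (OpenSSH 7.x and later) for the keywords audited here;
# they apply whenever a file does not mention the keyword at all.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

_DIRECTIVE = re.compile(r"^(\w+)[\s=]+(.+)$")  # sshd accepts 'Key value' and 'Key=value'


def effective_settings(text):
    """Global values sshd would use: keywords are case-insensitive, the first
    occurrence of a keyword wins, and anything after a Match line is conditional
    on the connection, so it is skipped here (review Match blocks separately)."""
    settings = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments: '#PasswordAuthentication yes' is inert
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        settings[key] = value
    return settings


def audit(text):
    """Return findings for a config; an empty list means key-only login is in place."""
    s = effective_settings(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still works")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key login would be refused")
    if s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is on: with UsePAM, keyboard-interactive can still accept a password")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

To check a real box, pass the contents of /etc/ssh/sshd_config to audit(). Before ticking the checkbox (or editing the file by hand), confirm the key-based login works from a second terminal while the first stays open, and run `sshd -t` after any manual edit so a typo does not leave you locked out.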