From owner-freebsd-questions@freebsd.org Wed Oct 4 12:08:06 2017
From: krad
Date: Wed, 4 Oct 2017 13:08:04 +0100
Subject: Re: help - under attack
To: Ernie Luzar
Cc: Matthias Apitz, FreeBSD Questions

Post the ruleset. If you are dual homed, make sure sshd is bound to the internal NIC only. If you have to go on the public side, disable password-based auth and just use keys. Do those things and the community can maybe help you go forward.

On 1 October 2017 at 16:34, Ernie Luzar wrote:

> Matthias Apitz wrote:
>
>> On Sunday, October 01, 2017 at 11:18:14 a.m. -0400, Ernie Luzar
>> wrote:
>>
>>> Hello list;
>>>
>>> Installed 11.1 from scratch and after about 2-3 weeks I finally got
>>> around to inspecting the /var/logs. I have never seen the auth.log file
>>> roll over before, so this piqued my interest. It was full of failed login
>>> attempts. My firewall blocks all inbound traffic, so I am very baffled by
>>> what I see in the log. Any suggestions on how this can be happening?
>>>
>>> Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
>>> ...
>>>
>>
>> If you have a firewall (about which you have not said anything), how can
>> SYN-SYN-ACK happen on port 22?
>>
>> matthias
>>
>
> My post says "My firewall blocks all inbound traffic". The login error
> messages do not say it is on port 22. That inbound port is blocked by the
> firewall. All PCs on the LAN are powered off. Even disconnected the LAN
> cable from the FreeBSD gateway host and still the error messages come out.
> That is why I am asking for help here.
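
A check for the two settings krad recommends (sshd bound only to the internal interface, password logins off), as an added example that is not part of the original thread. It audits the global section of an sshd_config; the sample configs and the address 192.168.1.1 are constructed, and treating "internal" as a private-range address is an assumption.

```python
import ipaddress

# Constructed sample configs (not from the thread).
WEAK = "Port 22\nListenAddress 0.0.0.0\nPasswordAuthentication yes\n"
HARDENED = ("ListenAddress 192.168.1.1\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n")

def global_settings(text):
    """Map lowercased keyword -> list of values from the global section."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":
            break  # Match blocks are conditional overrides; not audited here
        settings.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings

def listen_host(value):
    """Strip the optional port from host, host:port or [v6]:port."""
    value = (value.split() or [""])[0]
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value

def audit(text):
    s, findings = global_settings(text), []
    hosts = [listen_host(v) for v in s.get("listenaddress", [])]
    if not hosts:
        findings.append("no ListenAddress: sshd listens on all local addresses")
    for host in hosts:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"ListenAddress {host}: hostname, check what it resolves to")
            continue
        # Assumption: "internal" means a private-range address
        if ip.is_unspecified or not ip.is_private:
            findings.append(f"ListenAddress {host}: not limited to an internal address")
    # keyboard-interactive (PAM) can still prompt for a password, so check it too
    kbd = s.get("kbdinteractiveauthentication") or s.get("challengeresponseauthentication")
    for name, vals in (("PasswordAuthentication", s.get("passwordauthentication")),
                       ("KbdInteractive/ChallengeResponseAuthentication", kbd)):
        if not vals or vals[0].lower() != "no":  # sshd uses the first value it reads
            findings.append(f"{name} not explicitly 'no': password logins may be accepted")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

Settings left unset are reported rather than assumed safe, because the built-in defaults differ between OpenSSH builds.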