Message-ID: <59D10736.2070504@gmail.com>
Date: Sun, 01 Oct 2017 11:18:14 -0400
From: Ernie Luzar
To: "freebsd-questions@freebsd.org"
Subject: help - under attack

Hello list;

Installed 11.1 from scratch and after about 2-3 weeks I finally got around to inspecting the /var/logs. I have never seen the auth.log file roll over before, so this piqued my interest. It was full of failed login attempts. My firewall blocks all inbound traffic, so I am very baffled by what I see in the log. Any suggestions on how this can be happening?
Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
Sep 29 03:23:27 fbsd sshd[33709]: Connection closed by 149.202.179.216 port 37641 [preauth]
Sep 29 03:37:19 fbsd sshd[33732]: Connection closed by 149.202.179.216 port 51083 [preauth]
Sep 29 03:51:35 fbsd sshd[33897]: Connection closed by 149.202.179.216 port 42178 [preauth]
Sep 29 04:06:12 fbsd sshd[33935]: Connection closed by 149.202.179.216 port 40065 [preauth]
Sep 29 04:20:57 fbsd sshd[33957]: Connection closed by 149.202.179.216 port 51644 [preauth]
Sep 29 04:35:13 fbsd sshd[33993]: Connection closed by 149.202.179.216 port 55964 [preauth]
Sep 29 04:49:36 fbsd sshd[34012]: Connection closed by 149.202.179.216 port 33713 [preauth]
Sep 29 05:03:20 fbsd sshd[34050]: Connection closed by 149.202.179.216 port 48110 [preauth]
snip
Oct 1 00:04:31 fbsd sshd[48041]: input_userauth_request: invalid user virus [preauth]
Oct 1 00:04:31 fbsd sshd[48041]: Connection closed by 149.202.179.216 port 50713 [preauth]
Oct 1 00:14:11 fbsd sshd[48060]: Invalid user vmail from 149.202.179.216
Oct 1 00:14:11 fbsd sshd[48060]: input_userauth_request: invalid user vmail [preauth]
Oct 1 00:14:11 fbsd sshd[48060]: Connection closed by 149.202.179.216 port 36514 [preauth]
Oct 1 00:23:36 fbsd sshd[48079]: Invalid user vmail from 149.202.179.216
Oct 1 00:23:36 fbsd sshd[48079]: input_userauth_request: invalid user vmail [preauth]
Oct 1 00:23:36 fbsd sshd[48079]: Connection closed by 149.202.179.216 port 49458 [preauth]
Oct 1 00:32:05 fbsd sshd[48087]: Invalid user vnc from 149.202.179.216
Oct 1 00:32:05 fbsd sshd[48087]: input_userauth_request: invalid user vnc [preauth]
Oct 1 00:32:05 fbsd sshd[48087]: Connection closed by 149.202.179.216 port 52451 [preauth]
Oct 1 00:40:24 fbsd sshd[48106]: Invalid user vnc from 149.202.179.216
Oct 1 00:40:24 fbsd sshd[48106]: input_userauth_request: invalid user vnc [preauth]
Oct 1 00:40:24 fbsd sshd[48106]: Connection closed by 149.202.179.216 port 59811 [preauth]
Oct 1 00:48:39 fbsd sshd[48123]: Invalid user vnc from 149.202.179.216
Oct 1 00:48:39 fbsd sshd[48123]: input_userauth_request: invalid user vnc [preauth]
Oct 1 00:48:40 fbsd sshd[48123]: Connection closed by 149.202.179.216 port 35215 [preauth]
Oct 1 00:56:41 fbsd sshd[48143]: Invalid user voip from 149.202.179.216
Oct 1 00:56:41 fbsd sshd[48143]: input_userauth_request: invalid user voip [preauth]
Oct 1 00:56:41 fbsd sshd[48143]: Connection closed by 149.202.179.216 port 49147 [preauth]
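One way to triage a log like the one above, as an added example that is not part of the original post: it parses the sshd "Invalid user" and "Connection closed ... [preauth]" lines into a per-source summary and flags sources whose attempts are spaced minutes apart yet keep adding up, which is the pattern in this log and one that a per-minute failure threshold would never see. The sample lines are taken from the post's log, and the year is assumed to be 2017 because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime
# Sample lines in the sshd/auth.log format quoted in the post above (constructed subset).
SAMPLE_LOG = """\
Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
Sep 29 03:23:27 fbsd sshd[33709]: Connection closed by 149.202.179.216 port 37641 [preauth]
Oct 1 00:14:11 fbsd sshd[48060]: Invalid user vmail from 149.202.179.216
Oct 1 00:14:11 fbsd sshd[48060]: Connection closed by 149.202.179.216 port 36514 [preauth]
Oct 1 00:32:05 fbsd sshd[48087]: Invalid user vnc from 149.202.179.216
Oct 1 00:32:05 fbsd sshd[48087]: Connection closed by 149.202.179.216 port 52451 [preauth]
Oct 1 00:40:24 fbsd sshd[48106]: Invalid user vnc from 149.202.179.216
Oct 1 00:40:24 fbsd sshd[48106]: Connection closed by 149.202.179.216 port 59811 [preauth]
"""
YEAR = 2017  # syslog lines carry no year; assumed from the date of the post
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
INVALID_RE = re.compile(r"^Invalid user (\S+) from ([\d.]+)$")
CLOSED_RE = re.compile(r"^Connection closed by ([\d.]+) port \d+ \[preauth\]$")

def parse(text):
    """Yield (timestamp, kind, source_ip, username) for the sshd lines of interest."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        if im := INVALID_RE.match(msg):
            yield ts, "invalid", im.group(2), im.group(1)
        elif cm := CLOSED_RE.match(msg):
            yield ts, "closed", cm.group(1), None

def summarize(text):
    """Per source: preauth attempts, usernames tried, shortest gap between attempts."""
    per_ip = defaultdict(lambda: {"closed": [], "users": set()})
    for ts, kind, ip, user in parse(text):
        if kind == "closed":
            per_ip[ip]["closed"].append(ts)
        else:
            per_ip[ip]["users"].add(user)
    summary = {}
    for ip, rec in per_ip.items():
        times = sorted(rec["closed"])
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[ip] = {"attempts": len(times), "users": sorted(rec["users"]),
                       "min_gap_sec": min(gaps, default=None)}
    return summary

def slow_probe_sources(summary, min_attempts=5, min_gap_sec=300):
    """Sources with >= min_attempts preauth failures that never come closer than min_gap_sec apart."""
    return sorted(ip for ip, s in summary.items() if s["attempts"] >= min_attempts
                  and s["min_gap_sec"] is not None and s["min_gap_sec"] >= min_gap_sec)
```

Whatever the summary shows, an sshd preauth entry means the TCP connection completed, so the effective inbound rules for port 22 on the firewall are the first thing to verify.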