From: Ernie Luzar
Date: Sun, 01 Oct 2017 11:34:36 -0400
To: Matthias Apitz, freebsd-questions@freebsd.org
Subject: Re: help - under attack

Matthias Apitz wrote:
> On Sunday, October 01, 2017 at 11:18:14 a.m. -0400, Ernie Luzar wrote:
>
>> Hello list;
>>
>> Installed 11.1 from scratch and after about 2-3 weeks I finally got
>> around to inspecting the /var/logs. I have never seen the auth.log file
>> roll over before, so this piqued my interest. It was full of failed
>> login attempts. My firewall blocks all inbound traffic, so I am very
>> baffled by what I see in the log. Any suggestions on how this can be
>> happening?
>>
>> Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216
>> port 48876 [preauth]
>> ...
>
> If you have a firewall (about which you have not said anything), how can
> SYN-SYN-ACK happen on port 22?
>
> 	matthias

My post says "My firewall blocks all inbound traffic".
The login error messages do not say it is on port 22. That inbound port is blocked by the firewall. All PCs on the LAN are powered off. Even disconnected the LAN cable from the FreeBSD gateway host and still the error messages come out. That is why I am asking for help here.
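
One way to triage an auth.log like the one described in this thread, as an added example that is not part of the original messages: it parses sshd lines in the format quoted above and groups events by source address, recording the logged port as the remote peer's source port. Only the first sample line comes from the post; the other lines are constructed (documentation-range addresses) and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: line 1 is the line quoted in the thread, the rest are
# made-up lines in standard sshd formats using documentation-range addresses.
SAMPLE_LOG = """\
Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
Sep 29 03:09:20 fbsd sshd[33680]: Invalid user admin from 203.0.113.7 port 51522
Sep 29 03:09:21 fbsd sshd[33680]: Connection closed by 203.0.113.7 port 51522 [preauth]
Sep 29 03:10:02 fbsd sshd[33691]: Failed password for root from 198.51.100.23 port 40112 ssh2
Sep 29 03:10:05 fbsd sshd[33691]: Failed password for root from 198.51.100.23 port 40112 ssh2
Sep 29 03:11:40 fbsd cron[33702]: constructed non-sshd line, ignored by the parser
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[(\d+)\]: (.*)$")
PEER_RE = re.compile(r"(\S+) port (\d+)")
KINDS = {"Connection closed by": "closed",
         "Invalid user": "invalid_user",
         "Failed password": "failed_password"}

def parse_sshd_events(text):
    """Return one dict per sshd log line that names a remote peer."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not written by sshd
        when, pid, msg = m.groups()
        peer = PEER_RE.search(msg)
        if not peer:
            continue  # sshd line without an "<addr> port <n>" pair
        kind = next((k for p, k in KINDS.items() if msg.startswith(p)), "other")
        events.append({
            "time": when, "pid": int(pid), "kind": kind,
            "preauth": msg.endswith("[preauth]"),
            "src_ip": peer.group(1),
            # The port sshd prints is the REMOTE end of the TCP connection
            # (the client's source port), not the local listening port.
            "src_port": int(peer.group(2)),
        })
    return events

def summarize(events):
    """Count event kinds per source address."""
    by_ip = defaultdict(Counter)
    for e in events:
        by_ip[e["src_ip"]][e["kind"]] += 1
    return {ip: dict(c) for ip, c in by_ip.items()}

if __name__ == "__main__":
    print(summarize(parse_sshd_events(SAMPLE_LOG)))
```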