Date: Sun, 01 Oct 2017 17:52:31 +0200
From: Matthias Apitz <guru@unixarea.de>
To: <freebsd-questions@freebsd.org>
Subject: Re: help - under attack
Message-ID: <cd7f3038-b05c-411e-8bb5-6c5b09bc23a7@unixarea.de>
In-Reply-To: <59D10B0C.1010702@gmail.com>
References: <59D10736.2070504@gmail.com> <20171001152637.GA60730@c720-r314251>

On Sunday, 1 October 2017 17:34:36 CEST, Ernie Luzar <luzar722@gmail.com> wrote:
> Matthias Apitz wrote:
>> On Sunday, October 01, 2017 at 11:18:14 a.m. -0400,
>> Ernie Luzar wrote:
>>
>>> Hello list;
>>>
>>> Installed 11.1 from scratch and after about 2-3 weeks I finally got
>>> around to inspecting the /var/logs. I have never seen the auth.log file
>>> roll over before, so this piqued my interest. It was full of failed
>>> login attempts. My firewall blocks all inbound traffic, so I am very
>>> baffled by what I see in the log. Any suggestions on how this can be
>>> happening?
>>>
>>> Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216
>>> port 48876 [preauth]
>>> ...
>>
>> If you have a firewall (about which you have not said anything), how can
>> SYN-SYN-ACK happen on port 22?
>>
>> 	matthias
>
> My post says "My firewall blocks all inbound traffic". The login error
> messages do not say it on port 22. That inbound port is blocked by the
> firewall. All pc on the lan are powered off. Even disconnected the lan
> cable from the freebsd gateway host and still the error messages come
> out. That is why I am asking for help here.

Run tcpdump to get the src addr of the connects.

-- 
Sent from my Ubuntu phone
http://www.unixarea.de/