From owner-freebsd-questions@freebsd.org Sun Oct 1 15:52:38 2017
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
From: Matthias Apitz <guru@unixarea.de>
Subject: Re: help - under attack
Date: Sun, 01 Oct 2017 17:52:31 +0200
User-Agent: Dekko/0.6.20; Qt/5.4.1; ubuntumirclient; Linux;
In-Reply-To: <59D10B0C.1010702@gmail.com>
References: <59D10736.2070504@gmail.com> <20171001152637.GA60730@c720-r314251>
List-Id: User questions

On Sunday, 1 October 2017 17:34:36 CEST, Ernie Luzar wrote:
> Matthias Apitz wrote:
>> On Sunday, October 01, 2017 at 11:18:14 a.m. -0400, Ernie Luzar wrote:
>>
>>> Hello list;
>>>
>>> Installed 11.1 from scratch and after about 2-3 weeks I finally got
>>> around to inspecting the /var/logs. I have never seen the auth.log file
>>> roll over before, so this piqued my interest. It was full of failed
>>> login attempts. My firewall blocks all inbound traffic, so I am very
>>> baffled by what I see in the log. Any suggestions on how this can be
>>> happening?
>>>
>>> Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
>>> ...
>>
>> If you have a firewall (about which you have not said anything), how can
>> SYN-SYN-ACK happen on port 22?
>>
>> 	matthias
>
> My post says "My firewall blocks all inbound traffic". The login error
> messages do not say it on port 22. That inbound port is blocked by the
> firewall. All PCs on the LAN are powered off. Even disconnected the LAN
> cable from the freebsd gateway host and still the error messages come
> out. That is why I am asking for help here.

Run tcpdump to get the src addr of the connects.

-- 
Sent from my Ubuntu phone
http://www.unixarea.de/
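The thread hinges on where the sshd connections in auth.log are coming from. Besides tcpdump, the log itself already carries the peer address, and tallying those addresses and splitting them into private (LAN-side) and public ranges tells you quickly whether the firewall is really being bypassed from the Internet or whether something inside is knocking on sshd. The script below is an added example written for this page, not code from the list or from FreeBSD; the sample log lines are constructed (the first copies the line quoted in the thread, the others follow the usual OpenSSH message shapes), and the private/public split relies on Python's ipaddress.is_private.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample auth.log excerpt. The first line mirrors the one quoted
# in the thread; the remaining lines are made up for this example and use the
# standard OpenSSH "Connection closed" / "Failed password" message formats.
SAMPLE_AUTH_LOG = """\
Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
Sep 29 03:09:20 fbsd sshd[33678]: Failed password for invalid user admin from 149.202.179.216 port 48901 ssh2
Sep 29 03:10:02 fbsd sshd[33680]: Connection closed by 10.0.0.5 port 51022 [preauth]
Sep 29 03:10:40 fbsd sshd[33684]: Connection closed by invalid user oracle 10.0.0.9 port 55120 [preauth]
Sep 29 03:11:47 fbsd sshd[33691]: Accepted publickey for ernie from 10.0.0.7 port 50011 ssh2
"""

# One pattern per sshd message shape that indicates an unauthenticated or
# failed attempt; each captures the peer address as the "ip" group.
PATTERNS = [
    re.compile(
        r"Connection closed by (?:(?:invalid|authenticating) user \S+ )?"
        r"(?P<ip>[0-9a-fA-F.:]+) port \d+ \[preauth\]"
    ),
    re.compile(
        r"Failed password for (?:invalid user )?\S+ from "
        r"(?P<ip>[0-9a-fA-F.:]+) port \d+"
    ),
]


def extract_sources(log_text):
    """Count the peer addresses behind sshd preauth/failed-login events.

    Successful logins (e.g. 'Accepted publickey') are deliberately ignored;
    only lines matching one of PATTERNS are tallied.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group("ip")] += 1
                break
    return counts


def classify(counts):
    """Split a source tally into private (LAN-side) and public addresses.

    Returns (private, public) as plain dicts of address -> count. Note that
    Python's is_private also flags the RFC 5737 documentation ranges.
    """
    private, public = {}, {}
    for ip, n in counts.items():
        target = private if ip_address(ip).is_private else public
        target[ip] = n
    return private, public


if __name__ == "__main__":
    sources = extract_sources(SAMPLE_AUTH_LOG)
    private, public = classify(sources)
    print("Public sources:", public)     # {'149.202.179.216': 2}
    print("Private sources:", private)   # {'10.0.0.5': 1, '10.0.0.9': 1}
```

Run it against a real file with `extract_sources(open("/var/log/auth.log").read())`. A non-empty public bucket on a host whose firewall is supposed to drop all inbound traffic means the rule set is not doing what its author believes (or sshd is reachable through another path); a private-only bucket points at a device on the LAN side, which is exactly what powering machines off and unplugging cables one at a time, as the poster did, helps narrow down.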