Date: Thu, 5 Jan 2023 11:57:16 -0700 (MST) From: Dale Scott <dalescott@shaw.ca> To: Erwan David <erwan@rail.eu.org> Cc: questions <questions@freebsd.org> Subject: Re: why do I see failed login attempts to vm on non-forwarded ports? Message-ID: <1526169121.66664274.1672945036737.JavaMail.zimbra@shaw.ca> In-Reply-To: <355e6690-5188-149d-4f9d-855b35f46a1a@rail.eu.org> References: <OUSBWzfhSPaBjWj3PethQw@geopod-ismtpd-4-0> <327799993.65810026.1672932433732.JavaMail.zimbra@shaw.ca> <355e6690-5188-149d-4f9d-855b35f46a1a@rail.eu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- > From: "Erwan David" <erwan@rail.eu.org> > To: "questions" <questions@freebsd.org> > Sent: Thursday, January 5, 2023 8:50:29 AM > Subject: Re: why do I see failed login attempts to vm on non-forwarded po= rts? > Le 05/01/2023 =C3=A0 16:27, Dale Scott a =C3=A9crit=C2=A0: >> Hi all, this has me stumped. I'm seeing login attempts from what I assum= e to be >> a scripted exploit attempt. The login attempts aren't a major concern (o= ther >> than they choke the server) as ssh is configured for key authentication = only, >> but the ports they use has me confused. >>=20 >> The server is a FreeBSD 13.1 headless guest vm on a headless 13.1 host, = hosted >> using virtualbox-ose (managed using phpVirtualBox). Only 3 ports are for= warded >> from host to guest: 3022 to 22 for ssh login to the guest, 8000 to 8000 = for >> remote client access to tryton ERP, and 5432 to 5432 for remote access t= o >> postgresql (DBMS for Tryton). >>=20 >> My (very limited) understanding of networking and port forwarding was th= at that >> the guest could only be accessed from the outside world using one of tho= se >> three ports. Clearly I was wrong. >>=20 >> Can anyone explain what is happening? >>=20 >> TIA! >>=20 >> Cheers, >> Dale >>=20 >> Fwiw, I was originally just trying to configure remote access to Postgre= SQL so I >> could use pgAdmin remotely to investigate Tryton's databases, and then n= oticed >> the login attempts (which could be why the vm crashes every couple weeks= ). >>=20 >=20 > [...] >=20 >>=20 >> starlord login failures: >> Jan 4 00:02:05 starlord sshd[1597]: Invalid user admin from 10.0.2.2 po= rt 51252 >> Jan 4 00:02:07 starlord sshd[1597]: Connection closed by invalid user a= dmin >> 10.0.2.2 port 51252 [preauth] >=20 > [...] >=20 > The ports you see are the source port (on the machine trying to > connect), not the destination port (22 since your sshd only listen on > port 22) Thanks Erwan for educating me. :-) IIUC, the attacker attempts an ssh login on port 3022 on the host system, w= hich is handled by the virtualbox NAT and sent to vm client port 22 from ho= st port e.g. 51252. Do I understand this correctly? Why does the host use so many different por= ts? Cheers, Dale
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1526169121.66664274.1672945036737.JavaMail.zimbra>