Hack attempt on my firewall?
-
A few users had VPN authentication issues so I looked through some logs. On the system log, I see this below. Does this look like someone is trying to brute force my admin login through ssh? Should I be worried?
(this is just a snippet, but there is a very long list of this in the logs)
Time Process PID Message
Apr 19 16:03:02 sshd 70591 Disconnected from 121.18.238.104 port 34457 [preauth]
Apr 19 16:03:02 sshd 70591 Received disconnect from 121.18.238.104 port 34457:11: [preauth]
Apr 19 16:03:02 sshd 70941 Disconnected from 121.18.238.104 port 45540 [preauth]
Apr 19 16:03:02 sshd 70941 Received disconnect from 121.18.238.104 port 45540:11: [preauth]
Apr 19 15:58:33 sshd 34243 Disconnected from 59.45.175.66 port 44374 [preauth]
Apr 19 15:58:33 sshd 34243 Received disconnect from 59.45.175.66 port 44374:11: [preauth]
Apr 19 15:58:32 sshd 34215 Disconnected from 59.45.175.66 port 57961 [preauth]
Apr 19 15:58:32 sshd 34215 Received disconnect from 59.45.175.66 port 57961:11: [preauth]
Apr 19 15:44:17 sshd 40561 Disconnecting: Too many authentication failures [preauth]
Apr 19 15:44:17 sshd 40561 error: maximum authentication attempts exceeded for root from 201.178.249.163 port 58134 ssh2 [preauth]
Apr 19 15:44:17 sshd 40561 Failed password for root from 201.178.249.163 port 58134 ssh2
Apr 19 15:44:17 sshd 40561 Failed password for root from 201.178.249.163 port 58134 ssh2
Apr 19 15:44:16 sshd 40561 Failed password for root from 201.178.249.163 port 58134 ssh2
Apr 19 15:44:16 sshd 40561 Failed password for root from 201.178.249.163 port 58134 ssh2
Apr 19 15:44:16 sshd 40561 Failed password for root from 201.178.249.163 port 58134 ssh2
Apr 19 15:44:15 sshd 40561 Failed password for root from 201.178.249.163 port 58134 ssh2
Apr 19 15:43:33 sshd 9119 Disconnecting: Too many authentication failures [preauth]
Apr 19 15:43:33 sshd 9119 error: maximum authentication attempts exceeded for root from 31.163.253.2 port 32945 ssh2 [preauth]
Apr 19 15:43:33 sshd 9119 Failed password for root from 31.163.253.2 port 32945 ssh2
Apr 19 15:43:32 sshd 9119 Failed password for root from 31.163.253.2 port 32945 ssh2
Apr 19 15:43:32 sshd 9119 Failed password for root from 31.163.253.2 port 32945 ssh2
Apr 19 15:43:32 sshd 9119 Failed password for root from 31.163.253.2 port 32945 ssh2
Apr 19 15:43:31 sshd 9119 Failed password for root from 31.163.253.2 port 32945 ssh2
Apr 19 15:43:31 sshd 9119 Failed password for root from 31.163.253.2 port 32945 ssh2
Apr 19 15:40:52 sshd 43486 Disconnecting: Too many authentication failures [preauth]
Apr 19 15:40:52 sshd 43486 error: maximum authentication attempts exceeded for admin from 90.189.30.206 port 41798 ssh2 [preauth]
Apr 19 15:40:52 sshd 43486 Failed password for admin from 90.189.30.206 port 41798 ssh2
Apr 19 15:40:52 sshd 43486 Failed password for admin from 90.189.30.206 port 41798 ssh2
Apr 19 15:40:51 sshd 43486 Failed password for admin from 90.189.30.206 port 41798 ssh2
Apr 19 15:40:51 sshd 43486 Failed password for admin from 90.189.30.206 port 41798 ssh2
Apr 19 15:40:50 sshd 43486 Failed password for admin from 90.189.30.206 port 41798 ssh2
Apr 19 15:40:50 sshd 43486 Failed password for admin from 90.189.30.206 port 41798 ssh2
Apr 19 15:38:48 sshd 67714 Disconnecting: Too many authentication failures [preauth]
Apr 19 15:38:48 sshd 67714 error: maximum authentication attempts exceeded for root from 119.193.140.151 port 60937 ssh2 [preauth]
Apr 19 15:38:48 sshd 67714 Failed password for root from 119.193.140.151 port 60937 ssh2
Apr 19 15:38:48 sshd 67714 Failed password for root from 119.193.140.151 port 60937 ssh2
Apr 19 15:38:48 sshd 67714 Failed password for root from 119.193.140.151 port 60937 ssh2
Apr 19 15:38:47 sshd 67714 Failed password for root from 119.193.140.151 port 60937 ssh2
Apr 19 15:38:47 sshd 67714 Failed password for root from 119.193.140.151 port 60937 ssh2
Apr 19 15:38:47 sshd 67714 Failed password for root from 119.193.140.151 port 60937 ssh2
-
Why do you have SSH to the firewall open to the outside world?
Block it and allow it only via VPN. And yes, this is exactly what is happening here, bruteforce…
-
ssh open to the world is going to get massive amounts of traffic.. Yup going to try and bruteforce you til the sun comes up..
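Added example, not part of the original thread: a short Python summary of sshd entries in the layout quoted in the question, grouping failed passwords by source address so password guessing stands out from one-off pre-auth disconnects. The function name `summarize`, the `threshold` parameter and the sample addresses are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the question's log layout; addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Apr 19 16:03:02 sshd 70591 Disconnected from 192.0.2.10 port 34457 [preauth]
Apr 19 16:03:02 sshd 70591 Received disconnect from 192.0.2.10 port 34457:11: [preauth]
Apr 19 15:44:17 sshd 40561 Disconnecting: Too many authentication failures [preauth]
Apr 19 15:44:17 sshd 40561 error: maximum authentication attempts exceeded for root from 198.51.100.7 port 58134 ssh2 [preauth]
Apr 19 15:44:17 sshd 40561 Failed password for root from 198.51.100.7 port 58134 ssh2
Apr 19 15:44:16 sshd 40561 Failed password for root from 198.51.100.7 port 58134 ssh2
Apr 19 15:44:15 sshd 40561 Failed password for root from 198.51.100.7 port 58134 ssh2
Apr 19 15:40:52 sshd 43486 Failed password for admin from 203.0.113.5 port 41798 ssh2
Apr 19 15:40:50 sshd 43486 Failed password for admin from 203.0.113.5 port 41798 ssh2
"""

ENTRY = re.compile(r"^\w{3} +\d+ [\d:]{8} sshd (\d+) (.*)$")
FAILED = re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
MAXED = re.compile(r"maximum authentication attempts exceeded for (?:invalid user )?\S+ from (\S+)")
PROBE = re.compile(r"^Disconnected from (\S+) port \d+ \[preauth\]")

def summarize(log_text, threshold=3):
    """Group sshd entries by source address and flag password guessing."""
    failed = Counter()            # source -> failed password count
    users = defaultdict(set)      # source -> account names tried
    hit_limit = set()             # sources sshd cut off at its attempt limit
    probes = Counter()            # sources that dropped before authenticating
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue              # skip the header row and other processes
        msg = entry.group(2)
        if m := FAILED.match(msg):
            failed[m.group(2)] += 1
            users[m.group(2)].add(m.group(1))
        elif m := MAXED.search(msg):
            hit_limit.add(m.group(1))
        elif m := PROBE.match(msg):
            probes[m.group(1)] += 1
    guessing = {ip for ip, n in failed.items() if n >= threshold} | hit_limit
    return {
        "guessing": sorted(guessing),
        "failed": dict(failed),
        "users": {ip: sorted(names) for ip, names in users.items()},
        "probes": dict(probes),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Many sources each trying `root` or `admin` a handful of times, as in the log above, is the pattern to expect from an SSH port reachable from the internet.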