Netgate Discussion Forum
    Hack attempt on my firewall?

    • AxSD

      A few users had VPN authentication issues so I looked through some logs. On the system log, I see this below. Does this look like someone is trying to brute force my admin login through ssh? Should I be worried?

      (this is just a snippet, but there is a very long list of this in the logs)

      
      Time	Process	PID	Message
      Apr 19 16:03:02	sshd	70591	Disconnected from 121.18.238.104 port 34457 [preauth]
      Apr 19 16:03:02	sshd	70591	Received disconnect from 121.18.238.104 port 34457:11: [preauth]
      Apr 19 16:03:02	sshd	70941	Disconnected from 121.18.238.104 port 45540 [preauth]
      Apr 19 16:03:02	sshd	70941	Received disconnect from 121.18.238.104 port 45540:11: [preauth]
      Apr 19 15:58:33	sshd	34243	Disconnected from 59.45.175.66 port 44374 [preauth]
      Apr 19 15:58:33	sshd	34243	Received disconnect from 59.45.175.66 port 44374:11: [preauth]
      Apr 19 15:58:32	sshd	34215	Disconnected from 59.45.175.66 port 57961 [preauth]
      Apr 19 15:58:32	sshd	34215	Received disconnect from 59.45.175.66 port 57961:11: [preauth]
      Apr 19 15:44:17	sshd	40561	Disconnecting: Too many authentication failures [preauth]
      Apr 19 15:44:17	sshd	40561	error: maximum authentication attempts exceeded for root from 201.178.249.163 port 58134 ssh2 [preauth]
      Apr 19 15:44:17	sshd	40561	Failed password for root from 201.178.249.163 port 58134 ssh2
      Apr 19 15:44:17	sshd	40561	Failed password for root from 201.178.249.163 port 58134 ssh2
      Apr 19 15:44:16	sshd	40561	Failed password for root from 201.178.249.163 port 58134 ssh2
      Apr 19 15:44:16	sshd	40561	Failed password for root from 201.178.249.163 port 58134 ssh2
      Apr 19 15:44:16	sshd	40561	Failed password for root from 201.178.249.163 port 58134 ssh2
      Apr 19 15:44:15	sshd	40561	Failed password for root from 201.178.249.163 port 58134 ssh2
      Apr 19 15:43:33	sshd	9119	Disconnecting: Too many authentication failures [preauth]
      Apr 19 15:43:33	sshd	9119	error: maximum authentication attempts exceeded for root from 31.163.253.2 port 32945 ssh2 [preauth]
      Apr 19 15:43:33	sshd	9119	Failed password for root from 31.163.253.2 port 32945 ssh2
      Apr 19 15:43:32	sshd	9119	Failed password for root from 31.163.253.2 port 32945 ssh2
      Apr 19 15:43:32	sshd	9119	Failed password for root from 31.163.253.2 port 32945 ssh2
      Apr 19 15:43:32	sshd	9119	Failed password for root from 31.163.253.2 port 32945 ssh2
      Apr 19 15:43:31	sshd	9119	Failed password for root from 31.163.253.2 port 32945 ssh2
      Apr 19 15:43:31	sshd	9119	Failed password for root from 31.163.253.2 port 32945 ssh2
      Apr 19 15:40:52	sshd	43486	Disconnecting: Too many authentication failures [preauth]
      Apr 19 15:40:52	sshd	43486	error: maximum authentication attempts exceeded for admin from 90.189.30.206 port 41798 ssh2 [preauth]
      Apr 19 15:40:52	sshd	43486	Failed password for admin from 90.189.30.206 port 41798 ssh2
      Apr 19 15:40:52	sshd	43486	Failed password for admin from 90.189.30.206 port 41798 ssh2
      Apr 19 15:40:51	sshd	43486	Failed password for admin from 90.189.30.206 port 41798 ssh2
      Apr 19 15:40:51	sshd	43486	Failed password for admin from 90.189.30.206 port 41798 ssh2
      Apr 19 15:40:50	sshd	43486	Failed password for admin from 90.189.30.206 port 41798 ssh2
      Apr 19 15:40:50	sshd	43486	Failed password for admin from 90.189.30.206 port 41798 ssh2
      Apr 19 15:38:48	sshd	67714	Disconnecting: Too many authentication failures [preauth]
      Apr 19 15:38:48	sshd	67714	error: maximum authentication attempts exceeded for root from 119.193.140.151 port 60937 ssh2 [preauth]
      Apr 19 15:38:48	sshd	67714	Failed password for root from 119.193.140.151 port 60937 ssh2
      Apr 19 15:38:48	sshd	67714	Failed password for root from 119.193.140.151 port 60937 ssh2
      Apr 19 15:38:48	sshd	67714	Failed password for root from 119.193.140.151 port 60937 ssh2
      Apr 19 15:38:47	sshd	67714	Failed password for root from 119.193.140.151 port 60937 ssh2
      Apr 19 15:38:47	sshd	67714	Failed password for root from 119.193.140.151 port 60937 ssh2
      Apr 19 15:38:47	sshd	67714	Failed password for root from 119.193.140.151 port 60937 ssh2
      
      • maverick_slo

        Why do you have SSH to firewall opened to outside world?
        Block it and allow it only via VPN.

        And yes, this is exactly what is happening here, bruteforce…

        • johnpoz LAYER 8 Global Moderator

          ssh open to the world is going to get massive amounts of traffic..  Yup going to try and bruteforce you til the sun comes up..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
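
Added example, not part of the thread: a triage script for sshd lines in the tab-separated layout of the log posted above, counting failed passwords per source address and flagging sources that hit sshd's attempt limit. The sample log is constructed (documentation addresses), and the names `summarize`, `flag_sources` and `min_failed` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: Time<TAB>Process<TAB>PID<TAB>Message, as in the post above.
SAMPLE_LOG = (
    "Apr 19 16:03:02\tsshd\t70591\tDisconnected from 198.51.100.23 port 34457 [preauth]\n"
    "Apr 19 16:03:02\tsshd\t70591\tReceived disconnect from 198.51.100.23 port 34457:11: [preauth]\n"
    "Apr 19 15:50:10\topenvpn\t1201\tAuthentication failed for user alice\n"
    "Apr 19 15:44:17\tsshd\t40561\terror: maximum authentication attempts exceeded for root from 203.0.113.7 port 58134 ssh2 [preauth]\n"
    "Apr 19 15:44:17\tsshd\t40561\tFailed password for root from 203.0.113.7 port 58134 ssh2\n"
    "Apr 19 15:44:16\tsshd\t40561\tFailed password for root from 203.0.113.7 port 58134 ssh2\n"
    "Apr 19 15:44:15\tsshd\t40561\tFailed password for root from 203.0.113.7 port 58134 ssh2\n"
    "Apr 19 15:40:52\tsshd\t43486\tFailed password for admin from 192.0.2.50 port 41798 ssh2\n"
)

FAILED = re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
MAXED = re.compile(r"maximum authentication attempts exceeded for (?:invalid user )?(\S+) from (\S+) port \d+")
PREAUTH = re.compile(r"^Disconnected from (\S+) port \d+ \[preauth\]")


def summarize(log_text):
    """Per-source counters for sshd events; lines from other processes are ignored."""
    stats = defaultdict(lambda: {"failed": 0, "maxed": 0, "preauth": 0, "users": set()})
    for line in log_text.splitlines():
        fields = line.split("\t", 3)
        if len(fields) != 4 or fields[1] != "sshd":
            continue
        msg = fields[3]
        if m := FAILED.match(msg):
            stats[m.group(2)]["failed"] += 1
            stats[m.group(2)]["users"].add(m.group(1))
        elif m := MAXED.search(msg):
            stats[m.group(2)]["maxed"] += 1
            stats[m.group(2)]["users"].add(m.group(1))
        elif m := PREAUTH.match(msg):
            # Connection dropped before any authentication completed.
            stats[m.group(1)]["preauth"] += 1
    return dict(stats)


def flag_sources(stats, min_failed=5):
    """Sources that hit the attempt limit or reached min_failed failed passwords."""
    hits = [ip for ip, s in stats.items() if s["maxed"] or s["failed"] >= min_failed]
    return sorted(hits, key=lambda ip: (-stats[ip]["failed"], ip))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in flag_sources(report):
        print(ip, report[ip]["failed"], sorted(report[ip]["users"]))
```
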
