Kindly explain this to me :(



  • Jun 29 13:55:53 sshd[17515]: Failed password for invalid user seth from 121.78.118.134 port 62558 ssh2
    Jun 29 13:55:53 sshd[17515]: Invalid user seth from 121.78.118.134
    Jun 29 13:55:50 sshd[17488]: Failed password for invalid user selma from 121.78.118.134 port 61436 ssh2
    Jun 29 13:55:50 sshd[17488]: Invalid user selma from 121.78.118.134
    Jun 29 13:55:48 sshd[17466]: Failed password for invalid user selby from 121.78.118.134 port 61200 ssh2
    Jun 29 13:55:48 sshd[17466]: Invalid user selby from 121.78.118.134
    Jun 29 13:55:46 sshd[17448]: Failed password for invalid user september from 121.78.118.134 port 60890 ssh2
    Jun 29 13:55:46 sshd[17448]: Invalid user september from 121.78.118.134
    Jun 29 13:55:43 sshd[17424]: Failed password for invalid user sebastian from 121.78.118.134 port 60654 ssh2
    Jun 29 13:55:43 sshd[17424]: Invalid user sebastian from 121.78.118.134
    Jun 29 13:55:41 sshd[17407]: Failed password for invalid user sean from 121.78.118.134 port 60487 ssh2
    Jun 29 13:55:41 sshd[17407]: Invalid user sean from 121.78.118.134
    Jun 29 13:55:39 sshd[17398]: Failed password for invalid user scotty from 121.78.118.134 port 60301 ssh2
    Jun 29 13:55:39 sshd[17398]: Invalid user scotty from 121.78.118.134
    Jun 29 13:55:37 sshd[17372]: Failed password for invalid user scott from 121.78.118.134 port 59110 ssh2
    Jun 29 13:55:37 sshd[17372]: Invalid user scott from 121.78.118.134
    Jun 29 13:55:35 sshd[17354]: Failed password for invalid user scot from 121.78.118.134 port 58905 ssh2
    Jun 29 13:55:35 sshd[17354]: Invalid user scot from 121.78.118.134
    Jun 29 13:55:33 sshd[17313]: Failed password for invalid user scarlett from 121.78.118.134 port 58679 ssh2
    Jun 29 13:55:33 sshd[17313]: Invalid user scarlett from 121.78.118.134
    Jun 29 13:55:30 sshd[17278]: Failed password for invalid user scarlet from 121.78.118.134 port 58477 ssh2
    Jun 29 13:55:30 sshd[17278]: Invalid user scarlet from 121.78.118.134
    Jun 29 13:55:28 sshd[17244]: Failed password for invalid user savanna from 121.78.118.134 port 57251 ssh2
    Jun 29 13:55:28 sshd[17244]: Invalid user savanna from 121.78.118.134
    Jun 29 13:55:25 sshd[17198]: Failed password for invalid user sarah from 121.78.118.134 port 56974 ssh2

    What does this log mean?

    Thanks in advance
    -cruzades



  • It means someone is trying a dictionary attack on SSH on your pfSense box.

    If you don't know what these log entries mean you should
    uncheck the box "Enable Secure Shell" under system –> advanced.
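    The pattern behind that answer, many different usernames failing from one address within seconds, is easy to pick out automatically. The script below is an added example, not from the thread or from pfSense: it parses sshd lines in the format posted above (a constructed sample built from those lines plus one benign failure) and flags a source IP only when the burst of failures spans several usernames inside a short window. The year, thresholds and the benign address 192.0.2.10 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five attacker lines taken from the thread (plus one "Invalid
# user" line to show it is ignored) and one constructed single failure from
# 192.0.2.10 that must NOT be flagged. syslog omits the year, so one is assumed.
SAMPLE_LOG = """\
Jun 29 13:55:53 sshd[17515]: Failed password for invalid user seth from 121.78.118.134 port 62558 ssh2
Jun 29 13:55:53 sshd[17515]: Invalid user seth from 121.78.118.134
Jun 29 13:55:50 sshd[17488]: Failed password for invalid user selma from 121.78.118.134 port 61436 ssh2
Jun 29 13:55:48 sshd[17466]: Failed password for invalid user selby from 121.78.118.134 port 61200 ssh2
Jun 29 13:55:43 sshd[17424]: Failed password for invalid user sebastian from 121.78.118.134 port 60654 ssh2
Jun 29 13:55:41 sshd[17407]: Failed password for invalid user sean from 121.78.118.134 port 60487 ssh2
Jun 29 13:40:02 sshd[16001]: Failed password for admin from 192.0.2.10 port 50022 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(text, year=2024):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # "Invalid user ..." lines only duplicate the failure: skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def find_dictionary_attacks(events, window_s=60, min_failures=5, min_users=3):
    """Flag an IP with >= min_failures failures across >= min_users usernames in
    one window_s-second window: that burst is the dictionary-attack signature."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()  # the posted log is newest-first; order by time
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward
            users = {u for _, u in hits[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_users:
                alerts[ip] = {"failures": len(hits),
                              "distinct_users": len({u for _, u in hits})}
                break
    return alerts
```

Running `find_dictionary_attacks(parse_failures(SAMPLE_LOG))` reports only 121.78.118.134 (5 failures, 5 usernames in 12 seconds); the lone failure from the other address stays below every threshold.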



  • Whois says that this IP belongs to
    OrgName:    Asia Pacific Network Information Centre
    OrgID:      APNIC
    Address:    PO Box 2131
    City:      Milton
    StateProv:  QLD
    PostalCode: 4064
    Country:    AU
    I would change the port ssh runs on if you don't disable it.



  • @GruensFroeschli:

    It means someone is trying a dictionary attack on SSH on your pfSense box.

    If you don't know what these log entries mean you should
    uncheck the box "Enable Secure Shell" under system –> advanced.

    Thanks, I got it now.



  • @ampwifi:

    Whois says that this IP belongs to
    OrgName:    Asia Pacific Network Information Centre
    OrgID:      APNIC
    Address:    PO Box 2131
    City:      Milton
    StateProv:  QLD
    PostalCode: 4064
    Country:    AU
    I would change the port ssh runs on if you don't disable it.

    The IP belongs to Korea, yeah. I'm changing it right now.

    Thanks.


  • LAYER 8 Moderator

    Changing the port SSH runs on doesn't help a bit if the attacker is a bit more intelligent than just hammering user/pass combinations against port 22. If he does a little portscanning beforehand, he'll quickly identify the new port ssh runs on and will continue.

    Other options are:

    • only permit ssh from locations you trust or via vpn
    • only permit xyz connects per abc seconds and slow him down to the ground (à la spamd)
    • disable ssh altogether if you don't use it (from the outside or completely)

    Greets



  • @Grey:

    Changing the port SSH runs on doesn't help a bit if the attacker is a bit more intelligent than just hammering user/pass combinations against port 22. If he does a little portscanning beforehand, he'll quickly identify the new port ssh runs on and will continue.

    However, it does at least keep out all the bot probes.

    I'd also advise disabling password-based logins completely and requiring keys. The likes of denyhosts can help too.



  • @Grey:

    • only permit xyz connects per abc seconds and slow him down to the ground (à la spamd)

    How do I do this one, sir?

    -cruzades


  • LAYER 8 Moderator

    @Cry:

    However, it does at least keep out all the bot probes.

    I'd also advise disabling password-based logins completely and requiring keys. The likes of denyhosts can help too.

    Absolutely. I just wanted to point out to not feel too sure about security through obscurity. You're right about the bot probes, though.

    @cruzades:

    How do I do this one, sir?

    Create/edit the rule that allows incoming traffic to the SSH port from WAN and unfold the advanced options at the bottom of the rule-edit screen (click on the advanced button in that line). There you can enter various options like "Maximum new connections / per second" and "Simultaneous client connection limit".



  • You may also disable ssh until you need it. I would still change the port, though.

