In the last few days I've been seeing multiple login attempts similar to:
Jan 6 22:19:04 freenas sshd[53755]: Disconnected from invalid user unm 51.77.140.111 port 38102 [preauth]
Jan 6 22:30:56 freenas sshd[54290]: Disconnected from invalid user zhz 34.66.28.207 port 34648 [preauth]
Jan 6 22:54:28 freenas sshd[54977]: Disconnected from invalid user nagios 218.78.54.84 port 46548 [preauth]
Jan 6 23:30:30 freenas sshd[56247]: Disconnected from invalid user pondering 59.51.65.17 port 56748 [preauth]
Jan 6 23:30:49 freenas sshd[56249]: Disconnected from invalid user pi 59.41.65.251 port 9167 [preauth]
Jan 6 23:33:04 freenas sshd[56338]: Disconnected from invalid user db2inst3 110.164.205.133 port 19259 [preauth]
Jan 6 23:45:42 freenas sshd[56687]: Disconnected from invalid user fl 51.158.104.58 port 50542 [preauth]
Jan 6 23:48:38 freenas sshd[56769]: Disconnected from invalid user odell 150.95.212.72 port 37430 [preauth]
I'm running 11.2-U7 on a local network. However, I allow users to backup to the machine over SFTP. While this puts the machine "on the net" I've followed suggestions to (1) use a non-standard port (port forward) plus each user has SSH keys (plus password). All has been quiet for well over a couple of years until these attacks. I've disabled the port-forward and all goes quiet.
What has happened here? Has a scanner managed to find the non-standard port, got lucky and then told the bot-net army to pay a visit?
As a current mitigation I've changed the external port but should I be doing more? Is pfSense and fail2ban a good way / worthwhile way to go?
Please help me kill the bots!
Thanks.
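To see what the quoted sshd lines actually say and what a fail2ban-style rule would act on, here is an added example (not from the original post) that parses "Disconnected from invalid user ... [preauth]" lines in the same format, counts failures per source address and flags any address that exceeds a per-window threshold. The sample lines are constructed: the burst from 203.0.113.7 (a documentation address) trips the rule, while one-shot probes from many different addresses, which is what the post's log shows, never do.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the sshd preauth lines quoted in the post (unknown username, disconnected before auth).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Disconnected from invalid user (?P<user>\S+) (?P<ip>[\d.]+) port \d+ \[preauth\]")

# Constructed sample: two one-shot probes like the post's, one burst from a single source
# (203.0.113.7 is a documentation address), and an unrelated line that must be ignored.
SAMPLE = """\
Jan 6 22:19:04 freenas sshd[53755]: Disconnected from invalid user unm 51.77.140.111 port 38102 [preauth]
Jan 6 22:30:56 freenas sshd[54290]: Disconnected from invalid user zhz 34.66.28.207 port 34648 [preauth]
Jan 6 22:31:10 freenas sshd[54301]: Disconnected from invalid user admin 203.0.113.7 port 40001 [preauth]
Jan 6 22:31:14 freenas sshd[54303]: Disconnected from invalid user pi 203.0.113.7 port 40002 [preauth]
Jan 6 22:31:19 freenas sshd[54305]: Disconnected from invalid user test 203.0.113.7 port 40003 [preauth]
Jan 6 22:54:28 freenas sshd[54977]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
""".splitlines()

def parse(lines, year=2020):
    """Yield (timestamp, user, ip) for each matching line; syslog has no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def per_ip_counts(lines):
    """Failed preauth attempts per source address."""
    return dict(Counter(ip for _, _, ip in parse(lines)))

def offenders(lines, max_retry=3, window=timedelta(minutes=10)):
    """fail2ban-style rule: an IP with >= max_retry failures inside any window is flagged.
    Returns {ip: sorted usernames it tried}. One-shot probes from many IPs never trip it."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            # count the events that fall inside the window opening at event i
            n = sum(1 for t, _ in events[i:] if t - events[i][0] <= window)
            if n >= max_retry:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```

Run `per_ip_counts(SAMPLE)` and `offenders(SAMPLE)` to see the difference between a single noisy source and a spread of single attempts; the latter is only visible in the per-IP counts, not in the ban list.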