Failed password for invalid user

Status
Not open for further replies.

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
Hi guys,

I have been running my FreeNAS for about 4 years now but have recently noticed a lot of failed login attempts to SSH on random ports within my daily security run reports.
To be clear, my FreeNAS is behind my consumer router/firewall with UPnP disabled and port-forwarding enabled for very selected ports / services (none of these ports are the ones showing in the security notification).

Example


SERVER login failures:
Aug 31 00:10:54 SERVER sshd[8974]: Failed password for invalid user ts3 from 118.69.122.110 port 52982 ssh2
Aug 31 00:10:54 SERVER sshd[8974]: Connection closed by invalid user ts3 118.69.122.110 port 52982 [preauth]
Aug 31 00:22:54 SERVER sshd[10362]: Failed password for invalid user ts3 from 118.69.122.110 port 52438 ssh2
Aug 31 00:22:54 SERVER sshd[10362]: Connection closed by invalid user ts3 118.69.122.110 port 52438 [preauth]
Aug 31 00:34:54 SERVER sshd[11626]: Failed password for invalid user ts3 from 118.69.122.110 port 51888 ssh2
Aug 31 00:34:54 SERVER sshd[11626]: Connection closed by invalid user ts3 118.69.122.110 port 51888 [preauth]
Aug 31 00:46:56 SERVER sshd[12861]: Failed password for invalid user ts3 from 118.69.122.110 port 51334 ssh2
Aug 31 00:46:56 SERVER sshd[12861]: Connection closed by invalid user ts3 118.69.122.110 port 51334 [preauth]
Aug 31 01:02:56 SERVER sshd[14839]: Failed password for invalid user test from 118.69.122.110 port 50790 ssh2
Aug 31 01:02:56 SERVER sshd[14839]: Connection closed by invalid user test 118.69.122.110 port 50790 [preauth]
Aug 31 01:15:15 SERVER sshd[16135]: Failed password for invalid user postgres from 118.69.122.110 port 50240 ssh2
Aug 31 01:15:15 SERVER sshd[16135]: Connection closed by invalid user postgres 118.69.122.110 port 50240 [preauth]
Aug 31 01:30:24 SERVER sshd[17673]: Failed password for invalid user postgres from 118.69.122.110 port 49682 ssh2
Aug 31 01:30:25 SERVER sshd[17673]: Connection closed by invalid user postgres 118.69.122.110 port 49682 [preauth]
Aug 31 01:44:38 SERVER sshd[19244]: Failed password for invalid user postgres from 118.69.122.110 port 49132 ssh2
Aug 31 01:44:39 SERVER sshd[19244]: Connection closed by invalid user postgres 118.69.122.110 port 49132 [preauth]
Aug 31 01:57:15 SERVER sshd[20715]: Failed password for invalid user postgres from 118.69.122.110 port 48570 ssh2
Aug 31 01:57:15 SERVER sshd[20715]: Connection closed by invalid user postgres 118.69.122.110 port 48570 [preauth]
Aug 31 02:11:47 SERVER sshd[22350]: Failed password for invalid user postgres from 118.69.122.110 port 48022 ssh2
Aug 31 02:11:47 SERVER sshd[22350]: Connection closed by invalid user postgres 118.69.122.110 port 48022 [preauth]
Aug 31 02:24:20 SERVER sshd[23633]: Failed password for invalid user postgres from 118.69.122.110 port 47468 ssh2
Aug 31 02:24:20 SERVER sshd[23633]: Connection closed by invalid user postgres 118.69.122.110 port 47468 [preauth]
Aug 31 02:40:57 SERVER sshd[25269]: Failed password for invalid user mysql from 118.69.122.110 port 46920 ssh2
Aug 31 02:40:57 SERVER sshd[25269]: Connection closed by invalid user mysql 118.69.122.110 port 46920 [preauth]
Aug 31 02:55:34 SERVER sshd[27081]: Failed password for invalid user databse from 118.69.122.110 port 46374 ssh2
Aug 31 02:55:34 SERVER sshd[27081]: Connection closed by invalid user databse 118.69.122.110 port 46374 [preauth]
Aug 31 03:08:02 SERVER sshd[30934]: Failed password for invalid user vps from 118.69.122.110 port 45824 ssh2
Aug 31 03:08:03 SERVER sshd[30934]: Connection closed by invalid user vps 118.69.122.110 port 45824 [preauth]
Aug 31 03:20:40 SERVER sshd[32506]: Failed password for invalid user solr from 118.69.122.110 port 45268 ssh2
Aug 31 03:20:41 SERVER sshd[32506]: Connection closed by invalid user solr 118.69.122.110 port 45268 [preauth]
Aug 31 03:35:33 SERVER sshd[34498]: Failed password for invalid user zabbix from 118.69.122.110 port 44714 ssh2
Aug 31 03:35:33 SERVER sshd[34498]: Connection closed by invalid user zabbix 118.69.122.110 port 44714 [preauth]
Aug 31 03:48:17 SERVER sshd[36011]: Failed password for invalid user zabbix from 118.69.122.110 port 44170 ssh2
Aug 31 03:48:18 SERVER sshd[36011]: Connection closed by invalid user zabbix 118.69.122.110 port 44170 [preauth]
Aug 31 04:01:00 SERVER sshd[37703]: Failed password for invalid user vagrant from 118.69.122.110 port 43622 ssh2
Aug 31 04:01:00 SERVER sshd[37703]: Connection closed by invalid user vagrant 118.69.122.110 port 43622 [preauth]
Aug 31 04:13:30 SERVER sshd[39024]: Failed password for invalid user gpadmin from 118.69.122.110 port 43068 ssh2
Aug 31 04:13:31 SERVER sshd[39024]: Connection closed by invalid user gpadmin 118.69.122.110 port 43068 [preauth]
Aug 31 04:26:15 SERVER sshd[40316]: Failed password for invalid user testuser from 118.69.122.110 port 42518 ssh2
Aug 31 04:26:15 SERVER sshd[40316]: Connection closed by invalid user testuser 118.69.122.110 port 42518 [preauth]
Aug 31 04:39:07 SERVER sshd[41641]: Failed password for invalid user backup from 118.69.122.110 port 41970 ssh2
Aug 31 04:39:08 SERVER sshd[41641]: Connection closed by invalid user backup 118.69.122.110 port 41970 [preauth]
Aug 31 04:51:34 SERVER sshd[43062]: Failed password for invalid user default from 118.69.122.110 port 41424 ssh2
Aug 31 04:51:34 SERVER sshd[43062]: Connection closed by invalid user default 118.69.122.110 port 41424 [preauth]
Aug 31 05:04:00 SERVER sshd[44504]: Failed password for invalid user server from 118.69.122.110 port 40884 ssh2
Aug 31 05:04:00 SERVER sshd[44504]: Connection closed by invalid user server 118.69.122.110 port 40884 [preauth]
Aug 31 05:16:23 SERVER sshd[45786]: Failed password for invalid user mongo from 118.69.122.110 port 40328 ssh2
Aug 31 05:16:24 SERVER sshd[45786]: Connection closed by invalid user mongo 118.69.122.110 port 40328 [preauth]
Aug 31 05:28:53 SERVER sshd[47012]: Failed password for invalid user user from 118.69.122.110 port 39780 ssh2
Aug 31 05:28:54 SERVER sshd[47012]: Connection closed by invalid user user 118.69.122.110 port 39780 [preauth]
Aug 31 05:42:49 SERVER sshd[48452]: Failed password for invalid user tom from 118.69.122.110 port 39230 ssh2
Aug 31 05:42:49 SERVER sshd[48452]: Connection closed by invalid user tom 118.69.122.110 port 39230 [preauth]
Aug 31 05:55:12 SERVER sshd[50054]: Failed password for invalid user user1 from 118.69.122.110 port 38678 ssh2
Aug 31 05:55:12 SERVER sshd[50054]: Connection closed by invalid user user1 118.69.122.110 port 38678 [preauth]
Aug 31 06:07:38 SERVER sshd[51331]: Failed password for invalid user tomcat from 118.69.122.110 port 38136 ssh2
Aug 31 06:07:38 SERVER sshd[51331]: Connection closed by invalid user tomcat 118.69.122.110 port 38136 [preauth]
Aug 31 06:22:23 SERVER sshd[52947]: Failed password for invalid user orange from 118.69.122.110 port 37588 ssh2
Aug 31 06:22:23 SERVER sshd[52947]: Connection closed by invalid user orange 118.69.122.110 port 37588 [preauth]
Aug 31 06:34:51 SERVER sshd[54176]: Failed password for invalid user postfix from 118.69.122.110 port 37030 ssh2
Aug 31 06:34:51 SERVER sshd[54176]: Connection closed by invalid user postfix 118.69.122.110 port 37030 [preauth]
Aug 31 06:49:05 SERVER sshd[55581]: Failed password for invalid user spot from 118.69.122.110 port 36478 ssh2
Aug 31 06:49:05 SERVER sshd[55581]: Connection closed by invalid user spot 118.69.122.110 port 36478 [preauth]
Aug 31 07:04:00 SERVER sshd[57407]: Failed password for invalid user management from 118.69.122.110 port 35930 ssh2
Aug 31 07:04:00 SERVER sshd[57407]: Connection closed by invalid user management 118.69.122.110 port 35930 [preauth]
Aug 31 07:17:35 SERVER sshd[58800]: Failed password for invalid user mybase from 118.69.122.110 port 35378 ssh2
Aug 31 07:17:35 SERVER sshd[58800]: Connection closed by invalid user mybase 118.69.122.110 port 35378 [preauth]
Aug 31 07:30:35 SERVER sshd[60107]: Failed password for invalid user sqlbase from 118.69.122.110 port 34816 ssh2
Aug 31 07:30:35 SERVER sshd[60107]: Connection closed by invalid user sqlbase 118.69.122.110 port 34816 [preauth]
Aug 31 07:43:03 SERVER sshd[61322]: Failed password for invalid user user from 118.69.122.110 port 34266 ssh2
Aug 31 07:43:04 SERVER sshd[61322]: Connection closed by invalid user user 118.69.122.110 port 34266 [preauth]
Aug 31 07:56:32 SERVER sshd[63021]: Failed password for invalid user tomcat from 118.69.122.110 port 33714 ssh2
Aug 31 07:56:32 SERVER sshd[63021]: Connection closed by invalid user tomcat 118.69.122.110 port 33714 [preauth]
Aug 31 08:09:21 SERVER sshd[64335]: Failed password for invalid user tomcat from 118.69.122.110 port 33162 ssh2
Aug 31 08:09:21 SERVER sshd[64335]: Connection closed by invalid user tomcat 118.69.122.110 port 33162 [preauth]
Aug 31 08:21:57 SERVER sshd[65575]: Failed password for invalid user git from 118.69.122.110 port 60844 ssh2
Aug 31 08:21:57 SERVER sshd[65575]: Connection closed by invalid user git 118.69.122.110 port 60844 [preauth]
Aug 31 08:34:46 SERVER sshd[67038]: Failed password for invalid user git from 118.69.122.110 port 60294 ssh2
Aug 31 08:34:47 SERVER sshd[67038]: Connection closed by invalid user git 118.69.122.110 port 60294 [preauth]
Aug 31 08:47:20 SERVER sshd[68336]: Failed password for invalid user git from 118.69.122.110 port 59730 ssh2
Aug 31 08:47:21 SERVER sshd[68336]: Connection closed by invalid user git 118.69.122.110 port 59730 [preauth]
Aug 31 09:00:14 SERVER sshd[70011]: Failed password for invalid user tomcat from 118.69.122.110 port 59174 ssh2
Aug 31 09:00:14 SERVER sshd[70011]: Connection closed by invalid user tomcat 118.69.122.110 port 59174 [preauth]
Aug 31 09:15:45 SERVER sshd[71657]: Failed password for invalid user tomcat from 118.69.122.110 port 58626 ssh2
Aug 31 09:15:45 SERVER sshd[71657]: Connection closed by invalid user tomcat 118.69.122.110 port 58626 [preauth]
Aug 31 09:34:32 SERVER sshd[73809]: Failed password for invalid user tomcat from 118.69.122.110 port 58076 ssh2
Aug 31 09:34:33 SERVER sshd[73809]: Connection closed by invalid user tomcat 118.69.122.110 port 58076 [preauth]
Aug 31 09:54:59 SERVER sshd[76096]: Failed password for invalid user tomcat from 118.69.122.110 port 57526 ssh2
Aug 31 09:54:59 SERVER sshd[76096]: Connection closed by invalid user tomcat 118.69.122.110 port 57526 [preauth]
Aug 31 10:11:34 SERVER sshd[78275]: Failed password for invalid user tomcat from 118.69.122.110 port 56976 ssh2
Aug 31 10:11:35 SERVER sshd[78275]: Connection closed by invalid user tomcat 118.69.122.110 port 56976 [preauth]
Aug 31 10:31:58 SERVER sshd[80428]: Failed password for invalid user tomcat from 118.69.122.110 port 56430 ssh2
Aug 31 10:31:59 SERVER sshd[80428]: Connection closed by invalid user tomcat 118.69.122.110 port 56430 [preauth]
Aug 31 10:52:03 SERVER sshd[82861]: Failed password for invalid user tomcat from 118.69.122.110 port 55880 ssh2
Aug 31 10:52:03 SERVER sshd[82861]: Connection closed by invalid user tomcat 118.69.122.110 port 55880 [preauth]
Aug 31 11:12:34 SERVER sshd[85431]: Failed password for invalid user tomcat from 118.69.122.110 port 55330 ssh2
Aug 31 11:12:35 SERVER sshd[85431]: Connection closed by invalid user tomcat 118.69.122.110 port 55330 [preauth]
Aug 31 11:33:47 SERVER sshd[87824]: Failed password for invalid user tomcat from 118.69.122.110 port 54780 ssh2
Aug 31 11:33:47 SERVER sshd[87824]: Connection closed by invalid user tomcat 118.69.122.110 port 54780 [preauth]
Aug 31 11:49:23 SERVER sshd[89518]: Failed password for invalid user tomcat from 118.69.122.110 port 54232 ssh2
Aug 31 11:49:23 SERVER sshd[89518]: Connection closed by invalid user tomcat 118.69.122.110 port 54232 [preauth]
Aug 31 12:02:06 SERVER sshd[91287]: Failed password for invalid user centos from 118.69.122.110 port 53676 ssh2
Aug 31 12:02:06 SERVER sshd[91287]: Connection closed by invalid user centos 118.69.122.110 port 53676 [preauth]
Aug 31 12:14:53 SERVER sshd[92663]: Failed password for invalid user centos from 118.69.122.110 port 53122 ssh2
Aug 31 12:14:54 SERVER sshd[92663]: Connection closed by invalid user centos 118.69.122.110 port 53122 [preauth]
Aug 31 12:27:32 SERVER sshd[94087]: Failed password for invalid user centos from 118.69.122.110 port 52564 ssh2
Aug 31 12:27:33 SERVER sshd[94087]: Connection closed by invalid user centos 118.69.122.110 port 52564 [preauth]
Aug 31 12:40:14 SERVER sshd[95526]: Failed password for invalid user centos from 118.69.122.110 port 52008 ssh2
Aug 31 12:40:15 SERVER sshd[95526]: Connection closed by invalid user centos 118.69.122.110 port 52008 [preauth]
Aug 31 12:52:35 SERVER sshd[97022]: Failed password for invalid user centos from 118.69.122.110 port 51460 ssh2
Aug 31 12:52:36 SERVER sshd[97022]: Connection closed by invalid user centos 118.69.122.110 port 51460 [preauth]
Aug 31 13:05:09 SERVER sshd[98659]: Failed password for invalid user ts3server from 118.69.122.110 port 50906 ssh2
Aug 31 13:05:09 SERVER sshd[98659]: Connection closed by invalid user ts3server 118.69.122.110 port 50906 [preauth]
Aug 31 13:17:56 SERVER sshd[115]: Failed password for invalid user ts3server from 118.69.122.110 port 50352 ssh2
Aug 31 13:17:57 SERVER sshd[115]: Connection closed by invalid user ts3server 118.69.122.110 port 50352 [preauth]
Aug 31 13:30:27 SERVER sshd[1556]: Failed password for invalid user teamspeak3 from 118.69.122.110 port 49790 ssh2
Aug 31 13:30:27 SERVER sshd[1556]: Connection closed by invalid user teamspeak3 118.69.122.110 port 49790 [preauth]
Aug 31 13:44:18 SERVER sshd[3240]: Failed password for invalid user teamspeak3 from 118.69.122.110 port 49238 ssh2
Aug 31 13:44:19 SERVER sshd[3240]: Connection closed by invalid user teamspeak3 118.69.122.110 port 49238 [preauth]
Aug 31 13:56:44 SERVER sshd[4774]: Failed password for invalid user centos from 118.69.122.110 port 48676 ssh2
Aug 31 13:56:45 SERVER sshd[4774]: Connection closed by invalid user centos 118.69.122.110 port 48676 [preauth]
Aug 31 14:09:04 SERVER sshd[6160]: Failed password for invalid user centos from 118.69.122.110 port 48118 ssh2
Aug 31 14:09:05 SERVER sshd[6160]: Connection closed by invalid user centos 118.69.122.110 port 48118 [preauth]

-- End of security output --


My question is, how are these requests reaching my FreeNAS server on port 52982 (for example) when this port is not open nor forwarded from my firewall?
Another quick question: what is the format of this email? (What does the number beside sshd inside [] relate to, a PID?)

I have been adding some of the malicious IPs into ipfw for now (I know it shouldn't be added into the root filesystem).
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
You clearly have a port forward enabled for SSH. Turn off port forward to TCP port 22 (SSH) and the problem will go away.
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
You clearly have a port forward enabled for SSH. Turn off port forward to TCP port 22 (SSH) and the problem will go away.

Believe me there is no port being forwarded to TCP port 22.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Believe me there is no port being forwarded to TCP port 22.
Are you 100% sure? Because that looks like a common probe from the Internet to find accounts on a system running SSH. Could you be forwarding to SSH from another port?
 

gary_1

Explorer
Joined
Sep 26, 2017
Messages
78
Are you certain you're not port forwarding as m0nkey suggested, or that the box has a public IP and your firewall isn't blocking all incoming ports by default (or the machine has ended up in a DMZ somehow)?

Even if the router shows no forwarded ports, I'd look at what IPs are assigned to the FreeNAS box, find any public ones, then run an online port scan or use nmap if you have access to a box external to your network. Just to remove the possibility of a router/firewall bug.

If that doesn't turn up anything then it's a strange one.
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
What is the format of the email alert?

Is it similar to

{datestamp} {fqdn} {service}[{PID}]: Failed password for invalid user {username_attempt} from {originating_ip} port {originating_port} ssh2

or

{datestamp} {fqdn} {service}[{PID}]: Failed password for invalid user {username_attempt} from {originating_ip} port {destination_port} ssh2
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
Can you paste the output of ifconfig using the [ code ] tags.

Can you confirm what you are looking to check? Note there are no IPv6 addresses being used on my LAN either.

Code:
% ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
   ether [REDACTED]
   hwaddr [REDACTED]
   inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
   nd6 options=9<PERFORMNUD,IFDISABLED>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=9<PERFORMNUD,IFDISABLED>
   media: Ethernet autoselect
   status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 02:2e:07:34:69:00
   nd6 options=1<PERFORMNUD>
   groups: bridge
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 15 priority 128 path cost 2000000
   member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 14 priority 128 path cost 2000000
   member: epair8a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 13 priority 128 path cost 2000
   member: epair7a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 12 priority 128 path cost 2000
   member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 11 priority 128 path cost 2000
   member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 10 priority 128 path cost 2000
   member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 9 priority 128 path cost 2000
   member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 8 priority 128 path cost 2000
   member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 7 priority 128 path cost 2000
   member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 6 priority 128 path cost 2000
   member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 5 priority 128 path cost 2000
   member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 1 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair5a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair6a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair7a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
epair8a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair
tap0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=80000<LINKSTATE>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet autoselect
   status: no carrier
   groups: tap
tap1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=80000<LINKSTATE>
   ether [REDACTED]
   hwaddr [REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet autoselect
   status: no carrier
   groups: tap

 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Why did you redact all the IPs? I'm trying to help determine what the issue is. Censoring important information isn't going to help.
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
No IP addresses were redacted, only MAC addresses were removed.

Example (non-sensitive jail)
Code:
epair8a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether 02:0b:10:00:0d:0a [THIS WAS REDACTED]
   hwaddr 02:0b:10:00:0d:0a [THIS WAS REDACTED]
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair

 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Sorry, my error.

I'm not convinced that you don't have any kind of port forwarding enabled for SSH.

Can you share a screenshot of your router's port-forward configuration?
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
Just to clarify, are you suggesting I have port forwarding enabled for all of the following ports all pointing to my FreeNAS?


52982
52438
51888
51334
50790
50240
49682
49132
48570
48022
47468
46920
46374
45824
45268
44714
44170
43622
43068
42518
41970
41424
40884
40328
39780
39230
38678
38136
37588
37030
36478
35930
35378
34816
34266
33714
33162
60844
60294
59730
59174
58626
58076
57526
56976
56430
55880
55330
54780
54232
53676
53122
52564
52008
51460
50906
50352
49790
49238
48676
48118
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
Is it possible one of my jails is in fact compromised and is routing scans from the originating IP to my LAN? (or something similar that is a little more plausible)
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Just to clarify, are you suggesting I have port forwarding enabled for all of the following ports all pointing to my FreeNAS?
No. I asked for a screenshot of your port-forwarding configuration from your router.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@kaipee If you are wanting to show your public IP address, just remove that from any screen images, it shouldn't make a difference for this issue, but your internal LAN IPs may make a difference. It does sound like you have a firewall issue.
To be clear, my FreeNAS is behind my consumer router/firewall
I suspect that your consumer firewall is passing this data. How about some details about this firewall, brand/model/firmware version? Also have you looked at the firewall logs (assuming you have them turned on).
 

kaipee

Dabbler
Joined
Dec 20, 2014
Messages
27
@kaipee If you are wanting to show your public IP address, just remove that from any screen images, it shouldn't make a difference for this issue, but your internal LAN IPs may make a difference. It does sound like you have a firewall issue.

I suspect that your consumer firewall is passing this data. How about some details about this firewall, brand/model/firmware version? Also have you looked at the firewall logs (assuming you have them turned on).

The router is a BT Home Hub (I believe 5, but will need to confirm). I don't think it holds firewall logs, but again I will double-check.
 

gary_1

Explorer
Joined
Sep 26, 2017
Messages
78
Just to clarify, are you suggesting I have port forwarding enabled for all of the following ports all pointing to my FreeNAS?

I expect both the IP and port listed in that log are the source address/port, where the SSH connection is originating from. The destination in each case will be port 22.

I'm not sure a compromised machine inside your LAN acting as a relay is likely. I'd expect the source IP to be your compromised machine in that case, at least for a TCP-based connection, and not some machine in Vietnam.
 
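To make the log format question from earlier in the thread (the `{originating_ip} port {originating_port}` vs `{destination_port}` placeholders) and the answer just above concrete, here is a small parser for the `sshd` "Failed password" lines in the quoted report. This is an added example, not code from the thread or from FreeNAS. It assumes the standard OpenSSH log wording (it also accepts the variant without "invalid user", e.g. a failed attempt against an existing account), extracts the bracketed PID, and aggregates per source IP so the defender can see that the port field changes on every connection and stays in the ephemeral range, i.e. it is the attacker's source port, not a port open on the server. The sample lines are a constructed excerpt of the report posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a short excerpt in the same format as the security
# report quoted in this thread (the "Connection closed" lines are skipped).
SAMPLE_LOG = """\
Aug 31 00:10:54 SERVER sshd[8974]: Failed password for invalid user ts3 from 118.69.122.110 port 52982 ssh2
Aug 31 00:10:54 SERVER sshd[8974]: Connection closed by invalid user ts3 118.69.122.110 port 52982 [preauth]
Aug 31 00:22:54 SERVER sshd[10362]: Failed password for invalid user ts3 from 118.69.122.110 port 52438 ssh2
Aug 31 01:15:15 SERVER sshd[16135]: Failed password for invalid user postgres from 118.69.122.110 port 50240 ssh2
Aug 31 08:21:57 SERVER sshd[65575]: Failed password for invalid user git from 118.69.122.110 port 60844 ssh2
"""

# {datestamp} {host} {service}[{pid}]: Failed password for [invalid user ]{user} from {src_ip} port {src_port} ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<service>\w+)\[(?P<pid>\d+)\]: Failed password for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "host": m["host"],
            "pid": int(m["pid"]),                      # number in [] is the sshd child PID
            "invalid_user": m["invalid"] is not None,  # True when no such local account
            "user": m["user"],
            "src_ip": m["ip"],                         # peer (originating) address
            "src_port": int(m["port"]),                # peer's source port, not the listener
        })
    return events


def summarize(events):
    """Aggregate per source IP: attempt count, usernames tried, source ports seen."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": Counter(), "ports": set()})
    for e in events:
        s = by_ip[e["src_ip"]]
        s["attempts"] += 1
        s["users"][e["user"]] += 1
        s["ports"].add(e["src_port"])
    return dict(by_ip)


def looks_like_ephemeral_source_ports(ports):
    """Ports that differ per connection and all sit at or above 1024 are the
    client's ephemeral ports; the service being hit is still sshd's listener."""
    return len(ports) > 1 and all(p >= 1024 for p in ports)


if __name__ == "__main__":
    for ip, s in summarize(parse_failed_logins(SAMPLE_LOG)).items():
        kind = "source" if looks_like_ephemeral_source_ports(s["ports"]) else "unclear"
        print(f"{ip}: {s['attempts']} failures, users={dict(s['users'])}, "
              f"{len(s['ports'])} distinct {kind} ports")
```

Run against the full report, the per-IP summary shows a single source address cycling through service-account names (ts3, postgres, tomcat, git, ...) with a different source port each time; that pattern is a credential-guessing probe against whatever port is reaching sshd, so the thing to verify is the path from the Internet to TCP/22 on the box, not the high port numbers themselves.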