False 'security run output' emails?

Status
Not open for further replies.

Avro

Dabbler
Joined
Mar 14, 2015
Messages
11
I received an e-mail this morning from my FreeNAS server advising of six failed log-in attempts to the root account.
Code:
FreeNAS.lan login failures:
Dec  5 20:59:56 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2
Dec  5 21:00:00 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2
Dec  5 21:00:13 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2
Dec  5 21:00:19 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2
Dec  5 21:00:20 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2
Dec  5 21:00:22 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2
Dec  5 21:00:22 FreeNAS sshd[74787]: Disconnecting: Too many authentication failures for root [preauth]

I found this odd, as the 10.x.x.x address listed is that of my primary workstation. I was home, and the PC was on but it wasn't in use at 9pm. I recall getting a similar e-mail some time ago listing failed log-in attempts, however the IP address was that of my desktop at my old house. I changed the net ID between there and here, so I was a little freaked out but didn't know how to dig any further.

This morning I logged into the FreeNAS GUI and went through the scrolling log at the bottom and couldn't find any matching activity for the time shown. I looked around and found the /var/log folder, and looked at the auth.log file. If I went back far enough, I could find some entries matching the e-mail. Time stamps in the auth.log file are the same as in the e-mail: month, day and time but no year.

Is it possible that this incident occurred on Dec 5th LAST YEAR, and FreeNAS is just seeing the date (no year) and falsely sending an e-mail today?
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Avro said: "Is it possible that this incident occurred on Dec 5th LAST YEAR"
I vaguely remember seeing a similar report that did appear to be from an incident from a previous year. Unfortunately I don't remember the details.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I didn't realize this was still a thing. You'd think someone would've added a year check to the script by now.
 

Avro

Dabbler
Joined
Mar 14, 2015
Messages
11
Thanks all. Puts my mind at ease a bit.

...and yeah, maybe it's time that the year started being logged. :)
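
Added example, not part of the thread and not FreeNAS's own script: one way a year check could work on the year-less auth.log timestamps discussed above, compared with a plain match on the "Mon dd" prefix. The log lines, function names and the reference time passed in as `now` are constructed assumptions.

```python
from datetime import datetime

# Constructed sample in the shape of the auth.log lines quoted in the thread.
# Nothing in the text says so, but the first two entries are a year older.
SAMPLE_LOG = [
    "Dec  5 20:59:56 FreeNAS sshd[74787]: Failed password for root from 10.x.x.x port 56806 ssh2",
    "Dec  5 21:00:22 FreeNAS sshd[74787]: Disconnecting: Too many authentication failures for root [preauth]",
    "Mar 14 08:12:01 FreeNAS sshd[1201]: Accepted publickey for root from 10.x.x.x port 50122 ssh2",
    "Dec  5 09:30:11 FreeNAS sshd[2210]: Accepted publickey for root from 10.x.x.x port 50888 ssh2",
]

def _key(dt):
    return (dt.month, dt.day, dt.hour, dt.minute, dt.second)

def assign_years(lines, now):
    """Return (datetime, line) pairs, inferring the year syslog leaves out.

    Assumes chronological order with the newest line not later than `now`.
    Reading backwards, a timestamp that jumps forward in the calendar means
    a New Year boundary was crossed, so the year drops by one.
    """
    year, later, dated = now.year, _key(now), []
    for line in reversed(lines):
        # Parse against leap year 2000 so "Feb 29" is always accepted.
        key = _key(datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S"))
        if key > later:
            year -= 1
        while True:
            try:
                dated.append((datetime(year, *key), line))
                break
            except ValueError:  # Feb 29 in a non-leap year: step back further
                year -= 1
        later = key
    return dated[::-1]

def login_failures_for_day(lines, now, day):
    """Failed-password lines whose inferred full date equals `day`."""
    return [line for when, line in assign_years(lines, now)
            if when.date() == day and "Failed password" in line]

def naive_failures_for_day(lines, day):
    """Year-blind match on the 'Mon dd' prefix, as a plain text search would do."""
    prefix = f"{day:%b} {day.day:2d}"
    return [l for l in lines if l.startswith(prefix) and "Failed password" in l]
```

The inference only sees a year boundary when the calendar visibly wraps between neighbouring lines, so a quiet period longer than a year can still be misdated.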
 