SOLVED freenas.local login failures: from Avast Antivirus

drgonzo3000

Cadet
Joined
Feb 15, 2022
Messages
3
For the past couple of weeks now I have been getting security emails about these login attempts on my FreeNAS server. The server is not exposed to the internet; it is just local network storage. The attempts are coming from a local machine on my network. Looking into the access logs, it looks like these login attempts are coming from Avast Antivirus. Has anyone seen anything like this before and is there something that can be done about it?

The IP it's coming from is my father-in-law's work computer. We both work from my house. The computer is virus free and does run Avast paid version. So not too sure what to make of this.

Snippet from the Security log output
Code:
freenas.local login failures:
Feb 14 12:51:04 freenas sshd[71399]: Invalid user  from 192.168.86.146
Feb 14 12:51:04 freenas sshd[71399]: input_userauth_request: invalid user  [preauth]
Feb 14 12:51:04 freenas sshd[71399]: Failed none for invalid user  from 192.168.86.146 port 54282 ssh2
Feb 14 12:51:04 freenas sshd[71401]: Invalid user Admin from 192.168.86.146
Feb 14 12:51:04 freenas sshd[71401]: input_userauth_request: invalid user Admin [preauth]
Feb 14 12:51:04 freenas sshd[71401]: Failed password for invalid user Admin from 192.168.86.146 port 54285 ssh2
Feb 14 12:51:04 freenas sshd[71403]: Failed password for root from 192.168.86.146 port 54288 ssh2
Feb 14 12:51:04 freenas sshd[71405]: Invalid user Administrator from 192.168.86.146
Feb 14 12:51:04 freenas sshd[71405]: input_userauth_request: invalid user Administrator [preauth]
Feb 14 12:51:04 freenas sshd[71405]: Failed password for invalid user Administrator from 192.168.86.146 port 54291 ssh2
Feb 14 12:51:04 freenas sshd[71407]: Invalid user admin from 192.168.86.146
Feb 14 12:51:04 freenas sshd[71407]: input_userauth_request: invalid user admin [preauth]
Feb 14 12:51:04 freenas sshd[71407]: Failed password for invalid user admin from 192.168.86.146 port 54294 ssh2
Feb 14 12:51:04 freenas sshd[71409]: Invalid user admin from 192.168.86.146
Feb 14 12:51:04 freenas sshd[71409]: input_userauth_request: invalid user admin [preauth]
Feb 14 12:51:04 freenas sshd[71409]: Failed password for invalid user admin from 192.168.86.146 port 54297 ssh2
Feb 14 12:51:04 freenas sshd[71411]: Invalid user admin from 192.168.86.146
Feb 14 12:51:04 freenas sshd[71411]: input_userauth_request: invalid user admin [preauth]
Feb 14 12:51:04 freenas sshd[71411]: Failed none for invalid user admin from 192.168.86.146 port 54302 ssh2
Feb 14 12:51:04 freenas sshd[71413]: Invalid user user from 192.168.86.146


NGINX Access Logs
Code:
192.168.86.146 - - [14/Feb/2022:12:50:55 -0500] "GET / HTTP/1.1" 302 5 "-" "Avast Antivirus"                                        
192.168.86.146 - - [14/Feb/2022:12:50:55 -0500] "GET /account/login/?next=/ HTTP/1.1" 200 5935 "-" "Avast Antivirus"                
192.168.86.146 - - [14/Feb/2022:12:50:55 -0500] "GET /HNAP1/ HTTP/1.1" 302 5 "-" "Avast Antivirus"                                  
192.168.86.146 - - [14/Feb/2022:12:50:55 -0500] "GET / HTTP/1.1" 302 5 "-" "Avast Antivirus"                                        
192.168.86.146 - - [14/Feb/2022:12:50:55 -0500] "GET /account/login/?next=/ HTTP/1.1" 200 5935 "-" "Avast Antivirus"                
192.168.86.146 - - [14/Feb/2022:12:51:07 -0500] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 302 5 "-" "Avast Antivirus"              
192.168.86.146 - - [14/Feb/2022:12:51:07 -0500] "GET / HTTP/1.1" 302 5 "-" "Avast Antivirus"                                        
192.168.86.146 - - [14/Feb/2022:12:51:07 -0500] "GET /account/login/?next=/ HTTP/1.1" 200 5935 "-" "Avast Antivirus" 
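
The correlation described in the post above, as an added example (not code from the thread or from TrueNAS): it flags any source IP that fails SSH logins for several usernames and lists the User-Agents the same IP sent to the web UI within a minute. The sample lines are a subset of the logs quoted above; the function names, the 60-second window, and the assumption that both logs use the server's local time are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines: a subset of the sshd and NGINX logs quoted in the post above.
AUTH_LOG = """\
Feb 14 12:51:04 freenas sshd[71399]: Failed none for invalid user  from 192.168.86.146 port 54282 ssh2
Feb 14 12:51:04 freenas sshd[71401]: Failed password for invalid user Admin from 192.168.86.146 port 54285 ssh2
Feb 14 12:51:04 freenas sshd[71403]: Failed password for root from 192.168.86.146 port 54288 ssh2
Feb 14 12:51:04 freenas sshd[71405]: Failed password for invalid user Administrator from 192.168.86.146 port 54291 ssh2
Feb 14 12:51:04 freenas sshd[71407]: Failed password for invalid user admin from 192.168.86.146 port 54294 ssh2
"""
ACCESS_LOG = """\
192.168.86.146 - - [14/Feb/2022:12:50:55 -0500] "GET /HNAP1/ HTTP/1.1" 302 5 "-" "Avast Antivirus"
192.168.86.146 - - [14/Feb/2022:12:51:07 -0500] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 302 5 "-" "Avast Antivirus"
"""

# The username may be empty, as in the first sample line.
SSHD_FAIL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed \S+ for "
                       r"(?:invalid user )?(.*?) from (\S+) port \d+")
NGINX = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

def ssh_bursts(text, year, min_users=3):
    """Per source IP: failure times and usernames tried (syslog has no year)."""
    seen = defaultdict(lambda: {"times": [], "users": set()})
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
            seen[m.group(3)]["times"].append(ts)
            seen[m.group(3)]["users"].add(m.group(2))
    return {ip: v for ip, v in seen.items() if len(v["users"]) >= min_users}

def attribute(auth_text, access_text, year, window=timedelta(seconds=60)):
    """Map each bursting IP to the User-Agents it sent within `window`."""
    bursts = ssh_bursts(auth_text, year)
    result = {ip: set() for ip in bursts}
    for line in access_text.splitlines():
        m = NGINX.match(line)
        if not m or m.group(1) not in bursts:
            continue
        # Assumption: both logs are in server local time, so the offset is dropped.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if any(abs(ts - t) <= window for t in bursts[m.group(1)]["times"]):
            result[m.group(1)].add(m.group(3))
    return result

if __name__ == "__main__":
    for ip, agents in attribute(AUTH_LOG, ACCESS_LOG, 2022).items():
        print(ip, sorted(agents))
```

The User-Agent header is set by the client, so a match is a lead to confirm on the source machine rather than proof of which program made the attempts.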
 

Matt84

Dabbler
Joined
May 24, 2016
Messages
22
I'm seeing the same thing every time I run a "Smart Scan" on any machine on my network that has Avast Free installed. auth.log fills up with failed SSH login attempts.

However my NGINX Access Logs have nothing in them for years. How in TrueNAS do you get the NGINX access logs working?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
What version of TrueNAS are you running? If 13, be advised upstream OpenSSH deprecated ssh-rsa ciphers for key-based logins, due to crypto vulnerabilities in the SHA-1 hashing algorithm. You can run at risk, and add ssh-rsa support back by adding PubkeyAcceptedAlgorithms +ssh-rsa to the SSH service's Auxiliary parameters field.

Without this modification, there will be a crypto mismatch in accepted key algorithms, with a spurious error message about "Failed password logins" like you're seeing.
 

Matt84

Dabbler
Joined
May 24, 2016
Messages
22
TrueNAS 12.8-U1. I haven't upgraded to 13 yet. I found the cause of the issue. Avast checks services on your home network for weak passwords. Turn off the setting shown in the screenshot; when I then run a scan, I don't see any failed auth attempts in my TrueNAS logs.
 

Attachments

  • avast port scan.JPG

drgonzo3000

Cadet
Joined
Feb 15, 2022
Messages
3
Thanks for posting the solution, as I had completely forgotten about this thread being open.

I found the exact same thing after digging into Avast more. Not sure how I feel about this blatant hack attempt from Avast trying to access everything on the network.
 