hacking?

Status
Not open for further replies.
Joined
Jul 16, 2016
Messages
17
Dear all,
I'm a newbie and I built my first FN machine a few weeks ago. I have FTP, SSH, AFP and CIFS ports opened (I know I know...). I tried to set up a VPN but I had many problems and I couldn't. That being said, my system seems to work very well. But... I was looking at my logs and I saw these "strange" lines.
What do you think?

Thanks



Code:
Jul 25 12:53:26 mqc sshd[5412]: fatal: Unable to negotiate with 103.207.36.45 port 50325: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]                                                                                    
Jul 25 12:56:40 mqc sshd[5644]: error: Received disconnect from 103.207.36.130 port 65246:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 12:56:49 mqc sshd[5667]: error: Received disconnect from 103.207.36.130 port 59460:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 13:07:22 mqc sshd[6564]: error: Received disconnect from 212.129.1.167 port 61941:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 13:18:11 mqc sshd[7480]: error: Received disconnect from 62.210.178.56 port 63211:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 13:18:12 mqc sshd[7482]: error: Received disconnect from 62.210.178.56 port 65076:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 13:18:12 mqc sshd[7484]: error: Received disconnect from 62.210.178.56 port 50151:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 13:39:44 mqc afpd[4969]: afp_zzz: entering extended sleep                                                                  
Jul 25 13:44:10 mqc sshd[9620]: error: Received disconnect from 203.205.33.199 port 61797:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                        
Jul 25 13:44:14 mqc sshd[9613]: error: Received disconnect from 103.207.38.165 port 49785:3: java.net.SocketTimeoutException: Read timed out [preauth]                                                                                                                
Jul 25 14:06:45 mqc sshd[11429]: error: Received disconnect from 203.113.135.50 port 60033:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                      
Jul 25 14:06:48 mqc sshd[11431]: error: Received disconnect from 203.113.135.50 port 62686:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                      
Jul 25 14:06:53 mqc sshd[11434]: error: Received disconnect from 203.113.135.50 port 64716:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                      
Jul 25 14:07:01 mqc sshd[11436]: error: Received disconnect from 203.113.135.50 port 53512:3: com.jcraft.jsch.JSchException: Auth fail [preauth]                                                                                                                      
Jul 25 14:07:10 mqc sshd[11490]: error: Received disconnect from 203.113.135.50 port 57672:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
Yes, it appears several hackers are trying to attach to your system with SSH. Is your FreeNAS server connected to a router? Is it behind a firewall? If not, it ought to be. If so, you need to tighten up the security on your router/firewall and not grant access to your FreeNAS server from the outside world.
 
Joined
Jul 16, 2016
Messages
17
Yes, my FN is connected to a router and there is no firewall. I need to access it from outside, and that's why I opened ports and shares. What could I do? As I said I tried to follow a guide to install OpenVPN but I had problems and I couldn't...

Last but not least: did those hackers violate my system? Reading those lines it seems their attempt was refused, wasn't it?

Thx
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
Network security is a vast subject, and is really outside the bailiwick of this forum... :)

That said, if you will post your system information per the forum rules, including your network setup and the brand and model of your router/gateway, perhaps one of the network experts here on the forum will help out.

It appears that the hacker hasn't managed to break in to your system... yet. You might want to set SSH up to use private keys instead of passwords.
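
One way to check the "did anyone get in?" question against a log like the one posted above, as an added example that is not part of the original thread: it tallies sshd contacts that were dropped before authentication per source address and lists any `Accepted` logins separately. The sample lines are copied from the excerpt in the first post; the function and field names are this example's own.

```python
import re
from collections import Counter

# Lines copied from the log excerpt posted at the top of this thread.
SAMPLE_LOG = """\
Jul 25 12:53:26 mqc sshd[5412]: fatal: Unable to negotiate with 103.207.36.45 port 50325: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jul 25 12:56:40 mqc sshd[5644]: error: Received disconnect from 103.207.36.130 port 65246:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jul 25 12:56:49 mqc sshd[5667]: error: Received disconnect from 103.207.36.130 port 59460:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jul 25 13:39:44 mqc afpd[4969]: afp_zzz: entering extended sleep
Jul 25 13:44:14 mqc sshd[9613]: error: Received disconnect from 103.207.38.165 port 49785:3: java.net.SocketTimeoutException: Read timed out [preauth]
"""

SSHD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (?P<msg>.*)$")
NEGOTIATE = re.compile(
    r"Unable to negotiate with (?P<ip>\S+) port \d+: .*Their offer: (?P<offer>\S+)")
DISCONNECT = re.compile(
    r"Received disconnect from (?P<ip>\S+) port \d+:\d+: .*?(?P<pre> \[preauth\])?$")
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def triage(log_text):
    """Separate pre-auth rejections from successful logins in syslog-style sshd output."""
    report = {"rejected": Counter(), "kex_offers": Counter(), "accepted": []}
    for line in log_text.splitlines():
        m = SSHD.match(line.rstrip())
        if not m:
            continue  # other daemons (afpd here) and blank lines
        msg = m.group("msg")
        if (a := ACCEPTED.search(msg)):
            # A completed login: the only line type here that means someone got in.
            report["accepted"].append((a["user"], a["ip"], a["method"]))
        elif (n := NEGOTIATE.search(msg)):
            # Client offered only key exchange methods the server refuses.
            report["rejected"][n["ip"]] += 1
            report["kex_offers"][n["offer"]] += 1
        elif (d := DISCONNECT.search(msg)) and d["pre"]:
            # [preauth] marks a session that ended before any login succeeded.
            report["rejected"][d["ip"]] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, count in result["rejected"].most_common():
        print(f"{count:3d} pre-auth rejection(s) from {ip}")
    print("accepted logins:", result["accepted"] or "none in this excerpt")
```

An empty `accepted` list only covers the lines that were fed in, so the check is meaningful when run over the complete sshd log rather than an excerpt.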
 
Joined
Jul 16, 2016
Messages
17
Thank you very much for your kind support. Here's my machine's specs:

9.3-STABLE
Intel Core2 Quad 9650 3 GHz
8 GB DDRAM
Connected to an Apple Time Capsule (only used as a switch), which is connected to a Comtrend VG-8050 router
WD Black 250 GB as system drive
2x WD Blue 1 TB (stripe) for storage
2x WD Blue 2 TB (stripe) for storage
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
You've configured your system so that you can access it remotely. But in so doing, you've also configured it so everyone else can too. I see three options, in order of preference:
  • Figure out the VPN setup
  • Only open the port for SSH, and figure out how to use SSH tunneling. In this case, it would be best to limit SSH to only using public key authentication, and disable root logins via SSH.
  • Prepare to welcome @RussianMafia for an electronic visit.
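
The second option above (public key authentication only, no root logins) can be checked mechanically. The following is an added example, not part of the original post: it audits the global section of an `sshd_config` for those two settings, and additionally flags keyboard-interactive authentication, which goes beyond the post but can still accept passwords through PAM when only `PasswordAuthentication` is turned off. Both sample configurations are constructed, and the function names are this example's own.

```python
# Constructed sample configurations; not taken from the poster's machine.
PASSWORD_LOGINS = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
KEYS_ONLY = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no"}
# Newer OpenSSH uses the first keyword name, older releases the second.
KBDINT = ("kbdinteractiveauthentication", "challengeresponseauthentication")


def effective_settings(config_text):
    """Global sshd_config values: keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(config_text):
    """Return findings; an empty list means key-only, no-root SSH is configured."""
    s = effective_settings(config_text)
    findings = []
    for key, want in REQUIRED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set, default depends on the OpenSSH build")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', want '{want}'")
    kbd = next((s[k] for k in KBDINT if k in s), None)
    if kbd is None or kbd.lower() != "no":
        findings.append("keyboard-interactive not disabled: PAM may still take passwords")
    if s.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append("pubkeyauthentication is 'no': key logins are disabled")
    return findings
```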
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
If you opened up your CIFS shares to the internet, you're probably pwned already.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That probably depends on the Samba version. There are some old versions out there with some nasty vulnerabilities, but I don't think the latest versions are being actively exploited by profit-driven 'hackers' (ransomware / Viagra spam). So it's probably not the lowest of the low-hanging fruit, but still not a great idea.

I'd say about 9/10ths of security is doing things right (configuring stuff to do what it's supposed to do, and nothing more than what it's supposed to do). The rest of security is an awesome gravy-train if you can get in on it. :D
 