SSH Attack Attempt From My Own System?

[joeschmuck]

So this is very odd and it started happening a few weeks ago, keeping in mind I had not upgraded FreeNAS nor made any changed to FreeNAS, Firewall, nor anything network related.

Once I started getting these messages I turned off SSH but I still got the messages, then I upgraded FreeNAS to the most current version (FreeNAS-9.3-STABLE-201512121950) and I still get the messages. The odd part is these attacks are coming from my main computer which is IP address 192.168.1.200. My only thought is I introduced a virus/malware or something on my own computer. It's just odd that if someone had access to my main computer, why would they try to hack into the NAS when it's all open on my local network anyway. Just doesn't make sense to me. With the time of the attempts, I'm not sure what is going on. I do have an open firewall port for RDP into my main computer, I will hate to close it. Maybe it's time to figure out how to make a VPN connection, arg, I didn't want to sit on the computer today.

Here is what bugs me the most, there is an entry for user name of "joe" which of course is my alias. I've never used joe as a user name on my systems. I do feel like someone is trying to hack into my system. Any advice would be appreciated.

Here are the nightly reports FreeNAS is sending me:
Yesterdays

Code:

freenas.local login failures:

Dec 26 10:11:36 freenas sshd[8802]: Failed password for root from 192.168.1.200 port 52502 ssh2
Dec 26 10:11:37 freenas sshd[8802]: Failed password for root from 192.168.1.200 port 52502 ssh2
Dec 26 10:11:37 freenas sshd[8802]: Failed password for root from 192.168.1.200 port 52502 ssh2
Dec 26 10:11:37 freenas sshd[8802]: Failed password for root from 192.168.1.200 port 52502 ssh2
Dec 26 10:11:37 freenas sshd[8802]: Failed password for root from 192.168.1.200 port 52502 ssh2
Dec 26 10:11:38 freenas sshd[8802]: Failed password for root from 192.168.1.200 port 52502 ssh2
Dec 26 10:11:38 freenas sshd[8802]: Disconnecting: Too many authentication failures for root [preauth]



-- End of security output --

One in the middle

Code:

freenas.local login failures:

Dec 24 08:21:11 freenas sshd[11241]: Invalid user ubuntu from 192.168.1.200 
Dec 24 08:21:11 freenas sshd[11241]: input_userauth_request: invalid user ubuntu [preauth] 
Dec 24 08:21:14 freenas sshd[11241]: Failed password for invalid user ubuntu from 192.168.1.200 port 19057 ssh2 
Dec 24 08:21:16 freenas sshd[11241]: Failed password for invalid user ubuntu from 192.168.1.200 port 19057 ssh2 
Dec 24 08:21:16 freenas sshd[11241]: Failed password for invalid user ubuntu from 192.168.1.200 port 19057 ssh2 
Dec 24 08:21:16 freenas sshd[11241]: Failed password for invalid user ubuntu from 192.168.1.200 port 19057 ssh2 
Dec 24 08:21:17 freenas sshd[11241]: Failed password for invalid user ubuntu from 192.168.1.200 port 19057 ssh2 
Dec 24 08:21:17 freenas sshd[11241]: Failed password for invalid user ubuntu from 192.168.1.200 port 19057 ssh2 
Dec 24 08:21:17 freenas sshd[11241]: Disconnecting: Too many authentication failures for ubuntu [preauth] 
Dec 24 08:21:29 freenas sshd[11246]: Invalid user Ubuntu from 192.168.1.200 
Dec 24 08:21:29 freenas sshd[11246]: input_userauth_request: invalid user Ubuntu [preauth] 
Dec 24 08:21:32 freenas sshd[11246]: Failed password for invalid user Ubuntu from 192.168.1.200 port 19061 ssh2 
Dec 24 08:21:33 freenas sshd[11246]: Failed password for invalid user Ubuntu from 192.168.1.200 port 19061 ssh2 
Dec 24 08:21:33 freenas sshd[11246]: Failed password for invalid user Ubuntu from 192.168.1.200 port 19061 ssh2 
Dec 24 08:21:34 freenas sshd[11246]: Failed password for invalid user Ubuntu from 192.168.1.200 port 19061 ssh2 
Dec 24 08:21:34 freenas sshd[11246]: Failed password for invalid user Ubuntu from 192.168.1.200 port 19061 ssh2 
Dec 24 08:21:34 freenas sshd[11246]: Failed password for invalid user Ubuntu from 192.168.1.200 port 19061 ssh2 
Dec 24 08:21:34 freenas sshd[11246]: Disconnecting: Too many authentication failures for Ubuntu [preauth]

-- End of security output --

The very first one

Code:

freenas.local login failures:

Dec 21 16:21:06 freenas sshd[7982]: Invalid user joe from 192.168.1.200 
Dec 21 16:21:06 freenas sshd[7982]: input_userauth_request: invalid user joe [preauth] 
Dec 21 16:21:09 freenas sshd[7982]: Failed password for invalid user joe from 192.168.1.200 port 12696 ssh2 
Dec 21 16:21:12 freenas sshd[7982]: Failed password for invalid user joe from 192.168.1.200 port 12696 ssh2 
Dec 21 16:21:14 freenas sshd[7982]: Failed password for invalid user joe from 192.168.1.200 port 12696 ssh2 
Dec 21 16:21:15 freenas sshd[7982]: Failed password for invalid user joe from 192.168.1.200 port 12696 ssh2 
Dec 21 16:21:15 freenas sshd[7982]: Failed password for invalid user joe from 192.168.1.200 port 12696 ssh2 
Dec 21 16:21:15 freenas sshd[7982]: Failed password for invalid user joe from 192.168.1.200 port 12696 ssh2 
Dec 21 16:21:15 freenas sshd[7982]: Disconnecting: Too many authentication failures for joe [preauth] 
Dec 21 16:21:30 freenas sshd[8007]: Invalid user joe from 192.168.1.200 
Dec 21 16:21:30 freenas sshd[8007]: input_userauth_request: invalid user joe [preauth] 
Dec 21 16:21:38 freenas sshd[8007]: Failed password for invalid user joe from 192.168.1.200 port 12706 ssh2 
Dec 21 16:42:41 freenas sshd[10708]: Invalid user joe from 192.168.1.200 
Dec 21 16:42:41 freenas sshd[10708]: input_userauth_request: invalid user joe [preauth] 
Dec 21 16:42:46 freenas sshd[10708]: Failed password for invalid user joe from 192.168.1.200 port 13097 ssh2 
Dec 21 16:42:48 freenas sshd[10708]: Failed password for invalid user joe from 192.168.1.200 port 13097 ssh2 
Dec 21 19:16:22 freenas sshd[18500]: Failed password for root from 192.168.1.200 port 14942 ssh2 
Dec 21 19:16:26 freenas sshd[18500]: Failed password for root from 192.168.1.200 port 14942 ssh2 
Dec 21 19:16:29 freenas sshd[18500]: Failed password for root from 192.168.1.200 port 14942 ssh2 
Dec 21 19:16:29 freenas sshd[18500]: Failed password for root from 192.168.1.200 port 14942 ssh2 
Dec 21 19:16:29 freenas sshd[18500]: Failed password for root from 192.168.1.200 port 14942 ssh2 
Dec 21 19:16:30 freenas sshd[18500]: Failed password for root from 192.168.1.200 port 14942 ssh2 
Dec 21 19:16:30 freenas sshd[18500]: Disconnecting: Too many authentication failures for root [preauth] 
Dec 21 19:19:01 freenas sshd[18576]: Failed password for root from 192.168.1.200 port 15134 ssh2 
Dec 21 19:19:10 freenas sshd[18576]: Failed password for root from 192.168.1.200 port 15134 ssh2 
Dec 21 19:22:29 freenas sshd[18727]: Invalid user joe from 192.168.1.200 
Dec 21 19:22:29 freenas sshd[18727]: input_userauth_request: invalid user joe [preauth] 
Dec 21 19:22:31 freenas sshd[18727]: Failed password for invalid user joe from 192.168.1.200 port 15175 ssh2 
Dec 21 19:22:33 freenas sshd[18727]: Failed password for invalid user joe from 192.168.1.200 port 15175 ssh2 
Dec 21 19:22:33 freenas sshd[18727]: Failed password for invalid user joe from 192.168.1.200 port 15175 ssh2 
Dec 21 19:22:33 freenas sshd[18727]: Failed password for invalid user joe from 192.168.1.200 port 15175 ssh2 
Dec 21 19:22:34 freenas sshd[18727]: Failed password for invalid user joe from 192.168.1.200 port 15175 ssh2 
Dec 21 19:22:34 freenas sshd[18727]: Failed password for invalid user joe from 192.168.1.200 port 15175 ssh2 
Dec 21 19:22:34 freenas sshd[18727]: Disconnecting: Too many authentication failures for joe [preauth]

-- End of security output --

 

[gpsguy]

With your Sophos UTM, one can easily configure the HTML5VPN option to allow RDP.

Maybe it's time to figure out how to make a VPN connection,

 

[depasseg]

CAn you look at what's running on your machine to see what process is using SSH? That might narrow the search. You are right, it's odd that it's malware. Could be a monitoring program you installed or putty/secureCrt trying to reconnect?

 

[joeschmuck]

Could be a monitoring program you installed or putty/secureCrt trying to reconnect?

What I don't understand is even though I disabled SSH in FreeNAS, why would I receive an error message such as the ones from Dec 26 or Dec 24? sshd should be disabled, right?

With your Sophos UTM, one can easily configure the HTML5VPN option to allow RDP.

LOL, Easy once you know exactly what to do. I found a small tutorial, now I just need to follow it and cross my fingers.

 

[jgreco]

... throws a few more error messages in his logfile to confuse joeschmuck further ...

 

[Ericloewe]

Some people have reported old logs popping up after a year, for mysterious reasons. That may explain sshd logs despite sshd apparently not running.

 

[DrKK]

Some people have reported old logs popping up after a year, for mysterious reasons. That may explain sshd logs despite sshd apparently not running.

That IS true. That was a real thing. I forgot what caused it---some boneheaded one-liner programming mistake, if memory serves.

 

[Ericloewe]

That IS true. That was a real thing. I forgot what caused it---some boneheaded one-liner programming mistake, if memory serves.

Probably a date check that doesn't look at the year.

 

[joeschmuck]

Interesting, I hope that is the cause.