SSH login failures

apel

Dabbler
Joined
Sep 19, 2021
Messages
16
Recently I get daily alerts like

Sep 19 00:35:34 Glaris sshd[57197]: Failed password for "user" from 192.168.147.100 port 3872 ssh2

I get an alert every two hours, every day at exactly the same times.

"user" is a Windows domain admin and in the wheel group
Glaris is FreeNAS-11.3-U5
The IP is my backup ADDC (W2008)

Everything seems to be working fine; the various overnight backups and cron jobs are all running fine.

Removing this IP from the Nameserver 2 did not make it go away.

How do I find out what is generating these alerts?

Any help appreciated.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
It sounds like there's a problem on whatever device is at 192.168.147.100, trying to SSH with invalid credentials. This doesn't look like a TrueNAS problem in any way.
 

apel

Dabbler
Joined
Sep 19, 2021
Messages
16
This was my first reaction, but I cannot find any trace of it in the Event Viewer on the server at 192.168.147.100. I don't understand why this Windows server needs to SSH to FreeNAS and why it would be denied credentials. Furthermore, my primary ADDC does not generate a failure alert on FreeNAS.

I can log in on FreeNAS and any Windows machine with "user" credentials.

As everything else seems to be working as it should, it is not easy to debug. Is there a more detailed log on FreeNAS that could give me a clue to what is going on?
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
You aren't running something like PRTG on the server are you?
Some sort of network scanner?
 

apel

Dabbler
Joined
Sep 19, 2021
Messages
16
Ah yes, thank you for asking. I have Spiceworks on this server. However, the SSH credentials test says it can connect to FreeNAS, so perhaps it is not that.
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
It was all I could think of - I was getting something similar from PRTG
 

apel

Dabbler
Joined
Sep 19, 2021
Messages
16
I ran
% last -n10
"user" pts/5 192.168.147.100 Sun Sep 26 18:38 - 18:38 (00:00)

I am not sure what (00:00) means, connected or not?
 

apel

Dabbler
Joined
Sep 19, 2021
Messages
16
I think I understand why these alerts are generated; the clue was in the more detailed auth.log.

Spiceworks runs this command over SSH:
USER=root ; COMMAND=/usr/local/sbin/lsof -nP +c0 -i4TCP Sep 28 13:54:51 Glaris sshd[77336]

By default FreeNAS refuses SSH from user root.

After suppressing Spiceworks auto update for Glaris (FreeNAS), the alerts stopped.

Thank you all
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I am not sure what (00:00) means, connected or not?
That probably indicates GMT or ZULU time (timezone offset).
 

adorobis

Dabbler
Joined
Oct 16, 2017
Messages
27
I have a similar problem: I run a regular command via SSH on the TrueNAS server (from Home Assistant in my case); it checks for some services running every minute. Most of the time it works, but ~200 times per day I receive an error message that the password failed. Any idea what could be wrong?
What I have noticed is that there are always two failed attempts at exactly the same time: could it be that TrueNAS is not allowing simultaneous logins from the same account and the same client?
 

adorobis

Dabbler
Joined
Oct 16, 2017
Messages
27
I've just changed the command to use private key authentication instead of password, let's see if this will resolve the problem. For sure there should no longer be "Failed password for root" errors.
Edit: since switching to private key authentication I am not facing ssh errors anymore (apart from some external attempts to log in).
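
An added example, not written by any poster in this thread: a small Python triage of sshd "Failed password" lines that groups failures by user and source address, then reports whether they recur at a fixed interval (the two-hourly alerts in the first post) or arrive as same-second pairs (the pattern described in the later post). Only the first sample line comes from the thread; the other lines, the address 192.0.2.10, the PIDs, ports and the year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches sshd password failures, with or without quotes around the user name.
FAILED = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?"?(?P<user>[^" ]+)"? '
    r'from (?P<src>\S+) port \d+')

# Constructed sample: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE = """\
Sep 19 00:35:34 Glaris sshd[57197]: Failed password for "user" from 192.168.147.100 port 3872 ssh2
Sep 19 01:00:00 Glaris sshd[57300]: Accepted publickey for root from 192.0.2.10 port 40000 ssh2
Sep 19 02:35:35 Glaris sshd[57411]: Failed password for "user" from 192.168.147.100 port 3901 ssh2
Sep 19 04:35:34 Glaris sshd[57650]: Failed password for "user" from 192.168.147.100 port 3950 ssh2
Sep 19 10:00:01 Glaris sshd[58001]: Failed password for root from 192.0.2.10 port 41000 ssh2
Sep 19 10:00:01 Glaris sshd[58002]: Failed password for root from 192.0.2.10 port 41001 ssh2
Sep 19 10:07:01 Glaris sshd[58040]: Failed password for root from 192.0.2.10 port 41010 ssh2
Sep 19 10:07:01 Glaris sshd[58041]: Failed password for root from 192.0.2.10 port 41011 ssh2
Sep 19 10:31:01 Glaris sshd[58090]: Failed password for root from 192.0.2.10 port 41020 ssh2
Sep 19 10:31:01 Glaris sshd[58091]: Failed password for root from 192.0.2.10 port 41021 ssh2
""".splitlines()

def failed_logins(lines, year=2021):  # syslog omits the year; 2021 is assumed
    """Collect failure timestamps per (user, source address)."""
    groups = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            groups[(m["user"], m["src"])].append(ts)
    return groups

def summarize(groups, tolerance=60):
    """Per group: count, same-second repeats, and the interval if it is regular."""
    report = {}
    for key, stamps in groups.items():
        stamps = sorted(stamps)
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        spaced = [g for g in gaps if g > 0]  # ignore same-second repeats
        periodic = len(spaced) >= 2 and max(spaced) - min(spaced) <= tolerance
        report[key] = {"count": len(stamps), "same_second": gaps.count(0),
                       "interval": int(median(spaced)) if periodic else None}
    return report

if __name__ == "__main__":
    for (user, src), info in summarize(failed_logins(SAMPLE)).items():
        print(user, src, info)
```

A steady interval from one internal address points at a scheduled job or monitoring poller on that host rather than a person typing a password.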
 