help - under attack

Ernie Luzar luzar722 at gmail.com
Sun Oct 1 15:18:17 UTC 2017 

Hello list;

Installed 11.1 from scratch and after about 2-3 weeks I finally got 
around to inspecting the /var/logs. I have never seen the auth.log file 
roll over before, so this peaked my interest. It was full of failed 
login attempts. My firewall blocks all inbound traffic, so I am very 
baffled be what I see in the log. Any suggestions on how this can be 
happening?

Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 
port 48876 [preauth]
Sep 29 03:23:27 fbsd sshd[33709]: Connection closed by 149.202.179.216 
port 37641 [preauth]
Sep 29 03:37:19 fbsd sshd[33732]: Connection closed by 149.202.179.216 
port 51083 [preauth]
Sep 29 03:51:35 fbsd sshd[33897]: Connection closed by 149.202.179.216 
port 42178 [preauth]
Sep 29 04:06:12 fbsd sshd[33935]: Connection closed by 149.202.179.216 
port 40065 [preauth]
Sep 29 04:20:57 fbsd sshd[33957]: Connection closed by 149.202.179.216 
port 51644 [preauth]
Sep 29 04:35:13 fbsd sshd[33993]: Connection closed by 149.202.179.216 
port 55964 [preauth]
Sep 29 04:49:36 fbsd sshd[34012]: Connection closed by 149.202.179.216 
port 33713 [preauth]
Sep 29 05:03:20 fbsd sshd[34050]: Connection closed by 149.202.179.216 
port 48110 [preauth]
snip
Oct  1 00:04:31 fbsd sshd[48041]: input_userauth_request: invalid user 
virus [preauth]
Oct  1 00:04:31 fbsd sshd[48041]: Connection closed by 149.202.179.216 
port 50713 [preauth]
Oct  1 00:14:11 fbsd sshd[48060]: Invalid user vmail from 149.202.179.216
Oct  1 00:14:11 fbsd sshd[48060]: input_userauth_request: invalid user 
vmail [preauth]
Oct  1 00:14:11 fbsd sshd[48060]: Connection closed by 149.202.179.216 
port 36514 [preauth]
Oct  1 00:23:36 fbsd sshd[48079]: Invalid user vmail from 149.202.179.216
Oct  1 00:23:36 fbsd sshd[48079]: input_userauth_request: invalid user 
vmail [preauth]
Oct  1 00:23:36 fbsd sshd[48079]: Connection closed by 149.202.179.216 
port 49458 [preauth]
Oct  1 00:32:05 fbsd sshd[48087]: Invalid user vnc from 149.202.179.216
Oct  1 00:32:05 fbsd sshd[48087]: input_userauth_request: invalid user 
vnc [preauth]
Oct  1 00:32:05 fbsd sshd[48087]: Connection closed by 149.202.179.216 
port 52451 [preauth]
Oct  1 00:40:24 fbsd sshd[48106]: Invalid user vnc from 149.202.179.216
Oct  1 00:40:24 fbsd sshd[48106]: input_userauth_request: invalid user 
vnc [preauth]
Oct  1 00:40:24 fbsd sshd[48106]: Connection closed by 149.202.179.216 
port 59811 [preauth]
Oct  1 00:48:39 fbsd sshd[48123]: Invalid user vnc from 149.202.179.216
Oct  1 00:48:39 fbsd sshd[48123]: input_userauth_request: invalid user 
vnc [preauth]
Oct  1 00:48:40 fbsd sshd[48123]: Connection closed by 149.202.179.216 
port 35215 [preauth]
Oct  1 00:56:41 fbsd sshd[48143]: Invalid user voip from 149.202.179.216
Oct  1 00:56:41 fbsd sshd[48143]: input_userauth_request: invalid user 
voip [preauth]
Oct  1 00:56:41 fbsd sshd[48143]: Connection closed by 149.202.179.216 
port 49147 [preauth]

More information about the freebsd-questions mailing list