help - under attack
Matthias Apitz
guru at unixarea.de
Sun Oct 1 15:52:38 UTC 2017
On Sunday, 1 October 2017 17:34:36 CEST, Ernie Luzar <luzar722 at gmail.com>
wrote:
> Matthias Apitz wrote:
>> El día domingo, octubre 01, 2017 a las 11:18:14a. m. -0400,
>> Ernie Luzar escribió:
>>
>>> Hello list;
>>>
>>> Installed 11.1 from scratch and after about 2-3 weeks I finally got
>>> around to inspecting the /var/logs. I have never seen the auth.log file
>>> roll over before, so this peaked my interest. It was full of failed
>>> login attempts. My firewall blocks all inbound traffic, so I am very
>>> baffled be what I see in the log. Any suggestions on how this can be
>>> happening?
>>>
>>> Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216
>>> port 48876 [preauth]
>>> ...
>>
>> If you have a firewall (about which you have not said anything), how can
>> SYN-SYN-ACK happen on port 22?
>>
>> matthias
>
> My post says "My firewall blocks all inbound traffic". The login error
> messages do not say it on port 22. That inbound port is blocked by the
> firewall. All pc on the lan are powered off. Even disconnected the lan
> cable from the freebsd gateway host and still the error messages come
> out. That is why I am asking for help here.
Run tcpdump to get the src addr of the connects.
--
Sent from my Ubuntu phone
http://www.unixarea.de/
More information about the freebsd-questions
mailing list