I'm really worried - Unknown Authentication Request

Hi,
while I was looking at my Raspberry for a tethering issue, I noticed these lines in the logs

Jan 11 23:47:55 RaspSala sshd[1595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:47:57 RaspSala sshd[1595]: Failed password for root from 170.253.232.130 port 58771 ssh2
Jan 11 23:47:58 RaspSala sshd[1599]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:47:59 RaspSala sshd[1595]: Failed password for root from 170.253.232.130 port 58771 ssh2
Jan 11 23:48:00 RaspSala sshd[1599]: Failed password for root from 170.253.232.130 port 58780 ssh2
Jan 11 23:48:01 RaspSala sshd[1595]: Failed password for root from 170.253.232.130 port 58771 ssh2
Jan 11 23:48:02 RaspSala sshd[1599]: Failed password for root from 170.253.232.130 port 58780 ssh2
Jan 11 23:48:03 RaspSala sshd[1595]: Failed password for root from 170.253.232.130 port 58771 ssh2
Jan 11 23:48:04 RaspSala sshd[1599]: Failed password for root from 170.253.232.130 port 58780 ssh2
Jan 11 23:48:06 RaspSala sshd[1595]: Failed password for root from 170.253.232.130 port 58771 ssh2
Jan 11 23:48:07 RaspSala sshd[1599]: Failed password for root from 170.253.232.130 port 58780 ssh2
Jan 11 23:48:08 RaspSala sshd[1595]: Failed password for root from 170.253.232.130 port 58771 ssh2
Jan 11 23:48:08 RaspSala sshd[1595]: Disconnecting: Too many authentication failures for root from 170.253.232.130 port 58771 ssh2 [preauth]
Jan 11 23:48:08 RaspSala sshd[1595]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:48:08 RaspSala sshd[1595]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 11 23:48:08 RaspSala sshd[1599]: Failed password for root from 170.253.232.130 port 58780 ssh2
Jan 11 23:48:11 RaspSala sshd[1603]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:48:11 RaspSala sshd[1599]: Failed password for root from 170.253.232.130 port 58780 ssh2
Jan 11 23:48:11 RaspSala sshd[1599]: Disconnecting: Too many authentication failures for root from 170.253.232.130 port 58780 ssh2 [preauth]
Jan 11 23:48:11 RaspSala sshd[1599]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:48:11 RaspSala sshd[1599]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 11 23:48:13 RaspSala sshd[1603]: Failed password for root from 170.253.232.130 port 58789 ssh2
Jan 11 23:48:15 RaspSala sshd[1603]: Failed password for root from 170.253.232.130 port 58789 ssh2
Jan 11 23:48:18 RaspSala sshd[1603]: Failed password for root from 170.253.232.130 port 58789 ssh2
Jan 11 23:48:20 RaspSala sshd[1603]: Failed password for root from 170.253.232.130 port 58789 ssh2
Jan 11 23:48:22 RaspSala sshd[1603]: Failed password for root from 170.253.232.130 port 58789 ssh2
Jan 11 23:48:25 RaspSala sshd[1603]: Failed password for root from 170.253.232.130 port 58789 ssh2
Jan 11 23:48:25 RaspSala sshd[1603]: Disconnecting: Too many authentication failures for root from 170.253.232.130 port 58789 ssh2 [preauth]
Jan 11 23:48:25 RaspSala sshd[1603]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:48:25 RaspSala sshd[1603]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 11 23:48:36 RaspSala sshd[1617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:48:38 RaspSala sshd[1617]: Failed password for root from 170.253.232.130 port 58854 ssh2
Jan 11 23:48:40 RaspSala sshd[1617]: Failed password for root from 170.253.232.130 port 58854 ssh2
Jan 11 23:48:42 RaspSala sshd[1617]: Failed password for root from 170.253.232.130 port 58854 ssh2
Jan 11 23:48:44 RaspSala sshd[1617]: Failed password for root from 170.253.232.130 port 58854 ssh2
Jan 11 23:48:48 RaspSala sshd[1617]: Failed password for root from 170.253.232.130 port 58854 ssh2
Jan 11 23:48:50 RaspSala sshd[1617]: Failed password for root from 170.253.232.130 port 58854 ssh2
Jan 11 23:48:50 RaspSala sshd[1617]: Disconnecting: Too many authentication failures for root from 170.253.232.130 port 58854 ssh2 [preauth]
Jan 11 23:48:50 RaspSala sshd[1617]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cblmdm170-253-232-130.maxxsouthbb.net user=root
Jan 11 23:48:50 RaspSala sshd[1617]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 11 23:50:01 RaspSala sudo[977]: pam_unix(sudo:session): session closed for user root
Jan 11 23:50:08 RaspSala sudo[1724]: osmc : TTY=pts/0 ; PWD=/home/osmc ; USER=root ; COMMAND=/bin/journalctl
Jan 11 23:50:08 RaspSala sudo[1724]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)

It seems like a lot of authentication requests from some IP address (not in my subnet).

I tried rebooting and also rebooting the router (in order to get a different public IP address), but after a while the “requests” start again?

Does someone know what it is? Is it something strange on OSMC, or am I really under some external attack?
Thanks for your help.
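An added example, not part of the thread and not OSMC code: a small Python script that parses auth.log lines in the format shown in the post above and summarises, per source address, how many password failures occurred, across how many distinct TCP connections (client ports), how many "Too many authentication failures" lockouts sshd issued, and whether any successful login came from an address that was also brute-forcing. It also counts the "PAM service(sshd) ignoring max retries" line, which sshd logs when its MaxAuthTries is higher than PAM's own retry limit. The sample log is constructed in the same format as the post's lines; 203.0.113.45 and 192.168.1.20 are placeholder addresses, and the failure threshold of 5 is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the same format as the sshd/auth.log lines in the post.
# 203.0.113.45 (documentation range) stands in for an external scanner;
# 192.168.1.20 stands in for a host on the local LAN.
SAMPLE_LOG = """\
Jan 11 23:47:55 RaspSala sshd[1595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45 user=root
Jan 11 23:47:57 RaspSala sshd[1595]: Failed password for root from 203.0.113.45 port 58771 ssh2
Jan 11 23:47:59 RaspSala sshd[1595]: Failed password for root from 203.0.113.45 port 58771 ssh2
Jan 11 23:48:00 RaspSala sshd[1599]: Failed password for invalid user admin from 203.0.113.45 port 58780 ssh2
Jan 11 23:48:01 RaspSala sshd[1595]: Failed password for root from 203.0.113.45 port 58771 ssh2
Jan 11 23:48:02 RaspSala sshd[1599]: Failed password for invalid user admin from 203.0.113.45 port 58780 ssh2
Jan 11 23:48:03 RaspSala sshd[1595]: Failed password for root from 203.0.113.45 port 58771 ssh2
Jan 11 23:48:06 RaspSala sshd[1595]: Failed password for root from 203.0.113.45 port 58771 ssh2
Jan 11 23:48:08 RaspSala sshd[1595]: Failed password for root from 203.0.113.45 port 58771 ssh2
Jan 11 23:48:08 RaspSala sshd[1595]: Disconnecting: Too many authentication failures for root from 203.0.113.45 port 58771 ssh2 [preauth]
Jan 11 23:48:08 RaspSala sshd[1595]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 11 23:48:30 RaspSala sshd[1620]: Accepted password for osmc from 203.0.113.45 port 58900 ssh2
Jan 11 23:49:10 RaspSala sshd[1640]: Accepted publickey for osmc from 192.168.1.20 port 51234 ssh2
Jan 11 23:50:08 RaspSala sudo[1724]: osmc : TTY=pts/0 ; PWD=/home/osmc ; USER=root ; COMMAND=/bin/journalctl
"""

# "Failed password for root from A.B.C.D port N ssh2" and the
# "Failed password for invalid user X from ..." variant for unknown accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
LOCKOUT_RE = re.compile(r"Too many authentication failures for \S+ from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
PAM_RETRY_RE = re.compile(r"PAM service\(sshd\) ignoring max retries")


@dataclass
class SourceStats:
    failures: int = 0
    lockouts: int = 0
    users: set = field(default_factory=set)        # accounts that were tried
    connections: set = field(default_factory=set)  # client ports = distinct TCP sessions
    accepted: list = field(default_factory=list)   # (user, method) of successful logins


def parse(log_text):
    """Return ({source_ip: SourceStats}, count of PAM retry-mismatch lines)."""
    stats = defaultdict(SourceStats)
    pam_mismatch = 0
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            s = stats[m["ip"]]
            s.failures += 1
            s.users.add(m["user"])
            s.connections.add(m["port"])
        elif m := LOCKOUT_RE.search(line):
            stats[m["ip"]].lockouts += 1
        elif m := ACCEPTED_RE.search(line):
            stats[m["ip"]].accepted.append((m["user"], m["method"]))
        elif PAM_RETRY_RE.search(line):
            # sshd's MaxAuthTries exceeds PAM's retry limit: sshd keeps
            # accepting guesses after PAM has already given up.
            pam_mismatch += 1
    return dict(stats), pam_mismatch


def brute_force_sources(stats, threshold=5):
    """Addresses with at least `threshold` password failures (threshold is an assumption)."""
    return sorted(ip for ip, s in stats.items() if s.failures >= threshold)


def suspicious_logins(stats, threshold=5):
    """Successful logins from an address that was also brute-forcing: the ones to act on."""
    return {ip: s.accepted for ip, s in stats.items() if s.failures >= threshold and s.accepted}


if __name__ == "__main__":
    stats, mismatch = parse(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip}: {s.failures} failures over {len(s.connections)} connections, "
              f"{s.lockouts} lockouts, users tried={sorted(s.users)}, accepted={s.accepted}")
    print("brute-force sources:", brute_force_sources(stats))
    print("logins from brute-forcing sources:", suspicious_logins(stats))
    if mismatch:
        print(f"sshd MaxAuthTries exceeds the PAM retry limit ({mismatch} occurrences)")
```

Run it against a real file with `parse(open("/var/log/auth.log").read())` (or the output of `journalctl -u ssh`). A non-empty `suspicious_logins` result is the signal that a guessed password actually worked; a long list of `brute_force_sources` with no accepted logins is the normal background noise any Internet-exposed port 22 receives.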

Are you port forwarding port 22 through your firewall?

Yes, I have now promptly removed it. So I was really having some attempted access from the WAN?

As far as I understood, the fix is to assign the port forwarding a “non-standard external port”, right?

Thanks again for your support.

Virtually all IPs are probed by automated scripts by wannabe hackers on port 22. It’s only a matter of time (if not already) before they add osmc:osmc to their user:pass dictionaries…

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 and should also be avoided. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used.

Very well noted.

Thank you again for your help!!!

Already added by most.

One can assume they are compromised if they fwd 22 with default credentials. You should reinstall if you want to ensure your system (and other systems on your network) remain secure.

Sam

Thank you Sam. I’ll keep the Rasp off until I’m able to reinstall OSMC.

To see whose IP address it is, use: http://whois.domaintools.com/

I have removed the port forwarding for the SSH port and already re-installed OSMC