Failed login attempts ssh:notty

Hi guys, I just noticed when I logged into my FreePBX via PuTTY that I have 10 failed login attempts.

I ran lastb and can see even more failed login attempts.

Do you guys know if this is normal? Seems a bit odd to me?

I don't have NAT rules or port forwarding rules set up for port 22 for people to be able to connect to the SSH of the server from outside my LAN.

[root@freepbx ~]#
[root@freepbx ~]#
[root@freepbx ~]# lastb
administ ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
administ ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
tech     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
tech     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
webadmin ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
webadmin ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admim    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admim    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
root     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Administ ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Administ ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
root     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
ubnt     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
ubnt     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
meo      ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
meo      ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
root     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
Administ ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
guest    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
guest    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
root     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
         ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
         ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
user     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
user     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
sysadm   ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
sysadm   ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
root     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:44 - 11:44  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:44 - 11:44  (00:00)
Admin    ssh:notty    192.168.88.41    Fri Apr 14 11:44 - 11:44  (00:00)
         ssh:notty    192.168.88.41    Fri Apr 14 11:44 - 11:44  (00:00)
webadmin ssh:notty    192.168.88.210   Tue Apr 11 12:47 - 12:47  (00:00)
webadmin ssh:notty    192.168.88.210   Tue Apr 11 12:47 - 12:47  (00:00)
admim    ssh:notty    192.168.88.210   Tue Apr 11 12:47 - 12:47  (00:00)
admim    ssh:notty    192.168.88.210   Tue Apr 11 12:47 - 12:47  (00:00)
Admin    ssh:notty    192.168.88.210   Tue Apr 11 12:47 - 12:47  (00:00)
Admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
root     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
Administ ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
Administ ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
root     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
ubnt     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
ubnt     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
Admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
Admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
meo      ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
meo      ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
root     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
Administ ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
guest    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
guest    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
root     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
         ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
         ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
user     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
user     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
sysadm   ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
sysadm   ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
root     ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
Admin    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
         ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)

Normal: yes. Right: no.

It looks to me that someone has been trying various system accounts hoping they have weak passwords. Attacks are normal if exposed to the internet.

If you are 100% certain that there is no port forwarding happening to the phone system for SSH then somebody is able to get at the port from the inside. Do you recognize the IP that’s listed in the logs?
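To answer "do you recognize the IP" with numbers rather than by eye, here is an added example (not from the thread or from FreePBX) that parses lastb output into a per-source summary and flags the pattern seen above: many distinct usernames tried from one host inside a single minute. The sample lines are constructed to mirror the thread's output; the 5-name threshold is an assumption you can tune.

```python
import re
from collections import defaultdict

# Constructed sample in lastb's fixed-column format, modelled on the thread's
# output ("administ" is lastb truncating the name; blank user = empty login).
SAMPLE_LASTB = """\
administ ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
root     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
ubnt     ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
meo      ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
         ssh:notty    192.168.88.41    Fri Apr 14 11:45 - 11:45  (00:00)
admin    ssh:notty    192.168.88.41    Fri Apr 14 11:44 - 11:44  (00:00)
webadmin ssh:notty    192.168.88.210   Tue Apr 11 12:47 - 12:47  (00:00)
guest    ssh:notty    192.168.88.210   Tue Apr 11 12:46 - 12:46  (00:00)
alice    pts/0        10.0.0.9         Mon Apr 10 09:05 - 09:05  (00:00)
"""

# user, tty, host, weekday, then "Mon DD HH:MM" (used as the minute bucket)
LINE_RE = re.compile(r"^(\S*)\s+(\S+)\s+(\S+)\s+\w{3} (\w{3}\s+\d{1,2} \d{2}:\d{2})")

def parse_lastb(text):
    """Return (user, host, minute) for each SSH entry; other ttys are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2).startswith("ssh:"):
            rows.append((m.group(1) or "<empty>", m.group(3), m.group(4)))
    return rows

def summarize(rows, min_users=5):
    """Per source host: attempts, distinct names, busiest minute; flag as
    spraying when >= min_users distinct names were tried inside one minute."""
    names_by_minute = defaultdict(lambda: defaultdict(set))
    attempts = defaultdict(int)
    for user, host, minute in rows:
        attempts[host] += 1
        names_by_minute[host][minute].add(user)
    report = {}
    for host, minutes in names_by_minute.items():
        peak_minute, peak_names = max(minutes.items(), key=lambda kv: len(kv[1]))
        all_names = set().union(*minutes.values())
        report[host] = {
            "attempts": attempts[host],
            "distinct_users": len(all_names),
            "peak_minute": peak_minute,
            "peak_distinct_users": len(peak_names),
            "spraying": len(peak_names) >= min_users,
        }
    return report
```

On the PBX itself, feed it real data with `summarize(parse_lastb(sys.stdin.read()))` after `lastb | python3 script.py`; a flagged host is the device to go and inspect.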

I have ports 2000 - 65000 (UDP) forwarded to the phone server.

Ports 80, 5090, 5060, 5061 (TCP) forwarded to the phone server.

Could this be why they are able to attempt to log in, or is it an IP on the private network?

The IPs 192.168.88.41 and 192.168.88.210 are devices on my private LAN. However, they are both DHCP so I am not entirely sure what the devices were on those dates.

Yea, pretty sure these are coming from your local LAN.

192.168.88.41 and 192.168.88.210 are devices on my private LAN

Illustrating why network segmentation/vlans are so important (says someone with light bulbs that could theoretically hack the PC he’s using right now) :(.


Should I have the FreePBX server on a separate VLAN and then I am able to only allow like ports 10000-20000 (not port 22) access? Would this be what you mean?

Do you think devices on my network have been hacked then? Or someone on the work network was trying to log in?

I don’t think we have a way of telling what is going on. You’ll have to pull on that thread and try and figure out what those devices are and then look at them and their logs to see what else you can discover.

As far as network segregation is concerned, that’s really up to you but on most networks I setup a separate VLAN for the phone system and phones to live on and regulate access to that network in the firewall.

from a root shell

tcpdump -vvX port 22

will better show traffic. (port 22 will always be noisy, if you allow passwords on port 22, then is only a matter of time until you are breached.)

It does seem like the devices trying to log in are coming from the private LAN given my private LAN IP address range is 192.168.88.1-254. Which could mean an infected PC. I would have thought if the logins were from an external PC outside my LAN it would show a public IP address, not a 192 one.
