Re: why do I see failed login attempts to vm on non-forwarded ports?

From: Erwan David <erwan_at_rail.eu.org>
Date: Thu, 05 Jan 2023 15:50:29 UTC
On 05/01/2023 at 16:27, Dale Scott wrote:
> Hi all, this has me stumped. I'm seeing login attempts from what I assume to be a scripted exploit attempt. The login attempts aren't a major concern (other than they choke the server) as ssh is configured for key authentication only, but the ports they use have me confused.
> 
> The server is a FreeBSD 13.1 headless guest vm on a headless 13.1 host, hosted using virtualbox-ose (managed using phpVirtualBox). Only 3 ports are forwarded from host to guest: 3022 to 22 for ssh login to the guest, 8000 to 8000 for remote client access to tryton ERP, and 5432 to 5432 for remote access to postgresql (DBMS for Tryton).
> 
> My (very limited) understanding of networking and port forwarding was that the guest could only be accessed from the outside world using one of those three ports. Clearly I was wrong.
> 
> Can anyone explain what is happening?
> 
> TIA!
> 
> Cheers,
> Dale
> 
> Fwiw, I was originally just trying to configure remote access to PostgreSQL so I could use pgAdmin remotely to investigate Tryton's databases, and then noticed the login attempts (which could be why the vm crashes every couple weeks).
> 
> 
> 

[...]

> 
> starlord login failures:
> Jan  4 00:02:05 starlord sshd[1597]: Invalid user admin from 10.0.2.2 port 51252
> Jan  4 00:02:07 starlord sshd[1597]: Connection closed by invalid user admin 10.0.2.2 port 51252 [preauth]

[...]

The ports you see are the source ports (on the machine trying to
connect), not the destination port (22, since your sshd only listens on
port 22).
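
Added example (not part of the original message): a short Python parser for the sshd lines quoted above that extracts the source address and source port of each "Invalid user" entry and groups the attempts per source. The first two sample lines are the ones quoted in the thread, the others are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# First two lines are quoted in the thread; the last two are constructed samples.
SAMPLE_LOG = """\
Jan  4 00:02:05 starlord sshd[1597]: Invalid user admin from 10.0.2.2 port 51252
Jan  4 00:02:07 starlord sshd[1597]: Connection closed by invalid user admin 10.0.2.2 port 51252 [preauth]
Jan  4 00:02:09 starlord sshd[1601]: Invalid user test from 10.0.2.2 port 51260
Jan  4 00:02:12 starlord sshd[1605]: Invalid user admin from 10.0.2.2 port 40118
"""

# sshd logs the peer's address and the port the peer connected *from*.
# The destination port (the one sshd listens on) never appears in these lines.
INVALID_USER = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def parse_invalid_users(log_text):
    """Return one dict per 'Invalid user' line, with src_port as an int."""
    events = []
    for line in log_text.splitlines():
        match = INVALID_USER.search(line)
        if match:
            event = match.groupdict()
            event["src_port"] = int(event["src_port"])
            events.append(event)
    return events


def summarize_by_source(events):
    """Group attempts per source address: count, usernames tried, source ports."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "src_ports": set()})
    for event in events:
        entry = summary[event["src_ip"]]
        entry["attempts"] += 1
        entry["users"].add(event["user"])
        entry["src_ports"].add(event["src_port"])
    return {ip: {**v, "src_ports": sorted(v["src_ports"])} for ip, v in summary.items()}


if __name__ == "__main__":
    for ip, info in summarize_by_source(parse_invalid_users(SAMPLE_LOG)).items():
        print(ip, info["attempts"], sorted(info["users"]), info["src_ports"])
```

With VirtualBox NAT, forwarded connections reach the guest from the NAT gateway address (10.0.2.2 by default), so the guest's log shows that address for every remote client and only the source port varies.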