Re: why do I see failed login attempts to vm on non-forwarded ports?

From: Dale Scott <dalescott_at_shaw.ca>
Date: Thu, 05 Jan 2023 18:57:16 UTC
----- Original Message -----
> From: "Erwan David" <erwan@rail.eu.org>
> To: "questions" <questions@freebsd.org>
> Sent: Thursday, January 5, 2023 8:50:29 AM
> Subject: Re: why do I see failed login attempts to vm on non-forwarded ports?

> On 05/01/2023 at 16:27, Dale Scott wrote:
>> Hi all, this has me stumped. I'm seeing login attempts from what I assume to be
>> a scripted exploit attempt. The login attempts aren't a major concern (other
>> than they choke the server) as ssh is configured for key authentication only,
>> but the ports they use have me confused.
>> 
>> The server is a FreeBSD 13.1 headless guest vm on a headless 13.1 host, hosted
>> using virtualbox-ose (managed using phpVirtualBox). Only 3 ports are forwarded
>> from host to guest: 3022 to 22 for ssh login to the guest, 8000 to 8000 for
>> remote client access to tryton ERP, and 5432 to 5432 for remote access to
>> postgresql (DBMS for Tryton).
>> 
>> My (very limited) understanding of networking and port forwarding was that
>> the guest could only be accessed from the outside world using one of those
>> three ports. Clearly I was wrong.
>> 
>> Can anyone explain what is happening?
>> 
>> TIA!
>> 
>> Cheers,
>> Dale
>> 
>> Fwiw, I was originally just trying to configure remote access to PostgreSQL so I
>> could use pgAdmin remotely to investigate Tryton's databases, and then noticed
>> the login attempts (which could be why the vm crashes every couple weeks).
>> 
> 
> [...]
> 
>> 
>> starlord login failures:
>> Jan  4 00:02:05 starlord sshd[1597]: Invalid user admin from 10.0.2.2 port 51252
>> Jan  4 00:02:07 starlord sshd[1597]: Connection closed by invalid user admin 10.0.2.2 port 51252 [preauth]
> 
> [...]
> 
> The ports you see are the source port (on the machine trying to
> connect), not the destination port (22, since your sshd only listens on
> port 22).

Thanks, Erwan, for educating me. :-)

IIUC, the attacker attempts an ssh login on port 3022 on the host system, which is handled by the virtualbox NAT and sent to vm client port 22 from host port e.g. 51252.

Do I understand this correctly? Why does the host use so many different ports?


Cheers,
Dale
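The point Erwan makes (the port in an sshd log line is the peer's source port, and a new ephemeral port appears for every TCP connection) can be checked directly against the log. The following script is an added example and is not part of the thread; the sample log lines are constructed, modelled on the `Invalid user` lines Dale quoted (same host name and 10.0.2.2 address, everything else made up). It parses the lines, groups attempts by peer address, confirms that every port seen lies in the IANA ephemeral range, and flags the defender-relevant consequence of the VirtualBox NAT setup visible in the thread: every forwarded connection reaches the guest from the NAT gateway address, so the guest's log cannot tell attackers apart and per-address blocking on the guest would only ever block the gateway itself.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd lines quoted in the thread: the host
# name and the 10.0.2.2 address come from the thread, the rest is made up.
SAMPLE_LOG = """\
Jan  4 00:02:05 starlord sshd[1597]: Invalid user admin from 10.0.2.2 port 51252
Jan  4 00:02:07 starlord sshd[1597]: Connection closed by invalid user admin 10.0.2.2 port 51252 [preauth]
Jan  4 00:02:09 starlord sshd[1602]: Invalid user test from 10.0.2.2 port 51260
Jan  4 00:02:11 starlord sshd[1602]: Connection closed by invalid user test 10.0.2.2 port 51260 [preauth]
Jan  4 00:02:14 starlord sshd[1607]: Invalid user admin from 10.0.2.2 port 51271
Jan  4 00:02:16 starlord sshd[1607]: Connection closed by invalid user admin 10.0.2.2 port 51271 [preauth]
"""

# sshd names only the peer address and the peer's *source* port; the local
# (destination) port is not part of the message at all.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$"
)

# IANA dynamic/private ("ephemeral") port range. A client picks a fresh port
# from its ephemeral range for every new TCP connection it opens.
EPHEMERAL_RANGE = range(49152, 65536)


def parse_invalid_user(line):
    """Return the fields of an 'Invalid user' line, or None for any other line."""
    m = INVALID_USER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    return rec


def summarize(log_text):
    """Group invalid-user attempts by peer address.

    For each address: number of attempts, user names tried, and the set of
    source ports seen. One distinct port per attempt is the normal signature of
    one TCP connection per try, not of a probe against many destination ports.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "source_ports": set()})
    for line in log_text.splitlines():
        rec = parse_invalid_user(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["attempts"] += 1
        entry["users"].add(rec["user"])
        entry["source_ports"].add(rec["port"])
    return dict(per_ip)


def all_ephemeral(ports):
    """True when every port in the set is a client-side ephemeral port."""
    return all(p in EPHEMERAL_RANGE for p in ports)


def behind_nat(summary, nat_gateway="10.0.2.2"):
    """True when every logged attempt arrives from the NAT gateway address.

    In that case the guest never sees the real peer address, so source-based
    blocking has to happen on the host (in front of the NAT), not in the guest.
    """
    return set(summary) == {nat_gateway}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, e in sorted(summary.items()):
        print(f"{ip}: {e['attempts']} attempts, users={sorted(e['users'])}, "
              f"{len(e['source_ports'])} distinct source ports "
              f"(all ephemeral: {all_ephemeral(e['source_ports'])})")
    print("every attempt arrived via the NAT gateway:", behind_nat(summary))
```

Run it against `/var/log/auth.log` instead of the constructed sample to see the same pattern on a real guest. To confirm which local port sshd actually accepts connections on (the destination port that the log omits), `sockstat -4l` on the FreeBSD guest lists the listening sockets.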