From nobody Thu Jan 05 18:57:16 2023 X-Original-To: questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Nnwgz0njfz2nvwp for ; Thu, 5 Jan 2023 18:57:19 +0000 (UTC) (envelope-from dalescott@shaw.ca) Received: from omta002.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Nnwgy5xw9z4Q12 for ; Thu, 5 Jan 2023 18:57:18 +0000 (UTC) (envelope-from dalescott@shaw.ca) Authentication-Results: mx1.freebsd.org; none Received: from shw-obgw-4004a.ext.cloudfilter.net ([10.228.9.227]) by cmsmtp with ESMTP id DQ0MpmWI1l2xSDVQTpmXi6; Thu, 05 Jan 2023 18:57:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=shaw.ca; s=s20180605; t=1672945037; bh=jqkIoxztmrkWxu2Pts90qLMNU7QnjtXT8VugEYT1ecw=; h=Date:From:To:Cc:In-Reply-To:References:Subject; b=GdViHsq45FkpiCljjiWLs0HNJpiO/C0sqAXhQWs8YEe9PsCTSORLVVMU+IbQNYJQ4 LJ8d0SRFVILyskfvemSPrTXJKQOZlxwugvAnJaH4YVtBOMXX3Qrgv7w9Eh8y++Y7Fy mCCPv+a9FsE74I2ZEXaUGrp95NcdSctP7sZQ6eBcDhlkyTesNA3vOFntVoaNs+Yvrx RgVE/9SSjMZaiDDORI6/NSqMMRX9tgqL6XPmJjE9xxlPX1owgEP6ODa8fOxgNGx81u QxvhZRNNlikjtku67jFelESsCKWvT1yLHKW1/tPpma75R/vPoXNQaNmdEHLJU64h/n WZ4zzRzQbxI2w== Received: from cds220.dcs.int.inet ([64.59.134.6]) by cmsmtp with ESMTP id DVQSp8bAB3fOSDVQSp5kXQ; Thu, 05 Jan 2023 18:57:17 +0000 X-Authority-Analysis: v=2.4 cv=J8G5USrS c=1 sm=1 tr=0 ts=63b71d8d a=9zdlX7M534QhL7mOrorEvQ==:117 a=3UxWyQioVHr2skco:21 a=FKkrIqjQGGEA:10 a=on0NmgUIp3IA:10 a=IkcTkHD0fZMA:10 a=kfBijIZpAAAA:8 a=6I5d2MoRAAAA:8 a=Z8obudGBKpE29XRKkXoA:9 a=QEXdDO2ut3YA:10 a=PCoULDFJkAlZdUsMV3KF:22 a=9_YzszCUoAznPwRPfjw_:22 a=IjZwj45LgO3ly-622nXo:22 Date: Thu, 5 Jan 2023 11:57:16 -0700 (MST) From: Dale Scott To: Erwan David Cc: questions Message-ID: <1526169121.66664274.1672945036737.JavaMail.zimbra@shaw.ca> In-Reply-To: <355e6690-5188-149d-4f9d-855b35f46a1a@rail.eu.org> References: <327799993.65810026.1672932433732.JavaMail.zimbra@shaw.ca> <355e6690-5188-149d-4f9d-855b35f46a1a@rail.eu.org> Subject: Re: why do I see failed login attempts to vm on non-forwarded ports? List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [162.223.103.50, 162.223.103.50] X-Mailer: Zimbra 8.8.15_GA_4464 (ZimbraWebClient - GC108 (Win)/8.8.15_GA_4468) Thread-Topic: why do I see failed login attempts to vm on non-forwarded ports? Thread-Index: yqSRlsDZ9nETlgaP4dUXUgvpb+qZbg== X-CMAE-Envelope: MS4xfPMel937Ekks/XH/RKV1fjaMmJIAYGCABuwG8JgFoISmU6GH6KNnmAogT7Y7/ISJO60UalXyqMKS9+WXsXUWjQuQuZEHr9lIHo0xxzs/Hjmyfm0+bxhV 5gyJnjF/nelYDhROo+y+HMa8REt1FaCb3S4l5frVylfE+1lVDfy21PBcNnfBMGPXz788maehcyJXtdP7wdSDhzft3NqheuDvQ02c4AWReCUmfoZZ52idEf/f X-Rspamd-Queue-Id: 4Nnwgy5xw9z4Q12 X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N ----- Original Message ----- > From: "Erwan David" > To: "questions" > Sent: Thursday, January 5, 2023 8:50:29 AM > Subject: Re: why do I see failed login attempts to vm on non-forwarded po= rts? > Le 05/01/2023 =C3=A0 16:27, Dale Scott a =C3=A9crit=C2=A0: >> Hi all, this has me stumped. I'm seeing login attempts from what I assum= e to be >> a scripted exploit attempt. The login attempts aren't a major concern (o= ther >> than they choke the server) as ssh is configured for key authentication = only, >> but the ports they use has me confused. >>=20 >> The server is a FreeBSD 13.1 headless guest vm on a headless 13.1 host, = hosted >> using virtualbox-ose (managed using phpVirtualBox). Only 3 ports are for= warded >> from host to guest: 3022 to 22 for ssh login to the guest, 8000 to 8000 = for >> remote client access to tryton ERP, and 5432 to 5432 for remote access t= o >> postgresql (DBMS for Tryton). >>=20 >> My (very limited) understanding of networking and port forwarding was th= at that >> the guest could only be accessed from the outside world using one of tho= se >> three ports. Clearly I was wrong. >>=20 >> Can anyone explain what is happening? >>=20 >> TIA! >>=20 >> Cheers, >> Dale >>=20 >> Fwiw, I was originally just trying to configure remote access to Postgre= SQL so I >> could use pgAdmin remotely to investigate Tryton's databases, and then n= oticed >> the login attempts (which could be why the vm crashes every couple weeks= ). >>=20 >=20 > [...] >=20 >>=20 >> starlord login failures: >> Jan 4 00:02:05 starlord sshd[1597]: Invalid user admin from 10.0.2.2 po= rt 51252 >> Jan 4 00:02:07 starlord sshd[1597]: Connection closed by invalid user a= dmin >> 10.0.2.2 port 51252 [preauth] >=20 > [...] >=20 > The ports you see are the source port (on the machine trying to > connect), not the destination port (22 since your sshd only listen on > port 22) Thanks Erwan for educating me. :-) IIUC, the attacker attempts an ssh login on port 3022 on the host system, w= hich is handled by the virtualbox NAT and sent to vm client port 22 from ho= st port e.g. 51252. Do I understand this correctly? Why does the host use so many different por= ts? Cheers, Dale