Hi
I'm trying to figure out why the firewall (WAN IP: 192.168.0.157) is trying to SSH to almost every host on the WAN net. This happens every 15 mins.
Interface Time Source Destination Proto Label
wan 2024-03-29T12:30:46 192.168.0.157:1186 192.168.0.50:22 tcp
wan 2024-03-29T12:30:45 192.168.0.157:1184 192.168.0.50:22 tcp
wan 2024-03-29T12:30:45 192.168.0.157:1183 192.168.0.40:22 tcp
wan 2024-03-29T12:30:44 192.168.0.157:1181 192.168.0.40:22 tcp
wan 2024-03-29T12:30:44 192.168.0.157:1180 192.168.0.33:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1177 192.168.0.33:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1176 192.168.0.27:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1173 192.168.0.27:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1172 192.168.0.25:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1170 192.168.0.25:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1169 192.168.0.229:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1167 192.168.0.229:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1166 192.168.0.224:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1164 192.168.0.224:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1163 192.168.0.220:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1161 192.168.0.220:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1160 192.168.0.22:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1158 192.168.0.22:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1157 192.168.0.21:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1155 192.168.0.21:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1154 192.168.0.208:22 tcp
wan 2024-03-29T12:30:41 192.168.0.157:1152 192.168.0.208:22 tcp
wan 2024-03-29T12:30:41 192.168.0.157:1151 192.168.0.204:22 tcp
wan 2024-03-29T12:30:40 192.168.0.157:1149 192.168.0.204:22 tcp
wan 2024-03-29T12:30:40 192.168.0.157:1148 192.168.0.201:22 tcp
wan 2024-03-29T12:30:39 192.168.0.157:1146 192.168.0.201:22 tcp
wan 2024-03-29T12:30:39 192.168.0.157:1145 192.168.0.200:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1143 192.168.0.200:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1142 192.168.0.20:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1140 192.168.0.20:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1139 192.168.0.199:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1137 192.168.0.199:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1136 192.168.0.198:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1134 192.168.0.198:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1133 192.168.0.171:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1131 192.168.0.171:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1130 192.168.0.163:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1128 192.168.0.163:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1127 192.168.0.162:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1125 192.168.0.162:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1124 192.168.0.161:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1122 192.168.0.161:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1121 192.168.0.160:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1119 192.168.0.160:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1117 192.168.0.16:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1116 192.168.0.159:22 tcp
wan 2024-03-29T12:30:34 192.168.0.157:1114 192.168.0.159:22 tcp
I've also spotted a couple of foreign IPs:
PR DIR SRC DEST STATE AGE EXP PKTS BYTES
tcp Out 192.168.0.157:4685 90.201.245.177:22 SYN_SENT:CLOSED 00:01:51 00:00:09 1 60
tcp Out 192.168.0.157:9815 92.10.20.150:22 SYN_SENT:CLOSED 00:01:48 00:00:12 1 60
tcp Out 192.168.0.157:35230 97.106.22.123:22 SYN_SENT:CLOSED 00:01:42 00:00:18 1 60
tcp Out 192.168.0.157:48424 97.227.172.3:22 TIME_WAIT:TIME_WAIT 00:01:35 00:00:00 2 100
tcp Out 192.168.0.157:64406 98.90.241.255:22 TIME_WAIT:TIME_WAIT 00:01:32 00:00:00 2 100
tcp Out 192.168.0.157:45567 99.129.42.74:80 SYN_SENT:CLOSED 00:01:29 00:00:31 1 60
tcp Out 192.168.0.157:30475 99.129.42.74:22 TIME_WAIT:TIME_WAIT 00:01:28 00:00:02 2 100
tcp Out 192.168.0.157:4522 9.0.0.0:22 TIME_WAIT:TIME_WAIT 00:01:17 00:00:14 3 160
I have not been able to find a PID claiming responsibility for the connections.
/Peter
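A defender-side check for the pattern in Peter's log, added here as an example and not part of the thread: it parses lines in the same Interface/Time/Source/Destination/Proto layout and flags any source that reaches many distinct hosts on port 22 inside a short sliding window (a horizontal scan). The sample lines are constructed and the thresholds are assumptions.

```python
"""Flag a source fanning out to port 22 across many hosts (horizontal scan)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's log layout: Interface Time Source Destination Proto
SAMPLE_LOG = """\
wan 2024-03-29T12:30:46 192.168.0.157:1186 192.168.0.50:22 tcp
wan 2024-03-29T12:30:45 192.168.0.157:1184 192.168.0.50:22 tcp
wan 2024-03-29T12:30:45 192.168.0.157:1183 192.168.0.40:22 tcp
wan 2024-03-29T12:30:44 192.168.0.157:1180 192.168.0.33:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1176 192.168.0.27:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1172 192.168.0.25:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1166 192.168.0.224:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1160 192.168.0.22:22 tcp
wan 2024-03-29T12:31:10 192.168.0.99:50123 192.168.0.1:443 tcp
wan 2024-03-29T12:31:12 192.168.0.99:50124 192.168.0.1:443 tcp
"""

def parse_line(line):
    """Split one log line into fields; the port is split off the last ':'."""
    iface, ts, src, dst, proto = line.split()[:5]
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"iface": iface, "time": datetime.fromisoformat(ts), "src": src_ip,
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}

def find_fanout(log_text, dport=22, min_hosts=5, window_seconds=60):
    """Map source IP -> sorted distinct hosts it reached on dport, for sources
    that hit at least min_hosts distinct hosts inside one sliding window.
    The thresholds are assumptions, not values from the thread."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            if ev["proto"] == "tcp" and ev["dport"] == dport:
                by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end]["time"] - events[start]["time"]).total_seconds() > window_seconds:
                start += 1
            hosts = {e["dst"] for e in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(src, set()).update(hosts)
    return {src: sorted(hosts) for src, hosts in alerts.items()}
```

Run over an exported firewall log, a hit on the firewall's own WAN address as the source confirms the box itself is originating the connections rather than forwarding them.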
Nothing in the OS will do that. This is something you have set up, some software misbehaving, or you are being subjected to some attack or virus or similar on the inside.
Don't forget also that source ip addresses can and are often spoofed.
By the way, is your WAN ip really 192.168.0.157 i.e. your OPN is behind another router? If yes, then the situation might be less malign. Needs investigating ASAP though.
Thanks for the feedback, and I have the gut feeling that something isn't right. Whether it's something malicious or misbehaving SW I don't know, so I guess I'll do a clean install of the FW.
PS. No, my real WAN IP is not 192.168.0.157, this is a lab setup. I've been running Untangle/Arista for some years and they have recently decided to discontinue the Home Pro version, hence the license fee will go up 10x.
Again, thanks for the input :)
I am by no means an expert! I discovered the same thing while looking at the logs. I had enabled the OPNsense admin page on WAN. My setup had no business being set up that way. Control everything from the local LAN.
Quote from: starfox101 on March 30, 2024, 04:47:07 PM
I am by no means an expert! I discovered the same thing while looking at the logs. I had enabled the OPNsense admin page on WAN. My setup had no business being set up that way. Control everything from the local LAN.
IIRC the GUI listens by default on all interfaces, but on WAN there is no FW rule allowing access. Normally.