[Solved] Beginner question: should I be concerned about these firewall logs?

Started by macege, January 19, 2024, 01:16:54 PM

Is my device hacked?

Ubuntu - media server, sending lots of requests from port 22. Or am I understanding the firewall direction wrong?

Please check attachment.

That's right, the requests are coming IN from the client in your network.

Thanks, I have some investigating to do, or possibly a reinstall. I will try to find out how they got in in the first place.

I did some port scans on the reported IPs and some have port 22 open. I guess my Ubuntu is used for some brute force purpose.

I would never see this if it was not for the OPNsense firewall log. (I just installed it on Tuesday.)

Checking the first 3 unique IPs, they all are assigned to the People's Republic. Maybe you have something that needs to connect there. Notice the source port is 22 and the blocked traffic is state violation (S), so that suggests that someone/thing is connected into your network from those IPs. It's the return that has been blocked due to -possibly- stale connections. Don't want to be an alarmist but you need to investigate ASAP.

Dude, I finally figured out why I was seeing these results. When I set up OPNsense I left my old firewall running and this has a port forward to port 22 on my Ubuntu. The machine is trying to answer on its default route and sends everything to OPNsense.

Before you arrest me, I use fail2ban to block brute-force attempts.

Damn, took me a while before I could understand why my Ubuntu was trying to make all these connections through OPNsense.

I will shut down the old router and let you know if this solves the problem. I'm pretty sure it does (I'm not home now).


I can confirm it has been resolved after turning off the old firewall.
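The diagnosis reached in this thread, as an added example that is not part of any post: blocked packets leaving a LAN host from source port 22 are an SSH server's replies, not outbound connection attempts. The record layout, LAN range, addresses and function names are assumptions constructed for illustration, not OPNsense's log format.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample records (not OPNsense's real log layout):
# (action, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    ("block", "192.168.1.50", 22, "203.0.113.7", 51544, "SA"),
    ("block", "192.168.1.50", 22, "198.51.100.23", 40112, "SA"),
    ("block", "192.168.1.50", 22, "203.0.113.7", 51544, "PA"),
    ("pass", "192.168.1.60", 48122, "192.0.2.10", 22, "S"),
    ("block", "203.0.113.9", 40000, "192.168.1.50", 22, "S"),
]


def classify(record):
    """Label one record by which side of the SSH connection the LAN host is on."""
    _action, src, sport, _dst, dport, flags = record
    if ipaddress.ip_address(src) not in LAN:
        return "not-from-lan"
    # A packet leaving port 22 that is not a bare SYN is a server answering
    # a connection that someone else opened.
    if sport == 22 and flags != "S":
        return "ssh-server-reply"
    # A bare SYN towards port 22 is the LAN host opening a connection itself,
    # which is what outbound brute forcing would look like.
    if dport == 22 and flags == "S":
        return "outbound-ssh-attempt"
    return "other"


def asymmetric_suspects(records, min_hits=2):
    """LAN hosts with at least min_hits blocked SSH server replies."""
    hits = Counter(
        r[1] for r in records
        if r[0] == "block" and classify(r) == "ssh-server-reply"
    )
    return sorted(host for host, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec), rec)
    print("reply traffic blocked for:", asymmetric_suspects(SAMPLE))
```

A host listed by `asymmetric_suspects` is answering connections whose inbound leg never crossed this firewall, so the next thing to check is what else on the network forwards port 22 to it.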