Topic: [Solved] Beginner question: should I be concerned about these firewall logs? (Read 1313 times)
macege
Newbie
Posts: 4
Karma: 0
« on: January 19, 2024, 01:16:54 pm »
Is my device hacked?
Ubuntu - media server, sending lots of requests from port 22. Or am I understanding the firewall direction wrong?
Please check attachment.
« Last Edit: January 20, 2024, 01:57:34 am by macege »
cookiemonster
Hero Member
Posts: 1823
Karma: 95
« Reply #1 on: January 19, 2024, 03:20:06 pm »
That's right, the requests are coming IN from the client in your network.
macege
Newbie
Posts: 4
Karma: 0
« Reply #2 on: January 19, 2024, 04:15:41 pm »
Thanks, I have some investigating or a possible reinstall to do. I will try to find out how they got in in the first place.
I did some port scans on the reported IPs and some have port 22 open. I guess my Ubuntu is used for some brute-force purpose.
I would never have seen this if it was not for the OPNsense firewall log. (I just installed it on Tuesday.)
cookiemonster
Hero Member
Posts: 1823
Karma: 95
« Reply #3 on: January 19, 2024, 04:29:56 pm »
Checking the first 3 unique IPs, they are all assigned to the People's Republic. Maybe you have something that needs to connect there. Notice the source port is 22 and the blocked traffic is state violation (S), so that suggests that someone/thing is connected into your network from those IPs. It's the return that has been blocked due to -possibly- stale connections. Don't want to be an alarmist but you need to investigate ASAP.
macege
Newbie
Posts: 4
Karma: 0
« Reply #4 on: January 19, 2024, 06:35:03 pm »
Dude, I finally figured out why I was seeing these results. When I set up OPNsense I left my old firewall running, and this has a port forward to port 22 on my Ubuntu. The machine is trying to answer on its default route and sends everything to OPNsense.
Before you arrest me, I use fail2ban to block brute-force attempts.
Damn, took me a while before I could understand why my Ubuntu was trying to make all these connections through OPNsense.
I will shut down the old router and let you know if this solves the problem. I'm pretty sure it does (I'm not home now).
cookiemonster
Hero Member
Posts: 1823
Karma: 95
« Reply #5 on: January 19, 2024, 06:39:03 pm »
Makes sense.
macege
Newbie
Posts: 4
Karma: 0
« Reply #6 on: January 20, 2024, 01:57:14 am »
I can confirm it has been resolved after turning off the old firewall.
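An added example, not part of the original thread: a sketch of the check that separates the two readings discussed above, a LAN host replying from port 22 to connections the firewall never saw opening (the asymmetric path found in Reply #4) versus a host opening SSH connections itself. The record layout, addresses and tcpdump-style flag letters are constructed for illustration and are not the raw OPNsense log format.

```python
from collections import Counter

# Constructed sample records as seen on the new firewall's LAN interface.
# Layout (assumed for this example): iface dir action src sport dst dport flags
# Addresses come from private and documentation ranges.
SAMPLE = """\
lan in block 192.168.1.50 22 203.0.113.7 51522 SA
lan in block 192.168.1.50 22 203.0.113.7 51522 SA
lan in block 192.168.1.50 22 198.51.100.23 40110 SA
lan in pass 192.168.1.50 44871 198.51.100.99 22 S
lan in block 192.168.1.50 22 203.0.113.80 33900 PA
"""

def classify(src_port, dst_port, flags, service_port=22):
    """Classify one TCP packet sent by a LAN host."""
    syn, ack = "S" in flags, "A" in flags
    if src_port == service_port and ack:
        # ACK-bearing packet from the service port: the host is answering a
        # connection whose opening SYN arrived by a path this firewall never saw.
        return "server-reply-no-state"
    if dst_port == service_port and syn and not ack:
        # Bare SYN toward a remote service port: the host opened the connection.
        return "client-initiated"
    return "other"

def summarize(text, service_port=22):
    """Return {lan_host: Counter(classification)} over all records."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _iface, _dir, _action, src, sport, _dst, dport, flags = line.split()
        label = classify(int(sport), int(dport), flags, service_port)
        result.setdefault(src, Counter())[label] += 1
    return result

if __name__ == "__main__":
    for host, counts in summarize(SAMPLE).items():
        print(host, dict(counts))
```

A host whose count is dominated by `server-reply-no-state` points to a second inbound path, such as a forgotten port forward, rather than to outbound brute forcing.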