Should I worry about this ? I have never seen an established coneection before from a known bad IP see here . This IP address is not listed in recent logons so I guess they have connected to webmin another way? any thoughts ?
Submitted by JamieCameron on Fri, 12/11/2020 - 22:22 Comment #1
Does that IP show up in /var/webmin/miniserv.log ?
No it does not, but I did shut webmin down and it took about five mins for the connection to clear. After restarting webmin I had a good look around using the webmin interface for any signs of interference .. the only thing I found was in firewalld ports 1024-65535 (tcp) were set open is this normal ? tbf the only time I went to the module was at installation to add the custom ssh/ftp ports. I'm guessing it to be normal as my other server was set the same, however this also had the same ip connected to it
Submitted by JamieCameron on Sat, 12/12/2020 - 12:07 Comment #3
If there is no entry in the logs for that IP, it means that someone connected but didn't login or send any requests. So I wouldn't worry..
Ok no worries ...I have had an IP connected for a couple of days now (well everytime I check there is a connection) & I managed to reproduce this effect by telneting to the webmin server, manually, if you connect this way you get the https error page typed to the console and webmin closes the telnet connection. So as this appears to be a persistent connection is there anything to be gained by an attacker sat connected to the port for days ? Nothing is ever logged to miniserv.log when you get this server response could you add something to the log so fail2ban can be triggered to ban the IP just to be on the safe side ?
Submitted by JamieCameron on Fri, 12/18/2020 - 13:42 Comment #5
No, I can't see how the attacker could gain anything from making an unused connection like this.
Well I got rid of them by using a mixture of psad & fail2ban ... The reason for using fail2ban on top of psad was to get persistent bans on reboots which I could not get psad to do for some reason