
Bubbler328

macrumors member
Original poster
Sep 28, 2014
When I enable remote login/remote management on my Mac Mini, I almost immediately get console entries that seem to indicate my computer is receiving login attempts from multiple IP addresses. The IPs are registered to entities in Iran, Lithuania, Japan etc... I am in the US.

I see entries such as:
12/12/15 10:58:53.731 AM sshd[51027]: error: PAM: authentication error for root from 43.229.53.103 via 10.0.1.20
or
12/11/15 6:46:31.007 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 77.237.88.149 :: Type: VNC DES
12/11/15 6:46:32.202 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 213.159.37.46 :: Type: VNC DES

I don't understand what could be causing this on this machine because, aside from Dropbox and CrashPlan, nothing else is consistently running. I'm not sure what would be broadcasting the fact that these services are enabled on this machine vs. the two others on my network that are not receiving such requests when the same things are enabled.

All of my software is 100% up to date on 10.11.2. I'm ready to wipe the machine but I'd really rather not.



Any ideas/advice is appreciated.
 
I would guess it would be programs like Dropbox, Apple Mail and stuff like that. I don't know for sure, just a guess.
 
There are a lot of hackers out there trying to find vulnerable computers. They would send login requests to any connected IP address and try to break in using a standard password dictionary. I get thousands of these per day on our servers. Mostly, you are safe, because OS X does not offer a root user. Still, I would recommend that you a) use a proper firewall, b) do not connect your computer to the internet directly (use a router), c) use public keys for SSH instead of passwords, and d) make sure that your passwords are really secure.
 
When I enable remote login/remote management on my Mac Mini, I almost immediately get console entries that seem to indicate my computer is receiving login attempts from multiple IP addresses. The IPs are registered to entities in Iran, Lithuania, Japan etc... I am in the US.
There's no need to wipe the machine as these are all failed attempts. It's what happens when you have these ports facing the public internet.
You could change SSH to require keys for login rather than accept passwords, and this will prevent any password from working, thereby hardening that login process considerably.
If you don't need VNC/Screen Sharing facing the internet, you should close off those ports to the public internet. You'd be best off to harden up SSH to require keys then only allow screen sharing tunneled through SSH.
 
This is normal, unfortunately. They just scan entire subnets on various ports trying to brute force into devices.
 
Thanks for the info. This machine is on wifi via my AirPort Extreme (latest model). But I haven't set it as "default host" (aka DMZ, I guess) or anything. Just have the ports for Remote Desktop/VNC forwarded to its internal IP.
 
Just have the ports for Remote Desktop/VNC forwarded to its internal IP.
You also have the ports for "Remote Login" (ssh) open. You do not need that forwarded to remotely connect via Screen Sharing.
If you can use Back to My Mac, you don't need to open any ports and your computer will be more secure.
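
Added example, not part of any post in this thread: a small Python script that tallies failed sshd and screensharingd authentications per source address, using the two Console line formats quoted in the first post. The sample log is constructed (documentation-range addresses, and the SUCCEEDED line is an assumed format), and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the two formats quoted in the thread. Addresses are
# documentation-range placeholders; the SUCCEEDED line is an assumed format.
SAMPLE_LOG = """\
12/12/15 10:58:53.731 AM sshd[51027]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.20
12/12/15 10:58:55.102 AM sshd[51027]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.20
12/12/15 10:59:01.440 AM sshd[51031]: error: PAM: authentication error for admin from 198.51.100.23 via 10.0.1.20
12/11/15 6:46:31.007 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.23 :: Type: VNC DES
12/11/15 6:46:32.202 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.0.2.99 :: Type: VNC DES
12/11/15 6:50:00.000 AM screensharingd[16337]: Authentication: SUCCEEDED :: User Name: bob :: Viewer Address: 10.0.1.5 :: Type: DH
"""

# One pattern per service; only failure lines match.
PATTERNS = [
    ("ssh", re.compile(
        r"sshd\[\d+\]: error: PAM: authentication error for (?P<user>.+?) from (?P<ip>\S+)")),
    ("vnc", re.compile(
        r"screensharingd\[\d+\]: Authentication: FAILED :: User Name: (?P<user>.*?)"
        r" :: Viewer Address: (?P<ip>\S+)")),
]

def failed_logins(log_text):
    """Yield (service, user, source_ip) for each failed authentication line."""
    for line in log_text.splitlines():
        for service, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                yield service, m["user"], m["ip"]
                break

def summarize(log_text):
    """Return {source_ip: Counter({service: failure_count})}."""
    per_ip = {}
    for service, _user, ip in failed_logins(log_text):
        per_ip.setdefault(ip, Counter())[service] += 1
    return per_ip

def multi_service_sources(summary):
    """Sources that failed against more than one exposed service."""
    return sorted(ip for ip, counts in summary.items() if len(counts) > 1)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, counts in sorted(summary.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{ip:16} {dict(counts)}")
    print("probing both services:", multi_service_sources(summary))
```

Running it against an exported Console log before and after removing a port forward shows whether the failures for that service stop.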
 