Enabling Remote Login shows people immediately trying to login

Discussion in 'OS X El Capitan (10.11)' started by Bubbler328, Dec 12, 2015.

  1. Bubbler328 macrumors newbie

    Joined:
    Sep 28, 2014
    #1
    When I enable remote login/remote management on my Mac Mini, I almost immediately get console entries that seem to indicate my computer is receiving login attempts from multiple IP addresses. The IPs are registered to entities in Iran, Lithuania, Japan etc... I am in the US.

    I see entries such as:
    12/12/15 10:58:53.731 AM sshd[51027]: error: PAM: authentication error for root from 43.229.53.103 via 10.0.1.20
    or
    12/11/15 6:46:31.007 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 77.237.88.149 :: Type: VNC DES
    12/11/15 6:46:32.202 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 213.159.37.46 :: Type: VNC DES

    I don't understand what could be causing this on this machine because aside from Dropbox and CrashPlan nothing else is consistently running. I'm not sure what would be broadcasting the fact that these services are enabled on this machine vs the two others on my network that are not receiving such requests when the same things are enabled.

    All of my software is 100% up to date on 10.11.2. I'm ready to wipe the machine but I'd really rather not.



    Any ideas/advice is appreciated.
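
The two console formats quoted in post #1 can be tallied per source address to see how many failures each remote host generates and which account names it tries. This is an added example, not part of the original thread; the function names, the threshold and the sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Patterns follow the two console formats quoted in post #1 (sshd PAM errors
# and screensharingd VNC failures); other sshd message types are ignored.
SSHD = re.compile(r"sshd\[\d+\]: error: PAM: authentication error for "
                  r"(?P<user>\S+) from (?P<ip>\S+)")
VNC = re.compile(r"screensharingd\[\d+\]: Authentication: FAILED :: User Name: "
                 r"(?P<user>.*?) :: Viewer Address: (?P<ip>\S+)")
# RFC 1918 ranges: failures coming from the LAN are not internet scanners.
LAN = [ipaddress.ip_network(n)
       for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_failure(line):
    """Return (service, user, ip) for a failed-login line, else None."""
    for service, pattern in (("ssh", SSHD), ("vnc", VNC)):
        m = pattern.search(line)
        if m:
            try:
                return service, m["user"], ipaddress.ip_address(m["ip"])
            except ValueError:
                return None  # source logged as a hostname; not handled here
    return None

def summarize(lines, threshold=3):
    """List (ip, service, failures, users tried) for external sources
    with at least `threshold` failures, most active first."""
    counts, users = Counter(), defaultdict(set)
    for service, user, ip in filter(None, map(parse_failure, lines)):
        if any(ip in net for net in LAN):
            continue
        counts[(str(ip), service)] += 1
        users[(str(ip), service)].add(user)
    return [(ip, svc, n, sorted(users[(ip, svc)]))
            for (ip, svc), n in counts.most_common() if n >= threshold]

# Constructed sample lines in the same format; not the poster's actual log.
SAMPLE = """\
12/12/15 10:58:51.100 AM sshd[51027]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.20
12/12/15 10:58:52.400 AM sshd[51027]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.20
12/12/15 10:58:53.731 AM sshd[51030]: error: PAM: authentication error for admin from 203.0.113.7 via 10.0.1.20
12/12/15 10:59:10.002 AM sshd[51041]: error: PAM: authentication error for alice from 10.0.1.5 via 10.0.1.20
12/12/15 11:02:31.007 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.23 :: Type: VNC DES
12/12/15 11:02:32.202 AM screensharingd[16337]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.23 :: Type: VNC DES
12/12/15 11:05:00.000 AM sshd[51050]: Accepted publickey for alice from 10.0.1.5 port 50412 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, svc, n, tried in summarize(SAMPLE, threshold=2):
        print(f"{ip:15} {svc:3} {n} failures, users tried: {', '.join(tried)}")
```

Many different external addresses each cycling through generic account names such as root or admin is the pattern of untargeted scanning; repeated failures against a real local account name would warrant a closer look.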
     
  2. Dragoro macrumors 6502

    Joined:
    Nov 27, 2010
    #2
    I would guess it would be programs, like Dropbox, Apple Mail and stuff like that. I don't know for sure, just a guess.
     
  3. simonsi macrumors 601

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #3
    None of those will attempt to log in as root.
    Have you exposed that machine directly to the internet?
     
  4. leman macrumors 604

    Joined:
    Oct 14, 2008
    #4
    There are a lot of hackers out there trying to find vulnerable computers. They would send login requests to any connected IP address and try to break in using a standard password dictionary. I get thousands of these per day on our servers. Mostly, you are safe, because OS X does not offer a root user. Still, I would recommend that you a) use a proper firewall, b) do not connect your computer to the internet directly (use a router), c) use public keys for SSH instead of passwords, and d) make sure that your passwords are really secure.
     
  5. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #5
    There's no need to wipe the machine as these are all failed attempts. It's what happens when you have these ports facing the public internet.
    You could change SSH to require keys for login rather than accept passwords, and this will prevent any password from working, thereby hardening that login process considerably.
    If you don't need VNC/Screen Sharing facing the internet, you should close off those ports to the public internet. You'd be best off to harden up SSH to require keys then only allow screen sharing tunneled through SSH.
     
  6. raab macrumors member

    Joined:
    Jul 23, 2010
    #6
    This is normal, unfortunately. They just scan entire subnets on various ports trying to brute force into devices.
     
  7. Bubbler328 thread starter macrumors newbie

    Joined:
    Sep 28, 2014
    #7
    Thanks for the info. This machine is on wifi via my AirPort Extreme (latest model). But I haven't set it as "default host" (aka DMZ I guess) or anything. Just have the ports for Remote Desktop/VNC forwarded to its internal IP.
     
  8. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #8
    You also have the ports for "Remote Login" (ssh) open. You do not need that forwarded to remotely connect via Screen Sharing.
    If you can use Back to My Mac, you don't need to open any ports and your computer will be more secure.
     