📋 nub audit

by anon · 2026-06-18 00:01:16
← all clips

You 🧑

Anything suspicious, security wise in the logs?

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u sshd --]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u sshd --]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "cat /var/log/auth.log* 2>/]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl --no-pager]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command="ip addr show 2>/dev/null | grep 'inet ' | head -5"]

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u nftable]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list set ip nat s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list ruleset 2>/d]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='for ip in 45.194.67.148 85.111.68.99 87.251.64.144]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='for ip in 45.194.67.148 85.111.68.99 87.251.64.144]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u dnsmasq]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -k --since]…

▶ Tool: web_search [max_results=3, query='45.194.67.148 IP address location abu]…

▶ Tool: web_search [max_results=3, query='85.111.68.99 IP address location']

▶ Tool: web_search [max_results=3, query='87.251.64.144 IP address location']

▶ Tool: web_search [max_results=3, query='173.249.52.138 IP address location ab]…

▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/45.194.67.148']

▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/85.111.68.99']

▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/87.251.64.144']

▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/173.249.52.138']

▶ Tool: run_python [code='import urllib.request\nimport json\n\nips = [\'45.194]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "ss -tlnp 2>/dev/null"']

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "ps aux | grep -E \'python3]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.6 "crontab -l 2>/dev/null; ec]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u openai-]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.6 "ps aux | grep -i ssh 2>/de]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list table ip nat]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "count=0; while read line; ]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list chain ip nat]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "journalctl --since \'2026-]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "which fail2ban 2>/dev/null]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "grep -E \'PasswordAuthenti]…

▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "cat /etc/ssh/sshd_config 2]…

Assistant 🤖

Here's the full security rundown for the router and related systems:


🔍 Security Audit Summary — behorouter & Network

✅ The Good — What's Working Well

Layer

Status

Details

Router SSH (direct)

🟢 Clean

No external failed attempts hitting the router itself. Only LAN/WireGuard SSH allowed in via firewall.

Firewall rules

🟢 Solid

Default-drop input/forward policies, only specific ports open. IPv6 also well-locked-down.

SSH rate-limiting

🟢 Active

nftables drops WAN SSH attempts exceeding 5/min per IP. Currently tracking offenders in the rate-limit set.

ACPI BIOS errors

🟡 Harmless

Just firmware bugs on the N5105 at boot — no security impact.

Key-based auth only

🟢 Good

No password prompts needed (sudo via passwordless config is LAN-only and command-restricted).

⚠️ The Concerning — What I Found

🚨 Major: 221,795 failed SSH login attempts since May 31

The router forwards WAN port 22 to miniserv (10.0.23.3), and miniserv is getting absolutely hammered:

Top attacking IPs (all from Poland, likely a botnet): | IP | Attempts | Origin | |:--:|:--------:|:------| | 87.251.64.149 | 23,983 🇵🇱 Poland (ISAEV Igor) | | 87.251.64.145 | 6,750 🇵🇱 | | 87.251.64.144 | 4,815 🇵🇱 — also caught in rate-limit set | | 87.251.64.147 | 3,960 🇵🇱 | | Others | Various EU IPs, ~1k each |

Usernames being tried: root, admin, test2, oracle, lighthouse, 123456, pi, splunk, debian, deployer, minecraft... full dictionary attack.

Just today (last ~4 hours): 2,381 attempts — this is actively ongoing right now.

🔓 Two issues on miniserv:

  1. No fail2ban installed ❌ — The router's rate-limit (5/min/IP) helps, but attackers rotate IPs to stay under the threshold.
  2. PasswordAuthentication is still default (yes) — The #PasswordAuthentication yes in sshd_config is commented out, meaning it inherits the default: enabled. Only KbdInteractiveAuthentication no is explicitly set, which blocks keyboard-interactive but not standard password auth.

📈 Other Observations

🛠️ Recommended Actions

  1. On miniserv: sudo apt install fail2ban — this would dynamically ban IPs after a few failed attempts.
  2. Set PasswordAuthentication no in /etc/ssh/sshd_config on miniserv — since you only use SSH keys, there's no reason to allow password logins.
  3. Consider tightening the router's SSH rate-limit — 5/min per IP is generous. Could drop to 3/min with burst 3.
  4. That 10.0.23.6 preauth connection might be nothing, but worth checking if something on behoserver is accidentally probing the router.