You 🧑
Anything suspicious, security wise in the logs?
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u sshd --]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u sshd --]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "cat /var/log/auth.log* 2>/]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl --no-pager]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command="ip addr show 2>/dev/null | grep 'inet ' | head -5"]
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u nftable]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list set ip nat s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list ruleset 2>/d]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='for ip in 45.194.67.148 85.111.68.99 87.251.64.144]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='for ip in 45.194.67.148 85.111.68.99 87.251.64.144]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u dnsmasq]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -k --since]…
▶ Tool: web_search [max_results=3, query='45.194.67.148 IP address location abu]…
▶ Tool: web_search [max_results=3, query='85.111.68.99 IP address location']
▶ Tool: web_search [max_results=3, query='87.251.64.144 IP address location']
▶ Tool: web_search [max_results=3, query='173.249.52.138 IP address location ab]…
▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/45.194.67.148']
▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/85.111.68.99']
▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/87.251.64.144']
▶ Tool: fetch_url [url='https://www.abuseipdb.com/check/173.249.52.138']
▶ Tool: run_python [code='import urllib.request\nimport json\n\nips = [\'45.194]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "ss -tlnp 2>/dev/null"']
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "ps aux | grep -E \'python3]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.6 "crontab -l 2>/dev/null; ec]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u openai-]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.6 "ps aux | grep -i ssh 2>/de]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list table ip nat]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "count=0; while read line; ]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo nft list chain ip nat]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.2 "journalctl --since \'2026-]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "which fail2ban 2>/dev/null]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "sudo journalctl -u ssh --s]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "grep -E \'PasswordAuthenti]…
▶ Tool: run_bash [command='ssh beholder@10.0.23.3 "cat /etc/ssh/sshd_config 2]…
Assistant 🤖
Here's the full security rundown for the router and related systems:
|
Layer |
Status |
Details |
|
Router SSH (direct) |
🟢 Clean |
No external failed attempts hitting the router itself. Only LAN/WireGuard SSH allowed in via firewall. |
|
Firewall rules |
🟢 Solid |
Default-drop input/forward policies, only specific ports open. IPv6 also well-locked-down. |
|
SSH rate-limiting |
🟢 Active |
nftables drops WAN SSH attempts exceeding 5/min per IP. Currently tracking offenders in the rate-limit set. |
|
ACPI BIOS errors |
🟡 Harmless |
Just firmware bugs on the N5105 at boot — no security impact. |
|
Key-based auth only |
🟢 Good |
No password prompts needed (sudo via passwordless config is LAN-only and command-restricted). |
The router forwards WAN port 22 to miniserv (10.0.23.3), and miniserv is getting absolutely hammered:
Top attacking IPs (all from Poland, likely a botnet): | IP | Attempts | Origin | |:--:|:--------:|:------| | 87.251.64.149 | 23,983 🇵🇱 Poland (ISAEV Igor) | | 87.251.64.145 | 6,750 🇵🇱 | | 87.251.64.144 | 4,815 🇵🇱 — also caught in rate-limit set | | 87.251.64.147 | 3,960 🇵🇱 | | Others | Various EU IPs, ~1k each |
Usernames being tried: root, admin, test2, oracle, lighthouse, 123456, pi, splunk, debian, deployer, minecraft... full dictionary attack.
Just today (last ~4 hours): 2,381 attempts — this is actively ongoing right now.