I set up a VPN server on my VyOS and after some time I noticed that someone is getting access to my VyOS.
Part of auth.log
Mar 10 15:54:09 hostname1 sshd[10658]: pam_unix(sshd:session): session closed for user alturew
Mar 10 16:17:01 hostname1 CRON[11463]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 16:17:01 hostname1 CRON[11463]: pam_unix(cron:session): session closed for user root
Mar 10 17:17:01 hostname1 CRON[11609]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 17:17:01 hostname1 CRON[11609]: pam_unix(cron:session): session closed for user root
Mar 10 18:17:01 hostname1 CRON[11735]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 18:17:01 hostname1 CRON[11735]: pam_unix(cron:session): session closed for user root
Mar 10 19:17:01 hostname1 CRON[11863]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 19:17:01 hostname1 CRON[11863]: pam_unix(cron:session): session closed for user root
Mar 10 20:17:01 hostname1 CRON[11996]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 20:17:01 hostname1 CRON[11996]: pam_unix(cron:session): session closed for user root
Mar 10 21:17:01 hostname1 CRON[12122]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 21:17:01 hostname1 CRON[12122]: pam_unix(cron:session): session closed for user root
Mar 10 22:02:56 hostname1 pluto[11306]: packet from 93.174.95.106:4500: initial Main Mode message received on 130.0.34.184:4500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 10 22:17:01 hostname1 CRON[12251]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 22:17:01 hostname1 CRON[12251]: pam_unix(cron:session): session closed for user root
Mar 10 23:17:01 hostname1 CRON[12378]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 23:17:01 hostname1 CRON[12378]: pam_unix(cron:session): session closed for user root
Mar 11 00:17:01 hostname1 CRON[12506]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 00:17:01 hostname1 CRON[12506]: pam_unix(cron:session): session closed for user root
Mar 11 01:17:01 hostname1 CRON[12632]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 01:17:01 hostname1 CRON[12632]: pam_unix(cron:session): session closed for user root
Mar 11 02:17:01 hostname1 CRON[12758]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 02:17:01 hostname1 CRON[12758]: pam_unix(cron:session): session closed for user root
Mar 11 03:17:01 hostname1 CRON[12884]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 03:17:01 hostname1 CRON[12884]: pam_unix(cron:session): session closed for user root
Mar 11 04:00:15 hostname1 pluto[11306]: packet from 216.218.206.122:2542: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 11 04:17:01 hostname1 CRON[13012]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 04:17:01 hostname1 CRON[13012]: pam_unix(cron:session): session closed for user root
Mar 11 05:17:02 hostname1 CRON[13138]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 05:17:02 hostname1 CRON[13138]: pam_unix(cron:session): session closed for user root
Mar 11 06:17:01 hostname1 CRON[13264]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 06:17:01 hostname1 CRON[13264]: pam_unix(cron:session): session closed for user root
Mar 11 06:25:01 hostname1 CRON[13286]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: Successful su for www-data by root
Mar 11 06:30:31 hostname1 su[13371]: + ??? root:www-data
Mar 11 06:30:31 hostname1 su[13371]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: pam_unix(su:session): session closed for user www-data
Mar 11 06:30:31 hostname1 su[13376]: Successful su for www-data by root
Mar 11 06:30:31 hostname1 su[13376]: + ??? root:www-data
Mar 11 06:30:31 hostname1 su[13376]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 11 06:30:31 hostname1 su[13376]: pam_unix(su:session): session closed for user www-data
Mar 11 06:30:32 hostname1 CRON[13286]: pam_unix(cron:session): session closed for user root
Mar 11 07:17:01 hostname1 CRON[13558]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 07:17:01 hostname1 CRON[13558]: pam_unix(cron:session): session closed for user root
Mar 11 08:17:01 hostname1 CRON[13686]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 08:17:01 hostname1 CRON[13686]: pam_unix(cron:session): session closed for user root
Mar 11 09:17:01 hostname1 CRON[13812]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 09:17:01 hostname1 CRON[13812]: pam_unix(cron:session): session closed for user root
Mar 11 10:17:01 hostname1 CRON[13939]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 10:17:01 hostname1 CRON[13939]: pam_unix(cron:session): session closed for user root
Mar 11 11:17:01 hostname1 CRON[14068]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 11:17:01 hostname1 CRON[14068]: pam_unix(cron:session): session closed for user root
Mar 11 12:17:01 hostname1 CRON[14196]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 12:17:01 hostname1 CRON[14196]: pam_unix(cron:session): session closed for user root
Mar 11 13:17:01 hostname1 CRON[14326]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 13:17:01 hostname1 CRON[14326]: pam_unix(cron:session): session closed for user root
Mar 11 14:17:01 hostname1 CRON[14453]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 14:17:01 hostname1 CRON[14453]: pam_unix(cron:session): session closed for user root
Mar 11 15:17:01 hostname1 CRON[14581]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 15:17:01 hostname1 CRON[14581]: pam_unix(cron:session): session closed for user root
Mar 11 16:17:01 hostname1 CRON[14710]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 16:17:01 hostname1 CRON[14710]: pam_unix(cron:session): session closed for user root
Mar 11 17:17:01 hostname1 CRON[14844]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 17:17:01 hostname1 CRON[14844]: pam_unix(cron:session): session closed for user root
Mar 11 18:17:01 hostname1 CRON[14973]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 18:17:01 hostname1 CRON[14973]: pam_unix(cron:session): session closed for user root
Mar 11 19:17:01 hostname1 CRON[15100]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 19:17:01 hostname1 CRON[15100]: pam_unix(cron:session): session closed for user root
Mar 11 20:17:01 hostname1 CRON[15236]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 20:17:01 hostname1 CRON[15236]: pam_unix(cron:session): session closed for user root
Mar 11 21:17:01 hostname1 CRON[15364]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 21:17:01 hostname1 CRON[15364]: pam_unix(cron:session): session closed for user root
Mar 11 22:17:01 hostname1 CRON[15490]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 22:17:01 hostname1 CRON[15490]: pam_unix(cron:session): session closed for user root
Mar 11 23:17:01 hostname1 CRON[15619]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 23:17:01 hostname1 CRON[15619]: pam_unix(cron:session): session closed for user root
Mar 12 00:17:01 hostname1 CRON[15746]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 00:17:01 hostname1 CRON[15746]: pam_unix(cron:session): session closed for user root
Mar 12 00:57:01 hostname1 CRON[15834]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 00:57:01 hostname1 CRON[15834]: pam_unix(cron:session): session closed for user root
Mar 12 01:17:01 hostname1 CRON[15880]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 01:17:01 hostname1 CRON[15880]: pam_unix(cron:session): session closed for user root
Mar 12 02:17:01 hostname1 CRON[16010]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 02:17:02 hostname1 CRON[16010]: pam_unix(cron:session): session closed for user root
Mar 12 03:17:01 hostname1 CRON[16146]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 03:17:01 hostname1 CRON[16146]: pam_unix(cron:session): session closed for user root
Mar 12 03:21:12 hostname1 pluto[11306]: packet from 216.218.206.66:60333: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 12 04:17:01 hostname1 CRON[16273]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 04:17:01 hostname1 CRON[16273]: pam_unix(cron:session): session closed for user root
Mar 12 05:17:01 hostname1 CRON[16399]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 05:17:01 hostname1 CRON[16399]: pam_unix(cron:session): session closed for user root
Mar 12 06:17:01 hostname1 CRON[16525]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 06:17:01 hostname1 CRON[16525]: pam_unix(cron:session): session closed for user root
Mar 12 06:25:01 hostname1 CRON[16547]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 06:44:32 hostname1 su[16631]: Successful su for www-data by root
Mar 12 06:44:32 hostname1 su[16631]: + ??? root:www-data
Mar 12 06:44:32 hostname1 su[16631]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 12 06:44:32 hostname1 su[16631]: pam_unix(su:session): session closed for user www-data
Mar 12 06:44:32 hostname1 su[16636]: Successful su for www-data by root
Mar 12 06:44:32 hostname1 su[16636]: + ??? root:www-data
Mar 12 06:44:32 hostname1 su[16636]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 12 06:44:32 hostname1 su[16636]: pam_unix(su:session): session closed for user www-data
Mar 12 06:44:32 hostname1 CRON[16547]: pam_unix(cron:session): session closed for user root
Mar 12 06:47:01 hostname1 CRON[16689]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 06:47:03 hostname1 CRON[16689]: pam_unix(cron:session): session closed for user root
Mar 12 07:17:01 hostname1 CRON[16761]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 07:17:01 hostname1 CRON[16761]: pam_unix(cron:session): session closed for user root
Mar 12 08:17:01 hostname1 CRON[16891]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 08:17:01 hostname1 CRON[16891]: pam_unix(cron:session): session closed for user root
Mar 12 09:17:01 hostname1 CRON[17022]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 09:17:01 hostname1 CRON[17022]: pam_unix(cron:session): session closed for user root
Mar 12 10:17:01 hostname1 CRON[17149]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 10:17:01 hostname1 CRON[17149]: pam_unix(cron:session): session closed for user root
Mar 12 11:17:01 hostname1 CRON[17282]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 11:17:01 hostname1 CRON[17282]: pam_unix(cron:session): session closed for user root
Mar 12 12:17:01 hostname1 CRON[17416]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 12:17:01 hostname1 CRON[17416]: pam_unix(cron:session): session closed for user root
Mar 12 13:17:01 hostname1 CRON[17542]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 13:17:02 hostname1 CRON[17542]: pam_unix(cron:session): session closed for user root
Mar 12 14:17:01 hostname1 CRON[17670]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 14:17:01 hostname1 CRON[17670]: pam_unix(cron:session): session closed for user root
Mar 12 15:17:01 hostname1 CRON[17798]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 15:17:01 hostname1 CRON[17798]: pam_unix(cron:session): session closed for user root
Mar 12 16:17:01 hostname1 CRON[17925]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 16:17:01 hostname1 CRON[17925]: pam_unix(cron:session): session closed for user root
Mar 12 17:17:01 hostname1 CRON[18052]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 17:17:01 hostname1 CRON[18052]: pam_unix(cron:session): session closed for user root
Mar 12 18:17:01 hostname1 CRON[18180]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 18:17:01 hostname1 CRON[18180]: pam_unix(cron:session): session closed for user root
Mar 12 19:17:01 hostname1 CRON[18307]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 19:17:01 hostname1 CRON[18307]: pam_unix(cron:session): session closed for user root
Mar 12 20:17:01 hostname1 CRON[18440]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 20:17:01 hostname1 CRON[18440]: pam_unix(cron:session): session closed for user root
Mar 12 21:17:01 hostname1 CRON[18567]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 21:17:01 hostname1 CRON[18567]: pam_unix(cron:session): session closed for user root
Mar 12 22:17:01 hostname1 CRON[18695]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 22:17:01 hostname1 CRON[18695]: pam_unix(cron:session): session closed for user root
Mar 12 22:30:26 hostname1 pluto[11306]: packet from 89.248.172.16:500: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 12 23:17:01 hostname1 CRON[18825]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 23:17:01 hostname1 CRON[18825]: pam_unix(cron:session): session closed for user root
Mar 13 00:17:01 hostname1 CRON[18953]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 00:17:01 hostname1 CRON[18953]: pam_unix(cron:session): session closed for user root
Mar 13 01:17:01 hostname1 CRON[19081]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 01:17:01 hostname1 CRON[19081]: pam_unix(cron:session): session closed for user root
Mar 13 02:17:01 hostname1 CRON[19207]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 02:17:01 hostname1 CRON[19207]: pam_unix(cron:session): session closed for user root
Mar 13 03:17:01 hostname1 CRON[19334]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 03:17:01 hostname1 CRON[19334]: pam_unix(cron:session): session closed for user root
Mar 13 03:17:48 hostname1 pluto[11306]: packet from 216.218.206.70:28188: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 13 04:17:01 hostname1 CRON[19461]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 04:17:01 hostname1 CRON[19461]: pam_unix(cron:session): session closed for user root
Mar 13 05:17:01 hostname1 CRON[19592]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 05:17:01 hostname1 CRON[19592]: pam_unix(cron:session): session closed for user root
Mar 13 06:17:01 hostname1 CRON[19718]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 06:17:01 hostname1 CRON[19718]: pam_unix(cron:session): session closed for user root
Mar 13 06:25:01 hostname1 CRON[19740]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 06:52:25 hostname1 su[19839]: Successful su for www-data by root
Mar 13 06:52:25 hostname1 su[19839]: + ??? root:www-data
Mar 13 06:52:25 hostname1 su[19839]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 13 06:52:25 hostname1 su[19839]: pam_unix(su:session): session closed for user www-data
Mar 13 06:52:25 hostname1 su[19844]: Successful su for www-data by root
Mar 13 06:52:25 hostname1 su[19844]: + ??? root:www-data
Mar 13 06:52:25 hostname1 su[19844]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 13 06:52:25 hostname1 su[19844]: pam_unix(su:session): session closed for user www-data
Mar 13 06:52:26 hostname1 CRON[19740]: pam_unix(cron:session): session closed for user root
Mar 13 07:17:01 hostname1 CRON[19941]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 07:17:01 hostname1 CRON[19941]: pam_unix(cron:session): session closed for user root
Mar 13 08:17:01 hostname1 CRON[20070]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 08:17:01 hostname1 CRON[20070]: pam_unix(cron:session): session closed for user root
Part of messages
Mar 10 22:02:56 hostname1 pluto[11306]: packet from 93.174.95.106:4500: initial Main Mode message received on XXX.XXX.XXX.XXX:4500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 11 04:00:15 hostname1 pluto[11306]: packet from 216.218.206.122:2542: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
Mar 12 03:21:12 hostname1 pluto[11306]: packet from 216.218.206.66:60333: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
Mar 12 22:30:26 hostname1 pluto[11306]: packet from 89.248.172.16:500: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 13 03:17:48 hostname1 pluto[11306]: packet from 216.218.206.70:28188: initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized
My local firewall rule:
show firewall name wan_local
 default-action drop
 rule 1 {
     action drop
     protocol icmp
 }
 rule 3 {
     action drop
     destination {
         port 22,23,20,21
     }
     protocol tcp_udp
 }
 rule 4 {
     action drop
     destination {
         port ssh
     }
     protocol tcp_udp
 }
 rule 5 {
     action drop
     destination {
         port 23
     }
     protocol tcp_udp
 }
 rule 10 {
     action accept
     state {
         established enable
         related enable
     }
 }
 rule 40 {
     action accept
     disable
     protocol esp
 }
 rule 41 {
     action accept
     destination {
         port 500
     }
     protocol udp
 }
 rule 42 {
     action accept
     destination {
         port 4500
     }
     protocol udp
 }
 rule 43 {
     action accept
     destination {
         port 1701
     }
     protocol udp
 }
My ssh setup:
show service ssh
 listen-address 192.168.1.1
 port 9355
What did I miss?
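Added example (not part of the post above): a small triage script that walks the auth.log excerpt, pairs each "Successful su ... by root" with whatever root CRON session is open at that moment (so you can see whether the su happened inside a scheduled job or outside one), and counts the pluto "no connection has been authorized" IKE packets per source address. The sample lines are copied from the post; the regexes and the function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the auth.log excerpt in the post.
SAMPLE_LOG = """\
Mar 10 15:54:09 hostname1 sshd[10658]: pam_unix(sshd:session): session closed for user alturew
Mar 10 22:02:56 hostname1 pluto[11306]: packet from 93.174.95.106:4500: initial Main Mode message received on 130.0.34.184:4500 but no connection has been authorized with policy=PSK+PUBKEY
Mar 11 04:00:15 hostname1 pluto[11306]: packet from 216.218.206.122:2542: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
Mar 11 06:25:01 hostname1 CRON[13286]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 11 06:30:31 hostname1 su[13371]: Successful su for www-data by root
Mar 11 06:30:31 hostname1 su[13376]: Successful su for www-data by root
Mar 11 06:30:32 hostname1 CRON[13286]: pam_unix(cron:session): session closed for user root
Mar 12 03:21:12 hostname1 pluto[11306]: packet from 216.218.206.66:60333: initial Main Mode message received on 130.0.34.184:500 but no connection has been authorized
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SU_RE = re.compile(r"Successful su for (?P<target>\S+) by (?P<by>\S+)")
IKE_RE = re.compile(
    r"packet from (?P<src>[\d.]+):\d+: initial Main Mode message .* "
    r"no connection has been authorized")


def analyze(text):
    """Return su events tagged with the enclosing root cron session (if any)
    and a per-source count of rejected IKE Main Mode packets."""
    cron_open = {}            # cron PID -> timestamp the root session opened
    su_events = []            # (ts, target, by, cron_pid or None)
    ike_by_src = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a syslog line; skip it
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "CRON" and "for user root" in msg:
            if "session opened" in msg:
                cron_open[pid] = m["ts"]
            elif "session closed" in msg:
                cron_open.pop(pid, None)
        elif prog == "su":
            s = SU_RE.search(msg)
            if s:
                # Any open root cron session is the likely parent of this su;
                # an su by root with no cron session open deserves a closer look.
                parent = next(iter(cron_open), None)
                su_events.append((m["ts"], s["target"], s["by"], parent))
        elif prog == "pluto":
            k = IKE_RE.search(msg)
            if k:
                ike_by_src[k["src"]] += 1
    return {"su_events": su_events, "ike_unauthorized": dict(ike_by_src)}
```

Run it over the full auth.log rather than the excerpt: every su with a cron parent of None is one to trace further (tty, source address), while the pluto entries are only unauthenticated Main Mode proposals that never matched a connection, which is what UDP 500/4500 exposed by rules 41 and 42 will attract.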