Sshd[26703]: Failed password for invalid user webadmin from 192.168.2.104 port 53613 ssh2

General discussion
1

On the source LAN address is a station with a fresh installation of Windows 10 22H2. There is no SW SSH client installed to access the router (Not even a user with the necessary knowledge). This exception in logs lasted about 30 sec. Please provide some explanatory comments.

Mar  6 07:17:04 Turris_JB sshd[26386]: Received disconnect from 192.168.2.104 port 53526:11:  [preauth]
Mar  6 07:17:04 Turris_JB sshd[26386]: Disconnected from 192.168.2.104 port 53526 [preauth]
Mar  6 07:17:18 Turris_JB sshd[26452]: Invalid user  from 192.168.2.104 port 53530
Mar  6 07:17:18 Turris_JB sshd[26452]: Failed none for invalid user  from 192.168.2.104 port 53530 ssh2
Mar  6 07:17:18 Turris_JB sshd[26452]: Received disconnect from 192.168.2.104 port 53530:11:  [preauth]
Mar  6 07:17:18 Turris_JB sshd[26452]: Disconnected from invalid user  192.168.2.104 port 53530 [preauth]
Mar  6 07:17:18 Turris_JB sshd[26456]: Invalid user admin from 192.168.2.104 port 53534
Mar  6 07:17:18 Turris_JB sshd[26456]: error: Could not get shadow information for NOUSER
Mar  6 07:17:18 Turris_JB sshd[26456]: Failed password for invalid user admin from 192.168.2.104 port 53534 ssh2
Mar  6 07:17:18 Turris_JB sshd[26456]: Received disconnect from 192.168.2.104 port 53534:11:  [preauth]
Mar  6 07:17:18 Turris_JB sshd[26456]: Disconnected from invalid user admin 192.168.2.104 port 53534 [preauth]
Mar  6 07:17:18 Turris_JB sshd[26458]: Connection closed by 192.168.2.104 port 53535 [preauth]
Mar  6 07:17:18 Turris_JB sshd[26460]: Failed password for root from 192.168.2.104 port 53536 ssh2
Mar  6 07:17:18 Turris_JB sshd[26460]: Received disconnect from 192.168.2.104 port 53536:11:  [preauth]
Mar  6 07:17:18 Turris_JB sshd[26460]: Disconnected from authenticating user root 192.168.2.104 port 53536 [preauth]
Mar  6 07:17:19 Turris_JB sshd[26462]: Invalid user sysadm from 192.168.2.104 port 53537
Mar  6 07:17:19 Turris_JB sshd[26462]: error: Could not get shadow information for NOUSER
Mar  6 07:17:19 Turris_JB sshd[26462]: Failed password for invalid user sysadm from 192.168.2.104 port 53537 ssh2
Mar  6 07:17:19 Turris_JB sshd[26462]: Received disconnect from 192.168.2.104 port 53537:11:  [preauth]
Mar  6 07:17:19 Turris_JB sshd[26462]: Disconnected from invalid user sysadm 192.168.2.104 port 53537 [preauth]
Mar  6 07:17:19 Turris_JB sshd[26464]: Invalid user user from 192.168.2.104 port 53538
Mar  6 07:17:19 Turris_JB sshd[26464]: error: Could not get shadow information for NOUSER
Mar  6 07:17:19 Turris_JB sshd[26464]: Failed password for invalid user user from 192.168.2.104 port 53538 ssh2
Mar  6 07:17:19 Turris_JB sshd[26464]: Received disconnect from 192.168.2.104 port 53538:11:  [preauth]
Mar  6 07:17:19 Turris_JB sshd[26464]: Disconnected from invalid user user 192.168.2.104 port 53538 [preauth]
Mar  6 07:17:19 Turris_JB sshd[26475]: Invalid user admin from 192.168.2.104 port 53539
Mar  6 07:17:19 Turris_JB sshd[26475]: error: Could not get shadow information for NOUSER
Mar  6 07:17:19 Turris_JB sshd[26475]: Failed password for invalid user admin from 192.168.2.104 port 53539 ssh2
Mar  6 07:17:19 Turris_JB sshd[26475]: Received disconnect from 192.168.2.104 port 53539:11:  [preauth]
Mar  6 07:17:19 Turris_JB sshd[26475]: Disconnected from invalid user admin 192.168.2.104 port 53539 [preauth]
Mar  6 07:17:20 Turris_JB sshd[26477]: Invalid user admin from 192.168.2.104 port 53540
Mar  6 07:17:20 Turris_JB sshd[26477]: Failed none for invalid user admin from 192.168.2.104 port 53540 ssh2
Mar  6 07:17:20 Turris_JB sshd[26477]: Received disconnect from 192.168.2.104 port 53540:11:  [preauth]
Mar  6 07:17:20 Turris_JB sshd[26477]: Disconnected from invalid user admin 192.168.2.104 port 53540 [preauth]
Mar  6 07:17:20 Turris_JB sshd[26479]: Invalid user  from 192.168.2.104 port 53541
Mar  6 07:17:20 Turris_JB sshd[26479]: error: Could not get shadow information for NOUSER
Mar  6 07:17:20 Turris_JB sshd[26479]: Failed password for invalid user  from 192.168.2.104 port 53541 ssh2
Mar  6 07:17:20 Turris_JB sshd[26479]: Received disconnect from 192.168.2.104 port 53541:11:  [preauth]
Mar  6 07:17:20 Turris_JB sshd[26479]: Disconnected from invalid user  192.168.2.104 port 53541 [preauth]
Mar  6 07:17:20 Turris_JB sshd[26481]: Connection closed by 192.168.2.104 port 53542 [preauth]
Mar  6 07:17:20 Turris_JB sshd[26483]: Invalid user admin from 192.168.2.104 port 53543
Mar  6 07:17:20 Turris_JB sshd[26483]: error: Could not get shadow information for NOUSER
Mar  6 07:17:20 Turris_JB sshd[26483]: Failed password for invalid user admin from 192.168.2.104 port 53543 ssh2
Mar  6 07:17:21 Turris_JB sshd[26483]: Received disconnect from 192.168.2.104 port 53543:11:  [preauth]
Mar  6 07:17:21 Turris_JB sshd[26483]: Disconnected from invalid user admin 192.168.2.104 port 53543 [preauth]
Mar  6 07:17:21 Turris_JB sshd[26485]: Invalid user Admin from 192.168.2.104 port 53544
Mar  6 07:17:21 Turris_JB sshd[26485]: Failed none for invalid user Admin from 192.168.2.104 port 53544 ssh2
Mar  6 07:17:21 Turris_JB sshd[26485]: Received disconnect from 192.168.2.104 port 53544:11:  [preauth]
Mar  6 07:17:21 Turris_JB sshd[26485]: Disconnected from invalid user Admin 192.168.2.104 port 53544 [preauth]
Mar  6 07:17:21 Turris_JB sshd[26487]: Failed password for root from 192.168.2.104 port 53545 ssh2
Mar  6 07:17:21 Turris_JB sshd[26487]: Received disconnect from 192.168.2.104 port 53545:11:  [preauth]
Mar  6 07:17:21 Turris_JB sshd[26487]: Disconnected from authenticating user root 192.168.2.104 port 53545 [preauth]
Mar  6 07:17:21 Turris_JB sshd[26498]: Invalid user admin from 192.168.2.104 port 53546
Mar  6 07:17:21 Turris_JB sshd[26498]: error: Could not get shadow information for NOUSER
Mar  6 07:17:21 Turris_JB sshd[26498]: Failed password for invalid user admin from 192.168.2.104 port 53546 ssh2
Mar  6 07:17:21 Turris_JB sshd[26498]: Received disconnect from 192.168.2.104 port 53546:11:  [preauth]
Mar  6 07:17:21 Turris_JB sshd[26498]: Disconnected from invalid user admin 192.168.2.104 port 53546 [preauth]
Mar  6 07:17:22 Turris_JB sshd[26500]: Invalid user guest from 192.168.2.104 port 53547
Mar  6 07:17:22 Turris_JB sshd[26500]: error: Could not get shadow information for NOUSER
Mar  6 07:17:22 Turris_JB sshd[26500]: Failed password for invalid user guest from 192.168.2.104 port 53547 ssh2
Mar  6 07:17:22 Turris_JB sshd[26500]: Received disconnect from 192.168.2.104 port 53547:11:  [preauth]
Mar  6 07:17:22 Turris_JB sshd[26500]: Disconnected from invalid user guest 192.168.2.104 port 53547 [preauth]
Mar  6 07:17:22 Turris_JB sshd[26502]: Invalid user Administrator from 192.168.2.104 port 53548
Mar  6 07:17:22 Turris_JB sshd[26502]: Failed none for invalid user Administrator from 192.168.2.104 port 53548 ssh2
Mar  6 07:17:22 Turris_JB sshd[26502]: Received disconnect from 192.168.2.104 port 53548:11:  [preauth]
Mar  6 07:17:22 Turris_JB sshd[26502]: Disconnected from invalid user Administrator 192.168.2.104 port 53548 [preauth]
Mar  6 07:17:22 Turris_JB sshd[26504]: Failed password for root from 192.168.2.104 port 53549 ssh2
Mar  6 07:17:22 Turris_JB sshd[26504]: Received disconnect from 192.168.2.104 port 53549:11:  [preauth]
Mar  6 07:17:22 Turris_JB sshd[26504]: Disconnected from authenticating user root 192.168.2.104 port 53549 [preauth]
Mar  6 07:17:23 Turris_JB sshd[26506]: Invalid user meo from 192.168.2.104 port 53550
Mar  6 07:17:23 Turris_JB sshd[26506]: error: Could not get shadow information for NOUSER
Mar  6 07:17:23 Turris_JB sshd[26506]: Failed password for invalid user meo from 192.168.2.104 port 53550 ssh2
Mar  6 07:17:23 Turris_JB sshd[26506]: Received disconnect from 192.168.2.104 port 53550:11:  [preauth]
Mar  6 07:17:23 Turris_JB sshd[26506]: Disconnected from invalid user meo 192.168.2.104 port 53550 [preauth]
Mar  6 07:17:23 Turris_JB sshd[26508]: Invalid user Admin from 192.168.2.104 port 53551
Mar  6 07:17:23 Turris_JB sshd[26508]: error: Could not get shadow information for NOUSER
Mar  6 07:17:23 Turris_JB sshd[26508]: Failed password for invalid user Admin from 192.168.2.104 port 53551 ssh2
Mar  6 07:17:23 Turris_JB sshd[26508]: Received disconnect from 192.168.2.104 port 53551:11:  [preauth]
Mar  6 07:17:23 Turris_JB sshd[26508]: Disconnected from invalid user Admin 192.168.2.104 port 53551 [preauth]
Mar  6 07:17:23 Turris_JB sshd[26510]: Invalid user admin from 192.168.2.104 port 53552
Mar  6 07:17:23 Turris_JB sshd[26510]: error: Could not get shadow information for NOUSER
Mar  6 07:17:23 Turris_JB sshd[26510]: Failed password for invalid user admin from 192.168.2.104 port 53552 ssh2
Mar  6 07:17:23 Turris_JB sshd[26510]: Received disconnect from 192.168.2.104 port 53552:11:  [preauth]
Mar  6 07:17:23 Turris_JB sshd[26510]: Disconnected from invalid user admin 192.168.2.104 port 53552 [preauth]
Mar  6 07:17:23 Turris_JB haas-proxy-start[5519]: 2023-03-06T08:17:23 CRITICAL twisted 'channel open failed, direct-tcpip is not allowed'
Mar  6 07:17:23 Turris_JB haas-proxy-start[5519]: 2023-03-06T08:17:23 CRITICAL twisted 'channel open failed, direct-tcpip is not allowed'
Mar  6 07:17:23 Turris_JB sshd[26521]: Invalid user ubnt from 192.168.2.104 port 53553
Mar  6 07:17:23 Turris_JB sshd[26521]: error: Could not get shadow information for NOUSER
Mar  6 07:17:24 Turris_JB sshd[26521]: Failed password for invalid user ubnt from 192.168.2.104 port 53553 ssh2
Mar  6 07:17:24 Turris_JB sshd[26521]: Received disconnect from 192.168.2.104 port 53553:11:  [preauth]
Mar  6 07:17:24 Turris_JB sshd[26521]: Disconnected from invalid user ubnt 192.168.2.104 port 53553 [preauth]
Mar  6 07:17:24 Turris_JB sshd[26523]: Failed password for root from 192.168.2.104 port 53554 ssh2
Mar  6 07:17:24 Turris_JB sshd[26523]: Received disconnect from 192.168.2.104 port 53554:11:  [preauth]
Mar  6 07:17:24 Turris_JB sshd[26523]: Disconnected from authenticating user root 192.168.2.104 port 53554 [preauth]
Mar  6 07:17:24 Turris_JB sshd[26525]: Invalid user admin from 192.168.2.104 port 53555
Mar  6 07:17:24 Turris_JB sshd[26525]: error: Could not get shadow information for NOUSER
Mar  6 07:17:24 Turris_JB sshd[26525]: Failed password for invalid user admin from 192.168.2.104 port 53555 ssh2
Mar  6 07:17:24 Turris_JB sshd[26525]: Received disconnect from 192.168.2.104 port 53555:11:  [preauth]
Mar  6 07:17:24 Turris_JB sshd[26525]: Disconnected from invalid user admin 192.168.2.104 port 53555 [preauth]
Mar  6 07:17:24 Turris_JB sshd[26527]: Invalid user vodafone from 192.168.2.104 port 53556
Mar  6 07:17:24 Turris_JB sshd[26527]: error: Could not get shadow information for NOUSER
Mar  6 07:17:24 Turris_JB sshd[26527]: Failed password for invalid user vodafone from 192.168.2.104 port 53556 ssh2
Mar  6 07:17:25 Turris_JB sshd[26527]: Received disconnect from 192.168.2.104 port 53556:11:  [preauth]
Mar  6 07:17:25 Turris_JB sshd[26527]: Disconnected from invalid user vodafone 192.168.2.104 port 53556 [preauth]
Mar  6 07:17:25 Turris_JB sshd[26529]: Invalid user admin from 192.168.2.104 port 53557
Mar  6 07:17:25 Turris_JB sshd[26529]: error: Could not get shadow information for NOUSER
Mar  6 07:17:25 Turris_JB sshd[26529]: Failed password for invalid user admin from 192.168.2.104 port 53557 ssh2
Mar  6 07:17:25 Turris_JB sshd[26529]: Received disconnect from 192.168.2.104 port 53557:11:  [preauth]
Mar  6 07:17:25 Turris_JB sshd[26529]: Disconnected from invalid user admin 192.168.2.104 port 53557 [preauth]
Mar  6 07:17:25 Turris_JB sshd[26531]: Invalid user Administrator from 192.168.2.104 port 53558
Mar  6 07:17:25 Turris_JB sshd[26531]: error: Could not get shadow information for NOUSER
Mar  6 07:17:25 Turris_JB sshd[26531]: Failed password for invalid user Administrator from 192.168.2.104 port 53558 ssh2
Mar  6 07:17:25 Turris_JB sshd[26531]: Received disconnect from 192.168.2.104 port 53558:11:  [preauth]
Mar  6 07:17:25 Turris_JB sshd[26531]: Disconnected from invalid user Administrator 192.168.2.104 port 53558 [preauth]
Mar  6 07:17:25 Turris_JB sshd[26542]: Failed password for root from 192.168.2.104 port 53559 ssh2
Mar  6 07:17:25 Turris_JB sshd[26542]: Received disconnect from 192.168.2.104 port 53559:11:  [preauth]
Mar  6 07:17:25 Turris_JB sshd[26542]: Disconnected from authenticating user root 192.168.2.104 port 53559 [preauth]
Mar  6 07:17:26 Turris_JB sshd[26544]: Invalid user Admin from 192.168.2.104 port 53560
Mar  6 07:17:26 Turris_JB sshd[26544]: error: Could not get shadow information for NOUSER
Mar  6 07:17:26 Turris_JB sshd[26544]: Failed password for invalid user Admin from 192.168.2.104 port 53560 ssh2
Mar  6 07:17:26 Turris_JB sshd[26544]: Received disconnect from 192.168.2.104 port 53560:11:  [preauth]
Mar  6 07:17:26 Turris_JB sshd[26544]: Disconnected from invalid user Admin 192.168.2.104 port 53560 [preauth]
Mar  6 07:17:26 Turris_JB sshd[26546]: Invalid user admim from 192.168.2.104 port 53561
Mar  6 07:17:26 Turris_JB sshd[26546]: error: Could not get shadow information for NOUSER
Mar  6 07:17:26 Turris_JB sshd[26546]: Failed password for invalid user admim from 192.168.2.104 port 53561 ssh2
Mar  6 07:17:26 Turris_JB sshd[26546]: Received disconnect from 192.168.2.104 port 53561:11:  [preauth]
Mar  6 07:17:26 Turris_JB sshd[26546]: Disconnected from invalid user admim 192.168.2.104 port 53561 [preauth]
Mar  6 07:17:26 Turris_JB sshd[26548]: Invalid user webadmin from 192.168.2.104 port 53562
Mar  6 07:17:26 Turris_JB sshd[26548]: error: Could not get shadow information for NOUSER
Mar  6 07:17:26 Turris_JB sshd[26548]: Failed password for invalid user webadmin from 192.168.2.104 port 53562 ssh2
Mar  6 07:17:26 Turris_JB sshd[26548]: Received disconnect from 192.168.2.104 port 53562:11:  [preauth]
Mar  6 07:17:26 Turris_JB sshd[26548]: Disconnected from invalid user webadmin 192.168.2.104 port 53562 [preauth]
Mar  6 07:17:27 Turris_JB sshd[26550]: Invalid user tech from 192.168.2.104 port 53563
Mar  6 07:17:27 Turris_JB sshd[26550]: error: Could not get shadow information for NOUSER
Mar  6 07:17:27 Turris_JB sshd[26550]: Failed password for invalid user tech from 192.168.2.104 port 53563 ssh2
Mar  6 07:17:27 Turris_JB sshd[26550]: Received disconnect from 192.168.2.104 port 53563:11:  [preauth]
Mar  6 07:17:27 Turris_JB sshd[26550]: Disconnected from invalid user tech 192.168.2.104 port 53563 [preauth]
Mar  6 07:17:27 Turris_JB sshd[26552]: Invalid user administrator from 192.168.2.104 port 53564
Mar  6 07:17:27 Turris_JB sshd[26552]: error: Could not get shadow information for NOUSER
Mar  6 07:17:27 Turris_JB sshd[26552]: Failed password for invalid user administrator from 192.168.2.104 port 53564 ssh2
Mar  6 07:17:27 Turris_JB sshd[26552]: Received disconnect from 192.168.2.104 port 53564:11:  [preauth]
Mar  6 07:17:27 Turris_JB sshd[26552]: Disconnected from invalid user administrator 192.168.2.104 port 53564 [preauth]
Mar  6 07:17:27 Turris_JB sshd[26563]: Invalid user manager from 192.168.2.104 port 53566
Mar  6 07:17:27 Turris_JB sshd[26563]: error: Could not get shadow information for NOUSER
Mar  6 07:17:27 Turris_JB sshd[26563]: Failed password for invalid user manager from 192.168.2.104 port 53566 ssh2
Mar  6 07:17:27 Turris_JB sshd[26563]: Received disconnect from 192.168.2.104 port 53566:11:  [preauth]
Mar  6 07:17:27 Turris_JB sshd[26563]: Disconnected from invalid user manager 192.168.2.104 port 53566 [preauth]
Mar  6 07:17:28 Turris_JB sshd[26565]: Received disconnect from 192.168.2.104 port 53567:11:  [preauth]
Mar  6 07:17:28 Turris_JB sshd[26565]: Disconnected from authenticating user root 192.168.2.104 port 53567 [preauth]
Mar  6 07:17:28 Turris_JB sshd[26567]: Invalid user sysadmin from 192.168.2.104 port 53568
Mar  6 07:17:28 Turris_JB sshd[26567]: error: Could not get shadow information for NOUSER
Mar  6 07:17:28 Turris_JB sshd[26567]: Failed password for invalid user sysadmin from 192.168.2.104 port 53568 ssh2
Mar  6 07:17:28 Turris_JB sshd[26567]: Received disconnect from 192.168.2.104 port 53568:11:  [preauth]
Mar  6 07:17:28 Turris_JB sshd[26567]: Disconnected from invalid user sysadmin 192.168.2.104 port 53568 [preauth]
Mar  6 07:17:28 Turris_JB sshd[26569]: Invalid user login from 192.168.2.104 port 53569
Mar  6 07:17:28 Turris_JB sshd[26569]: error: Could not get shadow information for NOUSER
Mar  6 07:17:28 Turris_JB sshd[26569]: Failed password for invalid user login from 192.168.2.104 port 53569 ssh2
Mar  6 07:17:28 Turris_JB sshd[26569]: Received disconnect from 192.168.2.104 port 53569:11:  [preauth]
Mar  6 07:17:28 Turris_JB sshd[26569]: Disconnected from invalid user login 192.168.2.104 port 53569 [preauth]
Mar  6 07:17:28 Turris_JB sshd[26571]: Invalid user guest from 192.168.2.104 port 53570
Mar  6 07:17:28 Turris_JB sshd[26571]: error: Could not get shadow information for NOUSER
Mar  6 07:17:28 Turris_JB sshd[26571]: Failed password for invalid user guest from 192.168.2.104 port 53570 ssh2
Mar  6 07:17:29 Turris_JB sshd[26571]: Received disconnect from 192.168.2.104 port 53570:11:  [preauth]
Mar  6 07:17:29 Turris_JB sshd[26571]: Disconnected from invalid user guest 192.168.2.104 port 53570 [preauth]
Mar  6 07:17:29 Turris_JB sshd[26573]: Invalid user admin2 from 192.168.2.104 port 53571
Mar  6 07:17:29 Turris_JB sshd[26573]: error: Could not get shadow information for NOUSER
Mar  6 07:17:29 Turris_JB sshd[26573]: Failed password for invalid user admin2 from 192.168.2.104 port 53571 ssh2
Mar  6 07:17:29 Turris_JB sshd[26573]: Received disconnect from 192.168.2.104 port 53571:11:  [preauth]
Mar  6 07:17:29 Turris_JB sshd[26573]: Disconnected from invalid user admin2 192.168.2.104 port 53571 [preauth]
Mar  6 07:17:29 Turris_JB sshd[26575]: Invalid user user from 192.168.2.104 port 53572
Mar  6 07:17:29 Turris_JB sshd[26575]: error: Could not get shadow information for NOUSER
Mar  6 07:17:29 Turris_JB sshd[26575]: Failed password for invalid user user from 192.168.2.104 port 53572 ssh2
Mar  6 07:17:29 Turris_JB sshd[26575]: Received disconnect from 192.168.2.104 port 53572:11:  [preauth]
Mar  6 07:17:29 Turris_JB sshd[26575]: Disconnected from invalid user user 192.168.2.104 port 53572 [preauth]
Mar  6 07:17:29 Turris_JB sshd[26586]: Failed password for root from 192.168.2.104 port 53573 ssh2
Mar  6 07:17:29 Turris_JB sshd[26586]: Received disconnect from 192.168.2.104 port 53573:11:  [preauth]
Mar  6 07:17:29 Turris_JB sshd[26586]: Disconnected from authenticating user root 192.168.2.104 port 53573 [preauth]
Mar  6 07:17:30 Turris_JB sshd[26588]: Failed password for root from 192.168.2.104 port 53574 ssh2
Mar  6 07:17:30 Turris_JB sshd[26588]: Received disconnect from 192.168.2.104 port 53574:11:  [preauth]
Mar  6 07:17:30 Turris_JB sshd[26588]: Disconnected from authenticating user root 192.168.2.104 port 53574 [preauth]
Mar  6 07:17:30 Turris_JB sshd[26590]: Failed password for root from 192.168.2.104 port 53575 ssh2
Mar  6 07:17:30 Turris_JB sshd[26590]: Received disconnect from 192.168.2.104 port 53575:11:  [preauth]
Mar  6 07:17:30 Turris_JB sshd[26590]: Disconnected from authenticating user root 192.168.2.104 port 53575 [preauth]
Mar  6 07:17:30 Turris_JB sshd[26592]: Invalid user support from 192.168.2.104 port 53576
Mar  6 07:17:30 Turris_JB sshd[26592]: error: Could not get shadow information for NOUSER
Mar  6 07:17:30 Turris_JB sshd[26592]: Failed password for invalid user support from 192.168.2.104 port 53576 ssh2
Mar  6 07:17:30 Turris_JB sshd[26592]: Received disconnect from 192.168.2.104 port 53576:11:  [preauth]
Mar  6 07:17:30 Turris_JB sshd[26592]: Disconnected from invalid user support 192.168.2.104 port 53576 [preauth]
Mar  6 07:17:31 Turris_JB sshd[26594]: Failed password for root from 192.168.2.104 port 53577 ssh2
Mar  6 07:17:31 Turris_JB sshd[26594]: Received disconnect from 192.168.2.104 port 53577:11:  [preauth]
Mar  6 07:17:31 Turris_JB sshd[26594]: Disconnected from authenticating user root 192.168.2.104 port 53577 [preauth]
Mar  6 07:17:31 Turris_JB sshd[26596]: Failed password for root from 192.168.2.104 port 53578 ssh2
Mar  6 07:17:31 Turris_JB sshd[26596]: Received disconnect from 192.168.2.104 port 53578:11:  [preauth]
Mar  6 07:17:31 Turris_JB sshd[26596]: Disconnected from authenticating user root 192.168.2.104 port 53578 [preauth]
Mar  6 07:17:31 Turris_JB sshd[26598]: Invalid user admin from 192.168.2.104 port 53579
Mar  6 07:17:31 Turris_JB sshd[26598]: error: Could not get shadow information for NOUSER
Mar  6 07:17:31 Turris_JB sshd[26598]: Failed password for invalid user admin from 192.168.2.104 port 53579 ssh2
Mar  6 07:17:31 Turris_JB sshd[26598]: Received disconnect from 192.168.2.104 port 53579:11:  [preauth]
Mar  6 07:17:31 Turris_JB sshd[26598]: Disconnected from invalid user admin 192.168.2.104 port 53579 [preauth]
Mar  6 07:17:31 Turris_JB sshd[26609]: Invalid user admin from 192.168.2.104 port 53580
Mar  6 07:17:31 Turris_JB sshd[26609]: error: Could not get shadow information for NOUSER
Mar  6 07:17:31 Turris_JB sshd[26609]: Failed password for invalid user admin from 192.168.2.104 port 53580 ssh2
Mar  6 07:17:31 Turris_JB sshd[26609]: Received disconnect from 192.168.2.104 port 53580:11:  [preauth]
Mar  6 07:17:31 Turris_JB sshd[26609]: Disconnected from invalid user admin 192.168.2.104 port 53580 [preauth]
Mar  6 07:17:32 Turris_JB sshd[26611]: Failed password for root from 192.168.2.104 port 53581 ssh2
Mar  6 07:17:32 Turris_JB sshd[26611]: Received disconnect from 192.168.2.104 port 53581:11:  [preauth]
Mar  6 07:17:32 Turris_JB sshd[26611]: Disconnected from authenticating user root 192.168.2.104 port 53581 [preauth]
Mar  6 07:17:32 Turris_JB sshd[26613]: Connection closed by 192.168.2.104 port 53582 [preauth]
Mar  6 07:17:32 Turris_JB sshd[26615]: Invalid user admin from 192.168.2.104 port 53583
Mar  6 07:17:32 Turris_JB sshd[26615]: error: Could not get shadow information for NOUSER
Mar  6 07:17:32 Turris_JB sshd[26615]: Failed password for invalid user admin from 192.168.2.104 port 53583 ssh2
Mar  6 07:17:32 Turris_JB sshd[26615]: Received disconnect from 192.168.2.104 port 53583:11:  [preauth]
Mar  6 07:17:32 Turris_JB sshd[26615]: Disconnected from invalid user admin 192.168.2.104 port 53583 [preauth]
Mar  6 07:17:32 Turris_JB sshd[26617]: Invalid user enablediag from 192.168.2.104 port 53584
Mar  6 07:17:32 Turris_JB sshd[26617]: error: Could not get shadow information for NOUSER
Mar  6 07:17:33 Turris_JB sshd[26617]: Failed password for invalid user enablediag from 192.168.2.104 port 53584 ssh2
Mar  6 07:17:33 Turris_JB sshd[26617]: Received disconnect from 192.168.2.104 port 53584:11:  [preauth]
Mar  6 07:17:33 Turris_JB sshd[26617]: Disconnected from invalid user enablediag 192.168.2.104 port 53584 [preauth]
Mar  6 07:17:33 Turris_JB sshd[26619]: Invalid user  from 192.168.2.104 port 53585
Mar  6 07:17:33 Turris_JB sshd[26619]: error: Could not get shadow information for NOUSER
Mar  6 07:17:33 Turris_JB sshd[26619]: Failed password for invalid user  from 192.168.2.104 port 53585 ssh2
Mar  6 07:17:33 Turris_JB sshd[26619]: Received disconnect from 192.168.2.104 port 53585:11:  [preauth]
Mar  6 07:17:33 Turris_JB sshd[26619]: Disconnected from invalid user  192.168.2.104 port 53585 [preauth]
Mar  6 07:17:33 Turris_JB sshd[26621]: Invalid user HPSupport from 192.168.2.104 port 53586
Mar  6 07:17:33 Turris_JB sshd[26621]: error: Could not get shadow information for NOUSER
Mar  6 07:17:33 Turris_JB sshd[26621]: Failed password for invalid user HPSupport from 192.168.2.104 port 53586 ssh2
Mar  6 07:17:33 Turris_JB sshd[26621]: Received disconnect from 192.168.2.104 port 53586:11:  [preauth]
Mar  6 07:17:33 Turris_JB sshd[26621]: Disconnected from invalid user HPSupport 192.168.2.104 port 53586 [preauth]
Mar  6 07:17:33 Turris_JB sshd[26632]: Failed password for root from 192.168.2.104 port 53587 ssh2
Mar  6 07:17:33 Turris_JB sshd[26632]: Received disconnect from 192.168.2.104 port 53587:11:  [preauth]
Mar  6 07:17:33 Turris_JB sshd[26632]: Disconnected from authenticating user root 192.168.2.104 port 53587 [preauth]
Mar  6 07:17:34 Turris_JB sshd[26634]: Failed password for root from 192.168.2.104 port 53588 ssh2
Mar  6 07:17:34 Turris_JB sshd[26634]: Received disconnect from 192.168.2.104 port 53588:11:  [preauth]
Mar  6 07:17:34 Turris_JB sshd[26634]: Disconnected from authenticating user root 192.168.2.104 port 53588 [preauth]
Mar  6 07:17:34 Turris_JB sshd[26636]: Failed password for root from 192.168.2.104 port 53589 ssh2
Mar  6 07:17:34 Turris_JB sshd[26636]: Received disconnect from 192.168.2.104 port 53589:11:  [preauth]
Mar  6 07:17:34 Turris_JB sshd[26636]: Disconnected from authenticating user root 192.168.2.104 port 53589 [preauth]
Mar  6 07:17:34 Turris_JB sshd[26638]: Invalid user  from 192.168.2.104 port 53590
Mar  6 07:17:34 Turris_JB sshd[26638]: error: Could not get shadow information for NOUSER
Mar  6 07:17:34 Turris_JB sshd[26638]: Failed password for invalid user  from 192.168.2.104 port 53590 ssh2
Mar  6 07:17:34 Turris_JB sshd[26638]: Received disconnect from 192.168.2.104 port 53590:11:  [preauth]
Mar  6 07:17:34 Turris_JB sshd[26638]: Disconnected from invalid user  192.168.2.104 port 53590 [preauth]
Mar  6 07:17:34 Turris_JB sshd[26640]: Invalid user  from 192.168.2.104 port 53591
Mar  6 07:17:34 Turris_JB sshd[26640]: error: Could not get shadow information for NOUSER
Mar  6 07:17:34 Turris_JB sshd[26640]: Failed password for invalid user  from 192.168.2.104 port 53591 ssh2
Mar  6 07:17:34 Turris_JB sshd[26640]: Received disconnect from 192.168.2.104 port 53591:11:  [preauth]
Mar  6 07:17:34 Turris_JB sshd[26640]: Disconnected from invalid user  192.168.2.104 port 53591 [preauth]
Mar  6 07:17:35 Turris_JB sshd[26642]: Failed password for root from 192.168.2.104 port 53592 ssh2
Mar  6 07:17:35 Turris_JB sshd[26642]: Received disconnect from 192.168.2.104 port 53592:11:  [preauth]
Mar  6 07:17:35 Turris_JB sshd[26642]: Disconnected from authenticating user root 192.168.2.104 port 53592 [preauth]
Mar  6 07:17:35 Turris_JB sshd[26644]: Invalid user  from 192.168.2.104 port 53593
Mar  6 07:17:35 Turris_JB sshd[26644]: error: Could not get shadow information for NOUSER
Mar  6 07:17:35 Turris_JB sshd[26644]: Failed password for invalid user  from 192.168.2.104 port 53593 ssh2
Mar  6 07:17:35 Turris_JB sshd[26644]: Received disconnect from 192.168.2.104 port 53593:11:  [preauth]
Mar  6 07:17:35 Turris_JB sshd[26644]: Disconnected from invalid user  192.168.2.104 port 53593 [preauth]
Mar  6 07:17:35 Turris_JB sshd[26646]: Invalid user admin from 192.168.2.104 port 53594
Mar  6 07:17:35 Turris_JB sshd[26646]: error: Could not get shadow information for NOUSER
Mar  6 07:17:35 Turris_JB sshd[26646]: Failed password for invalid user admin from 192.168.2.104 port 53594 ssh2
Mar  6 07:17:35 Turris_JB sshd[26646]: Received disconnect from 192.168.2.104 port 53594:11:  [preauth]
Mar  6 07:17:35 Turris_JB sshd[26646]: Disconnected from invalid user admin 192.168.2.104 port 53594 [preauth]
Mar  6 07:17:36 Turris_JB sshd[26657]: Failed password for root from 192.168.2.104 port 53595 ssh2
Mar  6 07:17:36 Turris_JB sshd[26657]: Received disconnect from 192.168.2.104 port 53595:11:  [preauth]
Mar  6 07:17:36 Turris_JB sshd[26657]: Disconnected from authenticating user root 192.168.2.104 port 53595 [preauth]
Mar  6 07:17:36 Turris_JB sshd[26659]: Invalid user login from 192.168.2.104 port 53596
Mar  6 07:17:36 Turris_JB sshd[26659]: error: Could not get shadow information for NOUSER
Mar  6 07:17:36 Turris_JB sshd[26659]: Failed password for invalid user login from 192.168.2.104 port 53596 ssh2
Mar  6 07:17:36 Turris_JB sshd[26659]: Received disconnect from 192.168.2.104 port 53596:11:  [preauth]
Mar  6 07:17:36 Turris_JB sshd[26659]: Disconnected from invalid user login 192.168.2.104 port 53596 [preauth]
Mar  6 07:17:36 Turris_JB sshd[26661]: Invalid user  from 192.168.2.104 port 53597
Mar  6 07:17:36 Turris_JB sshd[26661]: error: Could not get shadow information for NOUSER
Mar  6 07:17:36 Turris_JB sshd[26661]: Failed password for invalid user  from 192.168.2.104 port 53597 ssh2
Mar  6 07:17:36 Turris_JB sshd[26661]: Received disconnect from 192.168.2.104 port 53597:11:  [preauth]
Mar  6 07:17:36 Turris_JB sshd[26661]: Disconnected from invalid user  192.168.2.104 port 53597 [preauth]
Mar  6 07:17:36 Turris_JB sshd[26663]: Invalid user  from 192.168.2.104 port 53598
Mar  6 07:17:36 Turris_JB sshd[26663]: error: Could not get shadow information for NOUSER
Mar  6 07:17:37 Turris_JB sshd[26663]: Failed password for invalid user  from 192.168.2.104 port 53598 ssh2
Mar  6 07:17:37 Turris_JB sshd[26663]: Received disconnect from 192.168.2.104 port 53598:11:  [preauth]
Mar  6 07:17:37 Turris_JB sshd[26663]: Disconnected from invalid user  192.168.2.104 port 53598 [preauth]
Mar  6 07:17:37 Turris_JB sshd[26665]: Invalid user admin from 192.168.2.104 port 53599
Mar  6 07:17:37 Turris_JB sshd[26665]: error: Could not get shadow information for NOUSER
Mar  6 07:17:37 Turris_JB sshd[26665]: Failed password for invalid user admin from 192.168.2.104 port 53599 ssh2
Mar  6 07:17:37 Turris_JB sshd[26665]: Received disconnect from 192.168.2.104 port 53599:11:  [preauth]
Mar  6 07:17:37 Turris_JB sshd[26665]: Disconnected from invalid user admin 192.168.2.104 port 53599 [preauth]
Mar  6 07:17:37 Turris_JB sshd[26667]: Invalid user guest from 192.168.2.104 port 53600
Mar  6 07:17:37 Turris_JB sshd[26667]: error: Could not get shadow information for NOUSER
Mar  6 07:17:37 Turris_JB sshd[26667]: Failed password for invalid user guest from 192.168.2.104 port 53600 ssh2
Mar  6 07:17:37 Turris_JB sshd[26667]: Received disconnect from 192.168.2.104 port 53600:11:  [preauth]
Mar  6 07:17:37 Turris_JB sshd[26667]: Disconnected from invalid user guest 192.168.2.104 port 53600 [preauth]
Mar  6 07:17:37 Turris_JB sshd[26678]: Failed password for root from 192.168.2.104 port 53601 ssh2
Mar  6 07:17:37 Turris_JB sshd[26678]: Received disconnect from 192.168.2.104 port 53601:11:  [preauth]
Mar  6 07:17:37 Turris_JB sshd[26678]: Disconnected from authenticating user root 192.168.2.104 port 53601 [preauth]
Mar  6 07:17:38 Turris_JB sshd[26680]: Invalid user admin from 192.168.2.104 port 53602
Mar  6 07:17:38 Turris_JB sshd[26680]: error: Could not get shadow information for NOUSER
Mar  6 07:17:38 Turris_JB sshd[26680]: Failed password for invalid user admin from 192.168.2.104 port 53602 ssh2
Mar  6 07:17:38 Turris_JB sshd[26680]: Received disconnect from 192.168.2.104 port 53602:11:  [preauth]
Mar  6 07:17:38 Turris_JB sshd[26680]: Disconnected from invalid user admin 192.168.2.104 port 53602 [preauth]
Mar  6 07:17:38 Turris_JB sshd[26682]: Failed password for root from 192.168.2.104 port 53603 ssh2
Mar  6 07:17:38 Turris_JB sshd[26682]: Received disconnect from 192.168.2.104 port 53603:11:  [preauth]
Mar  6 07:17:38 Turris_JB sshd[26682]: Disconnected from authenticating user root 192.168.2.104 port 53603 [preauth]
Mar  6 07:17:38 Turris_JB sshd[26684]: Invalid user admin from 192.168.2.104 port 53604
Mar  6 07:17:38 Turris_JB sshd[26684]: error: Could not get shadow information for NOUSER
Mar  6 07:17:38 Turris_JB sshd[26684]: Failed password for invalid user admin from 192.168.2.104 port 53604 ssh2
Mar  6 07:17:38 Turris_JB sshd[26684]: Received disconnect from 192.168.2.104 port 53604:11:  [preauth]
Mar  6 07:17:38 Turris_JB sshd[26684]: Disconnected from invalid user admin 192.168.2.104 port 53604 [preauth]
Mar  6 07:17:39 Turris_JB sshd[26686]: Invalid user admin from 192.168.2.104 port 53605
Mar  6 07:17:39 Turris_JB sshd[26686]: error: Could not get shadow information for NOUSER
Mar  6 07:17:39 Turris_JB sshd[26686]: Failed password for invalid user admin from 192.168.2.104 port 53605 ssh2
Mar  6 07:17:39 Turris_JB sshd[26686]: Received disconnect from 192.168.2.104 port 53605:11:  [preauth]
Mar  6 07:17:39 Turris_JB sshd[26686]: Disconnected from invalid user admin 192.168.2.104 port 53605 [preauth]
Mar  6 07:17:39 Turris_JB sshd[26688]: Invalid user admin from 192.168.2.104 port 53606
Mar  6 07:17:39 Turris_JB sshd[26688]: error: Could not get shadow information for NOUSER
Mar  6 07:17:39 Turris_JB sshd[26688]: Failed password for invalid user admin from 192.168.2.104 port 53606 ssh2
Mar  6 07:17:39 Turris_JB sshd[26688]: Received disconnect from 192.168.2.104 port 53606:11:  [preauth]
Mar  6 07:17:39 Turris_JB sshd[26688]: Disconnected from invalid user admin 192.168.2.104 port 53606 [preauth]
Mar  6 07:17:39 Turris_JB sshd[26690]: Failed password for root from 192.168.2.104 port 53608 ssh2
Mar  6 07:17:39 Turris_JB sshd[26690]: Received disconnect from 192.168.2.104 port 53608:11:  [preauth]
Mar  6 07:17:39 Turris_JB sshd[26690]: Disconnected from authenticating user root 192.168.2.104 port 53608 [preauth]
Mar  6 07:17:40 Turris_JB sshd[26701]: Invalid user tech from 192.168.2.104 port 53610
Mar  6 07:17:40 Turris_JB sshd[26701]: error: Could not get shadow information for NOUSER
Mar  6 07:17:40 Turris_JB sshd[26701]: Failed password for invalid user tech from 192.168.2.104 port 53610 ssh2
Mar  6 07:17:40 Turris_JB sshd[26701]: Received disconnect from 192.168.2.104 port 53610:11:  [preauth]
Mar  6 07:17:40 Turris_JB sshd[26701]: Disconnected from invalid user tech 192.168.2.104 port 53610 [preauth]
Mar  6 07:17:40 Turris_JB sshd[26703]: Invalid user webadmin from 192.168.2.104 port 53613
Mar  6 07:17:40 Turris_JB sshd[26703]: error: Could not get shadow information for NOUSER
Mar  6 07:17:40 Turris_JB sshd[26703]: Failed password for invalid user webadmin from 192.168.2.104 port 53613 ssh2
Mar  6 07:17:40 Turris_JB sshd[26703]: Received disconnect from 192.168.2.104 port 53613:11:  [preauth]
Mar  6 07:17:40 Turris_JB sshd[26703]: Disconnected from invalid user webadmin 192.168.2.104 port 53613 [preauth]
2

I would start by asking the user what they were doing with the computer at that particular time.

3

Something trying to hack.

4

That’s it my wife (simple user :slight_smile: ), clean install of Windows 10 Home 1 month old, Office 2007, AdobeReader, Thundebird, Opera, Cobian 11, Dropbox, GoogleDrive, Avast.

5

Never underestimate anyone :smile:

Btw it is sure that something from that host tried to hack your router.

6

I suspect your wife is a pro 1337 haxur or maybe this Avast chevked your security by checking common passwords. More likely.

EDIT:
https://forum.avast.com/index.php?topic=237595.0

7

A somewhat similar log will check the Eset wifi network from a mobile phone.

Mar  6 19:23:30 Turris_JB sshd[8776]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 19:23:30 Turris_JB sshd[8776]: Connection closed by 192.168.2.101 port 40084
Mar  6 19:23:30 Turris_JB sshd[8777]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 19:23:30 Turris_JB sshd[8777]: Connection closed by fd05:952:23ca:0:d6a8:8de6:f939:8898 port 43222

So I’ll have something to think about

8

The Avast test is also different from the unidentified … EDIT: I added a log of the whole attack to the first post

Mar  6 19:37:36 Turris_JB sshd[12973]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 19:37:36 Turris_JB sshd[12973]: Connection closed by 192.168.2.120 port 52663
Mar  6 19:38:11 Turris_JB sshd[13136]: Received disconnect from 192.168.2.120 port 52786:11:  [preauth]
Mar  6 19:38:11 Turris_JB sshd[13136]: Disconnected from 192.168.2.120 port 52786 [preauth]
Mar  6 19:38:49 Turris_JB ATLAS[2427]: condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/v6addr.txt' exists
Mar  6 19:38:49 Turris_JB ATLAS[2427]: condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/simpleping' exists
Mar  6 20:39:05 Turris_JB dnsmasq-dhcp[4629]: DHCPINFORM(br-lan) 192.168.2.120 d8:bb:c1:ec:e9:06 
Mar  6 20:39:05 Turris_JB dnsmasq-dhcp[4629]: DHCPACK(br-lan) 192.168.2.120 d8:bb:c1:ec:e9:06 Lenovo
Mar  6 19:39:13 Turris_JB sshd[13449]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 19:39:13 Turris_JB sshd[13449]: Connection closed by 192.168.2.120 port 52897
Mar  6 19:39:49 Turris_JB sshd[13603]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 19:39:49 Turris_JB sshd[13603]: Connection closed by fd05:952:23ca:0:355d:2ee6:c78d:d0de port 53704
Mar  6 19:40:01 Turris_JB crond[13660]: (root) CMD (/usr/bin/notifier)
Mar  6 19:40:01 Turris_JB crond[13659]: (root) CMDOUT (There is no message to send.)
Mar  6 19:40:01 Turris_JB crond[13659]: (root) CMDEND (/usr/bin/notifier)
Mar  6 19:40:25 Turris_JB sshd[13805]: Received disconnect from 192.168.2.120 port 54080:11:  [preauth]
Mar  6 19:40:25 Turris_JB sshd[13805]: Disconnected from 192.168.2.120 port 54080 [preauth]
9

You say clean install of Windows but 1 month old. In a month that pc could have been infected easily from malicious sites eg by clicking links from spam emails or by clicking ads etc.

That pc already might be a zombie of some botnet.

Recommending you to do a new clean install.

10

At least Office 2007 is anything but up-to-date.

11

I believe my admittedly isolated case suggests the need to incorporate an autoblock for recurring failed logins to the router from both the WAN and LAN for normal users … fail2ban

12

I don’t see the point in installing fail2ban. How does that improve your situation?
Are you bothered by these log entries on your router? They are not the problem.

If I where you, I would be concerned about the infected Windows-PC.
I would use an SSH key to login on the router and have password logins disabled.

3 Likes
13

I once installed Windows on a brand new PC and left it running, without doing anything. It took only 90 minutes to get infected and starting to send out spam. Albeit this was WindowsXP, 20 years ago. With a mandatory ISP-cable-modem/router.

14

attempts to log in to the router with different logins are not a problem?

15

They are only attempts. And they are a symptom. Not the problem.

If your password is so weak that a bot can get in, then that is a problem.

If you have infected Windows-PC in your house, that is a problem. Who knows what other nasty things it is doing, besides failing to get into your router?

4 Likes
16

try running:
nmap -sT -p1-65535 192.168.2.120
on some computer in your network.
to see what’s on that machine.
obviously malware or kind of proxy

17

The problem has occurred only once so far

wife :slight_smile: problematic Windows 10 Home

root@Turris_JB:~# nmap -sT -p1-65535 192.168.2.104
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-08 19:22 CET
Nmap scan report for 192.168.2.104
Host is up (0.00085s latency).
Not shown: 65527 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5357/tcp  open  wsdapi
7680/tcp  open  pando-pub
17500/tcp open  db-lsp
49668/tcp open  unknown
MAC Address: D0:BB:BB:BB:BB:BB (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 104.90 seconds
root@Turris_JB:~#

my own machine

root@Turris_JB:~# nmap -sT -p1-65535 192.168.2.120
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-08 19:19 CET
Nmap scan report for 192.168.2.120
Host is up (0.00062s latency).
Not shown: 65527 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5357/tcp  open  wsdapi
17500/tcp open  db-lsp
49668/tcp open  unknown
59869/tcp open  unknown
MAC Address: D8:AA:AA:AA:AA:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 105.43 seconds
root@Turris_JB:~#
18

59869/tcp may but needs not to be the malware

cn you see what uses that TCP port on the machine?
(I have no idea today’s malware are, if they can hide from process list, open ports list etc).

19

Port 59869 is on the computer 192.168.2.120 from which the psw attack didn’t come … it’s tan added for comparison

Problematic is the first IP listing 192.168.2.104 where 7680/tcp open pando-pub stands out differently

20

Depends on malware quality. If infected system files can hide from anything.