Subsonic Forum

[elinter]

For the last several days, I'm getting this log message every 10 seconds:

"[1/24/15 8:47:56 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin"

I've got a pretty strong, totally random 128 bit password, so I'm a little less concerned. However, seems to me that the login algorithm needs to have added an anti-hacking feature to defeat automated scripts like this. I turned off my server for a couple days hoping they'd move on, but they were right back within minutes of it coming online again.

Is anyone else seeing this behavior?

Mike

[alphawave7]

I have seen this too but it wasn't nefarious..it was one of many devices I have (multiple phones, tablets, etc.) trying to log in when the app runs. See if you have any devices with the app running, even in the background.

Sent from my Nexus 6

[elinter]

I do, but they are not set up to log in as admin. I set up a limit user accounts for that purpose. Anyway, I turned them off and still am getting failed login attempts to the admin account.

[mikes]

If it's happening every 10 seconds, use Wireshark to do a capture and see what the IP is. Then block it in your firewall.

[elinter]

I guess I've got some learning to do. My subsonic server is running under FREENAS, which doesn't have Wireshark installed. If anyone has experience with installing and using Wireshark on FREENAS, I would appreciate the help.

[mikes]

It looks like freenas has tcpdump installed. You may be able to get a pcap as described here, then transfer and open it with Wireshark on a PC.

[isotopp]

It would be really useful if the log message actually included the source IP and user-agent string of the failed login attempt, and optionally the failed password.

[MonsterMuffin]

Same thing was happening to me, was pretty easy to stop.

I run PfSense as my firewall and all I had to do was filter active connections coming into port 4040, find the offender IP and create a WAN rule to block that IP.

Problem sorted.