
I have an Ubuntu Server in my network with SSH open on port 22 and UFW enabled for it. SSH is protected with my password, and I created another user for my SSH connection.

Today I noticed these logs.

There are some IPs which are trying to connect to my network... I don't know them, though. This IP, for example, 121.18.238.22, is from China; "whois" says: Baoding China Unicom Hebei Province Network.

Sadly, there's a log entry which says that they finally discovered my password, and then I had to ban the IP with ufw.

Now I am using Fail2Ban to prevent these types of attacks.

[LAN access from remote] from 183.37.22.227:58298 to 192.168.0.7:22, Monday, July 04,2016 10:09:53
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:08:22
[LAN access from remote] from 192.168.0.4:63385 to 192.168.0.7:80, Monday, July 04,2016 10:03:02
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:02:47
[LAN access from remote] from 169.229.3.91:40301 to 192.168.0.7:80, Monday, July 04,2016 10:00:52
[LAN access from remote] from 169.229.3.91:38487 to 192.168.0.7:80, Monday, July 04,2016 10:00:52
[LAN access from remote] from 121.18.238.22:38685 to 192.168.0.7:22, Monday, July 04,2016 10:00:07
[LAN access from remote] from 121.18.238.22:54199 to 192.168.0.7:22, Monday, July 04,2016 09:59:57
[LAN access from remote] from 121.18.238.22:45582 to 192.168.0.7:22, Monday, July 04,2016 09:59:47
[LAN access from remote] from 121.18.238.22:33867 to 192.168.0.7:22, Monday, July 04,2016 09:59:37
[LAN access from remote] from 121.18.238.22:48962 to 192.168.0.7:22, Monday, July 04,2016 09:59:25
[LAN access from remote] from 121.18.238.22:42182 to 192.168.0.7:22, Monday, July 04,2016 09:59:15
[LAN access from remote] from 121.18.238.22:35939 to 192.168.0.7:22, Monday, July 04,2016 09:59:05
[LAN access from remote] from 121.18.238.22:50380 to 192.168.0.7:22, Monday, July 04,2016 09:58:53
[LAN access from remote] from 121.18.238.22:41018 to 192.168.0.7:22, Monday, July 04,2016 09:58:42
[LAN access from remote] from 121.18.238.22:56730 to 192.168.0.7:22, Monday, July 04,2016 09:58:30
[LAN access from remote] from 121.18.238.22:48769 to 192.168.0.7:22, Monday, July 04,2016 09:58:19
[DoS Attack: RST Scan] from source: 121.18.238.22, port 40454, Monday, July 04,2016 09:58:10
[LAN access from remote] from 121.18.238.22:43529 to 192.168.0.7:22, Monday, July 04,2016 09:58:08
[LAN access from remote] from 121.18.238.22:40454 to 192.168.0.7:22, Monday, July 04,2016 09:58:00
[LAN access from remote] from 121.18.238.22:56935 to 192.168.0.7:22, Monday, July 04,2016 09:57:48
[LAN access from remote] from 121.18.238.22:46752 to 192.168.0.7:22, Monday, July 04,2016 09:57:37
[LAN access from remote] from 121.18.238.22:35769 to 192.168.0.7:22, Monday, July 04,2016 09:57:26
[LAN access from remote] from 121.18.238.22:60140 to 192.168.0.7:22, Monday, July 04,2016 09:57:18
[LAN access from remote] from 121.18.238.22:53270 to 192.168.0.7:22, Monday, July 04,2016 09:57:09
[LAN access from remote] from 121.18.238.22:40038 to 192.168.0.7:22, Monday, July 04,2016 09:56:58
[LAN access from remote] from 121.18.238.22:32905 to 192.168.0.7:22, Monday, July 04,2016 09:56:49
[LAN access from remote] from 121.18.238.22:57638 to 192.168.0.7:22, Monday, July 04,2016 09:56:40
[LAN access from remote] from 192.168.0.4:63336 to 192.168.0.7:80, Monday, July 04,2016 09:56:26
[LAN access from remote] from 121.18.238.22:52719 to 192.168.0.7:22, Monday, July 04,2016 09:56:24
[LAN access from remote] from 121.18.238.22:48129 to 192.168.0.7:22, Monday, July 04,2016 09:56:13
[LAN access from remote] from 121.18.238.22:42942 to 192.168.0.7:22, Monday, July 04,2016 09:56:05
[LAN access from remote] from 192.168.0.4:63333 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63332 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63331 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 192.168.0.4:63330 to 192.168.0.7:80, Monday, July 04,2016 09:56:04
[LAN access from remote] from 121.18.238.22:60581 to 192.168.0.7:22, Monday, July 04,2016 09:55:57
[DoS Attack: ACK Scan] from source: 172.217.19.78, port 443, Monday, July 04,2016 09:54:40
[DoS Attack: ACK Scan] from source: 172.217.19.78, port 443, Monday, July 04,2016 09:54:28
[DoS Attack: ACK Scan] from source: 138.108.96.100, port 80, Monday, July 04,2016 09:54:25
[LAN access from remote] from 5.90.72.134:2356 to 192.168.0.7:1723, Monday, July 04,2016 09:54:15
[LAN access from remote] from 192.168.0.2:63287 to 192.168.0.7:1723, Monday, July 04,2016 09:54:01
[LAN access from remote] from 121.18.238.9:59422 to 192.168.0.7:22, Monday, July 04,2016 09:51:33
[LAN access from remote] from 121.18.238.9:49290 to 192.168.0.7:22, Monday, July 04,2016 09:51:24
[LAN access from remote] from 121.18.238.9:38058 to 192.168.0.7:22, Monday, July 04,2016 09:51:14
[LAN access from remote] from 121.18.238.9:58639 to 192.168.0.7:22, Monday, July 04,2016 09:51:05
[LAN access from remote] from 121.18.238.9:51981 to 192.168.0.7:22, Monday, July 04,2016 09:50:57
[LAN access from remote] from 121.18.238.9:40686 to 192.168.0.7:22, Monday, July 04,2016 09:50:47
[LAN access from remote] from 121.18.238.9:33384 to 192.168.0.7:22, Monday, July 04,2016 09:50:39
[LAN access from remote] from 221.194.44.227:34213 to 192.168.0.7:22, Monday, July 04,2016 09:50:31
[LAN access from remote] from 121.18.238.9:53152 to 192.168.0.7:22, Monday, July 04,2016 09:50:30
[LAN access from remote] from 221.194.44.227:56795 to 192.168.0.7:22, Monday, July 04,2016 09:50:23
[LAN access from remote] from 121.18.238.9:42253 to 192.168.0.7:22, Monday, July 04,2016 09:50:22
[LAN access from remote] from 221.194.44.227:52907 to 192.168.0.7:22, Monday, July 04,2016 09:50:13
[LAN access from remote] from 121.18.238.9:33132 to 192.168.0.7:22, Monday, July 04,2016 09:50:12
[LAN access from remote] from 121.18.238.9:54038 to 192.168.0.7:22, Monday, July 04,2016 09:50:04
[LAN access from remote] from 221.194.44.227:43711 to 192.168.0.7:22, Monday, July 04,2016 09:50:03
[LAN access from remote] from 121.18.238.9:45113 to 192.168.0.7:22, Monday, July 04,2016 09:49:56
[LAN access from remote] from 221.194.44.227:40385 to 192.168.0.7:22, Monday, July 04,2016 09:49:53
[LAN access from remote] from 121.18.238.9:39202 to 192.168.0.7:22, Monday, July 04,2016 09:49:47
[LAN access from remote] from 221.194.44.227:57962 to 192.168.0.7:22, Monday, July 04,2016 09:49:42
[LAN access from remote] from 121.18.238.9:52268 to 192.168.0.7:22, Monday, July 04,2016 09:49:37
[LAN access from remote] from 221.194.44.227:42415 to 192.168.0.7:22, Monday, July 04,2016 09:49:29
[LAN access from remote] from 121.18.238.9:42971 to 192.168.0.7:22, Monday, July 04,2016 09:49:29
[LAN access from remote] from 121.18.238.9:37777 to 192.168.0.7:22, Monday, July 04,2016 09:49:21
[LAN access from remote] from 221.194.44.227:40557 to 192.168.0.7:22, Monday, July 04,2016 09:49:21
[LAN access from remote] from 121.18.238.9:59635 to 192.168.0.7:22, Monday, July 04,2016 09:49:14
[LAN access from remote] from 121.18.238.9:59576 to 192.168.0.7:22, Monday, July 04,2016 09:49:13
[LAN access from remote] from 221.194.44.227:36473 to 192.168.0.7:22, Monday, July 04,2016 09:49:12
[LAN access from remote] from 121.18.238.9:49344 to 192.168.0.7:22, Monday, July 04,2016 09:49:05
[LAN access from remote] from 121.18.238.9:49097 to 192.168.0.7:22, Monday, July 04,2016 09:49:05
[LAN access from remote] from 221.194.44.227:58954 to 192.168.0.7:22, Monday, July 04,2016 09:49:02
[LAN access from remote] from 121.18.238.9:33639 to 192.168.0.7:22, Monday, July 04,2016 09:48:55
[LAN access from remote] from 121.18.238.9:33629 to 192.168.0.7:22, Monday, July 04,2016 09:48:55
[LAN access from remote] from 221.194.44.227:55456 to 192.168.0.7:22, Monday, July 04,2016 09:48:53
[LAN access from remote] from 121.18.238.9:49028 to 192.168.0.7:22, Monday, July 04,2016 09:48:46
[LAN access from remote] from 121.18.238.9:48956 to 192.168.0.7:22, Monday, July 04,2016 09:48:46
[LAN access from remote] from 221.194.44.227:49145 to 192.168.0.7:22, Monday, July 04,2016 09:48:41
[LAN access from remote] from 121.18.238.9:33426 to 192.168.0.7:22, Monday, July 04,2016 09:48:36
[LAN access from remote] from 121.18.238.9:33393 to 192.168.0.7:22, Monday, July 04,2016 09:48:36
[LAN access from remote] from 221.194.44.227:43452 to 192.168.0.7:22, Monday, July 04,2016 09:48:31
[LAN access from remote] from 121.18.238.9:46965 to 192.168.0.7:22, Monday, July 04,2016 09:48:27
[LAN access from remote] from 121.18.238.9:46881 to 192.168.0.7:22, Monday, July 04,2016 09:48:27
[LAN access from remote] from 221.194.44.227:37404 to 192.168.0.7:22, Monday, July 04,2016 09:48:22
[LAN access from remote] from 121.18.238.9:58887 to 192.168.0.7:22, Monday, July 04,2016 09:48:17
[LAN access from remote] from 121.18.238.9:58799 to 192.168.0.7:22, Monday, July 04,2016 09:48:17
[LAN access from remote] from 221.194.44.227:34731 to 192.168.0.7:22, Monday, July 04,2016 09:48:13
[LAN access from remote] from 121.18.238.9:47059 to 192.168.0.7:22, Monday, July 04,2016 09:48:07
[LAN access from remote] from 121.18.238.9:44687 to 192.168.0.7:22, Monday, July 04,2016 09:48:07
[LAN access from remote] from 221.194.44.227:57545 to 192.168.0.7:22, Monday, July 04,2016 09:48:04
[LAN access from remote] from 121.18.238.9:37208 to 192.168.0.7:22, Monday, July 04,2016 09:47:59
[LAN access from remote] from 221.194.44.227:49639 to 192.168.0.7:22, Monday, July 04,2016 09:47:54
[LAN access from remote] from 121.18.238.9:52557 to 192.168.0.7:22, Monday, July 04,2016 09:47:49
[LAN access from remote] from 221.194.44.227:43237 to 192.168.0.7:22, Monday, July 04,2016 09:47:45
[LAN access from remote] from 121.18.238.9:41335 to 192.168.0.7:22, Monday, July 04,2016 09:47:40
[LAN access from remote] from 221.194.44.227:34902 to 192.168.0.7:22, Monday, July 04,2016 09:47:35
[LAN access from remote] from 121.18.238.9:52772 to 192.168.0.7:22, Monday, July 04,2016 09:47:30
[LAN access from remote] from 221.194.44.227:54658 to 192.168.0.7:22, Monday, July 04,2016 09:47:26
[LAN access from remote] from 121.18.238.9:41885 to 192.168.0.7:22, Monday, July 04,2016 09:47:21
[LAN access from remote] from 221.194.44.227:46651 to 192.168.0.7:22, Monday, July 04,2016 09:47:16
[LAN access from remote] from 121.18.238.9:57163 to 192.168.0.7:22, Monday, July 04,2016 09:47:11
[LAN access from remote] from 221.194.44.227:44183 to 192.168.0.7:22, Monday, July 04,2016 09:47:07
[LAN access from remote] from 121.18.238.9:46415 to 192.168.0.7:22, Monday, July 04,2016 09:47:02
[LAN access from remote] from 121.18.238.9:58226 to 192.168.0.7:22, Monday, July 04,2016 09:46:52
[LAN access from remote] from 221.194.44.227:36430 to 192.168.0.7:22, Monday, July 04,2016 09:46:47
[LAN access from remote] from 121.18.238.9:49359 to 192.168.0.7:22, Monday, July 04,2016 09:46:43

Update #2

They have successfully attacked my machine.

I decided to switch to key-file-based RSA authentication, but they had installed a backdoor on my computer (and I didn't know that; my antivirus had failed to block it).

The RSA keys are stored in an encrypted container, but the backdoor intercepted my password and then stole the RSA private key.

They have created a VPN in my Ubuntu server.

I had to block every connection from the router, and now I'm removing the VPN.

Albert
  • Can you specify what is so remarkable with 'these logs'? Are you referring to the DoS attack entries? – Silver Jul 04 '16 at 10:33
  • I don't think so... Seems that someone knows my password (?) – Albert Jul 04 '16 at 10:35
  • What should we see on these logs? Can you elaborate? – Silver Jul 04 '16 at 10:36
  • There are some IPs which are trying to connect to my network... I don't know them, though. This IP: 121.18.238.22 is from China; whois says: Baoding China Unicom Hebei Province Network – Albert Jul 04 '16 at 10:44
  • Welcome to Security SE. Please edit your question adding your comments above and being more specific – Jedi Jul 04 '16 at 11:31
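The router log in the question only records TCP connections, so it can tell you which Internet hosts are hammering tcp/22 but not whether any login succeeded; that question is answered by the server's own sshd log. As an added example (not code from Albert's post), here is a Python script that parses lines in exactly the router's format, tallies connections per source address and destination port, and flags external sources that open several connections to one port within a short window, which is the pattern of a password-guessing tool. The threshold (5 connections within 60 seconds) is an arbitrary assumption chosen for illustration; the sample lines are copied from the log above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the router log in the post above.
SAMPLE_LOG = """\
[LAN access from remote] from 183.37.22.227:58298 to 192.168.0.7:22, Monday, July 04,2016 10:09:53
[admin login] from source 192.168.0.4, Monday, July 04,2016 10:08:22
[LAN access from remote] from 192.168.0.4:63385 to 192.168.0.7:80, Monday, July 04,2016 10:03:02
[LAN access from remote] from 121.18.238.22:38685 to 192.168.0.7:22, Monday, July 04,2016 10:00:07
[LAN access from remote] from 121.18.238.22:54199 to 192.168.0.7:22, Monday, July 04,2016 09:59:57
[LAN access from remote] from 121.18.238.22:45582 to 192.168.0.7:22, Monday, July 04,2016 09:59:47
[LAN access from remote] from 121.18.238.22:33867 to 192.168.0.7:22, Monday, July 04,2016 09:59:37
[LAN access from remote] from 121.18.238.22:48962 to 192.168.0.7:22, Monday, July 04,2016 09:59:25
[LAN access from remote] from 121.18.238.22:42182 to 192.168.0.7:22, Monday, July 04,2016 09:59:15
[DoS Attack: RST Scan] from source: 121.18.238.22, port 40454, Monday, July 04,2016 09:58:10
[LAN access from remote] from 5.90.72.134:2356 to 192.168.0.7:1723, Monday, July 04,2016 09:54:15
[LAN access from remote] from 221.194.44.227:34213 to 192.168.0.7:22, Monday, July 04,2016 09:50:31
[LAN access from remote] from 221.194.44.227:56795 to 192.168.0.7:22, Monday, July 04,2016 09:50:23
[LAN access from remote] from 221.194.44.227:52907 to 192.168.0.7:22, Monday, July 04,2016 09:50:13
[LAN access from remote] from 221.194.44.227:43711 to 192.168.0.7:22, Monday, July 04,2016 09:50:03
"""

# Only the connection records have this shape; "[admin login]" and
# "[DoS Attack ...]" lines use a different layout and are skipped.
LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)
DATE_FMT = "%A, %B %d,%Y %H:%M:%S"  # matches "Monday, July 04,2016 10:09:53"


def parse_router_log(text):
    """Parse connection records and return them oldest first (the router lists newest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": m["src"],
            "dport": int(m["dport"]),
            "when": datetime.strptime(m["when"], DATE_FMT),
            # RFC 1918 sources are other machines on the LAN, not Internet hosts
            "internal": ipaddress.ip_address(m["src"]).is_private,
        })
    events.sort(key=lambda e: e["when"])
    return events


def attempts_by_source(events, dport=22):
    """Total connections per source address to the given destination port."""
    counts = defaultdict(int)
    for e in events:
        if e["dport"] == dport:
            counts[e["src"]] += 1
    return dict(counts)


def find_bruteforce(events, dport=22, threshold=5, window=60):
    """External sources that opened >= threshold connections to dport inside any
    span of `window` seconds (assumed values; same idea as fail2ban's maxretry/findtime).
    Returns {src: total connections to dport}."""
    times_by_src = defaultdict(list)
    for e in events:
        if e["dport"] == dport and not e["internal"]:
            times_by_src[e["src"]].append(e["when"])
    flagged = {}
    for src, times in times_by_src.items():  # already sorted ascending by parse_router_log
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_router_log(SAMPLE_LOG)
    print("connections to tcp/22:", attempts_by_source(evts))
    for src, n in find_bruteforce(evts).items():
        print(f"{src}: {n} connections to tcp/22 in quick succession; check auth.log for this host")
```

The router cannot distinguish a failed login from a successful one, so treat this output as a list of hosts to look up in the server's sshd log rather than as proof of compromise; the script also separates LAN sources such as 192.168.0.4 from Internet sources, which the router's "LAN access from remote" label does not.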

1 Answer


If you whois the IP, you can find that most probably someone is trying to brute-force your SSH credentials. Just set a strong password or, preferably, require a keypair for authentication.

There are other steps which will give further protection.

I am getting attacks on my Synology NAS as well. It's nothing to worry about if your setup is correct. You should set up a maximum of 5 attempts from the same IP to also limit the impact of this kind of attack. It's probably not a real DoS attack, since you would get far more packets and you would notice this from your internet speed.

You can check your SSH logs to see if these attempts are followed by a successful authentication. If you are really curious about their incentive, you can set up a honeypot and monitor their behavior. But that's a lot more advanced. I would love to see what these people do once they get in. So if anyone has ever conducted such an experiment, please let me know.

Silver
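The SSH logs the answer refers to are sshd's own records in /var/log/auth.log on Ubuntu, which state whether a password or a key was accepted for which user and from which address. As an added example (not code from the answer), here is a Python script that parses lines in the standard sshd "Accepted ... / Failed ... for USER from IP port N" format, reports every source whose first successful login was preceded by failed attempts from the same address, and lists the sources that would already have reached a 5-failures-within-10-minutes threshold before they got in (5 and 10 minutes are the fail2ban sshd jail defaults, maxretry and findtime). The auth.log excerpt is constructed for the example: the hostname "ubuntu", the PIDs, the usernames and the key fingerprint are invented, while the addresses and times follow the router log in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in sshd's standard syslog format (hostname,
# PIDs, usernames and fingerprint invented; IPs and times follow the question).
SAMPLE_AUTH_LOG = """\
Jul  4 09:50:03 ubuntu sshd[2050]: Failed password for root from 221.194.44.227 port 43711 ssh2
Jul  4 09:50:13 ubuntu sshd[2052]: Failed password for root from 221.194.44.227 port 52907 ssh2
Jul  4 09:59:15 ubuntu sshd[2101]: Invalid user admin from 121.18.238.22
Jul  4 09:59:15 ubuntu sshd[2101]: Failed password for invalid user admin from 121.18.238.22 port 42182 ssh2
Jul  4 09:59:25 ubuntu sshd[2103]: Failed password for invalid user test from 121.18.238.22 port 48962 ssh2
Jul  4 09:59:37 ubuntu sshd[2105]: Failed password for albert from 121.18.238.22 port 33867 ssh2
Jul  4 09:59:47 ubuntu sshd[2107]: Failed password for albert from 121.18.238.22 port 45582 ssh2
Jul  4 09:59:57 ubuntu sshd[2109]: Failed password for albert from 121.18.238.22 port 54199 ssh2
Jul  4 10:00:07 ubuntu sshd[2111]: Accepted password for albert from 121.18.238.22 port 38685 ssh2
Jul  4 10:08:30 ubuntu sshd[2130]: Accepted publickey for albert from 192.168.0.4 port 50122 ssh2: RSA SHA256:examplefingerprint
"""

# Matches both "Accepted <method> for <user> from <ip> port <n>" and
# "Failed <method> for [invalid user ]<user> from <ip> port <n>".
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2016):
    """Return Accepted/Failed records oldest first. syslog lines carry no year, so it is a parameter."""
    records = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # "Invalid user ...", disconnects etc. are not authentication results
        records.append({
            "when": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    records.sort(key=lambda r: r["when"])
    return records


def first_login_per_source(records):
    """For each source IP that logged in: user, method, time, and how many
    failures that IP produced before its first success."""
    failures = defaultdict(int)
    logins = {}
    for r in records:
        if r["result"] == "Failed":
            failures[r["ip"]] += 1
        elif r["ip"] not in logins:
            logins[r["ip"]] = {
                "user": r["user"],
                "method": r["method"],
                "when": r["when"],
                "failures_before": failures[r["ip"]],
            }
    return logins


def suspicious_logins(records, min_failures=1):
    """Logins preceded by at least min_failures failures from the same IP:
    the signature of a guessed password rather than a mistyped one."""
    return {ip: info for ip, info in first_login_per_source(records).items()
            if info["failures_before"] >= min_failures}


def sources_hitting_threshold(records, maxretry=5, findtime=600):
    """Sources with maxretry failures inside findtime seconds, counting only failures
    before that source's first success. With the fail2ban sshd defaults (maxretry 5,
    findtime 10m) these are the hosts a ban would have stopped before they got in."""
    fails = defaultdict(list)
    first_success = {}
    for r in records:
        if r["result"] == "Failed":
            fails[r["ip"]].append(r["when"])
        elif r["ip"] not in first_success:
            first_success[r["ip"]] = r["when"]
    hit = set()
    for ip, times in fails.items():
        cutoff = first_success.get(ip)
        times = [t for t in times if cutoff is None or t < cutoff]
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                hit.add(ip)
                break
    return hit


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, info in suspicious_logins(recs).items():
        print(f"{ip}: '{info['user']}' accepted via {info['method']} at "
              f"{info['when']:%H:%M:%S} after {info['failures_before']} failures")
    print("would have hit the ban threshold first:", sources_hitting_threshold(recs))
```

A password login from an unknown address after a run of failures is the line to look for; a publickey login from a LAN address with no failures before it is the expected shape of the owner's own sessions. Setting `PasswordAuthentication no` in sshd_config removes the password path entirely, and fail2ban's sshd jail automates the 5-attempt limit the answer recommends. Keys only help while the private key stays on a client the attacker does not control, which is the lesson of Update #2 in the question.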