Seeing strange Screen Sharing connection attempts in logs?

I've been seeing a plethora of unknown screen sharing connection attempts in the system log files. It is filled with logs like this.

Jul 29 11:50:34 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 50.192.200.182 :: Type: VNC DES
Jul 29 11:50:35 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 41.160.176.43 :: Type: VNC DES
Jul 29 11:50:35 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 50.192.200.182 :: Type: VNC DES
Jul 29 11:50:35 felixjen.com servermgrd[53992]: servermgr_devicemgr: response statusCode: 404
Jul 29 11:50:35 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 50.192.200.182 :: Type: VNC DES
Jul 29 11:50:36 felixjen.com servermgrd[53992]: --Module servermgr_devicemgr's response has retain count of 3.
Jul 29 11:50:36 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 50.192.200.182 :: Type: VNC DES
Jul 29 11:50:36 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 41.160.176.43 :: Type: VNC DES
Jul 29 11:50:41 --- last message repeated 1 time ---
Jul 29 11:50:41 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 50.192.200.182 :: Type: VNC DES
Jul 29 11:50:49 --- last message repeated 2 times ---
Jul 29 11:50:49 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 41.160.176.43 :: Type: VNC DES
Jul 29 11:50:52 --- last message repeated 2 times ---
Jul 29 11:50:52 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 50.192.200.182 :: Type: VNC DES
Jul 29 11:50:53 felixjen.com screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 41.160.176.43 :: Type: VNC DES
Jul 29 11:50:56 --- last message repeated 1 time ---

Furthermore, they get followed by logs like this, about hosts being blocked for 15 minutes.

Jul 29 12:00:09 felixjen.com emond[4249]: Host at 192.168.1.2 will be blocked for at least 15 minutes
Jul 29 12:00:09 felixjen.com screensharingd[57455]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 108.162.21.11 :: Type: VNC DES
Jul 29 12:00:33 --- last message repeated 35 times ---
Jul 29 12:00:33 felixjen.com emond[4249]: Host at 192.168.1.2 will be blocked for at least 15 minutes
Jul 29 12:01:03 --- last message repeated 2 times ---
Jul 29 12:01:03 felixjen.com emond[4249]: Host at 192.168.1.2 will be blocked for at least 15 minutes

Is this an attempted intrusion of some sorts? If so, how should I prevent it from happening? Also, what does it mean that the host will be blocked???

Mac mini, OS X Mavericks (10.9.3), Running Mac Server

Posted on Jul 29, 2014 12:02 PM

6 replies
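To put numbers on what the log above shows, here is a small parser for these screensharingd and emond lines. It is an added example, not something from the thread or from Apple; it expands syslog's "last message repeated N times" lines into the extra failures they stand for (only when the preceding line was itself a screensharingd failure), tallies failed VNC logins per viewer address, and flags sources that cross a threshold inside a time window. The sample log, hostname, addresses (RFC 5737 documentation ranges) and the threshold of 5 failures per minute are all constructed for the example; the real limit behind the "will be blocked for at least 15 minutes" notices is not stated in the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the poster's): same line shapes as the thread, with
# documentation addresses and a syslog "repeated" line that follows a non-failure.
SAMPLE_LOG = """\
Jul 29 11:50:34 server.example screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.0.2.10 :: Type: VNC DES
Jul 29 11:50:35 server.example screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.7 :: Type: VNC DES
Jul 29 11:50:35 server.example servermgrd[53992]: servermgr_devicemgr: response statusCode: 404
Jul 29 11:50:36 server.example screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.0.2.10 :: Type: VNC DES
Jul 29 11:50:41 --- last message repeated 3 times ---
Jul 29 11:50:49 server.example screensharingd[55281]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.7 :: Type: VNC DES
Jul 29 11:50:52 --- last message repeated 2 times ---
Jul 29 11:50:53 server.example servermgrd[53992]: --Module servermgr_devicemgr's response has retain count of 3.
Jul 29 11:50:56 --- last message repeated 1 time ---
Jul 29 12:00:09 server.example emond[4249]: Host at 192.168.1.2 will be blocked for at least 15 minutes
"""

# The three line shapes that matter: a screensharingd authentication failure,
# an emond block notice, and syslog's "last message repeated N time(s)" marker.
TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(
    TS + r" \S+ screensharingd\[\d+\]: Authentication: FAILED :: User Name: (?P<user>.*?)"
    r" :: Viewer Address: (?P<addr>[0-9A-Fa-f.:]+) :: Type: (?P<type>.+)$"
)
BLOCK_RE = re.compile(
    TS + r" \S+ emond\[\d+\]: Host at (?P<addr>[0-9A-Fa-f.:]+)"
    r" will be blocked for at least (?P<mins>\d+) minutes$"
)
REPEAT_RE = re.compile(TS + r" --- last message repeated (?P<n>\d+) times? ---$")


def _parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_log(text: str, year: int = 2014):
    """Return (failures, blocks).

    failures: list of (timestamp, viewer_address, auth_type)
    blocks:   list of (timestamp, blocked_host, minutes)
    A "repeated N times" line becomes N more copies of the previous failure; any
    other message in between resets that context, so the repeat is then ignored.
    """
    failures, blocks = [], []
    last_failure = None  # (addr, auth_type) if the previous line was a failure
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = FAILED_RE.match(line)
        if m:
            last_failure = (m["addr"], m["type"])
            failures.append((_parse_ts(m["ts"], year), m["addr"], m["type"]))
            continue
        m = REPEAT_RE.match(line)
        if m:
            if last_failure is not None:
                ts = _parse_ts(m["ts"], year)
                failures.extend((ts, *last_failure) for _ in range(int(m["n"])))
            continue  # the repeated message is still the "last" one
        m = BLOCK_RE.match(line)
        if m:
            blocks.append((_parse_ts(m["ts"], year), m["addr"], int(m["mins"])))
        last_failure = None  # any other message breaks the repeat chain
    return failures, blocks


def failures_by_address(failures) -> Counter:
    """Total failed attempts per viewer address, repeats included."""
    return Counter(addr for _, addr, _ in failures)


def brute_force_sources(failures, threshold=5, window=timedelta(minutes=1)):
    """Addresses with at least `threshold` failures inside any `window`-long span.

    Constructed threshold-in-a-window rule; the real emond/adaptive-firewall
    limit is not given in the thread.
    """
    by_addr = defaultdict(list)
    for ts, addr, _ in failures:
        by_addr[addr].append(ts)
    flagged = set()
    for addr, stamps in by_addr.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(addr)
                break
    return flagged


if __name__ == "__main__":
    failures, blocks = parse_log(SAMPLE_LOG)
    for addr, n in failures_by_address(failures).most_common():
        print(f"{addr:16} {n} failed VNC logins")
    print("sources over threshold:", sorted(brute_force_sources(failures)))
    for ts, host, mins in blocks:
        print(f"{ts:%H:%M:%S} emond blocked {host} for {mins} min")
```

Run against a real /var/log/system.log the counts per address are what you want to compare with the emond block notices: if a source keeps failing well past the point where a block should have kicked in, or if only a local address such as 192.168.1.2 ever appears in the block lines, that is the mismatch worth investigating rather than the failures themselves.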

Jul 29, 2014 12:09 PM in response to xoxorockoutloud123

Is this an attempted intrusion of some sorts?


I am no expert on these matters, but it looks like an intrusion attempt to me -- unless you have authorized someone you trust to get this access and they are failing at it.

If so, how should I prevent it from happening?

Turn off Screen Sharing, or further restrict the class of Users who can connect.

Also, what does it mean that the host will be blocked???

Connection attempts from this host will be ignored for the stated time period, then they can try again.


This timeout is a compromise. You want to discourage break-ins, but if this is merely caused by an incompetent Admin, you want to have a way for them to get in eventually.


Welcome to the Wild, Wild, Web.

Jul 29, 2014 2:35 PM in response to xoxorockoutloud123

The systems of what appears to be a Utah dentist and a sprinkler company in New York State appear to have been breached somehow, and those systems are now probing your system. Looks like the folks involved running software there — which probably isn't the dentist or the sprinkler folks — are trying to brute-force. The attackers are probably using what's called a dictionary attack, looking for weak passwords on common accounts.


As Grant Bennet-Alder states, you can disable screen sharing or otherwise block access to those protocols. That's a task commonly performed at the network firewall. It's also possible to control access to these and other services via VPN, which means the attackers will be off poking at the VPN server, either in the firewall or a host-based VPN server — the VPN encrypts your remote traffic, and can also prevent access to most or all other services in conjunction with the firewall settings.


There are some oddities in what's shown, too — in the second set of data, 192.168.1.2 is getting blocked, and that's somewhat unexpected. That could mean there's an odd setting in the firewall, or there's possibly something else going on within the local network configuration. (And FWIW, that is among the subnets that are not particularly conducive to establishing and using VPNs, too.)

Jul 29, 2014 3:09 PM in response to MrHoffman

So attackers managed to breach those systems and are using them to attack mine? Since my server is NATed, do I just remove the port forwarding for Screen Sharing? Also, are these failed connections taking a toll on system resources such as CPU?


I don't actually remember turning on my firewall at all. The built in OS X firewall is off. I read about something known as adaptive firewall so I flipped those on as the Apple support docs said with terminal commands. However, I never did any custom configurations on it.

Jul 29, 2014 7:46 PM in response to xoxorockoutloud123

xoxorockoutloud123 wrote:


So attackers managed to breach those systems and are using them to attack mine?


Probably. On those other servers, it could be some malware got installed, some dodgy anti-virus or dodgy codecs got loaded, somebody's vulnerable web applications got breached, a user opened up one of those emailed attachments with {tax data, payment receipts, gifts, shipping info, whatever} and ran the executable, phishing, whatever. All sorts of possibilities.


These attacks and these probes are the usual "background hum" of the Internet in recent years.


Since my server is NATed, do I just remove the port forwarding for Screen Sharing?


Only enable what forwarding is strictly necessary.


Don't forward everything — best to keep most of the dreck off the local network.


You'll get some dreck when you have ports open — mail and web are commonly opened to external users for instance, and commonly probed for misconfigurations and weaknesses. If you're not serving anything publicly, then a migration over to a VPN can block all traffic except that with the VPN credentials.


Even if you are serving some stuff publicly and have some ports you need to have open such as TCP port 80 for a web server for instance, configuring and using a VPN to protect your other and usually private traffic can be preferable.


Also, are these failed connections taking a toll on system resources such as CPU?


They'll chew up some CPU, some network, and fill some logs. They will be a background annoyance until and unless one hits the password jackpot, or until somebody decides to probe your server more strenuously. Then things get ugly.


I don't actually remember turning on my firewall at all.


I'd block all unnecessary traffic at your NAT box.


The built in OS X firewall is off. I read about something known as adaptive firewall so I flipped those on as the Apple support docs said with terminal commands. However, I never did any custom configurations on it.


I'd have the NAT forwarding disabled. Recent OS X has three integrated firewalls: pf, ipfw (deprecated) and the application firewall (alf).


It's generally not necessary to have multiple layers of firewalls enabled, if you trust your innermost network. If you do have multiple layers of firewalls enabled, there'll be slight additional overhead to the network traffic processing, but it's unlikely you'll notice that.

Jul 30, 2014 7:42 AM in response to xoxorockoutloud123

xoxorockoutloud123 wrote:


Hmmmm I went ahead and disabled all port forwards except those I needed for websites and mail and stuff.



Those open ports will still be probed, of course. Where higher security is a consideration, then configuring the Internet-exposed servers into what is known as a DMZ is a common choice. The DMZ can restrict access from the DMZ-based servers both into the core of the local network, and can also restrict network access from the DMZ-based servers back out into the open network. Both of these blocks make things a little more difficult for an attacker that has successfully breached the DMZ-based servers. You would not expect a DMZ server to suddenly develop new active network services, so blocking everything other than what's expressly intended and authorized can constrain what the server can do if it's breached, for instance.


Would hosting your own VPN like I do in Server work as well to protect my traffic?


Yes. I usually prefer to use a firewall-based VPN server, as that does not depend on the target server box. That keeps the bulk of the VPN traffic and the load off of the server, keeps the log activity off of the server (unless you want that), keeps the VPN configuration settings off of the server (which means unintended or accidental changes are less likely, as you have to log into the firewall to change that stuff — same reason why I prefer a gateway-based firewall to a server-local one, as local server software configuration changes can risk opening holes through the server's own local firewall), and it means the server does not need to be operational for the VPN to work.


Also, why are they probing specifically my server? Or, do they just probe a bunch of random IP addresses like a bot??


The whole Internet IPv4 address space — all of the IP addresses — can be probed in a few minutes, these days. Using a single server. Not really a very big server, either. There are various folks doing exactly that, from various locations and from various conferences. Botnets have available massively more processing power and massively more bandwidth than that single server offers, too. Those botnet boxes can also pound away on trying to guess your mail server passwords or other service access credentials for, well, forever, and with each of those password probes arising from any of a huge variety of IP addresses.

Again, this "attack" traffic is part of the "background hum" of the Internet, and it's why you always want secure passwords (or certificate-based logins), VPNs, etc.
