On Thu, 30 Jan 2020 at 17:13, Michael Eager eager@eagercon.com wrote:
When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH login attempts from a variety of IP addresses. The attempts are every 3-12 minutes.
/etc/ssh/sshd_config contains: PasswordAuthentication no
The workstation is on a LAN behind an EdgeRouter firewall. No Internet- accessible ports are forwarded to the workstation. The LAN has a variety of servers, NAS boxes, WiFi access points, WiFi-connected laptops, etc.
Do you manage the network so you can check things like the firewall's software version and have access to a list of mac addresses for devices on your network? Is the firewall running the current software? Does the router do NAT translation? Are there other (external 3rd party) WiFi networks visible to systems on your LAN? Are there BYOD's such as smart phones that could be connected to the internet via cellular data networks?
A typical /var/log/secure entry looks like this: Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from 124.204.36.138 port 37394 Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from 124.204.36.138 port 37394:11: Bye Bye [preauth] Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user jackiehulu 124.204.36.138 port 37394 [preauth]
The corresponding journalctl is: Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138 addr=124.204.36.138 terminal=ssh res=failed'
I'm assuming that something on the network has been compromised, allowing SSH login attempts on the LAN. Other than turning off each server/AP/laptop/etc, one at a time, to find when the accesses stop, is there any way to find out where the SSH attempt is coming from?
A compromised system is unlikely to allow access to a large number of external sites, so it is more likely to be a device (maybe inadvertently) bridging a cellular data network or an external system connecting to your LAN. There have been cases where bad actors just plugged in a small system to gain access to a LAN.
As Ed suggested, getting the mac address is a start, but it may be spoofed or a device you didn't know existed: personal device, IoT device (HVAC, security camera, etc.), or computer used to control equipment that was not supposed to be connected to the network.