On Thu, 2020-01-30 at 13:12 -0800, Michael Eager wrote:
> ... The LAN has a variety of servers, NAS boxes, WiFi access points, WiFi-connected laptops, etc.
> ...
> I'm assuming that something on the network has been compromised, allowing SSH login attempts on the LAN. Other than turning off each server/AP/laptop/etc, one at a time, to find when the accesses stop, is there any way to find out where the SSH attempt is coming from?
Considering the timespan of this thread, disconnecting likely devices might have been a quicker method.
Anything that offers cloud services (doing backups, remote access to your NAS, etc.) is the first thing I'd look at. All it takes is for one of those remote services to be exploitable, like so many are.
E.g. WiFi surveillance cameras: they often have cloud access, and their cloud services are often easily compromised, and so are the devices. Their cameras come with predefined access codes, and someone has worked out the pattern (you don't set up a random new account; you use the code printed on a sticker to use an account already waiting for you). So they step through the permutations trying to connect.
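The original question was how to find which LAN host the SSH attempts come from without unplugging devices one at a time. The script below is an added example, not code posted by anyone in this thread. It reads the sshd "Failed ... for ... from IP port N" lines from the target's auth log, counts attempts per RFC1918 source address, and joins each address with the target's own neighbour table (`ip neigh show`) so the offender is identified by MAC address; the first three octets (the OUI) can then be looked up in the IEEE registry to learn the vendor, which usually tells a camera or NAS apart from a laptop. The log lines, IPs and MACs are constructed sample data, and the hostnames and users are assumptions.

```python
"""Attribute LAN-side SSH brute-force attempts to a source host.

Added example (not from the thread). Run on the machine that is being
probed, feeding it /var/log/auth.log (or `journalctl -u ssh`) and the
output of `ip neigh show`. The sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# One sshd "Failed <method> for [invalid user] <user> from <ip> port <n>"
# line is logged per rejected credential. "Invalid user ..." and
# "Connection closed by ... [preauth]" lines describe the same sessions,
# so they are deliberately not counted to avoid inflating the totals.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# `ip neigh show` format: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")

# RFC1918 space only: the question is about something *on the LAN*.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def on_lan(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LAN_NETS)


def parse_attempts(lines):
    """Return {source_ip: {username: failed_attempts}} for LAN sources."""
    attempts = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m and on_lan(m["ip"]):
            attempts[m["ip"]][m["user"]] += 1
    return {ip: dict(users) for ip, users in attempts.items()}


def parse_neighbours(ip_neigh_output):
    """Map IP -> (MAC, interface) from `ip neigh show` output."""
    table = {}
    for line in ip_neigh_output.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["dev"])
    return table


def attribute(attempts, neighbours):
    """Rank sources by attempt volume and attach MAC/OUI where the ARP table knows them."""
    rows = []
    for ip, users in sorted(attempts.items(), key=lambda kv: -sum(kv[1].values())):
        mac, dev = neighbours.get(ip, (None, None))
        rows.append({
            "ip": ip,
            "attempts": sum(users.values()),
            "users": sorted(users),
            "mac": mac,
            "dev": dev,
            "oui": mac[:8] if mac else None,  # look this up in the IEEE OUI list
        })
    return rows


# Constructed sample auth log (hostname "nas", users and addresses invented).
SAMPLE_AUTH_LOG = """\
Jan 30 13:10:01 nas sshd[4121]: Invalid user admin from 192.168.1.57 port 40231
Jan 30 13:10:03 nas sshd[4121]: Failed password for invalid user admin from 192.168.1.57 port 40231 ssh2
Jan 30 13:10:05 nas sshd[4121]: Connection closed by invalid user admin 192.168.1.57 port 40231 [preauth]
Jan 30 13:10:09 nas sshd[4130]: Failed password for root from 192.168.1.57 port 40235 ssh2
Jan 30 13:10:11 nas sshd[4130]: Failed password for root from 192.168.1.57 port 40235 ssh2
Jan 30 13:10:40 nas sshd[4142]: Failed password for pi from 192.168.1.23 port 51002 ssh2
Jan 30 13:11:02 nas sshd[4150]: Accepted publickey for alice from 192.168.1.10 port 33044 ssh2
Jan 30 13:11:30 nas sshd[4161]: Failed password for root from 203.0.113.9 port 22001 ssh2
"""

# Constructed `ip neigh show` output; 192.168.1.23 is deliberately absent
# (entry expired, or the host sits behind an AP running in router mode).
SAMPLE_IP_NEIGH = """\
192.168.1.57 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:66:77:88 STALE
192.168.1.1 dev eth0 lladdr 00:11:22:99:aa:bb DELAY
"""

if __name__ == "__main__":
    rows = attribute(parse_attempts(SAMPLE_AUTH_LOG.splitlines()),
                     parse_neighbours(SAMPLE_IP_NEIGH))
    for r in rows:
        print(f'{r["ip"]:<16} {r["attempts"]:>4} attempts  users={r["users"]}  '
              f'mac={r["mac"]} oui={r["oui"]} via={r["dev"]}')
```

Two caveats when using this for real: the neighbour table only covers hosts on the same subnet and entries age out, so capture it while the attempts are still arriving; and if a WiFi AP or a second router is doing NAT, the source IP and MAC will be the AP's, which at least narrows the hunt to the devices behind it.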