On 1/30/20 1:12 PM, Michael Eager wrote:
When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH login attempts from a variety of IP addresses. The attempts are every 3-12 minutes.
/etc/ssh/sshd_config contains: PasswordAuthentication no
The workstation is on a LAN behind an EdgeRouter firewall. No Internet-accessible ports are forwarded to the workstation. The LAN has a variety of servers, NAS boxes, WiFi access points, WiFi-connected laptops, etc.
A typical /var/log/secure entry looks like this:

Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from 124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from 124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user jackiehulu 124.204.36.138 port 37394 [preauth]
The corresponding journalctl is:

Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138 addr=124.204.36.138 terminal=ssh res=failed'
I'm assuming that something on the network has been compromised, allowing SSH login attempts on the LAN. Other than turning off each server/AP/laptop/etc, one at a time, to find when the accesses stop, is there any way to find out where the SSH attempt is coming from?
-- Mike Eager
Thanks for all the suggestions.
I used tcpdump to collect access to port 22, after shutting off all other SSH connections. Running tcpdump with -e gave me the MAC address of the sending device, and arp led me to the right device.
It was the firewall router. It was forwarding a non-standard port to my workstation's port 22. I had thought that I had disabled all port forwarding, but that apparently was not the case. The access attempts were infrequent because someone had to run a port scanner and find the non-standard port, rather than just banging on port 22.
-- Mike Eager
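The tcpdump -e / arp procedure from the reply, written up as an added shell example that is not part of the thread: it pairs the Ethernet source MAC of inbound SYNs to port 22 with the ARP cache, so a forwarded public address in the IP header still resolves to the LAN device that actually sent the frame. The capture and ARP output below are constructed samples; the workstation address 192.168.1.10, the router address 192.168.1.1 and all MACs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): find which LAN device sends the SSH
# probes by pairing `tcpdump -e -n 'tcp dst port 22'` frames with the ARP table.
# Both inputs below are constructed samples; MACs and LAN addresses are placeholders.

# Constructed `tcpdump -e -n` output; the workstation is assumed to be 192.168.1.10.
CAPTURE='12:43:50.101 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 124.204.36.138.37394 > 192.168.1.10.22: Flags [S], seq 1, win 29200, length 0
12:43:50.102 aa:bb:cc:dd:ee:ff > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.22 > 124.204.36.138.37394: Flags [S.], seq 2, ack 2, win 28960, length 0
12:51:12.300 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 124.204.36.138.41002 > 192.168.1.10.22: Flags [S], seq 3, win 29200, length 0
12:55:01.500 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 192.168.1.20.50123 > 192.168.1.10.22: Flags [S], seq 4, win 29200, length 0'

# Constructed `arp -n` output as seen from the workstation.
ARP_TABLE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:02   C                     eth0'

# Count inbound SYNs to port 22 per *source MAC* (field 2 of -e output).
# The IP source may be a forwarded public address, but the Ethernet source is
# always the last hop on the LAN, which is the device we want to identify.
syn_sources() {
    printf '%s\n' "$CAPTURE" \
    | awk '/\.22: Flags \[S\],/ { n[$2]++ } END { for (m in n) print n[m], m }' \
    | sort -rn
}

# Map a MAC to the LAN IP the ARP cache associates with it (empty if unknown).
resolve_mac() {
    printf '%s\n' "$ARP_TABLE" | awk -v m="$1" '$3 == m { print $1 }'
}

# One line per sending MAC: "<count> <mac> <lan-ip|unknown>", busiest first.
report() {
    syn_sources | while read -r count mac; do
        ip=$(resolve_mac "$mac")
        printf '%s %s %s\n' "$count" "$mac" "${ip:-unknown}"
    done
}

report
```

On a live host, replace CAPTURE with the output of `tcpdump -e -n -l 'tcp dst port 22'` and ARP_TABLE with `arp -n` taken on the same interface; a MAC that resolves to the router, as in the thread, points at a forwarding rule rather than a compromised LAN host.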