On 2020-01-31 05:12, Michael Eager wrote:
When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH login attempts from a variety of IP addresses. The attempts are every 3-12 minutes.
/etc/ssh/sshd_config contains: PasswordAuthentication no
The workstation is on a LAN behind an EdgeRouter firewall. No Internet- accessible ports are forwarded to the workstation. The LAN has a variety of servers, NAS boxes, WiFi access points, WiFi-connected laptops, etc.
A typical /var/log/secure entry looks like this: Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from 124.204.36.138 port 37394 Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from 124.204.36.138 port 37394:11: Bye Bye [preauth] Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user jackiehulu 124.204.36.138 port 37394 [preauth]
The corresponding journalctl is: Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138 addr=124.204.36.138 terminal=ssh res=failed'
I'm assuming that something on the network has been compromised, allowing SSH login attempts on the LAN. Other than turning off each server/AP/laptop/etc, one at a time, to find when the accesses stop, is there any way to find out where the SSH attempt is coming from?
FWIW, I find the "lastb" command a bit more convenient to check for bad login attempts.
I also only allow public key authentication.