When I look at /var/log/secure or run journalctl on my workstation, I
see failed SSH login attempts from a variety of IP addresses. The
attempts are every 3-12 minutes.
/etc/ssh/sshd_config contains:
PasswordAuthentication no
The workstation is on a LAN behind an EdgeRouter firewall. No Internet-
accessible ports are forwarded to the workstation. The LAN has a
variety of servers, NAS boxes, WiFi access points, WiFi-connected
laptops, etc.
A typical /var/log/secure entry looks like this:
Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
jackiehulu 124.204.36.138 port 37394 [preauth]
The corresponding journalctl is:
Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident
grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138
addr=124.204.36.138 terminal=ssh res=failed'
I'm assuming that something on the network has been compromised,
allowing SSH login attempts on the LAN. Other than turning off
each server/AP/laptop/etc, one at a time, to find when the accesses
stop, is there any way to find out where the SSH attempt is coming from?
-- Mike Eager
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
