On 1/30/20 1:12 PM, Michael Eager wrote:
When I look at /var/log/secure or run journalctl on my workstation, I
see failed SSH login attempts from a variety of IP addresses. The
attempts are every 3-12 minutes.
The workstation is on a LAN behind an EdgeRouter firewall. No Internet-
accessible ports are forwarded to the workstation. The LAN has a
variety of servers, NAS boxes, WiFi access points, WiFi-connected
laptops, etc.
A typical /var/log/secure entry looks like this:
Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
jackiehulu 124.204.36.138 port 37394 [preauth]
I'm assuming that something on the network has been compromised,
allowing SSH login attempts on the LAN. Other than turning off
each server/AP/laptop/etc, one at a time, to find when the accesses
stop, is there any way to find out where the SSH attempt is coming from?
From the attacking IP address, unless you're in China, your computer
must be internet accessible somehow. That's not an IP address on your
LAN, right?
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
