one more bit, when you get to the command line ssh ... , throw in a bunch of -v to crank up verbosity
On Thu, Jan 30, 2020 at 5:18 PM Jack Craig <jack.craig.aptos@xxxxxxxxx> wrote:
with some work, you can limit the filter on capture to screen out all but the traffic you want to see.the web should have lots of 'how to' clips.good luck, ...On Thu, Jan 30, 2020 at 5:12 PM Michael Eager <eager@xxxxxxxxxxxx> wrote:Thanks. I'll give that a try.
On 1/30/20 1:49 PM, Jack Craig wrote:
> wireshark -> tcpdump on dst=port# src = ""> > ??
>
>
> On Thu, Jan 30, 2020 at 1:13 PM Michael Eager <eager@xxxxxxxxxxxx
> <mailto:eager@xxxxxxxxxxxx>> wrote:
>
> When I look at /var/log/secure or run journalctl on my workstation, I
> see failed SSH login attempts from a variety of IP addresses. The
> attempts are every 3-12 minutes.
>
> /etc/ssh/sshd_config contains:
> PasswordAuthentication no
>
> The workstation is on a LAN behind an EdgeRouter firewall. No Internet-
> accessible ports are forwarded to the workstation. The LAN has a
> variety of servers, NAS boxes, WiFi access points, WiFi-connected
> laptops, etc.
>
> A typical /var/log/secure entry looks like this:
> Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
> 124.204.36.138 port 37394
> Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
> 124.204.36.138 port 37394:11: Bye Bye [preauth]
> Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
> jackiehulu 124.204.36.138 port 37394 [preauth]
>
> The corresponding journalctl is:
> Jan 30 12:43:51 redwood.eagercon.com <http://redwood.eagercon.com>
> audit[21228]: USER_ERR pid=21228
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident
> grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138
> addr=124.204.36.138 terminal=ssh res=failed'
>
> I'm assuming that something on the network has been compromised,
> allowing SSH login attempts on the LAN. Other than turning off
> each server/AP/laptop/etc, one at a time, to find when the accesses
> stop, is there any way to find out where the SSH attempt is coming from?
>
> -- Mike Eager
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> <mailto:users@xxxxxxxxxxxxxxxxxxxxxxx>
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> <mailto:users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
>
--
Michael Eager eager@xxxxxxxxxxxx
1960 Park Blvd., Palo Alto, CA 94306
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx