Re: Tracking down SSH access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



one more bit, when you get to the command line ssh ... , throw in a bunch of -v to crank up verbosity

On Thu, Jan 30, 2020 at 5:18 PM Jack Craig <jack.craig.aptos@xxxxxxxxx> wrote:
with some work, you can limit the filter on capture to screen out all but the traffic you want to see.

the web should have lots of 'how to' clips.

good luck, ...

On Thu, Jan 30, 2020 at 5:12 PM Michael Eager <eager@xxxxxxxxxxxx> wrote:
Thanks.  I'll give that a try.

On 1/30/20 1:49 PM, Jack Craig wrote:
> wireshark -> tcpdump on dst=port# src = ""> > ??
>
>
> On Thu, Jan 30, 2020 at 1:13 PM Michael Eager <eager@xxxxxxxxxxxx
> <mailto:eager@xxxxxxxxxxxx>> wrote:
>
>     When I look at /var/log/secure or run journalctl on my workstation, I
>     see failed SSH login attempts from a variety of IP addresses.  The
>     attempts are every 3-12 minutes.
>
>     /etc/ssh/sshd_config contains:
>     PasswordAuthentication no
>
>     The workstation is on a LAN behind an EdgeRouter firewall.  No Internet-
>     accessible ports are forwarded to the workstation.  The LAN has a
>     variety of servers, NAS boxes, WiFi access points, WiFi-connected
>     laptops, etc.
>
>     A typical /var/log/secure entry looks like this:
>     Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
>     124.204.36.138 port 37394
>     Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
>     124.204.36.138 port 37394:11: Bye Bye [preauth]
>     Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
>     jackiehulu 124.204.36.138 port 37394 [preauth]
>
>     The corresponding journalctl is:
>     Jan 30 12:43:51 redwood.eagercon.com <http://redwood.eagercon.com>
>     audit[21228]: USER_ERR pid=21228
>     uid=0 auid=4294967295 ses=4294967295
>     subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident
>     grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138
>     addr=124.204.36.138 terminal=ssh res=failed'
>
>     I'm assuming that something on the network has been compromised,
>     allowing SSH login attempts on the LAN.  Other than turning off
>     each server/AP/laptop/etc, one at a time, to find when the accesses
>     stop, is there any way to find out where the SSH attempt is coming from?
>
>     -- Mike Eager
>     _______________________________________________
>     users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
>     <mailto:users@xxxxxxxxxxxxxxxxxxxxxxx>
>     To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>     <mailto:users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
>     Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     List Archives:
>     https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
>


--
Michael Eager    eager@xxxxxxxxxxxx
1960 Park Blvd., Palo Alto, CA 94306
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux