Re: Tracking down SSH access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 30 Jan 2020 at 17:13, Michael Eager <eager@xxxxxxxxxxxx> wrote:
When I look at /var/log/secure or run journalctl on my workstation, I
see failed SSH login attempts from a variety of IP addresses.  The
attempts are every 3-12 minutes.

/etc/ssh/sshd_config contains:
PasswordAuthentication no

The workstation is on a LAN behind an EdgeRouter firewall.  No Internet-
accessible ports are forwarded to the workstation.  The LAN has a
variety of servers, NAS boxes, WiFi access points, WiFi-connected
laptops, etc.

Do you manage the network so you can check things like the firewall's software
version and have access to a list of mac addresses for devices on your
network?   Is the firewall running the current software?    Does the router do NAT 
translation?   Are there other (external 3rd party) WiFi networks visible to systems 
on your LAN?   Are there BYOD's such as smart phones that could be 
connected to the internet via cellular data networks?

 

A typical /var/log/secure entry looks like this:
Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
jackiehulu 124.204.36.138 port 37394 [preauth]

The corresponding journalctl is:
Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident
grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138
addr=124.204.36.138 terminal=ssh res=failed'

I'm assuming that something on the network has been compromised,
allowing SSH login attempts on the LAN.  Other than turning off
each server/AP/laptop/etc, one at a time, to find when the accesses
stop, is there any way to find out where the SSH attempt is coming from?

A compromised system is unlikely to allow access to a large number of
external sites, so it is more likely to be a device (maybe inadvertently)  
bridging a cellular data network or an external system connecting to your
LAN.   There have been cases where bad actors just plugged in a small
system to gain access to a LAN.
 
As Ed suggested, getting the mac address is a start, but it may be spoofed 
or a device you didn't know existed: personal device, IoT device (HVAC, security
camera, etc.), or computer used to control equipment that was not supposed 
to be connected to the network.   

--
George N. White III

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux