On Thu, 30 Jan 2020 at 17:13, Michael Eager <eager@xxxxxxxxxxxx> wrote:
When I look at /var/log/secure or run journalctl on my workstation, I
see failed SSH login attempts from a variety of IP addresses. The
attempts are every 3-12 minutes.
/etc/ssh/sshd_config contains:
PasswordAuthentication no
The workstation is on a LAN behind an EdgeRouter firewall. No Internet-
accessible ports are forwarded to the workstation. The LAN has a
variety of servers, NAS boxes, WiFi access points, WiFi-connected
laptops, etc.
Do you manage the network so you can check things like the firewall's software
version and have access to a list of mac addresses for devices on your
network? Is the firewall running the current software? Does the router do NAT
translation? Are there other (external 3rd party) WiFi networks visible to systems
on your LAN? Are there BYOD's such as smart phones that could be
connected to the internet via cellular data networks?
A typical /var/log/secure entry looks like this:
Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
jackiehulu 124.204.36.138 port 37394 [preauth]
The corresponding journalctl is:
Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident
grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138
addr=124.204.36.138 terminal=ssh res=failed'
I'm assuming that something on the network has been compromised,
allowing SSH login attempts on the LAN. Other than turning off
each server/AP/laptop/etc, one at a time, to find when the accesses
stop, is there any way to find out where the SSH attempt is coming from?
A compromised system is unlikely to allow access to a large number of
external sites, so it is more likely to be a device (maybe inadvertently)
bridging a cellular data network or an external system connecting to your
LAN. There have been cases where bad actors just plugged in a small
system to gain access to a LAN.
As Ed suggested, getting the mac address is a start, but it may be spoofed
or a device you didn't know existed: personal device, IoT device (HVAC, security
camera, etc.), or computer used to control equipment that was not supposed
to be connected to the network.
George N. White III
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx