Re: Tracking down SSH access


 



On 2020-02-01 06:16, Samuel Sieb wrote:
> On 1/31/20 1:52 PM, Ed Greshko wrote:
>> On 2020-02-01 04:56, Samuel Sieb wrote:
>>> I thought about that, but it's only useful for mapping back from the MAC address and that would only work if the computers are talking directly using local addresses.  Only the attacking computer would have an arp entry for the target computer.  If the target does not normally have any communication with the attacker, it won't have an entry for it.  If he has access to the gateway computer, then that would more likely have an arp entry for the attacker.
>>
>> Well since arp is only on the LAN and since LAN communication is arp based the tcpdump packets will
>> have the MAC address of the device on the local network from which the ssh packets were routed through.
>
> I'm not sure what you're saying.  Yes, the packets will have the MAC address of the sending device.  But the local arp table will most likely not have an entry for that MAC address.  So you will have to try to track down the device only by the MAC and not by IP.  The DHCP server would be a good place to look for that.
>
> An ARP lookup is only done on sending, not receiving.  Since the incoming IP address is not local, there will be no ARP request made for the reply because it will be sending it to the default gateway.  (There might be an ARP request for the gateway if the entry is stale.)
>

I see what you're saying.  Thanks for pointing it out.

I suppose I'm used to smaller LAN segments where all systems are regularly communicating.

But it would not hurt to check whether that MAC address did happen to show up in the arp table.  If it were the
same as the firewall/gateway (again assuming they are one and the same), then one would have to check
the firewall to see why it isn't doing what it is assumed to be doing.


-- 
The key to getting good answers is to ask good questions.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
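The triage the thread describes (read the source MAC of the incoming SSH packets from a `tcpdump -e` capture, see whether that MAC is in the local ARP table, and decide whether the traffic came in through the gateway or from a host on the LAN segment) as an added worked example; it is not code from the thread or from Fedora. The capture lines, neighbour table, LAN prefix and gateway address are all constructed sample data.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -e -n port 22` output (not a real capture).
TCPDUMP_SAMPLE = """\
12:00:01.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 203.0.113.7.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 66:77:88:99:aa:bb > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 192.168.1.55.40000 > 192.168.1.10.22: Flags [S], seq 2, win 64240, length 0
12:00:02.000001 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.10.22 > 203.0.113.7.51234: Flags [S.], seq 3, ack 2, win 65160, length 0
12:00:03.000001 de:ad:be:ef:00:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 198.51.100.9.43000 > 192.168.1.10.22: Flags [S], seq 4, win 64240, length 0
"""
# Constructed sample of `ip neigh` output on the target host.
NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.55 dev eth0 lladdr 66:77:88:99:aa:bb STALE
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local segment
GATEWAY_IP = "192.168.1.1"                   # assumed firewall/gateway address

# Matches the link-layer and IPv4/TCP header fields tcpdump -e prints.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_neigh(text):
    """Map MAC -> IP from `ip neigh` lines; only entries with an lladdr count."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            table[parts[parts.index("lladdr") + 1]] = parts[0]
    return table

def classify_ssh_sources(tcpdump_text, neigh_text, lan=LAN, gateway_ip=GATEWAY_IP):
    """For each inbound SSH packet, say which LAN device handed it to us."""
    neigh = parse_neigh(neigh_text)
    verdicts = {}
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "22":      # only packets arriving at sshd
            continue
        sip, smac = ipaddress.ip_address(m["sip"]), m["smac"]
        hop_ip = neigh.get(smac)              # ARP only knows hosts we have sent to
        if sip in lan:
            verdict = "local host" if hop_ip == str(sip) else "local IP, MAC/IP mismatch"
        elif hop_ip == gateway_ip:
            verdict = "routed in via gateway; continue the trace on the gateway"
        elif hop_ip:
            verdict = f"non-local IP delivered by LAN host {hop_ip}, not the gateway"
        else:
            verdict = "MAC not in ARP table; look it up in DHCP leases or switch tables"
        verdicts[(str(sip), smac)] = verdict
    return verdicts

if __name__ == "__main__":
    for (ip, mac), verdict in classify_ssh_sources(TCPDUMP_SAMPLE, NEIGH_SAMPLE).items():
        print(f"{ip:<16} {mac}  {verdict}")
```

The third capture line is the target's own reply and is skipped because its destination port is not 22; the fourth shows the case the thread discusses, where the sending MAC is absent from the local ARP table and has to be traced through the DHCP server instead.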


