Re: Tracking down SSH access


 



On 2020-02-01 12:40, Samuel Sieb wrote:
> On 1/31/20 8:33 PM, Ed Greshko wrote:
>> On 2020-02-01 06:16, Samuel Sieb wrote:
>>> An ARP lookup is only done on sending, not receiving.
>>
>> Humm....  That appears to be incorrect.
>
> [snip arp test]
>
> You're missing an important piece.  When you make a tcp connection, the target computer has to send packets back, so needs to arp.  In the OP's case, the sending IP address is not on the local subnet, so to send a reply, the targeted computer has to arp the gateway to send a reply.  In your example, all the computers are on the same subnet. 

Yes, but if the packets aren't coming via the firewall as the OP contends (and he hasn't revealed if the fw and gateway are one and the same) then it must be coming from a rogue system with an alternate internet connection.

If that rogue system is also on the same LAN then the targeted system needs to know the ARP address of where to send the rejection packets.

It has been close to 15 years, but we had that situation at a company I worked at.  When the company was bought by British Telecom they installed their networking and firewall with restrictions that chafed at one department.  One restriction being that the firewall would not allow incoming connections.  They wanted their remote workers to be able to telnet in.  VPN wasn't an option either.

But the folks in that department had enough weight that they were able to order a circuit from Chungwa Telecom for their own use without BT's knowledge.  They "goofed" and packets from their connection found their way onto the BT side.

I'm pretty sure we tracked down what happened using arp to some degree.

-- 
The key to getting good answers is to ask good questions.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
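The check the thread is circling around, written out as an added example (not code from anyone in the thread): on the targeted host, a packet from an off-subnet source IP should arrive from the gateway's MAC, because that is the only neighbour that can carry it in; an off-subnet source arriving from some other LAN MAC points at a rogue uplink. The neighbour table and frames below are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed neighbour table in `ip neigh show` style (hypothetical values).
NEIGH_TABLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.77 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
"""

# Constructed inbound frames as (source MAC, source IP), e.g. from a capture
# on the targeted host's LAN interface.
FRAMES = [
    ("00:11:22:33:44:01", "203.0.113.9"),    # off-subnet, arrived via gateway MAC: expected
    ("00:11:22:33:44:20", "192.168.1.20"),   # local peer, MAC matches neighbour table
    ("00:11:22:33:44:77", "198.51.100.42"),  # off-subnet, but from a non-gateway LAN MAC
]


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `ip neigh` output; entries without lladdr are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def find_rogue_paths(frames, neigh: Dict[str, str], local_net: str,
                     gateway_ip: str) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, reason) for frames whose source MAC does not fit the IP."""
    net = ipaddress.ip_network(local_net)
    gw_mac = neigh[gateway_ip]
    hits = []
    for mac, ip in frames:
        mac = mac.lower()
        if ipaddress.ip_address(ip) in net:
            # Local source: MAC should match what ARP already learned for it.
            known = neigh.get(ip)
            if known is not None and known != mac:
                hits.append((mac, ip, "local IP from MAC not in neighbour table"))
        elif mac != gw_mac:
            # Off-subnet source that did not come through the gateway.
            hits.append((mac, ip, "off-subnet IP from non-gateway MAC"))
    return hits


if __name__ == "__main__":
    for hit in find_rogue_paths(FRAMES, parse_neigh(NEIGH_TABLE),
                                "192.168.1.0/24", "192.168.1.1"):
        print(hit)
```

On a real host, the MAC reported for the suspect frame can be looked up in the neighbour table (or the switch's MAC table) to locate the machine carrying the extra circuit.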