On Thu, 2020-01-30 at 13:12 -0800, Michael Eager wrote:
> ... The LAN has a variety of servers, NAS boxes, WiFi access points,
> WiFi-connected laptops, etc.
>
> ...
>
> I'm assuming that something on the network has been compromised,
> allowing SSH login attempts on the LAN. Other than turning off
> each server/AP/laptop/etc, one at a time, to find when the accesses
> stop, is there any way to find out where the SSH attempt is coming
> from?

Considering the timespan of this thread, disconnecting likely devices
might have been a quicker method.

Anything that offers cloud services (doing backups, remote access to
your NAS, etc.) is the first thing I'd look at. All it takes is for one
of those remote services to be exploitable, like so many are.

E.g. WiFi surveillance cameras: they often have cloud access, and their
cloud services are often easily compromised, and so are the devices.
Their cameras come with predefined access codes, and someone has worked
out the pattern (you don't set up a random new account, you use the code
printed on a sticker to use an account already waiting for you). So
they step through the permutations trying to connect.

--
uname -rsvp
Linux 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
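
For the question quoted in this message (finding which LAN host the SSH attempts come from), an added example that is not part of the original post: it tallies failed sshd logins per source address inside the LAN and joins them with the neighbour table to get a MAC address, which stays stable when DHCP leases change. The log lines, the `ip neigh` output, the 192.168.1.0/24 subnet and the function name are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not from the thread): sshd log lines and `ip neigh` output.
SSHD_LOG = """\
Jan 30 13:01:02 server sshd[2101]: Failed password for invalid user admin from 192.168.1.23 port 51234 ssh2
Jan 30 13:01:05 server sshd[2101]: Failed password for root from 192.168.1.23 port 51236 ssh2
Jan 30 13:01:09 server sshd[2107]: Accepted publickey for michael from 192.168.1.10 port 40022 ssh2
Jan 30 13:02:11 server sshd[2110]: Failed password for root from 203.0.113.5 port 33100 ssh2
Jan 30 13:02:15 server sshd[2113]: Failed password for invalid user pi from 192.168.1.23 port 51240 ssh2
Jan 30 13:03:00 server sshd[2120]: Failed password for invalid user test from 192.168.1.77 port 60001 ssh2
"""
NEIGH = """\
192.168.1.10 dev enp3s0 lladdr 52:54:00:aa:00:10 REACHABLE
192.168.1.23 dev enp3s0 lladdr 52:54:00:aa:00:23 STALE
192.168.1.1 dev enp3s0 lladdr 52:54:00:aa:00:01 REACHABLE
"""

# Matches "Failed password for [invalid user] NAME from ADDR port N".
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+")
# Matches "ADDR dev IFACE lladdr MAC ..." lines of `ip neigh`.
LLADDR = re.compile(r"^(\S+) dev \S+ lladdr (\S+)", re.M)

def lan_ssh_sources(log_text, neigh_text, lan="192.168.1.0/24"):
    """Return [(ip, failed_count, mac_or_None)] for failed logins from inside `lan`."""
    network = ipaddress.ip_network(lan)  # assumed LAN subnet
    macs = dict(LLADDR.findall(neigh_text))
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or junk in the address field
        if addr in network:
            counts[str(addr)] += 1
    # Most active source first; MAC is None if the host is not in the neighbour table.
    return [(ip, n, macs.get(ip)) for ip, n in counts.most_common()]

if __name__ == "__main__":
    for ip, n, mac in lan_ssh_sources(SSHD_LOG, NEIGH):
        print(f"{ip:15} {n:3} failed  MAC {mac or 'not in neighbour table'}")
```

The MAC can then be matched against the DHCP server's lease list or the access point's client list to name the device.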