wireshark -> tcpdump on dst=port# src = all
??

On Thu, Jan 30, 2020 at 1:13 PM Michael Eager <ea...@eagercon.com> wrote:

> When I look at /var/log/secure or run journalctl on my workstation, I
> see failed SSH login attempts from a variety of IP addresses.  The
> attempts are every 3-12 minutes.
>
> /etc/ssh/sshd_config contains:
> PasswordAuthentication no
>
> The workstation is on a LAN behind an EdgeRouter firewall.  No Internet-
> accessible ports are forwarded to the workstation.  The LAN has a
> variety of servers, NAS boxes, WiFi access points, WiFi-connected
> laptops, etc.
>
> A typical /var/log/secure entry looks like this:
> Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from
> 124.204.36.138 port 37394
> Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from
> 124.204.36.138 port 37394:11: Bye Bye [preauth]
> Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user
> jackiehulu 124.204.36.138 port 37394 [preauth]
>
> The corresponding journalctl is:
> Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident
> grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138
> addr=124.204.36.138 terminal=ssh res=failed'
>
> I'm assuming that something on the network has been compromised,
> allowing SSH login attempts on the LAN.  Other than turning off
> each server/AP/laptop/etc, one at a time, to find when the accesses
> stop, is there any way to find out where the SSH attempt is coming from?
>
> -- Mike Eager
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
>
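One way to triage the sshd log lines before reaching for tcpdump is to pull the source addresses out of /var/log/secure and ask whether each one is a private (LAN) address or a public Internet address: a LAN host relaying connections would normally show its own private address as the TCP source. The following is an added example (Python, not from the thread or from sshd); SAMPLE_LOG combines the post's own log lines with constructed ones, and 192.168.1.23 is an assumed LAN address, not one from the post.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: the three lines quoted in the post, plus two added lines
# (the 192.168.1.23 host and the 12:55:40 attempt are assumed, not from the post).
SAMPLE_LOG = """\
Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from 124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from 124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user jackiehulu 124.204.36.138 port 37394 [preauth]
Jan 30 12:51:02 redwood sshd[21301]: Invalid user admin from 192.168.1.23 port 50122
Jan 30 12:55:40 redwood sshd[21344]: Invalid user test from 124.204.36.138 port 40110
"""

# Matches the "Invalid user X from IP port N" line sshd writes before authentication.
# The user name may be empty (sshd then prints two spaces), hence \S*.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_invalid_user_lines(text: str) -> List[dict]:
    """Extract one event per 'Invalid user' line; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address; skip rather than crash on odd log lines
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine
        # for computing gaps between events on the same day.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m.group("user"), "ip": m.group("ip"),
                       "port": int(m.group("port"))})
    return events


def classify_sources(events: List[dict]) -> Dict[str, Tuple[int, str]]:
    """Map each source IP to (attempt count, 'private' or 'public')."""
    counts = Counter(e["ip"] for e in events)
    return {
        ip: (n, "private" if ipaddress.ip_address(ip).is_private else "public")
        for ip, n in counts.items()
    }


def lan_suspects(events: List[dict]) -> List[str]:
    """Source addresses that belong to private ranges, i.e. hosts on the LAN itself."""
    return sorted(ip for ip, (_, kind) in classify_sources(events).items()
                  if kind == "private")


def attempt_intervals_seconds(events: List[dict]) -> List[int]:
    """Seconds between consecutive attempts, to compare with the '3-12 minutes' cadence."""
    stamps = sorted(e["ts"] for e in events)
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    evs = parse_invalid_user_lines(SAMPLE_LOG)
    for ip, (n, kind) in classify_sources(evs).items():
        print(f"{ip:16} {kind:8} {n} attempt(s)")
    print("LAN-origin sources:", lan_suspects(evs))
    print("gaps (s):", attempt_intervals_seconds(evs))
```

Run it against the real file with `parse_invalid_user_lines(open("/var/log/secure").read())`. A public source such as 124.204.36.138 means the TCP connection itself arrived with an Internet address, so a packet capture on port 22 (as the reply suggests) is the next step: it shows which MAC address on the LAN segment the packets actually came from, which a private source address in this summary would point to directly.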