On 26/07/13 07:42, J B wrote:
Dear list,
I'm suffering from a very serious issue and seek guidance.
I have a Debian server at my place which is attached to a leased line connection, and I use this box as a gateway.
I administer a remote openSUSE Linux server through this Debian box and I use the pubkey auth mechanism to log into the remote Linux server.
At the remote Linux server, I can find huge numbers of brute force ssh attempts at different ports, and surprisingly the attempts are made with the same username which I actually use to log into the remote box. Some of the messages from the log are as below:
```````````````````````````````
accepted public key from<username_of_my_local_box>
from<WAN_IP_of_my_local_box> port 50574 ssh2
```````````````````````````
The attacks are random, with a serially incrementing port number.
If I block the ssh connections through a connection limit in the firewall at the remote box, it actually blocks me from logging in further.
Could anyone suggest what is happening on my local box?
A rootkit? Local box compromise? What is it?
Please suggest.
Thanks
Thanks
That doesn't look like a "brute force attack", that's just a normal
*successful* ssh login.
Do you have anything on your local box that performs any ssh connection
to the remote box, like rsync, scp, sftp etc? Perhaps a cron job.
Do these "attacks" happen at fixed times or regular intervals?
Do you use ssh to connect between the boxes a lot?
If you still can't identify the source of these connections, it could be
that your login on your local box has been compromised. Check the auth
log on that to see when 'username' has been accessed.
--
Dom
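Dom's checklist (look for a scripted ssh client on the local box, and for logins at fixed intervals) can be applied to the remote box's sshd log mechanically. The script below is an added example, not part of the thread; it parses constructed "Accepted publickey" lines in the standard sshd format (hypothetical user "jb", documentation-range addresses, invented timestamps) and reports, per user and source address, how the logins cluster in time and whether the client source ports climb serially as J B observed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the standard sshd "Accepted ... ssh2" format
# (hypothetical user "jb", documentation-range IPs, invented timestamps).
SAMPLE_AUTH_LOG = """\
Jul 26 02:00:01 suse sshd[4101]: Accepted publickey for jb from 203.0.113.7 port 50574 ssh2
Jul 26 02:00:02 suse sshd[4102]: Accepted publickey for jb from 203.0.113.7 port 50575 ssh2
Jul 26 03:00:01 suse sshd[4188]: Accepted publickey for jb from 203.0.113.7 port 50580 ssh2
Jul 26 03:00:02 suse sshd[4189]: Accepted publickey for jb from 203.0.113.7 port 50581 ssh2
Jul 26 04:00:01 suse sshd[4250]: Accepted publickey for jb from 203.0.113.7 port 50590 ssh2
Jul 26 09:12:30 suse sshd[4999]: Accepted publickey for jb from 198.51.100.9 port 41022 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2")

def parse_accepted(text, year=2013):
    """(timestamp, user, ip, source_port) per accepted login; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"], int(m["port"])))
    return events

def summarise(events, burst_gap=10):
    """Per (user, source ip): group logins into bursts (< burst_gap seconds apart,
    as a scripted scp/rsync run produces), measure spacing between bursts
    (identical gaps point at a cron job) and check whether client source ports
    only ever climb (one client host handing out ephemeral ports in order)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[(ev[1], ev[2])].append(ev)
    report = {}
    for key, evs in by_src.items():
        bursts = [[evs[0]]]
        for ev in evs[1:]:
            if (ev[0] - bursts[-1][-1][0]).total_seconds() < burst_gap:
                bursts[-1].append(ev)
            else:
                bursts.append([ev])
        gaps = [int((b[0][0] - a[0][0]).total_seconds()) for a, b in zip(bursts, bursts[1:])]
        ports = [ev[3] for ev in evs]
        report[key] = {"logins": len(evs), "bursts": len(bursts), "burst_gaps_s": gaps,
                       "regular": len(gaps) >= 2 and len(set(gaps)) == 1,
                       "ports_increasing": all(a < b for a, b in zip(ports, ports[1:]))}
    return report
```

A source whose bursts recur at an identical gap with climbing ports is far more consistent with a cron-driven transfer from one client than with an attack; compare those burst times against the local box's crontab and its own auth log, as Dom suggests.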