Re: Tracking down SSH access

2020-02-01 Thread Ed Greshko
On 2020-02-02 04:05, Michael Eager wrote: > The access attempts > were infrequent because someone had to run a port scanner and find > the non-standard port, rather than just banging on port 22. No need to run a port scanner when you pick port . -- The key to getting good answers is to ask g

Re: Tracking down SSH access

2020-02-01 Thread Michael Eager
On 1/30/20 1:12 PM, Michael Eager wrote: When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH login attempts from a variety of IP addresses.  The attempts are every 3-12 minutes. /etc/ssh/sshd_config contains: PasswordAuthentication no The workstation is on a LAN

Re: Tracking down SSH access

2020-02-01 Thread Samuel Sieb
On 2/1/20 12:58 AM, Bill Shirley wrote: Assuming the subnet is 192.168.0.0/24: nmap -sP 192.168.0.0/24 should populate the ARP table. Have you tried that? I was surprised by it because however nmap works, it does not create entries in the ARP table. Maybe because it's creating raw packets a

Re: Tracking down SSH access

2020-02-01 Thread Tim via users
On Thu, 2020-01-30 at 13:12 -0800, Michael Eager wrote: > ... The LAN has a variety of servers, NAS boxes, WiFi access points, > WiFi-connected laptops, etc. > > ... > > I'm assuming that something on the network has been compromised, > allowing SSH login attempts on the LAN. Other than turning of

Re: Tracking down SSH access

2020-02-01 Thread Bill Shirley
Assuming the subnet is 192.168.0.0/24: nmap -sP 192.168.0.0/24 should populate the ARP table. Bill On 1/31/2020 5:16 PM, Samuel Sieb wrote: On 1/31/20 1:52 PM, Ed Greshko wrote: On 2020-02-01 04:56, Samuel Sieb wrote: I thought about that, but it's only useful for mapping back from the MAC add

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-02-01 13:26, Ed Greshko wrote: > I'm pretty sure we tracked down what happened using arp to some degree. OK  Maybe it wasn't that simple. I just found my emails from 15 years ago.  Glad I didn't delete them.  :-) Turns out we saw the return/reject packets at the GW/FW which had I

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-02-01 12:40, Samuel Sieb wrote: > On 1/31/20 8:33 PM, Ed Greshko wrote: >> On 2020-02-01 06:16, Samuel Sieb wrote: >>> An ARP lookup is only done on sending, not receiving. >> >> Humm  That appears to be incorrect. > > [snip arp test] > > You're missing an important piece.  When you mak

Re: Tracking down SSH access

2020-01-31 Thread Samuel Sieb
On 1/31/20 8:33 PM, Ed Greshko wrote: On 2020-02-01 06:16, Samuel Sieb wrote: An ARP lookup is only done on sending, not receiving. Humm  That appears to be incorrect. [snip arp test] You're missing an important piece. When you make a tcp connection, the target computer has to send pa

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-02-01 06:16, Samuel Sieb wrote: > An ARP lookup is only done on sending, not receiving.  Humm  That appears to be incorrect. I have 3 systems on a LAN. 192.168.122.1 meimei   (also the gateway) 192.168.122.2 frk 192.168.122.152   f31k I ssh into frk and f31k from meimei and

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-02-01 06:16, Samuel Sieb wrote: > On 1/31/20 1:52 PM, Ed Greshko wrote: >> On 2020-02-01 04:56, Samuel Sieb wrote: >>> I thought about that, but it's only useful for mapping back from the MAC >>> address and that would only work if the computers are talking directly >>> using local addres

Re: Tracking down SSH access

2020-01-31 Thread Samuel Sieb
On 1/31/20 1:52 PM, Ed Greshko wrote: On 2020-02-01 04:56, Samuel Sieb wrote: I thought about that, but it's only useful for mapping back from the MAC address and that would only work if the computers are talking directly using local addresses.  Only the attacking computer would have an arp en

Re: Tracking down SSH access

2020-01-31 Thread Roger Heflin
Do you have anything defined as a DMZ node/ipaddress on the firewall? On Fri, Jan 31, 2020 at 3:53 PM Ed Greshko wrote: > > On 2020-02-01 04:56, Samuel Sieb wrote: > > On 1/31/20 12:35 PM, Ed Greshko wrote: > >> On 2020-02-01 04:31, Samuel Sieb wrote: > >>> Your original post was completely clear

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-02-01 04:56, Samuel Sieb wrote: > On 1/31/20 12:35 PM, Ed Greshko wrote: >> On 2020-02-01 04:31, Samuel Sieb wrote: >>> Your original post was completely clear.  However, something is happening >>> on your network that you aren't aware of.  The fact that you are getting >>> connections fr

Re: Tracking down SSH access

2020-01-31 Thread Samuel Sieb
On 1/31/20 12:35 PM, Ed Greshko wrote: On 2020-02-01 04:31, Samuel Sieb wrote: Your original post was completely clear.  However, something is happening on your network that you aren't aware of.  The fact that you are getting connections from an external IP address means that somehow there is

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-02-01 04:31, Samuel Sieb wrote: > On 1/31/20 6:37 AM, Michael Eager wrote: >> Apparently, my original post was not as clear as I thought. >> >> Password authentication on the workstation is disabled and port 22 >> is not forwarded by the firewall. >> >> Fail2ban would not answer the questio

Re: Tracking down SSH access

2020-01-31 Thread Samuel Sieb
On 1/31/20 6:37 AM, Michael Eager wrote: Apparently, my original post was not as clear as I thought. Password authentication on the workstation is disabled and port 22 is not forwarded by the firewall. Fail2ban would not answer the question of where the SSH access is coming from on the LAN.  If

Re: Tracking down SSH access

2020-01-31 Thread George N. White III
On Thu, 30 Jan 2020 at 17:13, Michael Eager wrote: > When I look at /var/log/secure or run journalctl on my workstation, I > see failed SSH login attempts from a variety of IP addresses. The > attempts are every 3-12 minutes. > > /etc/ssh/sshd_config contains: > PasswordAuthentication no > > The

Re: Tracking down SSH access

2020-01-31 Thread Ed Greshko
On 2020-01-31 22:37, Michael Eager wrote: > Apparently, my original post was not as clear as I thought. > > Password authentication on the workstation is disabled and port 22 > is not forwarded by the firewall. > > Fail2ban would not answer the question of where the SSH access is coming > from on t

Re: Tracking down SSH access

2020-01-31 Thread Michael Eager
Apparently, my original post was not as clear as I thought. Password authentication on the workstation is disabled and port 22 is not forwarded by the firewall. Fail2ban would not answer the question of where the SSH access is coming from on the LAN. If something on the LAN is forwarding SSH co

Re: Tracking down SSH access

2020-01-30 Thread Ed Greshko
On 2020-01-31 05:12, Michael Eager wrote: > When I look at /var/log/secure or run journalctl on my workstation, I > see failed SSH login attempts from a variety of IP addresses.  The > attempts are every 3-12 minutes. > > /etc/ssh/sshd_config contains: > PasswordAuthentication no > > The workstatio

Re: Tracking down SSH access

2020-01-30 Thread Roger Heflin
Echoing what Samuel says. If you have non-local IP addresses from a lot of different ranges, then port 22 from the internet is being forwarded by something to this server. I have a port 22 forwarded to a machine, and it does get almost continuous attempts (many an hour) trying various accounts. #1: disa

Re: Tracking down SSH access

2020-01-30 Thread Jack Craig
One more bit: when you get to the command line ssh ... , throw in a bunch of -v to crank up verbosity On Thu, Jan 30, 2020 at 5:18 PM Jack Craig wrote: > with some work, you can limit the filter on capture to screen out all but > the traffic you want to see. > > the web should have lots of 'how

Re: Tracking down SSH access

2020-01-30 Thread Jack Craig
With some work, you can limit the filter on capture to screen out all but the traffic you want to see. The web should have lots of 'how to' clips. Good luck, ... On Thu, Jan 30, 2020 at 5:12 PM Michael Eager wrote: > Thanks. I'll give that a try. > > On 1/30/20 1:49 PM, Jack Craig wrote: > >

Re: Tracking down SSH access

2020-01-30 Thread Michael Eager
Thanks. I'll give that a try. On 1/30/20 1:49 PM, Jack Craig wrote: wireshark -> tcpdump on dst=port# src = all ?? On Thu, Jan 30, 2020 at 1:13 PM Michael Eager wrote: When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH l

Re: Tracking down SSH access

2020-01-30 Thread Jack Craig
wireshark -> tcpdump on dst=port# src = all ?? On Thu, Jan 30, 2020 at 1:13 PM Michael Eager wrote: > When I look at /var/log/secure or run journalctl on my workstation, I > see failed SSH login attempts from a variety of IP addresses. The > attempts are every 3-12 minutes. > > /etc/ssh/sshd_c

Re: Tracking down SSH access

2020-01-30 Thread Samuel Sieb
On 1/30/20 1:12 PM, Michael Eager wrote: When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH login attempts from a variety of IP addresses.  The attempts are every 3-12 minutes. The workstation is on a LAN behind an EdgeRouter firewall.  No Internet-accessible p

Tracking down SSH access

2020-01-30 Thread Michael Eager
When I look at /var/log/secure or run journalctl on my workstation, I see failed SSH login attempts from a variety of IP addresses. The attempts are every 3-12 minutes. /etc/ssh/sshd_config contains: PasswordAuthentication no The workstation is on a LAN behind an EdgeRouter firewall. No Intern