with some work, you can limit the filter on capture to screen out all but the traffic you want to see.
the web should have lots of 'how to' clips. good luck, ... On Thu, Jan 30, 2020 at 5:12 PM Michael Eager <[email protected]> wrote: > Thanks. I'll give that a try. > > On 1/30/20 1:49 PM, Jack Craig wrote: > > wireshark -> tcpdump on dst=port# src = all > > ?? > > > > > > On Thu, Jan 30, 2020 at 1:13 PM Michael Eager <[email protected] > > <mailto:[email protected]>> wrote: > > > > When I look at /var/log/secure or run journalctl on my workstation, I > > see failed SSH login attempts from a variety of IP addresses. The > > attempts are every 3-12 minutes. > > > > /etc/ssh/sshd_config contains: > > PasswordAuthentication no > > > > The workstation is on a LAN behind an EdgeRouter firewall. No > Internet- > > accessible ports are forwarded to the workstation. The LAN has a > > variety of servers, NAS boxes, WiFi access points, WiFi-connected > > laptops, etc. > > > > A typical /var/log/secure entry looks like this: > > Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from > > 124.204.36.138 port 37394 > > Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from > > 124.204.36.138 port 37394:11: Bye Bye [preauth] > > Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user > > jackiehulu 124.204.36.138 port 37394 [preauth] > > > > The corresponding journalctl is: > > Jan 30 12:43:51 redwood.eagercon.com <http://redwood.eagercon.com> > > audit[21228]: USER_ERR pid=21228 > > uid=0 auid=4294967295 ses=4294967295 > > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident > > grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138 > > addr=124.204.36.138 terminal=ssh res=failed' > > > > I'm assuming that something on the network has been compromised, > > allowing SSH login attempts on the LAN. Other than turning off > > each server/AP/laptop/etc, one at a time, to find when the accesses > > stop, is there any way to find out where the SSH attempt is coming > from? > > > > -- Mike Eager > > _______________________________________________ > > users mailing list -- [email protected] > > <mailto:[email protected]> > > To unsubscribe send an email to [email protected] > > <mailto:[email protected]> > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > > https://lists.fedoraproject.org/archives/list/[email protected] > > > > > > _______________________________________________ > > users mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > > > > > -- > Michael Eager [email protected] > 1960 Park Blvd., Palo Alto, CA 94306 > _______________________________________________ > users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] >
_______________________________________________ users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
