one more bit, when you get to the command line ssh ... , throw in a bunch of -v to crank up verbosity
On Thu, Jan 30, 2020 at 5:18 PM Jack Craig <jack.craig.ap...@gmail.com> wrote:
> with some work, you can limit the filter on capture to screen out all but
> the traffic you want to see.
>
> the web should have lots of 'how to' clips.
>
> good luck, ...
>
> On Thu, Jan 30, 2020 at 5:12 PM Michael Eager <ea...@eagercon.com> wrote:
>
>> Thanks. I'll give that a try.
>>
>> On 1/30/20 1:49 PM, Jack Craig wrote:
>> > wireshark -> tcpdump on dst=port# src = all
>> > ??
>> >
>> > On Thu, Jan 30, 2020 at 1:13 PM Michael Eager <ea...@eagercon.com> wrote:
>> >
>> > When I look at /var/log/secure or run journalctl on my workstation, I
>> > see failed SSH login attempts from a variety of IP addresses. The
>> > attempts are every 3-12 minutes.
>> >
>> > /etc/ssh/sshd_config contains:
>> > PasswordAuthentication no
>> >
>> > The workstation is on a LAN behind an EdgeRouter firewall. No
>> > Internet-accessible ports are forwarded to the workstation. The LAN has a
>> > variety of servers, NAS boxes, WiFi access points, WiFi-connected
>> > laptops, etc.
>> >
>> > A typical /var/log/secure entry looks like this:
>> > Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from 124.204.36.138 port 37394
>> > Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from 124.204.36.138 port 37394:11: Bye Bye [preauth]
>> > Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user jackiehulu 124.204.36.138 port 37394 [preauth]
>> >
>> > The corresponding journalctl is:
>> > Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138 addr=124.204.36.138 terminal=ssh res=failed'
>> >
>> > I'm assuming that something on the network has been compromised,
>> > allowing SSH login attempts on the LAN. Other than turning off
>> > each server/AP/laptop/etc, one at a time, to find when the accesses
>> > stop, is there any way to find out where the SSH attempt is coming from?
>> >
>> > -- Mike Eager
>> > _______________________________________________
>> > users mailing list -- users@lists.fedoraproject.org
>> > To unsubscribe send an email to users-le...@lists.fedoraproject.org
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
>>
>> --
>> Michael Eager ea...@eagercon.com
>> 1960 Park Blvd., Palo Alto, CA 94306
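One way to get a first answer to Mike's question from the log itself, as an added example that is not part of the thread: parse the sshd "Invalid user" entries in the format shown above, group the attempts by source address, and check whether each address falls in a private (LAN) range or a public one. A private source points at a host inside the firewall; a public source means the connections are reaching the workstation from outside regardless of what is believed about port forwarding. The sample log is constructed from the entry quoted in the thread plus two made-up entries (192.168.1.23 is invented).

```python
import ipaddress
import re
from collections import defaultdict

# Matches the sshd "Invalid user" line shape quoted in the thread:
# syslog timestamp, host, sshd[pid], user name, source address, source port.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Invalid user (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)

# Constructed sample: the first three lines are the entry from the thread; the
# last two are made up, one of them from a private (LAN) address.
SAMPLE_LOG = """\
Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from 124.204.36.138 port 37394
Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from 124.204.36.138 port 37394:11: Bye Bye [preauth]
Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user jackiehulu 124.204.36.138 port 37394 [preauth]
Jan 30 12:51:02 redwood sshd[21301]: Invalid user admin from 124.204.36.138 port 40112
Jan 30 12:55:40 redwood sshd[21377]: Invalid user test from 192.168.1.23 port 51020
"""


def parse_invalid_users(text):
    """Return (timestamp, user, source address) for every 'Invalid user' line.
    The disconnect lines for the same session are ignored so each attempt counts once."""
    events = []
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("addr")))
    return events


def summarize_sources(events):
    """Group attempts by source address and tag each address as 'private'
    (RFC 1918, link-local, loopback) or 'public' using the ipaddress module."""
    by_addr = defaultdict(lambda: {"count": 0, "users": set(), "scope": "public"})
    for _ts, user, addr in events:
        entry = by_addr[addr]
        entry["count"] += 1
        entry["users"].add(user)
        entry["scope"] = "private" if ipaddress.ip_address(addr).is_private else "public"
    return dict(by_addr)


if __name__ == "__main__":
    for addr, info in summarize_sources(parse_invalid_users(SAMPLE_LOG)).items():
        print(f"{addr:16} {info['scope']:8} attempts={info['count']} users={sorted(info['users'])}")
```

Run it against `/var/log/secure` (or `journalctl -u sshd`) output instead of the sample; a private source address is the host to look at with the tcpdump approach Jack suggests.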