On Thu, 30 Jan 2020 at 17:13, Michael Eager <ea...@eagercon.com> wrote:
> When I look at /var/log/secure or run journalctl on my workstation, I > see failed SSH login attempts from a variety of IP addresses. The > attempts are every 3-12 minutes. > > /etc/ssh/sshd_config contains: > PasswordAuthentication no > > The workstation is on a LAN behind an EdgeRouter firewall. No Internet- > accessible ports are forwarded to the workstation. The LAN has a > variety of servers, NAS boxes, WiFi access points, WiFi-connected > laptops, etc. > Do you manage the network so you can check things like the firewall's software version and have access to a list of mac addresses for devices on your network? Is the firewall running the current software? Does the router do NAT translation? Are there other (external 3rd party) WiFi networks visible to systems on your LAN? Are there BYOD's such as smart phones that could be connected to the internet via cellular data networks? > > A typical /var/log/secure entry looks like this: > Jan 30 12:43:50 redwood sshd[21228]: Invalid user jackiehulu from > 124.204.36.138 port 37394 > Jan 30 12:43:51 redwood sshd[21228]: Received disconnect from > 124.204.36.138 port 37394:11: Bye Bye [preauth] > Jan 30 12:43:51 redwood sshd[21228]: Disconnected from invalid user > jackiehulu 124.204.36.138 port 37394 [preauth] > > The corresponding journalctl is: > Jan 30 12:43:51 redwood.eagercon.com audit[21228]: USER_ERR pid=21228 > uid=0 auid=4294967295 ses=4294967295 > subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident > grantors=? acct="?" exe="/usr/sbin/sshd" hostname=124.204.36.138 > addr=124.204.36.138 terminal=ssh res=failed' > > I'm assuming that something on the network has been compromised, > allowing SSH login attempts on the LAN. Other than turning off > each server/AP/laptop/etc, one at a time, to find when the accesses > stop, is there any way to find out where the SSH attempt is coming from? > A compromised system is unlikely to allow access to a large number of external sites, so it is more likely to be a device (maybe inadvertently) bridging a cellular data network or an external system connecting to your LAN. There have been cases where bad actors just plugged in a small system to gain access to a LAN. As Ed suggested, getting the mac address is a start, but it may be spoofed or a device you didn't know existed: personal device, IoT device (HVAC, security camera, etc.), or computer used to control equipment that was not supposed to be connected to the network. -- George N. White III
_______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
