LinuxQuestions.org

Forum: Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: https://www.linuxquestions.org/questions/linux-security-4/need-help-with-understanding-some-ssh-attacks-im-experiencing-and-possibly-identify-their-source-4175632411/

ardabro 06-21-2018 03:36 PM

Need help with understanding some ssh attacks I'm experiencing and possibly identify their source
 
Hi all

I have an r-pi machine with an ssh server set up in my home. From time to time I connect to it from my corporate network. I have an iptables setup that bans attackers after a certain number of failed attempts. The typical attack scenario is that I see a couple of failed attempts logged in my btmp, and after the limit is exceeded I see log entries from iptables in the system log using journalctl.
That is OK.
But recently I have been observing strange ssh attacks from my corporate network. They are identified and logged by iptables, but surprisingly there are no failed attempts in btmp!
How should I understand this?
And how do I interpret all these numbers logged by iptables?
Code:

IN=eth0 OUT= MAC=b8:27:eb:9a:5b:1f:00:1b:c5:02:f4:b0:08:00:45:00:00:3c:b2:b3:40:00:38:06:73:57 SRC=<corporate_external_ip> DST=192.168.200.107 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45747 DF PROTO=TC
b8:27:eb:9a:5b:1f - this is the destination MAC
00:1b:c5:02:f4:b0 - this is my router's MAC
08:00 - this is the frame type
But what do all these remaining bytes mean: 45:00:00:3c:b2:b3:40:00:38:06:73:57 ?
Some of them look like simple counters that change from frame to frame.

Is there any way to identify the attacker, especially to find their internal IP or at least their MAC address?

regards
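
Editor's added example (not part of the thread, and not code from the poster): the MAC= field in this log line is 26 octets long. The first 14 are the Ethernet header (destination MAC, source MAC, ethertype 08:00 = IPv4); the remaining 12 are simply the first 12 bytes of the IPv4 header that follows, which the kernel's LOG target copies along when the network driver reports a link-layer header longer than 14 bytes. That is why they line up with the decoded fields: 45 = IPv4 with a 20-byte header, 00 3c = LEN=60, b2 b3 = ID=45747 (the "counter" that changes per frame), 40 00 = DF, 38 = TTL=56, 06 = PROTO=TCP, 73 57 = header checksum. The script below parses such a line, decodes those bytes with the standard library and cross-checks them against the KEY=value fields. The sample line is constructed: its MAC= field is copied from the post, SRC uses the documentation address 203.0.113.5 in place of <corporate_external_ip>, and the fields after PROTO= are plausible filler because the post's line is cut off. Note what the decode cannot give you: the source MAC is the home router's, and the IP header carries only the corporate NAT's external address, so nothing in this line identifies a host behind that NAT. A connection that iptables drops (or that closes before authentication) never reaches sshd's login accounting, which is consistent with btmp staying empty.

```python
import struct

# Constructed sample line (not from the original post's output except the MAC= field).
SAMPLE_LOG_LINE = (
    "IN=eth0 OUT= MAC=b8:27:eb:9a:5b:1f:00:1b:c5:02:f4:b0:08:00:"
    "45:00:00:3c:b2:b3:40:00:38:06:73:57 SRC=203.0.113.5 DST=192.168.200.107 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45747 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0"
)

# IANA protocol numbers for the names the LOG target prints.
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}


def parse_log_fields(line):
    """Split an iptables LOG line into a dict; bare flags such as DF or SYN map to True."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            fields[token] = True
    return fields


def fmt_mac(raw):
    """Render six bytes as the usual colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in raw)


def decode_mac_field(mac_field):
    """Decode the MAC= field: Ethernet header plus whatever extra bytes the driver exposed."""
    raw = bytes.fromhex(mac_field.replace(":", ""))
    if len(raw) < 14:
        raise ValueError("MAC field is shorter than an Ethernet header")
    result = {
        "dst_mac": fmt_mac(raw[0:6]),
        "src_mac": fmt_mac(raw[6:12]),
        "ethertype": struct.unpack("!H", raw[12:14])[0],
    }
    extra = raw[14:]
    result["extra_bytes"] = len(extra)
    # For IPv4 frames the extra bytes are the start of the IP header:
    # version/IHL, TOS, total length, identification, flags/fragment offset,
    # TTL, protocol, header checksum (12 bytes before the source address).
    if result["ethertype"] == 0x0800 and len(extra) >= 12:
        ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
            "!BBHHHBBH", extra[:12]
        )
        result["ip"] = {
            "version": ver_ihl >> 4,
            "ihl_bytes": (ver_ihl & 0x0F) * 4,
            "tos": tos,
            "total_length": total_len,
            "id": ident,
            "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl,
            "protocol": proto,
            "header_checksum": csum,
        }
    return result


def cross_check(line):
    """Compare the IP header bytes hidden in MAC= with the fields the LOG target printed.

    Returns a list of (name, value_from_header_bytes, value_from_fields, matches).
    """
    fields = parse_log_fields(line)
    ip = decode_mac_field(fields["MAC"])["ip"]
    checks = [
        ("LEN", ip["total_length"], int(fields["LEN"])),
        ("ID", ip["id"], int(fields["ID"])),
        ("TTL", ip["ttl"], int(fields["TTL"])),
        ("TOS", ip["tos"], int(fields["TOS"], 16)),
        ("DF", ip["df"], fields.get("DF") is True),
        ("PROTO", ip["protocol"], PROTO_NUMBERS.get(fields["PROTO"])),
    ]
    return [(name, a, b, a == b) for name, a, b in checks]


if __name__ == "__main__":
    decoded = decode_mac_field(parse_log_fields(SAMPLE_LOG_LINE)["MAC"])
    print("dst MAC:", decoded["dst_mac"], " src MAC (router):", decoded["src_mac"])
    print("extra bytes after ethertype:", decoded["extra_bytes"])
    for key, value in decoded["ip"].items():
        print(f"  {key:>16}: {value}")
    for name, from_hdr, from_field, ok in cross_check(SAMPLE_LOG_LINE):
        print(f"{name:>6}: header={from_hdr} field={from_field} {'ok' if ok else 'MISMATCH'}")
```

Running it against a real journalctl line only needs the MAC=, LEN, TOS, TTL, ID, DF and PROTO fields, so the truncation after PROTO= in the post does not matter; a MISMATCH on any row would indicate the extra bytes are not an IPv4 header on that interface.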

Habitual 06-21-2018 03:58 PM

https://duckduckgo.com/?q=45%3A00%3A00%3A3c
Sure is interesting.

Just sayin'

Habitual 06-22-2018 10:55 AM

"mining" ???
