LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-21-2018, 03:36 PM   #1
ardabro
LQ Newbie
 
Registered: May 2015
Location: Katowice, Poland
Distribution: Debian, Ubuntu
Posts: 28

Rep: Reputation: Disabled
Question Need help with understanding some ssh attacks I'm experiencing and possibly identify their source


Hi all

I have r-pi machine with ssh server set up in my home. From time to time I connect to it from corporate network. I have iptables setup that bans attackers after a certain number of failed attempts. The typical attack scenario is that I see a couple of failed attempts logged in my btmp and after the limit is exceeded I see log entries from iptables in system log using journalctl.
That is OK.
But recently I observe strange ssh attacks from my corporate network. They are identified and logged by iptables but surprisingly there are no failed attempts in btmp!
How to understand this fact?
And how to interpret all these numbers logged by iptables?
Code:
IN=eth0 OUT= MAC=b8:27:eb:9a:5b:1f:00:1b:c5:02:f4:b0:08:00:45:00:00:3c:b2:b3:40:00:38:06:73:57 SRC=<corporate_external_ip> DST=192.168.200.107 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45747 DF PROTO=TC
b8:27:eb:9a:5b:1f - this is destination MAC
00:1b:c5:02:f4:b0 - this is my router MAC
08:00 - this is frame type
But what do all these remaining bytes mean: 45:00:00:3c:b2:b3:40:00:38:06:73:57 ?
Some of them looks like simple counters, that change from frame to frame.

Is there any way to identify the attacker? esp. find their internal IP or at least MAC address?

regards
 
Old 06-21-2018, 03:58 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,209
Blog Entries: 37

Rep: Reputation: Disabled
https://duckduckgo.com/?q=45%3A00%3A00%3A3c
sure is Interesting

Just sayin'
 
Old 06-22-2018, 10:55 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,209
Blog Entries: 37

Rep: Reputation: Disabled
"mining" ???
 
  


Reply

Tags
iptables, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
possible SSH dictionary attacks. rwilcher Linux - Security 3 10-09-2014 04:48 AM
SSH Bruteforce attacks yodds Linux - Security 2 05-03-2013 07:57 AM
Help understanding and possibly improving a script I found jamtat Programming 4 09-21-2012 02:21 PM
Slow ssh attacks david1941 Linux - Security 8 11-29-2009 06:17 PM
SSH attacks, a new approach david1941 Linux - Security 10 09-13-2008 01:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration