Old 06-21-2018, 04:36 PM   #1
LQ Newbie
Registered: May 2015
Location: Katowice, Poland
Distribution: Debian, Ubuntu
Posts: 28

Question Need help with understanding some ssh attacks I'm experiencing and possibly identify their source

Hi all

I have an r-pi machine with an ssh server set up in my home. From time to time I connect to it from the corporate network. I have an iptables setup that bans attackers after a certain number of failed attempts. The typical attack scenario is that I see a couple of failed attempts logged in my btmp, and after the limit is exceeded I see log entries from iptables in the system log using journalctl.
That is OK.
But recently I have observed strange ssh attacks from my corporate network. They are identified and logged by iptables, but surprisingly there are no failed attempts in btmp!
How should I understand this?
And how do I interpret all these numbers logged by iptables?
IN=eth0 OUT= MAC=b8:27:eb:9a:5b:1f:00:1b:c5:02:f4:b0:08:00:45:00:00:3c:b2:b3:40:00:38:06:73:57 SRC=<corporate_external_ip> DST= LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45747 DF PROTO=TC
b8:27:eb:9a:5b:1f - this is the destination MAC
00:1b:c5:02:f4:b0 - this is my router's MAC
08:00 - this is the frame type
But what do all these remaining bytes mean: 45:00:00:3c:b2:b3:40:00:38:06:73:57 ?
Some of them look like simple counters that change from frame to frame.

Is there any way to identify the attacker, especially to find their internal IP or at least their MAC address?
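The twelve bytes after the 08:00 EtherType are the first twelve bytes of the IPv4 header (version/IHL, TOS, total length, ID, flags, TTL, protocol, checksum); iptables copies them into MAC= because the interface driver advertises a hardware header longer than the 14-byte Ethernet header. Added example, not from this thread: a Python decoder for that field, cross-checked against the LEN, ID, TTL, DF and PROTO values the same LOG line prints separately; the SRC/DST addresses in the sample line are constructed placeholders.

```python
import struct

# Constructed sample: the LOG line quoted above, with the source address
# replaced by a documentation-range placeholder.
SAMPLE_LOG = ("IN=eth0 OUT= MAC=b8:27:eb:9a:5b:1f:00:1b:c5:02:f4:b0:08:00:"
              "45:00:00:3c:b2:b3:40:00:38:06:73:57 SRC=198.51.100.7 DST=192.0.2.10"
              " LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45747 DF PROTO=TCP")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def decode_mac_field(mac_field):
    """Split an iptables 'MAC=' value into the 14-byte Ethernet header and,
    when the driver copied more than that, the leading IPv4 header fields."""
    raw = bytes.fromhex(mac_field.replace(":", ""))
    if len(raw) < 14:
        raise ValueError("MAC field shorter than an Ethernet header")
    out = {"dst_mac": mac_field[:17], "src_mac": mac_field[18:35],
           "ethertype": struct.unpack("!H", raw[12:14])[0]}  # 0x0800 = IPv4
    extra = raw[14:]
    if out["ethertype"] == 0x0800 and len(extra) >= 12:
        # First 12 bytes of the fixed IPv4 header (RFC 791): version/IHL, TOS,
        # total length, identification, flags+fragment offset, TTL, protocol,
        # header checksum.  The source/destination addresses were not copied.
        vihl, tos, tlen, ident, ff, ttl, proto, csum = struct.unpack(
            "!BBHHHBBH", extra[:12])
        out.update({"ip_version": vihl >> 4, "ihl_bytes": (vihl & 0x0F) * 4,
                    "tos": tos, "total_length": tlen, "id": ident,
                    "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
                    "frag_offset": (ff & 0x1FFF) * 8, "ttl": ttl,
                    "protocol": PROTOCOLS.get(proto, str(proto)),
                    "header_checksum": csum})
    return out

def cross_check(log_line):
    """Confirm the header bytes hidden inside MAC= agree with the fields the
    LOG target prints separately (LEN, ID, TTL, DF, PROTO)."""
    toks = log_line.split()
    kv = dict(t.split("=", 1) for t in toks if "=" in t)
    hdr = decode_mac_field(kv["MAC"])
    return {"LEN": int(kv["LEN"]) == hdr["total_length"],
            "ID": int(kv["ID"]) == hdr["id"],
            "TTL": int(kv["TTL"]) == hdr["ttl"],
            "DF": ("DF" in toks) == hdr["df"],
            "PROTO": kv["PROTO"] == hdr["protocol"]}

if __name__ == "__main__":
    for key, val in decode_mac_field(SAMPLE_LOG.split("MAC=")[1].split()[0]).items():
        print(f"{key:16} {val}")
    print(cross_check(SAMPLE_LOG))
```

The ID field is the per-packet IPv4 identification counter, which is why it changes from frame to frame; note that nothing in the copied bytes identifies the sender beyond the router's MAC and the external SRC address.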

Old 06-21-2018, 04:58 PM   #2
LQ Veteran
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,345
Blog Entries: 36

Sure is interesting

Just sayin'
Old 06-22-2018, 11:55 AM   #3
LQ Veteran
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,345
Blog Entries: 36

"mining" ???