
OpenSSH Port Mystery


I have OpenSSH operating on a Windows 2003 Server and recently we noticed that we were receiving brute force login attempts.

I saw that OpenSSH uses port 22 so we locked down access to the server via this port to a limited number of IP Addresses.

However, we are still receiving login attempts, as the event log below shows:

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 2416 : Failed password for illegal user mike from port 49919 ssh2.

At first I thought our ISP hadn't configured the firewall rule correctly, but if I try to telnet to port 22 from an unlisted IP address the server correctly refuses the connection.

Any ideas?

Thanks in advance
1 Solution
If your ISP's firewall denies access to port 22 and you still get these requests, I can imagine the following reasons:
  - your logging is buggy
  - your sshd is buggy
  - someone managed to connect with spoofed IP
  - there is another route to the foreign IPs not through your ISP's firewall
  - you have an internal IP like that listed in your logs

I'd start with the last two.
If you identify a spoofed IP, change the ISP.
If you identify the first two, switch to a reliable system;-)
fvillena (Author) commented:
Thanks for that, when you say 'have an internal IP like that listed in your logs' do you mean a computer from within our organisation?

How would I test for another route to the foreign IPs not through our ISP's firewall?

Thanks again
> How would I test for another route ..
You can check from inside with traceroute/tracert,
but you had better check from the internet, as this is what you want to know.
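As an added example (not from the thread or either participant), a script to check the "internal IP listed in your logs" theory: it parses the sshd "Failed password" lines from the Windows event log text and sorts the source addresses into RFC 1918/loopback/link-local space versus everything else. The sample lines and every IP in them are constructed; the page's own line, where the address was stripped, is included to show how an empty field is handled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd event-log lines in the format seen in the thread.
# IPs are made up (RFC 1918 space plus a documentation range), not from the page.
SAMPLE_EVENTS = """\
sshd : PID 2416 : Failed password for illegal user mike from port 49919 ssh2
sshd : PID 2416 : Failed password for illegal user mike from 203.0.113.45 port 49920 ssh2
sshd : PID 2416 : Failed password for illegal user admin from 203.0.113.45 port 49921 ssh2
sshd : PID 2501 : Failed password for illegal user test from 192.168.10.7 port 51022 ssh2
sshd : PID 2502 : Failed password for root from 10.0.0.23 port 40011 ssh2
sshd : PID 2377 : Accepted password for bob from 192.168.10.5 port 1234 ssh2
"""

# "illegal user" is optional; the IP may be absent (as in the page's line), so \S*.
FAILED_RE = re.compile(
    r"Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\S*) ?port (?P<port>\d+)"
)

# Address space that can only be reached from inside the organisation's network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_failed_logins(text):
    """Yield (user, ip, port) for every 'Failed password' line; ip may be ''."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), int(m.group("port"))


def classify_source(ip_str):
    """'internal' for RFC 1918/loopback/link-local, 'external' for any other
    address, 'unparsed' when the field is empty or not an IP address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "unparsed"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def summarize(text):
    """Count failed logins per (classification, source ip)."""
    counts = Counter()
    for _user, ip, _port in parse_failed_logins(text):
        counts[(classify_source(ip), ip)] += 1
    return counts


if __name__ == "__main__":
    for (kind, ip), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{kind:9s} {ip or '<no ip>':16s} {n} failed login(s)")
```

Any "external" entry is a connection that should have been dropped by the ISP's port 22 rule, so those sources are the ones to trace from outside; "internal" entries point at a host inside the organisation.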
