OpenSSH Port Mystery

Posted on 2009-12-18
Last Modified: 2013-11-16

I have OpenSSH operating on a Windows 2003 Server and recently we noticed that we were receiving brute force login attempts.

I saw that OpenSSH uses port 22 so we locked down access to the server via this port to a limited number of IP Addresses.

However we are still receiving login attempts, as the event log entry below shows:

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 2416 : Failed password for illegal user mike from port 49919 ssh2.

At first I thought our ISP hadn't configured the firewall rule correctly, but if I try to telnet to port 22 from an unlisted IP address the server correctly refuses the connection.

Any ideas?

Thanks in advance
Question by:fvillena
    LVL 51

    Expert Comment

    If your ISP's firewall denies access to port 22 and you still get these requests, I can imagine the following reasons:
      - your logging is buggy
      - your sshd is buggy
      - someone managed to connect with spoofed IP
      - there is another route to the foreign IPs not through your ISP's firewall
      - you have an internal IP like that listed in your logs

    I'd start with the last two.
    If you identify a spoofed IP, change the ISP.
    If you identify the first two, switch to a reliable system ;-)

    Author Comment

    Thanks for that. When you say 'have an internal IP like that listed in your logs', do you mean a computer from within our organisation?

    How would I test for another route to the foreign IPs not through our ISP's firewall?

    Thanks again
    LVL 51

    Accepted Solution

    > How would I test for another route ..
    You can check from inside with traceroute/tracert,
    but you had better check from the internet, as this is what you want to know.
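Before tracing routes, it helps to know which of the expert's explanations the log itself points at. The script below is an added example, not code from the thread: it parses sshd "Failed password" lines in the shape shown in the question (the addresses and the allowlist are constructed assumptions) and sorts each source address into internal, allowed by the ISP rule, or unexpected, where "unexpected" is the case that should have been blocked and deserves the route check.

```python
import ipaddress
import re

# Constructed sample lines in the shape sshd writes to the Windows event log
# (addresses are made-up documentation ranges, not values from the thread).
SAMPLE_EVENTS = [
    "sshd : PID 2416 : Failed password for illegal user mike from 203.0.113.7 port 49919 ssh2",
    "sshd : PID 2416 : Failed password for illegal user root from 192.168.10.44 port 51022 ssh2",
    "sshd : PID 2416 : Failed password for admin from 198.51.100.20 port 40012 ssh2",
    "sshd : PID 2416 : Accepted password for admin from 198.51.100.20 port 40013 ssh2",
]

# Hypothetical policy: the ISP firewall should only pass port 22 from this range.
ISP_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
# RFC 1918 private ranges: traffic from here never crossed the ISP firewall at all.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FAILED_RE = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+) port (\d+)")


def parse_failed_logins(lines):
    """Return (user, source_ip, port) for each failed-password event."""
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group(1), ipaddress.ip_address(m.group(2)), int(m.group(3))))
    return hits


def classify(addr):
    """Map a source address to one of the explanations given in the answer."""
    if any(addr in net for net in INTERNAL):
        return "internal"      # a machine inside the organisation; the ISP rule cannot stop it
    if any(addr in net for net in ISP_ALLOWLIST):
        return "allowed"       # reached the host as intended; brute force from a trusted range
    return "unexpected"        # should have been blocked: another route or a firewall gap


def triage(lines):
    """Group the source addresses of failed logins by category (as strings)."""
    result = {"internal": set(), "allowed": set(), "unexpected": set()}
    for _user, addr, _port in parse_failed_logins(lines):
        result[classify(addr)].add(str(addr))
    return result


if __name__ == "__main__":
    for category, addrs in triage(SAMPLE_EVENTS).items():
        print(f"{category}: {sorted(addrs)}")
```

Any address that lands in "unexpected" is the one to trace from outside, since it reached sshd despite the rule that should have dropped it.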
