OpenSSH Port Mystery


I have OpenSSH operating on a Windows 2003 Server and recently we noticed that we were receiving brute force login attempts.

I saw that OpenSSH uses port 22 so we locked down access to the server via this port to a limited number of IP Addresses.

However, we are still receiving login attempts, as the event log below shows:

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 2416 : Failed password for illegal user mike from port 49919 ssh2.

At first I thought our ISP hadn't configured the firewall rule correctly, but if I try to telnet to port 22 from an unlisted IP address the server correctly refuses the connection.

Any ideas?

Thanks in advance
> How would I test for another route ..
You can check from inside with traceroute/tracert,
but you had better check from the internet, as this is what you want to know.
If your ISP's firewall denies access to port 22 and you still get these requests, I can imagine the following reasons:
  - your logging is buggy
  - your sshd is buggy
  - someone managed to connect with a spoofed IP
  - there is another route to the foreign IPs not through your ISP's firewall
  - you have an internal IP like that listed in your logs

I'd start with the last two.
If you identify a spoofed IP, change the ISP.
If you identify the first two, switch to a reliable system ;-)

fvillena (Author) commented:
Thanks for that, when you say 'have an internal IP like that listed in your logs' do you mean a computer from within our organisation?

How would I test for another route to the foreign IPs not through our ISP's firewall?

Thanks again
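
The possibilities listed in the answer can be narrowed down from the sshd log itself. The following Python script is an added example, not part of the original thread: it sorts each failed-login source into allowlisted, internal, or external-unlisted, and flags entries with no address, as in the event quoted in the question. The allowlist, internal ranges and log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (constructed, not from the thread): firewall allowlist and internal ranges.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/29",)]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample log lines in the format of the event shown in the question.
SAMPLE_LOG = """\
sshd : PID 2416 : Failed password for illegal user mike from 198.51.100.77 port 49919 ssh2.
sshd : PID 2420 : Failed password for illegal user admin from 192.168.10.45 port 50211 ssh2.
sshd : PID 2431 : Failed password for root from 203.0.113.5 port 40022 ssh2.
sshd : PID 2416 : Failed password for illegal user mike from port 49919 ssh2.
"""

# The address group is optional because the entry quoted in the question has none.
FAILED = re.compile(
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) from "
    r"(?:(?P<ip>[0-9A-Fa-f:.]+) )?port (?P<port>\d+)"
)

def classify(ip_text):
    """Map a logged source address to the explanation it supports."""
    try:
        ip = ipaddress.ip_address(ip_text or "")
    except ValueError:
        return "no-address"          # nothing to trace: look at logging/sshd first
    if any(ip in net for net in ALLOWLIST):
        return "allowlisted"         # the firewall passed it as configured
    if any(ip in net for net in INTERNAL):
        return "internal"            # a host inside the organisation
    return "external-unlisted"       # should have been blocked: other route or spoofing

def triage(log_text):
    """Count failed logins per (category, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(classify(m.group("ip")), m.group("ip"))] += 1
    return counts

if __name__ == "__main__":
    for (category, ip), n in sorted(triage(SAMPLE_LOG).items(), key=str):
        print(f"{category:18} {ip or '-':15} {n}")
```

Any `external-unlisted` hits are the ones worth tracing with tracert from outside the network, since the ISP firewall should never have let them reach port 22.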
Question has a verified solution.
