fvillena
asked on
OpenSSH Port Mystery
Hi,
I have OpenSSH operating on a Windows 2003 Server and recently we noticed that we were receiving brute force login attempts.
I saw that OpenSSH uses port 22 so we locked down access to the server via this port to a limited number of IP Addresses.
However we are still receiving login attempts as the below event log shows
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 2416 : Failed password for illegal user mike from 79.125.35.214 port 49919 ssh2.
At first I thought our ISP hadn't configured the firewall rule correctly, but if I try to telnet to port 22 from an unlisted IP address the server correctly refuses the connection.
Any ideas?
Thanks in advance
ASKER
Thanks for that, when you say 'have an internal IP like that listed in your logs' do you mean a computer from within our organisation?
How would I test for another route to the foreign IPs not through our ISP's firewall?
Thanks again
ASKER CERTIFIED SOLUTION
- your logging is buggy
- your sshd is buggy
- someone managed to connect with spoofed IP
- there is another route to the foreign IPs not through your ISP's firewall
- you have an internal IP like that listed in your logs
I'd start with the last two.
If you identify a spoofed IP, change the ISP.
If you identify the first two, switch to a reliable system;-)
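The last two possibilities in the answer (an internal source, or a route that bypasses the ISP firewall) can be checked from the sshd events themselves. The following is an added example, not code from the thread: it parses the "Failed password" text from the Windows event log, compares each source address against the allowlist the firewall is supposed to enforce, and flags addresses that are private (internal) or that should have been blocked. The allowlist and the sample events other than the one quoted in the question are constructed.

```python
import ipaddress
import re

# Matches the message body of the sshd event quoted in the question.
# Older OpenSSH writes "illegal user", newer builds write "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def classify_source(ip_text, allowlist):
    """Return 'allowed', 'internal' or 'unexpected' for one source address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in allowlist):
        return "allowed"          # firewall rule permits it; legitimate source
    if ip.is_private or ip.is_loopback:
        return "internal"         # an internal host, not blocked by the ISP
    return "unexpected"           # should have been dropped by the firewall


def audit_sshd_events(lines, allowlist):
    """Parse failed-login events; return a list of (user, ip, category)."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue              # accepted logins and other events are ignored
        findings.append((m["user"], m["ip"], classify_source(m["ip"], nets)))
    return findings


def unexpected_sources(lines, allowlist):
    """Addresses that reached sshd despite not being on the allowlist."""
    return sorted({ip for _, ip, cat in audit_sshd_events(lines, allowlist)
                   if cat == "unexpected"})


# Constructed sample: first line is the event from the question, the rest are
# made-up examples of an internal host, an accepted login and an allowed host.
SAMPLE_EVENTS = [
    "sshd : PID 2416 : Failed password for illegal user mike from 79.125.35.214 port 49919 ssh2",
    "sshd : PID 2416 : Failed password for admin from 192.168.1.50 port 51022 ssh2",
    "sshd : PID 2416 : Accepted password for fvillena from 203.0.113.20 port 40112 ssh2",
    "sshd : PID 2416 : Failed password for invalid user test from 203.0.113.77 port 39001 ssh2",
]
# Constructed placeholder for the networks the ISP firewall rule allows.
ALLOWLIST = ["203.0.113.0/24"]

if __name__ == "__main__":
    for user, ip, category in audit_sshd_events(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{category:10} {ip:16} user={user}")
```

Any address in the "unexpected" category reached sshd without passing the firewall rule, which is exactly the case the answer suggests investigating first.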