[lug] Mystery SSH diagnostic lines

Bear Giles bgiles at coyotesong.com
Sun Aug 1 10:34:12 MDT 2021


Pissed off anyone recently? Someone who could hack into your wife's
computer, run a network scan, and then try to ssh into different systems?

A bit more seriously (or not?) after I was compromised through a local
instance of Confluence that was visible from the internet (since I wanted
to be able to access it while traveling) one of the remediations was making
sure that all of my ssh private keys require passwords. A knowledgeable
attacker (or script writer) would know that ssh keys are usually located in
~/.ssh and often (usually?) unencrypted on home systems since people think
they're secure. It would be easy to attempt to access the other systems in
my network by simple enumeration of the network IP addresses (e.g., check
your network adapters and if you see 10.0.0.0/255.255.255.0 then try
10.0.0.1..10.0.0.255) and using the compromised username and ssh key.

Without checking I'm sure metasploit already knows this since it's so
obvious.

It's pain-free when you can get askpass or equivalent working (sigh), and
not *too* painful even if you have to reenter the password constantly. It's
definitely better than worrying whether an overlooked compromise has given
an attacker shell access to everything on your network.

The same logic applies to 'sudo'. Require passwords. A knowledgeable
attacker will know to try 'sudo'. At least the sudoers file and the sudoers.d
directory aren't world-readable, so an attacker will leave a trace - they
can't check the files first to see if a user is authorized and if the
account requires a password unless they already have root access.


On Sun, Aug 1, 2021 at 9:30 AM Mike Witt <msg2mw at gmail.com> wrote:

> I have these four "mystery" lines that just popped up in my log:
>
> Aug  1 08:33:43 hp sshd[123226]: Received disconnect from 10.0.0.8 port
> 58932:11:  [preauth]
> Aug  1 08:33:43 hp sshd[123226]: Disconnected from 10.0.0.8 port 58932
> [preauth]
> Aug  1 08:34:12 hp sshd[123235]: Received disconnect from 10.0.0.8 port
> 60633:11:  [preauth]
> Aug  1 08:34:12 hp sshd[123235]: Disconnected from 10.0.0.8 port 60633
> [preauth]
>
> "hp" is my desktop linux mint system. This is where the lines showed up
> in the log.
>
> 10.0.0.8 is a Microsoft Windows laptop that my wife does video editing
> on. Unless SSH comes with Windows now-a-days, I don't *think* it has
> either an ssh client or server. But, in any event, she wasn't doing
> anything with ssh.
>
> I wondered if these were the result of my accidentally trying to ssh
> FROM the hp TO 10.0.0.8, so I tried that and it just hung. Nothing
> showed up in my log.
>
> I can't figure out what the four lines above could possibly mean.
> Anybody have any idea?
>
> Many thanks!
>
> -Mike
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
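Two defender-side checks that follow from this thread, written here as an added example (not code from either poster): the first parses sshd "Received disconnect ... [preauth]" lines and groups them by source address, pulling out the numeric reason code (the "11" in Mike's lines is the SSH disconnect reason code SSH_DISCONNECT_BY_APPLICATION from RFC 4253, i.e. the client side closed the connection before trying to authenticate); the second implements the remediation Bear describes by checking whether a private key in ~/.ssh is passphrase-protected, reading the cipher and KDF names from the openssh-key-v1 header and the Proc-Type header of legacy PEM keys. The sample log is the four lines from Mike's message plus one constructed "Accepted publickey" line, and the key files are constructed inside the block so it runs without touching a real ~/.ssh. The function and variable names are my own.

```python
import base64
import os
import re
import struct
from collections import defaultdict

# Constructed sample: Mike's four lines (unwrapped) plus one ordinary successful login.
SAMPLE_LOG = """\
Aug  1 08:33:43 hp sshd[123226]: Received disconnect from 10.0.0.8 port 58932:11:  [preauth]
Aug  1 08:33:43 hp sshd[123226]: Disconnected from 10.0.0.8 port 58932 [preauth]
Aug  1 08:34:12 hp sshd[123235]: Received disconnect from 10.0.0.8 port 60633:11:  [preauth]
Aug  1 08:34:12 hp sshd[123235]: Disconnected from 10.0.0.8 port 60633 [preauth]
Aug  1 09:02:10 hp sshd[123300]: Accepted publickey for mike from 10.0.0.5 port 51000 ssh2: ED25519 SHA256:constructed
"""

# Disconnect reason codes from RFC 4253 section 11.1 (only the ones worth naming here).
REASON_CODES = {
    2: "SSH_DISCONNECT_PROTOCOL_ERROR",
    11: "SSH_DISCONNECT_BY_APPLICATION",
    14: "SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE",
}

PREAUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Received disconnect from (?P<ip>[\d.]+) "
    r"port (?P<port>\d+):(?P<code>\d+):.*\[preauth\]"
)


def preauth_disconnects(log_text):
    """Group pre-authentication disconnects by source IP.

    Returns {ip: [(pid, source_port, reason_code), ...]}. Several entries for
    one IP in a short window, with no matching 'Accepted' line, is the pattern
    to look at: something reached the port and backed off before authenticating.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            by_ip[m["ip"]].append((int(m["pid"]), int(m["port"]), int(m["code"])))
    return dict(by_ip)


def _ssh_string(b):
    """Encode bytes as an SSH 'string' (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def private_key_is_encrypted(key_bytes):
    """True if the private key file cannot be used without a passphrase."""
    text = key_bytes.decode("ascii", "replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        # Header: magic, string ciphername, string kdfname, ... ; "none"/"none" means plaintext.
        cipher, off = _read_ssh_string(blob, len(magic))
        kdf, off = _read_ssh_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM (RSA/DSA/EC): encrypted files carry a Proc-Type: 4,ENCRYPTED header.
    return "Proc-Type: 4,ENCRYPTED" in text


def constructed_openssh_key(cipher, kdf):
    """Build a minimal openssh-key-v1 file; only the header fields the check reads are real."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"constructed-pub") + _ssh_string(b"constructed-priv"))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


def unencrypted_keys(ssh_dir):
    """Return paths of private keys under ssh_dir that load without a passphrase."""
    found = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path) or name.endswith(".pub"):
            continue
        with open(path, "rb") as f:
            head = f.read(4096)
        if b"PRIVATE KEY-----" in head and not private_key_is_encrypted(head):
            found.append(path)
    return found


if __name__ == "__main__":
    for ip, events in preauth_disconnects(SAMPLE_LOG).items():
        codes = {REASON_CODES.get(c, c) for _, _, c in events}
        print(f"{ip}: {len(events)} preauth disconnect(s), reasons {sorted(map(str, codes))}")
    for p in unencrypted_keys(os.path.expanduser("~/.ssh")):
        print(f"key without passphrase: {p}")
```

`unencrypted_keys` only reads the first 4 KiB of each file, which is enough for the header fields it inspects; run it against a copy of `~/.ssh` first if you want to see it flag something, since on a tidy system it should print nothing.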