[lug] Mystery SSH diagnostic lines
Mike Witt
msg2mw at gmail.com
Sun Aug 1 13:19:37 MDT 2021
On 08/01/2021 01:03:11 PM, Simos wrote:
> On Sun, 01 Aug 2021 12:27:02 -0600 Mike Witt <msg2mw at gmail.com> wrote:
> >
> > On 08/01/2021 11:42:20 AM, Simos wrote:
> > > Hi,
> > >
> > > Looks like a port scan to me.
> >
> > Wouldn't that have tried more than just those two ports?
>
> Maybe for now it's just probing open SSH ports? Also, how do you know
> that
> nothing else is being port scanned? The log lines you forwarded seem
> to be
> from standard syslog/auth logs which would not necessarily log port
> scan
> attempts unless the individual services themselves (like sshd) did so.
sshd is only configured to listen on port 22 (I'm using the standard
port and it's NOT accessible to the outside work through my comcast
modem/router).
If I do ssh -p to one of those ports, I DON'T get those log lines and
the connection is simply refused.
I have no idea what the [preauth] thing is and I don't see that when I
make or break regular ssh connections to either of these machines.
I obviously don't know what's going on, but when I look at those lines
it seems almost like 10.0.0.8 is sending an (unsolicited) disconnect to
the other machines(???)
Good tip about MalwareBytes, I'll look into that.
More information about the LUG
mailing list