
Re: Continuous brute force attempt from own server !!!



On 26/07/13 07:42, J B wrote:
Dear list,

I'm suffering with a very serious issue and seek guidance.

I have a Debian server running at my place which is attached to a leased line connection,
and I use this box as a gateway.
I administer a remote openSUSE Linux server through this Debian box, and I use the pubkey auth
mechanism to log into the remote Linux server.

At the remote Linux server, I can find huge numbers of brute force ssh attempts at different
ports, and surprisingly the attempts are made with the same username which I actually use
to log into the remote box. Some of the messages from the log are as below

```````````````````````````````
accepted public key from <username_of_my_local_box> from <WAN_IP_of_my_local_box> port 50574 ssh2
```````````````````````````

The attacks are random, with a serial increment in the port number.
If I block the ssh connections through a connection limit in the firewall at the remote box, it actually blocks me from logging in further.

Could anyone suggest what is happening in my local box?
Rootkit? Local box compromise? What is it?

Please suggest.
Thanks


That doesn't look like a "brute force attack", that's just a normal *successful* ssh login.

Do you have anything on your local box that performs any ssh connection to the remote box, like rsync, scp, sftp etc? Perhaps a cron job.

Do these "attacks" happen at fixed times or regular intervals?

Do you use ssh to connect between the boxes a lot?

If you still can't identify the source of these connections, it could be that your login on your local box has been compromised. Check the auth log on that to see when 'username' has been accessed.

--
Dom
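Since the thread turns on telling a scheduled ssh/rsync/scp job apart from a real attack, here is an added example (not from the thread or from either poster) of the check Dom is asking for: group "Accepted publickey" lines from an auth.log by user@source, print the interval between consecutive logins, and flag sources whose logins recur at one fixed interval, which is what a cron job looks like from the server side. The log lines, the user "jb" and the addresses are constructed placeholders; the crontab and timer paths are Debian defaults.

```shell
#!/bin/sh
# Added example: detect periodic (scheduled) SSH public-key logins in an
# auth.log and point at where the job usually lives on the client box.
# The sample log below is CONSTRUCTED; "jb" and the IPs are placeholders.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 26 07:40:01 remote sshd[2101]: Accepted publickey for jb from 203.0.113.10 port 50574 ssh2
Jul 26 07:45:01 remote sshd[2140]: Accepted publickey for jb from 203.0.113.10 port 50575 ssh2
Jul 26 07:50:01 remote sshd[2188]: Accepted publickey for jb from 203.0.113.10 port 50576 ssh2
Jul 26 07:52:37 remote sshd[2203]: Accepted publickey for jb from 198.51.100.7 port 41022 ssh2
Jul 26 07:53:10 remote sshd[2210]: Failed password for invalid user admin from 192.0.2.99 port 3333 ssh2
Jul 26 07:55:01 remote sshd[2230]: Accepted publickey for jb from 203.0.113.10 port 50577 ssh2
EOF

# Print every accepted public-key login as "user@ip port N  +Ss", where S is
# the seconds since the previous accepted login for the same user@ip.
# Field 3 of a syslog line is HH:MM:SS; seconds since midnight is enough for
# intervals within one day.
login_intervals() {
    awk '
    /sshd\[[0-9]+\]: Accepted publickey for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i+1)
            if ($i == "from") ip   = $(i+1)
            if ($i == "port") port = $(i+1)
        }
        split($3, t, ":")
        secs = t[1]*3600 + t[2]*60 + t[3]
        key = user "@" ip
        if (key in last) { printf "%s port %s  +%ds\n", key, port, secs - last[key] }
        else             { printf "%s port %s  first\n", key, port }
        last[key] = secs
    }' "$1"
}

# Print user@ip keys with at least three logins that all arrive at one
# identical interval: the signature of cron or a systemd timer, not a person.
scheduled_login_sources() {
    awk '
    /sshd\[[0-9]+\]: Accepted publickey for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i+1)
            if ($i == "from") ip   = $(i+1)
        }
        split($3, t, ":")
        secs = t[1]*3600 + t[2]*60 + t[3]
        key = user "@" ip
        n[key]++
        if (key in last) {
            d = secs - last[key]
            if (!(key in gap))      { gap[key] = d }
            else if (gap[key] != d) { gap[key] = -1 }   # intervals differ: not periodic
        }
        last[key] = secs
    }
    END {
        for (k in n) if (n[k] >= 3 && gap[k] > 0)
            printf "%s every %ds (%d logins)\n", k, gap[k], n[k]
    }' "$1"
}

# Count accepted public-key logins for one user from one source address.
count_logins() {  # FILE USER IP
    grep -c "Accepted publickey for $2 from $3 port" "$1"
}

# On the client (local) box: list crontabs and unit files that invoke
# ssh, scp, sftp or rsync. Paths are Debian defaults; missing ones are ignored.
find_ssh_cron_jobs() {
    grep -rlE '\b(ssh|scp|sftp|rsync)\b' /etc/crontab /etc/cron.d /etc/cron.hourly \
        /etc/cron.daily /var/spool/cron/crontabs /etc/systemd/system 2>/dev/null || true
}

login_intervals "$SAMPLE_LOG"
scheduled_login_sources "$SAMPLE_LOG"
```

On the sample data the source 203.0.113.10 shows up every 300 s with a client port that climbs by one each time, which is the pattern the original post describes; the single login from 198.51.100.7 at an odd second is what an interactive session looks like. Run `find_ssh_cron_jobs` on the local box to locate the job; if nothing turns up there and the logins are not at regular intervals, that is the point at which to treat the local account as possibly compromised.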

