General Discussion / Many ssh connection attempts from WAN interface
« on: March 29, 2024, 12:53:22 pm »
Hi
I'm trying to figure out why the firewall (WAN IP: 192.168.0.157) is trying to ssh to almost every host on the WAN net. This happens every 15 minutes.
Interface Time Source Destination Proto Label
wan 2024-03-29T12:30:46 192.168.0.157:1186 192.168.0.50:22 tcp
wan 2024-03-29T12:30:45 192.168.0.157:1184 192.168.0.50:22 tcp
wan 2024-03-29T12:30:45 192.168.0.157:1183 192.168.0.40:22 tcp
wan 2024-03-29T12:30:44 192.168.0.157:1181 192.168.0.40:22 tcp
wan 2024-03-29T12:30:44 192.168.0.157:1180 192.168.0.33:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1177 192.168.0.33:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1176 192.168.0.27:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1173 192.168.0.27:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1172 192.168.0.25:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1170 192.168.0.25:22 tcp
wan 2024-03-29T12:30:43 192.168.0.157:1169 192.168.0.229:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1167 192.168.0.229:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1166 192.168.0.224:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1164 192.168.0.224:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1163 192.168.0.220:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1161 192.168.0.220:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1160 192.168.0.22:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1158 192.168.0.22:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1157 192.168.0.21:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1155 192.168.0.21:22 tcp
wan 2024-03-29T12:30:42 192.168.0.157:1154 192.168.0.208:22 tcp
wan 2024-03-29T12:30:41 192.168.0.157:1152 192.168.0.208:22 tcp
wan 2024-03-29T12:30:41 192.168.0.157:1151 192.168.0.204:22 tcp
wan 2024-03-29T12:30:40 192.168.0.157:1149 192.168.0.204:22 tcp
wan 2024-03-29T12:30:40 192.168.0.157:1148 192.168.0.201:22 tcp
wan 2024-03-29T12:30:39 192.168.0.157:1146 192.168.0.201:22 tcp
wan 2024-03-29T12:30:39 192.168.0.157:1145 192.168.0.200:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1143 192.168.0.200:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1142 192.168.0.20:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1140 192.168.0.20:22 tcp
wan 2024-03-29T12:30:38 192.168.0.157:1139 192.168.0.199:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1137 192.168.0.199:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1136 192.168.0.198:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1134 192.168.0.198:22 tcp
wan 2024-03-29T12:30:37 192.168.0.157:1133 192.168.0.171:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1131 192.168.0.171:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1130 192.168.0.163:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1128 192.168.0.163:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1127 192.168.0.162:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1125 192.168.0.162:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1124 192.168.0.161:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1122 192.168.0.161:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1121 192.168.0.160:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1119 192.168.0.160:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1117 192.168.0.16:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1116 192.168.0.159:22 tcp
wan 2024-03-29T12:30:34 192.168.0.157:1114 192.168.0.159:22 tcp
I've also spotted a couple of foreign IPs:
PR DIR SRC DEST STATE AGE EXP PKTS BYTES
tcp Out 192.168.0.157:4685 90.201.245.177:22 SYN_SENT:CLOSED 00:01:51 00:00:09 1 60
tcp Out 192.168.0.157:9815 92.10.20.150:22 SYN_SENT:CLOSED 00:01:48 00:00:12 1 60
tcp Out 192.168.0.157:35230 97.106.22.123:22 SYN_SENT:CLOSED 00:01:42 00:00:18 1 60
tcp Out 192.168.0.157:48424 97.227.172.3:22 TIME_WAIT:TIME_WAIT 00:01:35 00:00:00 2 100
tcp Out 192.168.0.157:64406 98.90.241.255:22 TIME_WAIT:TIME_WAIT 00:01:32 00:00:00 2 100
tcp Out 192.168.0.157:45567 99.129.42.74:80 SYN_SENT:CLOSED 00:01:29 00:00:31 1 60
tcp Out 192.168.0.157:30475 99.129.42.74:22 TIME_WAIT:TIME_WAIT 00:01:28 00:00:02 2 100
tcp Out 192.168.0.157:4522 9.0.0.0:22 TIME_WAIT:TIME_WAIT 00:01:17 00:00:14 3 160
I have not been able to find a PID claiming responsibility for the connections.
/Peter
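
An added example, not part of the original post: one way to confirm the pattern from an exported firewall log is to group each source's port-22 attempts into bursts, flag bursts that reach many distinct hosts, and measure the time between them. The function names, the 30-second gap, the 3-host threshold and the sample lines are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the post's live-view layout (not the poster's full log).
SAMPLE_LOG = """\
Interface Time Source Destination Proto Label
wan 2024-03-29T12:15:34 192.168.0.157:1020 192.168.0.20:22 tcp
wan 2024-03-29T12:15:35 192.168.0.157:1022 192.168.0.21:22 tcp
wan 2024-03-29T12:15:36 192.168.0.157:1024 192.168.0.22:22 tcp
wan 2024-03-29T12:20:02 192.168.0.10:50122 192.168.0.50:22 tcp
wan 2024-03-29T12:20:09 192.168.0.157:1030 192.168.0.1:53 udp
wan 2024-03-29T12:30:34 192.168.0.157:1114 192.168.0.20:22 tcp
wan 2024-03-29T12:30:35 192.168.0.157:1116 192.168.0.21:22 tcp
wan 2024-03-29T12:30:36 192.168.0.157:1117 192.168.0.22:22 tcp
"""

def parse_line(line):
    """Return (time, src_ip, dst_ip, dst_port), or None for headers and junk."""
    parts = line.split()
    try:
        ts = datetime.fromisoformat(parts[1])
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return ts, parts[2].rsplit(":", 1)[0], dst_ip, int(dst_port)
    except (IndexError, ValueError):
        return None

def find_sweeps(log_text, port=22, gap=timedelta(seconds=30), min_hosts=3):
    """Split each source's hits on `port` into bursts; report wide bursts."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse_line, log_text.splitlines())):
        if dport == port:
            by_src[src].append((ts, dst))
    sweeps = []
    for src, events in by_src.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:  # None flushes the last burst
            if ev is not None and ev[0] - burst[-1][0] <= gap:
                burst.append(ev)
                continue
            hosts = {dst for _, dst in burst}
            if len(hosts) >= min_hosts:
                sweeps.append((src, burst[0][0], len(hosts)))
            burst = [ev]
    return sorted(sweeps, key=lambda s: s[1])

def sweep_intervals(sweeps, src):
    """Seconds between consecutive sweeps from `src`, to confirm a schedule."""
    t = [start for s, start, _ in sweeps if s == src]
    return [(b - a).total_seconds() for a, b in zip(t, t[1:])]
```

A steady interval between sweeps points to a scheduled job or timer on the box rather than interactive activity, which narrows where to look for the responsible process.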

