seeing random ssh/dropbear connection attempts from some local windows machines in logs

[lgkahn]

i am seeing attempts from machines that i dont think should be attempting ssh connections.. they dont seem valid or like a hack attempt as no username/password seems to be passed.. see attaqchment of attempt vs valid attempt with usersname.
virus scanning on the machines show nothing.. any ideas what is going on? maybe some sort of security (norton or malwarebytes periodic security scanning?)

thanks

 

[ColinTaylor]

What is the 192.168.10.x network used for (assuming you're using /24 netmasks)?

 

[Ripshod]

The other question is what device has that mac, 3c:e9:f7:65:62:e7?

 

[lgkahn]

i am seeing attempts from machines that i dont think should be attempting ssh connections.. they dont seem valid or like a hack attempt as no username/password seems to be passed.. see attaqchment of attempt vs valid attempt with usersname.
virus scanning on the machines show nothing.. any ideas what is going on? maybe some sort of security (norton or malwarebytes periodic security scanning?)

thanks

What is the 192.168.10.x network used for (assuming you're using /24 netmasks)?

all my local network.. i have a 255.255.254.0 mask so both 10 and 11 networks

 

[bennor]

@lgkahn, as others have asked. What specific devices are at the IP address or MAC address indicated as attempting to access SSH on the router in the captures you've posted. Have you checked those local clients to see why they might be attempting to access SSH? Have you checked them for malware?

 

[lgkahn]

as i mentioned already there are two windows machines.. i know one is attempting the port connecgtion on power up..

and as i also said they were scanned for malware by both malwarebytes and norton

 

[bennor]

as i mentioned already there are two windows machines.

For context what version of Windows are each machine? Are any being used for special purposes to run specific programs? If so which programs?

Edit to add: Both machines, 192.168.11.7:63620 and 192.168.10.179:63706 seem to be trying to use ports in the 63xxx range. Check to see if a program is configured to use ports in that range are open and running on those computers.

 

[ColinTaylor]

Edit to add: Both machines, 192.168.11.7:63620 and 192.168.10.179:63706 seem to be trying to use ports in the 63xxx range. Check to see if a program is configured to use ports in that range are open and running on those computers.

Those are ephemeral source ports. Nothing unusual there.

 

[lgkahn]

one windows 10 pro and one windows 11 pro

 

[lgkahn]

the 11.7 i posted is a valid connection with me trying to login in.. to see what it shows in the log that why ity shows a login name..
the other connections show no login name so dont think they are login attempts but some type of program doing a port scan... thats why not 100% overly worried.. if it was a real hack attempt a login name should have been passed in..

nothing is running on those computers and nothing is trying a connection when i do a portscan
ie
netstat -abn | grep 192.168.11.1:22

 

[dave14305]

If you can’t explain the behavior of a Windows machine on your network, assume the worst and disconnect it from your network until you can explain it. Who uses that machine? Are they susceptible to malware or phishing?

 

[lgkahn]

actually just did a connection and the ip was wrong in my scan it should look at wan ip..
netstat -abn | grep 173.14.x.x:22

but still nothing active unless i initiate a real ssh connection

 

[dave14305]

actually just did a connection and the ip was wrong in my scan it should look at wan ip..
netstat -abn | grep 173.14.x.x:22

but still nothing active unless i initiate a real ssh connection

Nothing should be able to ssh to the WAN IP by default.

 

[killweav]

You "may" be able to track down the process ID on the suspect machine. This will have limited scope of helpfulness but on the suspect Windows machine open a PowerShell window with admin access and paste into prompt:
netstat -ano -p TCP | Where-Object { $_ -match ":22\s+" }

Seems like your SSH listening port is default 22 if not then change the value to your listening port.

The limits are: output works only on existing or recent connections. The PID will display only if the process is still loaded.

Suggest to reboot machine and run immediately as you said it attempts port 22 connection during bootup. Maybe it will help you track down the process in task manager, maybe it won't. I believe you have only about 1 minute for TIME_WAIT entries to see anything at all in netstat.

In this example SSH client connects and you can see it's process ID but mine is configured to exit on disconnect so you also see a TIME_WAIT (recent connection) with no PID value. In this case, it would not be so helpful.

Also suggest reviewing logs that match the timestamp.

May be a good time to review your security practices regarding SSH. Use custom port, disable password logins (use SSH keys only) and absolutely disable WAN access to the service.

 

[lgkahn]

one machine was not at reboot but early in morning and seem to be a schedule task that points to here
..

 

[lgkahn]

wan access is disabled.. i will also change the port..

also need to reme3mber i changed the port and change it in winscp (i use it to backup my scripts etc) otherwise i will be pulling my hair out next time i cannot get into the router.. anyway i have an external firewall outside the asus router on a mikrotik router (i has some public ips) and the asus only maps 1 of them to my privates.. this firewall also does not allow port 22 anyway. so any external access will need to be after vpning into my router.

this is what i get for monitoring the routers logs after doing a firmware update... sigh

 

[lgkahn]

pretty sure this will disable it.. will leave it at port 22 for now and see if it stops