The log in wireshark is recorded today. And with the key word
searching in auth.log and auth.log.1 only shows the attempting to
login failure.
Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification
string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user
webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user
admin from 68.168.113.155 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=68.168.113.155 user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from
68.168.113.155 port 33514 ssh2
The TCP transmission message is observed when launching wireshark on
host machine recording server02 with capture filter string `host
xxx.xxx.xxx.112'.
Is this the right way to monitor the completely interaction between
ssh client and server? Or what is the right way to monitor the ssh
interaction (client executes `ssh user@host_name` until it
successfully login or returns timeout)?
And which key word I can use for checking successful/unsuccessful
attempts on ssh? I scroll through wireshark log, but could not figure
it out well.
My host is Debian wheezy/sid.
All guest machines are Debian squeeze/sid with kernel 2.6.32-5-686.
Version of OpenSSH_5.5p1 Debian-5+b1, and OpenSSL 0.9.8o 01 Jun 2010.
Thank you for advice. I appreciate it.
On Tue, Jun 21, 2011 at 5:17 PM, Shain Singh <shain.singh@xxxxxxxxx> wrote:
xxx.xxx.xxx.112 68.168.113.155 SSH [TCP Retransmission] Encrypted
response packet len=35
68.168.113.155 xxx.xxx.xxx.112 TCP [TCP Previous segment lost] 33514
ssh [ACK] Seq=21 Ack=36 Win=5888 Len=0 TSV=3950744190 TSER=4316095
SLE=1 SRE=36
68.168.113.155 xxx.xxx.xxx.112 SSHv2 [TCP Retransmission] Client
Protocol: SSH-2.0-libssh-0.1\r
Haver you got SSH configured on the host computer to port forward to the
servers (Are the virtual hosts in bridged or NAT mode?) - Looks to be
bridged.
I would have thought that this could just be someone 'trying' to brute force
SSH. It doesn't necessarily mean they have been able to successfully connect
from the logs above unless I am missing something.
Have a scroll through you logs for successful/unsuccessful attempts on SSH.
--
Shaineel Singh
e: shain.singh@xxxxxxxxx
p: +61 422 921 951
w: http://buffet.shainsingh.com
--
"Too many have dispensed with generosity to practice charity" - Albert Camus
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
