David Baron wrote:
Someone is trying to ssh on to my system. Trying on several ports. Not the
first time, either. Thankfully, he does not have a password. Besides a bunch
of Deprecated option ReverseMappingCheck, so far no harm done.
Since my logs have this IP number, how do I find out who it is?
SSH is not exposed from local to internet!
It is to a "VMZ" which is a virtual machine that may have been running at the
time. But who is this IP (virtual machines are like 10.0.2.15 or such) ??

if SSH is blocked at your firewall, then the traffic is coming from either:
a. your firewall (e.g., if there's a port opened to the outside world)
b. somewhere on your internal network
c. a process on your own machine

and, to add to this, addresses in the range 10.0.0.0-255 are reserved
for use on internal networks

so... this would seem to be more likely a virus scanning its
environment, or some kind of legitimate internal port scanner being
used for network management purposes

a few things you might try:

dig -x 10.0.2.15
(same as dig 15.2.0.10.in-addr.arpa PTR)
will give you a reverse lookup on the address, if one is registered -
but... it's unlikely a reverse pointer will be registered

traceroute to the address - it might show you something useful

netstat - will show you what connections are open on your machine, and
give you some idea of what programs are behind them - might show you if
a program on your machine has bound that address (if you have a small
network, you could run netstat on each machine) - read the man page and
play with the different options

Miles
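
One way to triage the question raised in this thread, as an added example that is not part of the original messages: it pulls the source address out of sshd "Failed password" lines and labels each source as loopback, link-local, internal (RFC 1918 or IPv6 ULA) or external, which indicates whether the firewall, the internal network or the local machine is the place to look. The log lines are constructed samples in the usual OpenSSH syslog format, and 203.0.113.45 is a documentation address standing in for an Internet host.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 02:11:07 host sshd[4121]: Failed password for root from 10.0.2.15 port 40122 ssh2
Mar  3 02:11:09 host sshd[4121]: Failed password for invalid user admin from 10.0.2.15 port 40124 ssh2
Mar  3 02:14:30 host sshd[4130]: Failed password for root from 127.0.0.1 port 51510 ssh2
Mar  3 02:20:02 host sshd[4188]: Failed password for invalid user test from 203.0.113.45 port 60001 ssh2
Mar  3 02:25:41 host sshd[4190]: Accepted password for david from 192.168.1.20 port 50022 ssh2
Mar  3 02:30:00 host sshd[4200]: Failed password for root from not-an-ip port 1 ssh2
"""

# RFC 1918 private ranges plus IPv6 unique local addresses.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def classify(addr):
    """Label a source address by where such traffic can originate."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback (this machine)"
    if ip.is_link_local:
        return "link-local (same segment)"
    if any(ip in net for net in INTERNAL):
        return "internal (LAN, NAT or VM)"
    return "external"

def summarize(log_text):
    """Count failed sshd logins per source; return {source: (label, count, users)}."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        user, src = m.group(1), m.group(2)
        counts[src] += 1
        users.setdefault(src, set()).add(user)
    return {src: (classify(src), n, sorted(users[src])) for src, n in counts.most_common()}

if __name__ == "__main__":
    for src, (kind, n, names) in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {kind:28} {n} failed  users={','.join(names)}")
```

An internal or loopback label on the busiest source means the next step is netstat on the local hosts rather than a whois lookup.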