John Lucas wrote:
>> There is a lot of brute force password guessing going on, though, so there are probably automated scripts and perhaps trojans of some sort doing it. If you have port 22 open inbound, you'll probably see a lot of login attempts with user names that don't exist and/or bad passwords.
>
> Dictionary attacks don't look like port scanning.
I suspect they do from the originating side. I see perhaps a dozen or so attempts from one site in a day. I'm guessing, but I think that same site is probably also sending a dozen attempts to thousands of other places to keep the traffic down to a level that nobody will notice. And it's probably probing random addresses as fast as it can as well as doing some retries on the ones that accept connections.
>> If you have a port that can monitor all outbound connections you can:
>>   tcpdump port 22
>> and watch for one internal address trying to connect to a lot of different destinations. If you've connected to the monitor host via ssh yourself, make that:
>>   tcpdump port 22 and not host my_ip_address
>> to keep your own traffic from cluttering what you see.
>
> Right, assuming that the protocol analyzer can see the traffic and that the offending host can be identified. Many sites use NAT firewalls, making all traffic look like it comes from a single host to the outside world (i.e. the ISP).
If it is your network, you should know where to sniff or how to ask the NAT device for its translations. But you could verify that the traffic exists or not even past the NAT.
-- Les Mikesell les futuresource com
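The "watch for one internal address trying to connect to a lot of different destinations" step above, as an added example that is not part of this thread: a Python script that reads the text output of `tcpdump -nn port 22 and not host my_ip_address`, keeps only outbound SYNs from the monitored internal prefix, and reports sources that fanned out to many distinct destinations. The internal prefix 10.0.0.0/24, the threshold of 10, and the capture lines embedded in `sample_capture()` are all constructed for the illustration, not taken from the thread.

```python
"""Flag internal hosts spraying SSH connection attempts at many destinations.

Added example, not code from the thread above. Parses tcpdump -nn lines of
the form "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..." and counts
distinct destinations per internal source. Sample input is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# One tcpdump -nn TCP line; only the fields we need are captured.
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_outbound_syns(lines, internal_net, dport=22):
    """Yield (src, dst) for each bare SYN from internal_net to dport.

    A bare SYN ("[S]") is a new connection attempt; the "[S.]" SYN/ACK reply
    and later "[.]" segments are not attempts and are skipped, so retries
    and completed sessions do not inflate the count.
    """
    net = ipaddress.ip_network(internal_net)
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if "S" not in flags or "." in flags:
            continue
        if int(m["dport"]) != dport:
            continue
        if ipaddress.ip_address(m["src"]) in net:
            yield m["src"], m["dst"]


def fanout_by_source(lines, internal_net, dport=22):
    """Map each internal source to the set of distinct destinations it tried."""
    dests = defaultdict(set)
    for src, dst in parse_outbound_syns(lines, internal_net, dport):
        dests[src].add(dst)
    return dict(dests)


def suspicious_sources(lines, internal_net, threshold=10, dport=22):
    """Return {src: distinct_destination_count} for sources at or over threshold."""
    return {
        src: len(d)
        for src, d in fanout_by_source(lines, internal_net, dport).items()
        if len(d) >= threshold
    }


def sample_capture():
    """Constructed tcpdump -nn output (not real traffic).

    10.0.0.5 sends one SYN each to 12 different hosts, then retries one of
    them; 10.0.0.7 makes a single normal ssh connection that completes its
    handshake. Documentation/test address ranges are used for the outside.
    """
    lines = [
        f"12:00:{i:02d}.000001 IP 10.0.0.5.4{i:04d} > 203.0.113.{i + 1}.22: "
        f"Flags [S], seq 1, win 64240, length 0"
        for i in range(12)
    ]
    lines += [
        "12:00:20.000001 IP 10.0.0.7.51234 > 198.51.100.9.22: Flags [S], seq 2, win 64240, length 0",
        "12:00:20.010001 IP 198.51.100.9.22 > 10.0.0.7.51234: Flags [S.], seq 3, ack 3, win 65160, length 0",
        "12:00:20.020001 IP 10.0.0.7.51234 > 198.51.100.9.22: Flags [.], ack 1, win 502, length 0",
        # retry to a destination already counted: must not raise the count
        "12:00:21.000001 IP 10.0.0.5.45000 > 203.0.113.1.22: Flags [S], seq 1, win 64240, length 0",
    ]
    return lines


if __name__ == "__main__":
    # Pipe live output in with: tcpdump -nnl port 22 and not host my_ip_address | python3 this.py
    import sys
    source = sample_capture() if sys.stdin.isatty() else sys.stdin
    for src, n in suspicious_sources(source, "10.0.0.0/24").items():
        print(f"{src} tried {n} distinct ssh destinations")
```

The script only works where the sniffer sits inside the NAT, as the thread says: sniffed outside the NAT device every internal host shows up as the firewall's address, so the fan-out count will flag the NAT box itself and you still need its translation table to name the real source.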