01-10-2021 02:07 PM
Hey Guys,
I would like to ask for advice from the community.
I recently detected that there have been some SSH attempts on our server and would like to identify the culprit IP address.
I decided to go with the SPAN configuration and put a laptop with Wireshark on it.
The attack happens between 3 am to 7 am in the morning.
Now, this is where I don't quite understand the issue I am facing.
I am able to see logs in Wireshark.
Whenever I try to ping or access the server via HTTPS, I am able to see traffic logs in Wireshark.
I conclude from this that my SPAN configuration (not RSPAN) is working fine, because I am able to see something accessing the traffic.
But when I try to SSH to the device, I am not able to see any output in Wireshark.
Even with filters like tcp.port == 22 or just ssh in the filter, there is no output.
I am able to log in to the server via SSH just fine, but with no output in Wireshark.
I tried multiple "sources" for the monitoring configuration, be it vlan 50 or port-channel 1, but the output is the same.
When I try to SSH to the switch (where the Wireshark laptop is connected and the SVI is on vlan 50), I am also not able to see any SSH output.
So the issue here is: am I configuring it wrongly, because I am not able to see SSH traffic while ICMP and HTTPS traffic can be seen in the Wireshark logs?
The configuration for my monitoring session is...
monitor session 1 source interface Po1 (or even vlan 50)
monitor session 1 destination interface Gi1/0/48
There is not much traffic on this switch apart from vlan 50 and vlan 15, and there is no uplink apart from Po1.
Thank you.
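Since the goal stated above is to identify the source IP behind the SSH attempts, the server's own sshd log gives this directly even while the SPAN capture shows nothing. This is an added example, not code from the post or its author; the log lines are constructed, and the host name srv, the user names and the IP addresses are placeholders.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample sshd log lines in syslog format (the shape OpenSSH writes on Linux).
SAMPLE_AUTH_LOG = """\
Jan 10 02:58:01 srv sshd[4101]: Accepted publickey for han from 10.19.163.220 port 50122 ssh2
Jan 10 03:12:44 srv sshd[4188]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:49 srv sshd[4188]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:13:02 srv sshd[4190]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 04:40:17 srv sshd[4302]: Failed password for root from 198.51.100.77 port 40311 ssh2
Jan 10 06:59:59 srv sshd[4377]: Failed password for invalid user test from 203.0.113.5 port 51901 ssh2
Jan 10 07:00:01 srv sshd[4380]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan 10 09:15:30 srv sshd[4501]: Accepted password for han from 10.19.0.100 port 52000 ssh2
"""

# Matches both failed and accepted logins; "invalid user" is optional because sshd
# only prints it when the account does not exist.
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_in_window(log_text, start=time(3, 0), end=time(7, 0)):
    """Count failed SSH logins per source IP whose timestamp falls in [start, end).

    The default window is the 3 am to 7 am period described in the post.
    Returns a list of (ip, count) pairs, most frequent first.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "Failed password":
            continue
        ts = datetime.strptime(m.group("time"), "%H:%M:%S").time()
        if start <= ts < end:
            counts[m.group("ip")] += 1
    return counts.most_common()


if __name__ == "__main__":
    for ip, n in failed_logins_in_window(SAMPLE_AUTH_LOG):
        print(f"{ip:>16}  {n} failed attempts")
```

On a real host, feed it the contents of /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family), or the output of journalctl -u ssh.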
01-10-2021 02:19 PM
Session 1
---------
Type : Local Session
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : Po1
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled
Filter VLANs : None
Dest RSPAN VLAN : None
IP Access-group : None
MAC Access-group : None
IPv6 Access-group : None
01-10-2021 02:36 PM
Hello,
SSH is typically directed at the management IP address of the switch. Which IP address is that, is it configured on Vlan interface 50 ?
01-10-2021 04:01 PM
Hi Georg,
I tested SSH to the Linux server as well as to the switch (via PuTTY), and though both are successful (i.e. PuTTY is asking me to put in the credentials to log in), I am not able to see any attempts in Wireshark.
I do not have the same issue when I access the Linux server via web (HTTPS); there I am able to see the logs in Wireshark.
Vlan50 IP is 10.19.0.236 and the Linux server is 10.19.0.207 (/25 subnet mask).
Thank you.
Regards
Han
01-10-2021 02:37 PM
We want to see more of the config of your port-channel 1 and the interface config of gi1/0/48:
show monitor
From what IP address are you doing SSH to test?
What is this server? Linux or Windows?
01-10-2021 03:59 PM
show run int gi1/0/48
Building configuration...
Current configuration : 68 bytes
!
interface GigabitEthernet1/0/48
description :: WIRESHARK ::
end
show run int po1
Building configuration...
Current configuration : 119 bytes
!
interface Port-channel1
description To Nexus-9K
switchport trunk allowed vlan 15,40,50
switchport mode trunk
end
show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Po1
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled
I believe the servers are Linux servers, and the L3 for vlan 50 resides in the Nexus (its uplink).
I am trying to access via the IP 10.19.163.220 which is not within vlan 50 (10.19.0.128/25).