SSH query

Shawnw4401
Level 1

I have a question about a server continuously trying to SSH into my router, and only my router. The only thing on this server, functionality-wise, is DHCP, so there's really no reason for it to keep trying to SSH into the router, which is why I'm puzzled that it's trying to SSH constantly. I could understand it if it were an SNMP server with write permission, for example.

ACL:

ip access-list standard SNMP_HOME
permit 192.168.0.0 0.0.0.7 log
permit 192.168.52.0 0.0.0.7 log
permit 192.168.94.32 0.0.0.15 log
deny any log
!
ip access-list extended SSH_IN
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.0.1 any eq 22 log
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any log

Below is my log of the SSH:

Nov 23 04:20:12.625: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63385) -> 0.0.0.0(22), 2 packets
Nov 23 04:20:12.625: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63402) -> 0.0.0.0(22), 2 packets
Nov 23 04:20:12.629: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63115) -> 0.0.0.0(22), 2 packets
LAN_Router_1#
.Nov 23 04:21:12.626: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63682) -> 0.0.0.0(22), 2 packets
.Nov 23 04:21:12.626: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63945) -> 0.0.0.0(22), 2 packets
.Nov 23 04:21:12.630: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63963) -> 0.0.0.0(22), 2 packets
.Nov 23 04:21:12.630: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63656) -> 0.0.0.0(22), 2 packets
LAN_Router_1#
.Nov 23 04:21:15.518: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49191) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:21:45.030: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49210) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:21:47.774: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49217) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:22:12.626: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(64234) -> 0.0.0.0(22), 2 packets
.Nov 23 04:22:12.630: %SEC-6-IPACCESSLOGNP: list SNMP_HOME denied 0 192.168.17.18 -> 0.0.0.0, 11 packets
.Nov 23 04:22:12.630: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(64255) -> 0.0.0.0(22), 2 packets
.Nov 23 04:22:12.630: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(64504) -> 0.0.0.0(22), 2 packets
.Nov 23 04:22:12.630: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(64524) -> 0.0.0.0(22), 2 packets
LAN_Router_1#
.Nov 23 04:22:16.350: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49274) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:22:19.062: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49277) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:22:49.059: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49323) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:22:52.471: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49329) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:22:58.331: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 65.255.34.83(53012) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:23:12.631: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(64650) -> 0.0.0.0(22), 2 packets
.Nov 23 04:23:12.631: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(64630) -> 0.0.0.0(22), 2 packets
LAN_Router_1#
.Nov 23 04:23:20.295: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49386) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:23:23.903: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49389) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:23:51.440: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49433) -> 0.0.0.0(22), 1 packet
LAN_Router_1#
.Nov 23 04:23:55.048: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49440) -> 0.0.0.0(22), 1 packet
.Nov 23 04:26:12.630: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets

All comments are appreciated. Thank you.
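
A Python tally of the %SEC-6-IPACCESSLOG* lines in the post above, added here as an example and not part of the original thread: it groups denied entries by ACL and source, marks each source as private or public address space, and counts the packets the router reports as missed by rate-limited logging. The function name summarize and the regular expressions are assumptions of this example; the sample lines are copied from the posted log.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the log in the post above (prompt line included).
SAMPLE = """\
Nov 23 04:20:12.625: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(63385) -> 0.0.0.0(22), 2 packets
LAN_Router_1#
.Nov 23 04:21:15.518: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 192.168.17.18(49191) -> 0.0.0.0(22), 1 packet
.Nov 23 04:22:12.630: %SEC-6-IPACCESSLOGNP: list SNMP_HOME denied 0 192.168.17.18 -> 0.0.0.0, 11 packets
.Nov 23 04:22:58.331: %SEC-6-IPACCESSLOGP: list SSH_IN denied tcp 65.255.34.83(53012) -> 0.0.0.0(22), 1 packet
.Nov 23 04:26:12.630: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 8 packets
"""

# IPACCESSLOGP carries ports; IPACCESSLOGNP does not, so the port groups are optional.
ENTRY = re.compile(
    r"^[.*]?(?P<ts>\w{3}\s+\d+ [\d:.]+): %SEC-6-IPACCESSLOGN?P: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<pkts>\d+) packets?"
)
MISSED = re.compile(r"%SEC-6-IPACCESSLOGRL: .* missed (?P<n>\d+) packets?")

def summarize(text):
    """Tally denied entries per (ACL, source); return (summary, missed_packets)."""
    summary = defaultdict(lambda: {"entries": 0, "packets": 0, "sports": set(), "first": None, "last": None})
    missed = 0
    for line in text.splitlines():
        m = MISSED.search(line)
        if m:
            missed += int(m["n"])   # rate-limited: the tallies below are a lower bound
            continue
        m = ENTRY.match(line.strip())
        if not m or m["action"] != "denied":
            continue                # prompts such as LAN_Router_1# and other messages
        s = summary[(m["acl"], m["src"])]
        s["entries"] += 1
        s["packets"] += int(m["pkts"])
        if m["sport"]:
            s["sports"].add(int(m["sport"]))
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        s["internal"] = ipaddress.ip_address(m["src"]).is_private
    return dict(summary), missed

if __name__ == "__main__":
    rows, missed = summarize(SAMPLE)
    for (acl, src), s in sorted(rows.items()):
        print(acl, src, "internal" if s["internal"] else "external", s["entries"],
              s["packets"], len(s["sports"]), s["first"], s["last"])
    print("packets missed by rate-limited logging:", missed)
```

Running it over the full saved log separates the single internal host from any outside sources hitting the same ACL, and the first/last timestamps show whether the attempts stop once the responsible process is removed.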

Accepted Solutions

johnd2310
Level 8

Hi,

Have you had a thorough look at the processes running on the server? Could be a malicious application trying to access your router.

Thanks

John

**Please rate posts you find helpful**

John,

It did seem there was an application running that I didn't know about that was trying to SSH to the router.