I created a reverse ssh tunnel between an internal work website and my home workstation. My aim was to work on the remote internal website from my workstation. There is only one computer between the two ends, and the issue comes from it. On that computer, there is an ssh client that initiates the tunnel. There is also an ssh server running on that computer, but for other needs. I used the syntax below to build the reverse tunnel:
ssh -R 9001:internal-website.com:443 [email protected]
Everything worked fine. But when I checked the connections on the computer between the two ends, I noticed an unauthorized access; the IP address is from China (121.18.238.125):
root@windy:~# lsof -i
COMMAND  PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
dhclient 3356 root 6u  IPv4 5492   0t0      UDP  *:bootpc
ntpd     3459 ntp  16u IPv6 8537   0t0      UDP  *:ntp
ntpd     3459 ntp  17u IPv4 8540   0t0      UDP  *:ntp
ntpd     3459 ntp  18u IPv4 8544   0t0      UDP  localhost:ntp
ntpd     3459 ntp  19u IPv4 8546   0t0      UDP  10.4.103.17:ntp
ntpd     3459 ntp  20u IPv6 8548   0t0      UDP  localhost:ntp
ntpd     3459 ntp  21u IPv6 8550   0t0      UDP  [fe80::dc19:68ff:fe13:d008]:ntp
sshd     3463 root 3u  IPv4 8572   0t0      TCP  10.4.103.17:ssh->home-server:47730 (ESTABLISHED)
sshd     3663 root 3u  IPv4 8736   0t0      TCP  *:ssh (LISTEN)
sshd     3663 root 4u  IPv6 8738   0t0      TCP  *:ssh (LISTEN)
sshd     3878 root 3u  IPv4 8992   0t0      TCP  10.4.103.17:ssh->home-server:48680 (ESTABLISHED)
sshd     4092 root 3u  IPv4 10068  0t0      TCP  10.4.103.17:ssh->home-server:48092 (ESTABLISHED)
ssh      4445 root 3u  IPv4 14454  0t0      TCP  10.4.103.17:60988->home-server:ssh (ESTABLISHED)
sshd     4481 root 3u  IPv4 15428  0t0      TCP  10.4.103.17:ssh->121.18.238.125:53763 (ESTABLISHED)
sshd     4482 sshd 3u  IPv4 15428  0t0      TCP  10.4.103.17:ssh->121.18.238.125:53763 (ESTABLISHED)
In the /var/log/auth.log file, I couldn't find anything suspicious, only the usual failed ssh attempts. I even found the same address among the failed attempts. I ran that experiment twice. The first time, I disabled root password login and set up public-key authentication; the second time, I enabled password login with a strong password for the root user. Both experiments gave me the same result (different addresses each time, but still from China). How could this computer between the two ends possibly have been compromised? Am I missing something? I can't figure out where the weak spot is.
For the home workstation to be reachable from the internet, I enabled port forwarding on the local router. Once again, I used a strong password, and I didn't find any suspicious connection on it.
If I haven't explained this clearly, please don't hesitate to ask for further information.
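When triaging a listing like the one in the post, the detail a practitioner would check first is the USER column of the sshd rows: OpenSSH privilege separation forks an unprivileged child (running as the `sshd` user on Debian/Ubuntu and RHEL by default) for every accepted connection, and that child lives only until the peer authenticates, after which the monitor forks the session process as the login user. A root-owned sshd and an `sshd`-owned sshd sharing one socket therefore describes a connection that is still in the pre-authentication stage. The script below is an added example, not code from the original post; it parses `lsof -i` output (the rows copied from the post, abridged), groups the TCP rows by socket identifier and labels each connection as listening, the outbound tunnel client, authenticated, or pre-auth. The privsep user name is an assumption to verify on the host being examined.

```python
"""Triage an `lsof -i` listing on an SSH host: separate listening sockets, the
outbound tunnel client, authenticated inbound sessions and connections still in
OpenSSH's pre-authentication stage. Added example, not code from the post."""
from collections import defaultdict
from dataclasses import dataclass

# Unprivileged user that OpenSSH's privilege-separated pre-auth child runs as.
# Assumption for this example: `sshd` is the default on Debian/Ubuntu and RHEL;
# confirm with `getent passwd sshd` on the machine you are looking at.
PRIVSEP_USER = "sshd"

# Rows copied from the listing in the post (abridged to the interesting ones).
LSOF_OUTPUT = """\
COMMAND  PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
dhclient 3356 root 6u  IPv4 5492   0t0      UDP  *:bootpc
ntpd     3459 ntp  16u IPv6 8537   0t0      UDP  *:ntp
sshd     3463 root 3u  IPv4 8572   0t0      TCP  10.4.103.17:ssh->home-server:47730 (ESTABLISHED)
sshd     3663 root 3u  IPv4 8736   0t0      TCP  *:ssh (LISTEN)
sshd     3663 root 4u  IPv6 8738   0t0      TCP  *:ssh (LISTEN)
sshd     3878 root 3u  IPv4 8992   0t0      TCP  10.4.103.17:ssh->home-server:48680 (ESTABLISHED)
sshd     4092 root 3u  IPv4 10068  0t0      TCP  10.4.103.17:ssh->home-server:48092 (ESTABLISHED)
ssh      4445 root 3u  IPv4 14454  0t0      TCP  10.4.103.17:60988->home-server:ssh (ESTABLISHED)
sshd     4481 root 3u  IPv4 15428  0t0      TCP  10.4.103.17:ssh->121.18.238.125:53763 (ESTABLISHED)
sshd     4482 sshd 3u  IPv4 15428  0t0      TCP  10.4.103.17:ssh->121.18.238.125:53763 (ESTABLISHED)
"""


@dataclass
class Sock:
    command: str
    pid: int
    user: str
    device: str   # kernel socket identifier; fds inherited across fork() share it
    node: str     # TCP or UDP
    name: str     # "local->peer" with the trailing "(STATE)" removed
    state: str    # LISTEN, ESTABLISHED or ""


def parse_lsof(text: str) -> list:
    """Parse `lsof -i` rows; the NAME column may contain a space before '(STATE)'."""
    socks = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue  # prompt line, header or blank
        cmd, pid, user, _fd, _type, dev, _size, node, name = parts
        state = ""
        if name.endswith(")") and " (" in name:
            name, _, state = name.rpartition(" (")
            state = state[:-1]
        socks.append(Sock(cmd, int(pid), user, dev, node, name, state))
    return socks


def peer_of(name: str) -> str:
    """'local->peer' -> 'peer'; a listening socket has no peer."""
    return name.split("->", 1)[1] if "->" in name else ""


def triage(text: str) -> list:
    """Return one finding per TCP connection with a verdict on its state."""
    groups = defaultdict(list)
    for s in parse_lsof(text):
        if s.node == "TCP":
            groups[s.device].append(s)   # one entry per process holding the socket
    findings = []
    for rows in groups.values():
        first = rows[0]
        users = {r.user for r in rows}
        if first.state == "LISTEN":
            verdict = "listening"
        elif first.command == "ssh":
            verdict = "outbound-client"  # the `ssh -R` leg of the tunnel
        elif first.command == "sshd" and PRIVSEP_USER in users:
            # root monitor plus unprivileged child on the same socket: the peer
            # has connected but has not (yet, or ever) authenticated.
            verdict = "pre-auth"
        elif first.command == "sshd":
            verdict = "authenticated"    # session child runs as the login user
        else:
            verdict = "other"
        findings.append({"peer": peer_of(first.name),
                         "pids": sorted(r.pid for r in rows),
                         "users": sorted(users),
                         "verdict": verdict})
    return findings


def peers_with_verdict(text: str, verdict: str) -> set:
    return {f["peer"] for f in triage(text) if f["verdict"] == verdict}


if __name__ == "__main__":
    for f in sorted(triage(LSOF_OUTPUT), key=lambda f: f["pids"]):
        print(f"{f['verdict']:<16} pids={f['pids']} users={f['users']} peer={f['peer'] or '-'}")
```

Run against the listing from the post, it labels the three inbound connections from home-server as authenticated, the outbound `ssh` as the tunnel client, and the 121.18.238.125 connection as pre-auth, because that socket is held by both a root sshd and an `sshd`-user child. Pairing this with the Accepted/Failed lines for the same source port in /var/log/auth.log tells you whether such a peer ever got past authentication.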