New Member
Posts: 2
Registered: 02-25-2019

how to identify compromised computer behind an edgerouter?


Hello,
I was notified by the ISP that a SSH bruteforce attack was identified from our IP. Is it possible to log the traffic coming from LAN to internet with destination port 22?
Thanks!

Established Member
Posts: 1,915
Registered: 03-02-2016
Kudos: 469
Solutions: 148

Re: how to identify compromised computer behind an edgerouter?

Sure, create a new LAN_IN firewall attached to your ER's LAN interface's "in" direction. Default action accept. Create a single rule to allow (or reject, depending on what you want to do) traffic with destination port 22 and set the logging to enable.

New Member
Posts: 2
Registered: 02-25-2019

Re: how to identify compromised computer behind an edgerouter?

Then how can I access/search that log?

Veteran Member
Posts: 7,958
Registered: 03-24-2016
Kudos: 2076
Solutions: 912

Re: how to identify compromised computer behind an edgerouter?

If the attack is active, the command below might already show all those connections and the source IP:

sudo conntrack -L | grep tcp | grep dport=22

New Member
Posts: 1
Registered: 02-25-2019

Re: how to identify compromised computer behind an edgerouter?

I don't understand why you are trying to divert the traffic. What is the logic you are actually using to solve the issue?

Established Member
Posts: 1,915
Registered: 03-02-2016
Kudos: 469
Solutions: 148

Re: how to identify compromised computer behind an edgerouter?

@adv_ro wrote:
Then how can I access/search that log?

Everything will be logged to the system log, which is in /var/log/messages. Or you can access it with the show system log... commands.
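Pulling the two answers above together, here is an added example that is not from this thread or from Ubiquiti: a small POSIX shell tally that reads either the LAN_IN firewall log entries from /var/log/messages or the output of conntrack -L and counts which LAN source is opening TCP/22 connections. The exact log line layout and all addresses below are constructed assumptions in the EdgeOS style, not captured router output.

```shell
#!/bin/sh
# Added example (not from the thread): tally which LAN host is opening
# outbound TCP/22 connections, using either the LAN_IN firewall log entries
# that land in /var/log/messages or the output of "conntrack -L".

# Emit "count source" lines, busiest source first, for every TCP entry whose
# destination port is 22. Only the first src=/dport= pair of a conntrack line
# is read (the original direction), so reply tuples are not double counted.
top_ssh_sources() {
    awk '
    $1 == "tcp" || /PROTO=TCP/ {
        src = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^(SRC|src)=/)     { split($i, kv, "="); src = kv[2] }
            if (dport == "" && $i ~ /^(DPT|dport)=/) { split($i, kv, "="); dport = kv[2] }
        }
        if (src != "" && dport == "22") hits[src]++
    }
    END { for (s in hits) print hits[s], s }
    ' | sort -rn
}

# Constructed sample of EdgeOS kernel log lines as written by a logging
# LAN_IN rule (rule set LAN_IN, rule 10, action accept); addresses are
# documentation ranges, not real hosts.
sample_firewall_log() {
cat <<'EOF'
Feb 26 10:00:01 ubnt kernel: [LAN_IN-10-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22 SYN
Feb 26 10:00:01 ubnt kernel: [LAN_IN-10-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=22 SYN
Feb 26 10:00:02 ubnt kernel: [LAN_IN-10-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.12 PROTO=TCP SPT=51236 DPT=22 SYN
Feb 26 10:00:02 ubnt kernel: [LAN_IN-10-A]IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=22 SYN
Feb 26 10:00:03 ubnt kernel: [LAN_IN-10-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=51237 DPT=443 SYN
EOF
}

# Constructed sample of "conntrack -L" output in the same style.
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=51234 dport=22 src=203.0.113.10 dst=198.51.100.1 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=192.168.1.50 dst=203.0.113.11 sport=51235 dport=22 [UNREPLIED] src=203.0.113.11 dst=198.51.100.1 sport=22 dport=51235 mark=0 use=1
udp      17 29 src=192.168.1.77 dst=192.168.1.1 sport=50000 dport=53 src=192.168.1.1 dst=192.168.1.77 sport=53 dport=50000 mark=0 use=1
EOF
}

# On the router: sudo conntrack -L | top_ssh_sources
#                sudo cat /var/log/messages | top_ssh_sources
```

A host that tops the list with many distinct DST addresses and SYN-only entries is the one worth isolating and checking first.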