New Member
Posts: 1
Registered: a week ago

logging outbound ssh attempts

Got an email from someone stating they have several attempted SSH connections to them. They have since firewalled it but sent me the info to let me know. I'm running EdgeRouter Pro v1.9.0. How do I log this so I can see where it's originating from? I found a post stating to just create an outbound NAT rule with logging enabled. I must not be doing this right, as when I test it, it generates no logs.

[Attachment: source nat rule.jpg]

New Member
Posts: 8
Registered: ‎12-13-2018
Kudos: 1

Re: logging outbound ssh attempts

Remove the source port check on ssh. The destination of ssh is port 22, but the source port is dynamic, 1024 - 65535.

 

Emerging Member
Posts: 108
Registered: ‎07-09-2016
Kudos: 35
Solutions: 4

Re: logging outbound ssh attempts

Why a NAT rule? A simple firewall rule with logging enabled should do the trick.
As kpratte correctly stated, only filter on destination port. And ssh is always TCP.

Veteran Member
Posts: 7,609
Registered: ‎03-24-2016
Kudos: 1979
Solutions: 871

Re: logging outbound ssh attempts

Create a WAN_OUT firewall ruleset, and apply it to the WAN interface in the outgoing direction:

- rule1 = allow established/related
- rule2 = allow dest.port==22 proto=tcp, logging enabled

default action accept

 

This will only log the 1st packet belonging to a new ssh session, and not overwhelm your log file.

Logs are in /var/log/messages, but you could use syslog to an external server.
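Once the WAN_OUT rule is logging, the entries in /var/log/messages can be tallied by internal source address to find the host making the SSH attempts. The following is an added example, not part of the original thread: the sample lines are constructed and abbreviated, the key=value layout is the netfilter LOG format, and the `[WAN_OUT-2-A]` prefix (ruleset, rule number, action) is an assumption about how the router labels the entries. Outgoing firewall rules are evaluated before source NAT, so SRC is the LAN address rather than the WAN address.

```python
import re
from collections import Counter, defaultdict

# Constructed, abbreviated sample of /var/log/messages. The key=value layout is
# the netfilter LOG format; the "[ruleset-rule-action]" prefix is an assumption.
SAMPLE_LOG = """\
Jan  5 10:15:01 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=51514 DPT=22 SYN
Jan  5 10:15:03 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=51520 DPT=22 SYN
Jan  5 10:15:04 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=22 SYN
Jan  5 10:15:09 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40112 DPT=22 SYN
Jan  5 10:15:12 ubnt kernel: [WAN_OUT-2-A]IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=51533 DPT=22 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line, ruleset="WAN_OUT"):
    """Return the key=value fields of a TCP/22 line logged by `ruleset`, else None."""
    start = line.find("[%s-" % ruleset)
    end = line.find("]", start) if start >= 0 else -1
    if end < 0:
        return None  # line was logged by another ruleset or is not a firewall log
    fields = dict(FIELD.findall(line[end + 1:]))
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "22":
        return None
    return fields


def ssh_sources(log_text, ruleset="WAN_OUT"):
    """Map each internal SRC to a Counter of the destinations it opened SSH to."""
    sources = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line, ruleset)
        if fields and "SRC" in fields and "DST" in fields:
            sources[fields["SRC"]][fields["DST"]] += 1
    return sources


def report(log_text):
    """Return (source, new sessions, distinct destinations), busiest source first."""
    rows = [(src, sum(dsts.values()), len(dsts))
            for src, dsts in ssh_sources(log_text).items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for src, sessions, targets in report(SAMPLE_LOG):
        print("%-15s %3d new SSH sessions to %d destination(s)" % (src, sessions, targets))
```

A LAN host that shows many new sessions to many distinct destinations is the one to inspect first.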

 

 
