geofrey rainey

Reputation: 342

SSH Server Behavior

I am investigating what could be some odd behavior on a server of mine. I got a notification that packets originating from my server are attacking SSH server ports on other servers.

While monitoring TCP traffic for SYN packets, I see the following (example):

03:43:41.759343 IP [local IP].22 > [remote IP].22: Flags [S.],

In other words, the local SSHD server, at local IP and local port 22, is sending a SYN packet to the remote SSHD server at remote IP and remote port 22, but I am not sure under what circumstance this would happen as normally the source port is a high port number.

I have tried to reproduce the packet with port forwarding, but so far cannot figure it out.

Cheers, Geof.

Upvotes: 1

Views: 35

Answers (1)

geofrey rainey

Reputation: 342

Actually I believe I could be wrong here. I just realized the above is not a SYN packet, but a SYN-ACK, which is normal. So never mind.

Upvotes: 1
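
The distinction the answer turns on, `Flags [S]` (SYN) versus `Flags [S.]` (SYN-ACK, where the `.` is ACK), can be checked mechanically across a capture. The following is an added example, not part of the original post: it assumes numeric `tcpdump -n` output for TCP over IPv4, and the function names and sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump flag letters; "." is ACK, so "[S]" is a SYN and "[S.]" a SYN-ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
              "U": "URG", "E": "ECE", "W": "CWR", ".": "ACK"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

# Constructed sample capture (documentation addresses); 192.0.2.10 is "local".
SAMPLE = """\
03:43:41.759001 IP 203.0.113.5.22 > 192.0.2.10.22: Flags [S], seq 100, win 65535, length 0
03:43:41.759343 IP 192.0.2.10.22 > 203.0.113.5.22: Flags [S.], seq 200, ack 101, win 29200, length 0
03:43:42.100000 IP 192.0.2.10.51514 > 198.51.100.7.22: Flags [S], seq 300, win 29200, length 0
03:43:42.200000 IP 192.0.2.10.22 > 203.0.113.5.22: Flags [P.], seq 1:42, ack 1, win 229, length 41
"""

def parse(line):
    """Parse one `tcpdump -n` TCP/IPv4 line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m["flags"]
    flags = set() if raw == "none" else {FLAG_NAMES.get(c, c) for c in raw}
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": flags}

def classify(pkt, local_ip, port=22):
    """Label a packet by who is opening the connection to `port`."""
    syn, ack = "SYN" in pkt["flags"], "ACK" in pkt["flags"]
    if syn and not ack and pkt["dport"] == port:
        # Pure SYN: the sender is the client, whatever its source port is.
        return "outbound-connect" if pkt["src"] == local_ip else "inbound-connect"
    if syn and ack and pkt["src"] == local_ip and pkt["sport"] == port:
        return "server-reply"  # local sshd answering someone else's SYN
    return "other"

def summarize(text, local_ip):
    """Count packet labels across a capture; unparsable lines are skipped."""
    pkts = filter(None, map(parse, text.splitlines()))
    return Counter(classify(p, local_ip) for p in pkts)

if __name__ == "__main__":
    for label, n in summarize(SAMPLE, "192.0.2.10").items():
        print(label, n)
```

Only the `outbound-connect` count indicates that the local host is initiating SSH connections. To capture just connection attempts in the first place, the pcap filter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` matches SYN without ACK.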
