Viewing 13 posts - 1 through 13 (of 13 total)
  • Network security help!
  • spectabilis
    Free Member

    Sky have advised us of multiple SSH attack attempts originating from a device on our network.

    Log details below:

    failed – POSSIBLE BREAK-IN ATTEMPT!
    Dec 12 15:41:34 hzr10202 sshd[5251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=90.219.208.63 user=root
    Dec 12 15:41:36 hzr10202 sshd[5251]: Failed password for root from 90.219.208.63 port 50613 ssh2
    Dec 12 15:41:39 hzr10202 sshd[5251]: Failed password for root from 90.219.208.63 port 50613 ssh2
    Dec 12 15:41:40 hzr10202 sshd[5251]: Failed password for root from 90.219.208.63 port 50613 ssh2
    Dec 12 15:41:40 hzr10202 sshd[5251]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=90.219.208.63 user=root
    The log above is an example of multiple unauthorised access attempts targeting an SSH (port 22) server on a private network and originating from your Sky Broadband connection.

    Virus scanners come up clean.

    Any ideas?
    Are all my devices best binned?

    Cougar
    Full Member

    MBAM.

    Are you sure it’s a genuine email? Does https://www.whatismyip.com/ return the same address?

    Did they disclose the destination?

    spectabilis
    Free Member

    It’s genuine, we’ve spoken to a technician at Sky.

    They can’t say what device it’s originating from and quite vague about what it’s actually doing. Just you need to sort it else your connection will be terminated.

    I should point out we don’t have a desktop PC of any description on the network, all devices are Android or simple (Linux?) based like NAS, Sky box and media streamers etc.

    leffeboy
    Full Member

    Is someone else unknown on your wifi? Try changing your wifi password.

    Otherwise see if you have enough control on the Sky box to block that traffic.

    spectabilis
    Free Member

    Nothing else on the network, all IPs accounted for.

    Cougar
    Full Member

    Is it still happening? Ie, if you talk to support and start switching off devices, can that isolate it?

    I’d suggest looking at the router logs to track down the device, but I’m with Sky and I know the logging available to the end user is pretty pish.

    spectabilis
    Free Member

    Yes Cougar that would be a logical way of fault finding wouldn’t it! Unfortunately Sky don’t seem to think so. It’s been reinstated once and if they activate it again and it persists they’ll disconnect us.
    Not too bothered about that as it stands as service has been utter crap for ages.
    However we’d still be host to a virus and will experience the same report from another provider.

    leffeboy
    Full Member

    and media streamers etc.

    Have you got something like a Kodi box? Is it possible that whatever software you are using for streaming is doing this?

    If you are using NAS boxes and media streamers I’m guessing they are hard wired into the Sky box. In that case you might be able to insert a PC in between running wireshark to work out which device is trying to do the connect.

    painful though 🙁

    spectabilis
    Free Member

    No Kodi box. Have run it from an app on the tablet but uninstalled it months ago.
    The streamer is just a simple WD TV Live, doubt it has the capabilities to conduct the attacks.

    leffeboy
    Full Member

    I wonder if it was someone temporarily on your wifi and then isn’t there when you are checking. I’d change the wifi password as if you are sure your devices are clean it’s the most likely option left

    Cougar
    Full Member

    Again, knowing the target might be useful. Is the destination one address or many? I suspect the latter, which might help pin down what it is.

    oldnpastit
    Full Member

    If you’re very lucky your router might have an option somewhere to list all the established TCP connections that it’s NATing for you.

    If that doesn’t work, then you could try to set up a tame hotspot which you can run wireshark or tcpdump on. Just need a Raspberry Pi (or really anything that can run Linux from a USB stick) with a wireless port and an ethernet (and some instructions).
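
The capture suggested above, turned into an answer to "which device, and one destination or many?": this is an added example, not part of the original posts. It assumes a 192.168.0.0/24 LAN and text saved from `tcpdump -nn 'tcp dst port 22'` on the box the traffic passes through; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")  # assumption: the home router's subnet

# tcpdump -nn text for IPv4 TCP: "... IP src.sport > dst.dport: Flags [S], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def outbound_ssh_sources(lines, min_targets=3):
    """Return {lan_ip: (syn_count, distinct_targets)} for LAN devices that open
    SSH connections to at least min_targets different hosts outside the LAN."""
    syns, targets = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport, flags = m.groups()
        # New connection attempts only: SYN set, ACK (shown as ".") not set.
        if dport != "22" or "S" not in flags or "." in flags:
            continue
        # Outbound only: source on the LAN, destination off it.
        if ip_address(src) not in LAN or ip_address(dst) in LAN:
            continue
        syns[src] += 1
        targets[src].add(dst)
    return {ip: (syns[ip], len(targets[ip]))
            for ip in syns if len(targets[ip]) >= min_targets}

# Constructed sample capture (documentation-range addresses, not real traffic).
SAMPLE = """\
15:41:34.10 IP 192.168.0.23.50613 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
15:41:34.12 IP 203.0.113.7.22 > 192.168.0.23.50613: Flags [S.], seq 9, ack 2, win 65535, length 0
15:41:35.40 IP 192.168.0.23.50614 > 203.0.113.8.22: Flags [S], seq 1, win 64240, length 0
15:41:36.02 IP 192.168.0.23.50615 > 198.51.100.4.22: Flags [S], seq 1, win 64240, length 0
15:41:36.90 IP 192.168.0.23.50616 > 198.51.100.9.22: Flags [S], seq 1, win 64240, length 0
15:41:37.15 IP 192.168.0.23.50617 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
15:41:38.00 IP 192.168.0.10.41000 > 192.168.0.5.22: Flags [S], seq 1, win 64240, length 0
15:41:38.50 IP 192.168.0.11.41001 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
15:41:39.00 IP 192.168.0.12.41002 > 198.51.100.4.22: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for ip, (n, t) in outbound_ssh_sources(SAMPLE).items():
        print(f"{ip}: {n} SSH connection attempts to {t} different hosts")
```

The LAN address it reports can then be matched against the router's DHCP client list to identify the physical device.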

    spectabilis
    Free Member

    Wondering why traceroute is showing my PS4 as constantly generating new “hops” when it’s connected directly to the router via WiFi?


The topic ‘Network security help!’ is closed to new replies.