Why do SFTP Break-In Attempts Show As Local IPs?
I have an SFTP server which I'm using to host files. The password is very strong (normal dictionary attacks or cracks will not work). I'm not too worried after reading this post. But I noticed something very peculiar. Here's a sample of the logs:
input_userauth_request: invalid user administrador [preauth]
Failed password for invalid user administrador from 10.51.6.91 port 21788 ssh2
What? How could the IP be a local IP address? This is an external facing application, so I expect the request to come from an external IP. Am I missing something?
sftp
asked Apr 3 at 18:01
Thomas Zhang
1 Answer
It's possible that the local host has been compromised and is being used as a "pivot point" to attack from the inside. It may be worth investigating that host further.
It's also possible that an internal user is trying to break into that server.
answered Apr 3 at 18:34
Ron Trunk
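A starting point for the investigation the answer suggests, as an added example that is not part of the original question or answer: it groups failed sshd password attempts by source address and lists the sources inside private ranges, with the usernames each one tried. The function names, the `INTERNAL_NETS` definition of "local", and every sample log line after the first two are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>[0-9a-fA-F.:]+) port \d+")
# RFC 1918 private ranges plus loopback (assumed definition of "local").
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# First two lines are from the question; the rest are constructed samples.
SAMPLE_LOG = """\
input_userauth_request: invalid user administrador [preauth]
Failed password for invalid user administrador from 10.51.6.91 port 21788 ssh2
Failed password for invalid user admin from 10.51.6.91 port 21790 ssh2
Failed password for root from 203.0.113.7 port 40022 ssh2
Failed password for invalid user test from 192.168.1.20 port 51514 ssh2
Accepted password for backup from 198.51.100.4 port 50000 ssh2
"""

def classify(ip_text):
    """Return 'internal', 'external' or 'unparsed' for a logged source address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def summarize_failures(log_text):
    """Group failed-password events by source address."""
    sources = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            sources[m["ip"]]["attempts"] += 1
            sources[m["ip"]]["users"].add(m["user"])
    return {ip: dict(e, scope=classify(ip)) for ip, e in sources.items()}

def internal_sources(log_text):
    """Internal sources with failed logins, most attempts first."""
    rows = [(ip, e["attempts"], sorted(e["users"]))
            for ip, e in summarize_failures(log_text).items()
            if e["scope"] == "internal"]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, attempts, users in internal_sources(SAMPLE_LOG):
        print(f"{ip}: {attempts} failed attempts, users tried: {', '.join(users)}")
```

Explicit networks are used instead of `ipaddress`'s `is_private` attribute because that attribute is also true for reserved documentation ranges such as 203.0.113.0/24.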