Audit Log puzzle
Just trying to make sense of some entries in our audit.log - One of our Asterisk servers has been subject to a brute force attack on SSH. Our SSH port is not open to the public but rather only reachable through LAN and a specific public IP. The problem we're facing is that the audit.log is showing loads of failed login attempts (brute force attack) from different public IPs, but public IPs are not allowed to connect via SSH based on iptables - So how can this be?
Glad if someone can shed some light onto this. In the meantime we're just going to implement something like fail2ban to dynamically block the IPs.
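An added example, not code from the original thread: a small script that reads sshd login records out of audit.log and checks every source address against the firewall policy the post describes (LAN plus one public IP). Any sshd record from an address outside that allow-list is direct evidence that the packet filter is not enforcing the intended restriction, because sshd only writes an audit record for a connection that reached it. The sample log lines, the allow-list, and the function names are constructed for illustration; the record layout follows what sshd emits through PAM on a Linux audit system.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample audit.log records (not from the original post).  The
# layout mirrors the USER_LOGIN / USER_AUTH records sshd produces via PAM;
# addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:201): pid=3101 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.45 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000000.102:202): pid=3102 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.103:203): pid=3103 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.10.25 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1700000000.104:204): pid=3104 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="oracle" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.45 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000000.105:205): pid=3105 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.106:206): pid=3106 uid=0 auid=1000 ses=13 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.200 terminal=/dev/pts/1 res=success'
type=CRED_ACQ msg=audit(1700000000.107:207): pid=3106 uid=0 auid=1000 ses=13 msg='op=PAM:setcred grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.200 terminal=ssh res=success'
"""

# Hypothetical allow policy matching the post: the LAN and one public address.
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("198.51.100.200/32"),
]

# Fields appear in this order in the record, so one left-to-right regex suffices.
RECORD_RE = re.compile(
    r"^type=(?P<type>USER_LOGIN|USER_AUTH)\b.*?"
    r'exe="(?P<exe>[^"]+)".*?'
    r"addr=(?P<addr>\S+).*?"
    r"res=(?P<res>\w+)"
)


def parse_sshd_records(log_text):
    """Yield (record_type, source_addr, result) for every sshd login/auth record."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m or not m.group("exe").endswith("sshd"):
            continue
        addr = m.group("addr")
        if addr == "?":  # audit writes '?' when the peer address is unknown
            continue
        yield m.group("type"), addr, m.group("res")


def is_allowed(addr, allowed=ALLOWED_SOURCES):
    """True if the address falls inside any network the firewall should admit."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)


def find_policy_violations(log_text, allowed=ALLOWED_SOURCES):
    """Return two counters keyed by source address:
    - violations: sshd records from addresses the firewall should have dropped
    - failed: failed authentication records, whatever the source
    A non-empty 'violations' counter means the filter is not doing its job."""
    violations = Counter()
    failed = Counter()
    for _rtype, addr, res in parse_sshd_records(log_text):
        if res == "failed":
            failed[addr] += 1
        if not is_allowed(addr, allowed):
            violations[addr] += 1
    return violations, failed


if __name__ == "__main__":
    bad, fails = find_policy_violations(SAMPLE_AUDIT_LOG)
    for addr, n in bad.most_common():
        print(f"reached sshd despite policy: {addr} ({n} records)")
    for addr, n in fails.most_common():
        print(f"failed logins: {addr} ({n})")
```

On a real host, feed it the contents of /var/log/audit/audit.log (or the output of `ausearch -m USER_LOGIN,USER_AUTH`) and adjust ALLOWED_SOURCES to the intended policy. Every address the script reports under "reached sshd despite policy" got past the packet filter, so the next step is to compare that list with the live rule set (`iptables -S`) and find where those sources are being accepted; the failed-login counter is the same data fail2ban would act on, but it does not fix the underlying gap.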
It seems very unlikely that ssh would make things up, so that suggests your iptables isn't configured correctly.
If you want to post the iptables config then we might be able to spot the gap.
Let us know how you get on.