I have an SFTP server which I'm using to host files. The password is very strong (normal dictionary attacks or cracks will not work). I'm not too worried after reading this post. But I noticed something very peculiar. Here's a sample of the logs:

input_userauth_request: invalid user administrador [preauth] 
Failed password for invalid user administrador from 10.51.6.91 port 21788 ssh2

What? How could the IP be a local IP address? This is an external-facing application, so I expect the request to come from an external IP. Am I missing something?

Thomas

1 Answer

It's possible that the local host has been compromised and is being used as a "pivot point" to attack from the inside. It may be worth investigating that host further.

It's also possible that an internal user is trying to break into that server.

Ron Trunk
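
As an added example (not part of the original question or answer), one way to follow up on the answer's suggestion is to pull failed sshd password attempts that come from internal address space out of the log, grouped by source host. The sample log is constructed apart from the line quoted in the question, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample; only the first line is the one quoted in the question.
SAMPLE_LOG = """\
Failed password for invalid user administrador from 10.51.6.91 port 21788 ssh2
Failed password for invalid user admin from 10.51.6.91 port 21790 ssh2
Failed password for root from 203.0.113.7 port 40022 ssh2
Accepted password for thomas from 192.168.1.20 port 50111 ssh2
Failed password for invalid user test from 2001:db8::5 port 4000 ssh2
"""

# Explicit ranges rather than ip.is_private, which also matches
# documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 equivalents
)]

# The user name is chosen by the client, so match it greedily and anchor on
# the end of the line: the address sshd itself wrote is the last "from".
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)  # raises ValueError if not an IP
    return any(ip.version == n.version and ip in n for n in INTERNAL_NETS)

def internal_failures(log_text):
    """Return {source_ip: {"attempts": n, "users": set}} for internal sources."""
    hits = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        try:
            if not m or not is_internal(m["ip"]):
                continue
        except ValueError:
            continue
        hits[m["ip"]]["attempts"] += 1
        hits[m["ip"]]["users"].add(m["user"])
    return dict(hits)

if __name__ == "__main__":
    print(internal_failures(SAMPLE_LOG))
```

Each address it returns is a host on the internal side to look at, whether that turns out to be a compromised machine or an internal user.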