I run a small Ubuntu server which I access from outside and within my local network. I have it configured to mail me some data from the auth.log file on a daily basis so I can monitor what happens there.

In today's mail I received the following info on successful ssh connections:

```
09:53:46 myuser from XX.XX.XX.XX port 10890
21:07:25 myuser from 192.168.1.59 port 32772
21:07:27 myuser from 192.168.1.1 port 37479
21:11:47 myuser from 192.168.1.59 port 32782
21:46:50 myuser from 192.168.1.59 port 32796
22:48:28 myuser from 192.168.1.43 port 52898
```

I can identify the outside login as well as the two local addresses (.59 and .43), but I have never seen any connection from 192.168.1.1, as it is the router address. What could this be? Apparently there is nothing out of the ordinary on the machine.

@MadHatter: (can't comment) I use port redirection and it was an internal access through the external address. That was it! Thanks :)

SomeGuy

I'm guessing access from outside is done via port forwarding on the router. It's possible that this is an access from an *internal* machine via the *external* IP address, as part of a mechanism designed to enable [hairpin NAT](https://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat). You want to try logging in via the external IP from an internal machine and report back? – MadHatter Jun 14 '18 at 09:55

1 Answer

It seems that there is Source NAT configured on the router. To confirm this, you can telnet to the server on port 22 using the public IP and run netstat on the server to check the source IP of the open connections.

But remember that with this kind of configuration, anyone from the internet can get into your network, because the source address will be seen as 192.168.1.1 by internal servers. I hope there are firewalls in place to take this NAT into account.

Tejas Sarade
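
One way the daily auth.log report could single out logins that arrive with the router's own address, as an added example that is not part of the question or the answer above. The log lines are constructed in sshd's traditional syslog format from the times in the question (203.0.113.7 stands in for the redacted address); the function names, the year and the 60-second pairing window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample, not real log data; mirrors the report in the question.
SAMPLE_LOG = """\
Jun 13 09:53:46 srv sshd[1201]: Accepted publickey for myuser from 203.0.113.7 port 10890 ssh2
Jun 13 21:07:25 srv sshd[1377]: Accepted publickey for myuser from 192.168.1.59 port 32772 ssh2
Jun 13 21:07:27 srv sshd[1380]: Accepted publickey for myuser from 192.168.1.1 port 37479 ssh2
Jun 13 21:11:47 srv sshd[1402]: Accepted publickey for myuser from 192.168.1.59 port 32782 ssh2
Jun 13 22:48:28 srv sshd[1466]: Accepted password for myuser from 192.168.1.43 port 52898 ssh2
"""

ACCEPTED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (\S+) from (\S+) port \d+"
)

def parse_logins(text, year=2018):
    """Return (timestamp, user, source_ip) for each successful sshd login."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            logins.append((ts, m.group(2), ipaddress.ip_address(m.group(3))))
    return logins

def classify_gateway_logins(logins, gateway, lan, window=timedelta(seconds=60)):
    """Label each login whose source address is the router itself.

    'hairpin-likely': same user also logged in from a LAN host within `window`
    (assumed heuristic). 'unattributed': real client is hidden by the NAT.
    """
    gw, net = ipaddress.ip_address(gateway), ipaddress.ip_network(lan)
    results = []
    for ts, user, src in logins:
        if src != gw:
            continue
        near = any(u == user and s != gw and s in net and abs(t - ts) <= window
                   for t, u, s in logins)
        results.append((ts.strftime("%H:%M:%S"), user,
                        "hairpin-likely" if near else "unattributed"))
    return results

if __name__ == "__main__":
    for row in classify_gateway_logins(parse_logins(SAMPLE_LOG), "192.168.1.1", "192.168.1.0/24"):
        print(*row)
```

An `unattributed` result means auth.log alone cannot say who connected; the router's own NAT or connection log is the place to look for the real client address.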