David Wolfskill
2007-Mar-21 12:45 UTC
Reality check: IPFW sees SSH traffic that sshd does not?
This note is essentially a request for a reality check.

I use IPFW & natd on the box that provides the interface between my home networks and the Internet; the connection is (static) residential DSL.

I configured IPFW to accept & log all SSH "setup" requests, and use natd to forward such requests to an internal machine that only accepts public key authentication; that machine's sshd logs SSH-specific information.

Usually, the SSH setup requests logged by IPFW correspond with sshd activity (whether authorized or not); I expect this.

What has come as rather a surprise, though, is that every once in a while, I will see IPFW logging setup requests that have no corresponding sshd activity logged at all.

This morning (in reviewing the logs from yesterday), I found a set of 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06 (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148 (part of a VAULT-NETWORKS netblock). The sshd on the internal machine never logged anything corresponding to any of this.

I cannot imagine any valid reason for SSH traffic to my home to be originating from that netblock. I perceive nothing comforting in the lack of sshd logging the apparent activity.

Lacking rationale to do otherwise, I interpret this as an attack: I've modified my IPFW rules to include a reference to a table rather early on; IP addresses found in this table are not permitted to establish SSH sessions to my networks, and the attempted activity is logged. (I also use the same technique on my laptop and my work desktop, and -- manually, so far -- keep the tables in question synchronized.)

I have accordingly added the VAULT-NETWORKS netblocks to this table, pending either information or reason to remove those specifications.

Granted, there appears to be no access granted, but the lack of sshd logging makes me nervous.

Have other folks noticed this type of behavior? Have I gone off the deep end of paranoia? (Yes, I expect that some of "them" really are out to get me. What can I say; it's an occupational hazard.)

Thanks!

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
Tadas Miniotas
2007-Mar-21 13:18 UTC
Reality check: IPFW sees SSH traffic that sshd does not?
David Wolfskill wrote:
> <...>
> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.

Might be a SYN scan. I believe SSH will not log anything if a three-way handshake has not been completed. Of course, it would help if you provided ipfw logs to determine exactly what kind of packets it was.

-- 
Tadas Miniotas
In response to David Wolfskill <david@catwhisker.org>:
> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
>
> I configured IPFW to accept & log all SSH "setup" requests, and use natd
> to forward such requests to an internal machine that only accepts public
> key authentication; that machine's sshd logs SSH-specific information.
>
> Usually, the SSH setup requests logged by IPFW correspond with sshd
> activity (whether authorized or not); I expect this.
>
> What has come as rather a surprise, though, is that every once in a
> while, I will see IPFW logging setup requests that have no corresponding
> sshd activity logged at all.

I'm only guessing, but I suspect it's port scanning. If the scanner sends the initial SYN, waits for the SYN/ACK, but never sends the final SYN/ACK, the attacker will know that port 22 _is_ open, but sshd will never get a connection request to log anything about.

> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.
>
> I cannot imagine any valid reason for SSH traffic to my home to be
> originating from that netblock. I perceive nothing comforting in the
> lack of sshd logging the apparent activity.
>
> Lacking rationale to do otherwise, I interpret this as an attack:
> I've modified my IPFW rules to include a reference to a table rather
> early on; IP addresses found in this table are not permitted to
> establish SSH sessions to my networks, and the attempted activity
> is logged. (I also use the same technique on my laptop and my work
> desktop, and -- manually, so far -- keep the tables in question
> synchronized.)
>
> I have accordingly added the VAULT-NETWORKS netblocks to this table,
> pending either information or reason to remove those specifications.
>
> Granted, there appears to be no access granted, but the lack of sshd
> logging makes me nervous.
>
> Have other folks noticed this type of behavior? Have I gone off the
> deep end of paranoia? (Yes, I expect that some of "them" really are out
> to get me. What can I say; it's an occupational hazard.)

Not in my opinion. I run a little script I wrote that automatically adds failed SSH attempts to a table that blocks them from _everything_ in my pf rules. I figure if they're fishing for weak ssh passwords, their next likely attack route might be HTTP or SMTP, so why wait. This is on my personal server. Here where I work, we're even more strict.

Paranoid? Maybe. But I don't have the free cycles to constantly chase these attacks around trying to figure out how dangerous they really are. There are a _lot_ of crooks out there trying to build botnets; I don't want to be one of them. Especially not for a personal server that I maintain in my free time as a hobby.

I don't think you're paranoid.

-- 
Bill Moran
Collaborative Fusion Inc.
At 08:27 3/21/2007, Bill Moran, wrote:
> I run a little script I wrote that automatically adds
> failed SSH attempts to a table that blocks them from _everything_ in my
> pf rules.

Do you care to share that script?

Start Here to Find It Fast!? -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
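The two replies above make the same point from different angles: a SYN that is never followed by the third handshake packet passes an ipfw `setup` rule and gets logged there, but never reaches `accept()`, so sshd has nothing to log; Bill then mentions a script that turns failed SSH attempts into table entries. The Python below is an added example for this thread, not Bill's script and not anything David or the other posters wrote. It correlates an ipfw log with an sshd log to flag sources ipfw admitted but sshd never mentioned, counts failed authentications per source, and renders the `ipfw table N add` commands for the kind of early-ruleset table David describes. All log lines, host names, the interface `dc0`, rule number 300 and table number 1 are constructed; the ipfw line shape assumed is the one FreeBSD's kernel logger emits for a logged rule match.

```python
import re
from collections import Counter

# Constructed sample logs (not from the thread). The ipfw lines follow the
# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <if>"
# shape the FreeBSD kernel logger emits; the sshd lines are ordinary OpenSSH
# messages. 204.11.235.148 is the address David reported; the others are
# documentation ranges.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 300 Accept TCP 204.11.235.148:40001 192.0.2.10:22 in via dc0
Mar 20 19:30:09 gw kernel: ipfw: 300 Accept TCP 204.11.235.148:40002 192.0.2.10:22 in via dc0
Mar 20 19:31:10 gw kernel: ipfw: 300 Accept TCP 198.51.100.7:51000 192.0.2.10:22 in via dc0
Mar 20 19:35:42 gw kernel: ipfw: 300 Accept TCP 203.0.113.9:33000 192.0.2.10:22 in via dc0
"""

SSHD_LOG = """\
Mar 20 19:31:12 inner sshd[812]: Accepted publickey for david from 198.51.100.7 port 51000 ssh2
Mar 20 19:35:44 inner sshd[815]: Failed publickey for root from 203.0.113.9 port 33000 ssh2
Mar 20 19:35:46 inner sshd[815]: Failed publickey for root from 203.0.113.9 port 33000 ssh2
Mar 20 19:35:48 inner sshd[815]: Failed publickey for root from 203.0.113.9 port 33000 ssh2
"""

SYSLOG_TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d)"          # "Mar 20 19:30:06" (day may be space-padded)
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# An accepted TCP SYN to port 22 logged by a "setup" rule.
IPFW_RE = re.compile(SYSLOG_TS + r" \S+ kernel: ipfw: \d+ \w+ TCP " + IPV4 + r":\d+ \S+:22 in via")
# Any sshd message that names a peer address at all (Accepted, Failed,
# "Did not receive identification string from", ...).
SSHD_IP_RE = re.compile(r"sshd\[\d+\]: .*\bfrom " + IPV4)
# A failed authentication, with or without the "invalid user" prefix.
SSHD_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from " + IPV4)


def ipfw_setups(text):
    """Return [(timestamp, source_ip), ...] for every logged SSH setup packet,
    in log order."""
    out = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def sshd_seen_sources(text):
    """Every source address sshd mentioned. A SYN without the final ACK never
    completes the handshake, so accept() never returns and sshd stays silent."""
    return {m.group(1) for m in SSHD_IP_RE.finditer(text)}


def half_open_sources(ipfw_text, sshd_text):
    """Map source_ip -> (setup count, first seen, last seen) for addresses that
    passed the firewall's setup rule but never appeared in sshd's log."""
    seen = sshd_seen_sources(sshd_text)
    result = {}
    for ts, ip in ipfw_setups(ipfw_text):
        if ip in seen:
            continue
        count, first, _ = result.get(ip, (0, ts, ts))
        result[ip] = (count + 1, first, ts)
    return result


def brute_force_sources(sshd_text, threshold=3):
    """Addresses with at least `threshold` failed authentications, the kind of
    condition a table-feeding script keys on (threshold is an assumption)."""
    fails = Counter(m.group(1) for m in SSHD_FAIL_RE.finditer(sshd_text))
    return {ip for ip, n in fails.items() if n >= threshold}


def block_candidates(ipfw_text, sshd_text, threshold=3):
    """Union of the silent-SYN sources and the brute-force sources."""
    return set(half_open_sources(ipfw_text, sshd_text)) | brute_force_sources(sshd_text, threshold)


def ipfw_table_commands(addrs, table=1):
    """Render one `ipfw table N add <addr>` per address. The rule that consults
    the table, placed early as David describes, is assumed to already exist,
    e.g.:  ipfw add 100 deny log tcp from "table(1)" to any 22 setup"""
    return ["ipfw table %d add %s" % (table, ip) for ip in sorted(addrs)]


if __name__ == "__main__":
    for ip, (n, first, last) in half_open_sources(IPFW_LOG, SSHD_LOG).items():
        print("%s: %d setup(s) accepted by ipfw between %s and %s, none seen by sshd" % (ip, n, first, last))
    for cmd in ipfw_table_commands(block_candidates(IPFW_LOG, SSHD_LOG)):
        print(cmd)
```

The correlation keys on address rather than on address and port because sshd's messages do not all carry the port. Note the limit of what this proves: a scanner that completes the handshake and then closes would still show up in sshd as "Did not receive identification string from ...", so an address that is absent from sshd's log entirely is specifically the half-open case Tadas and Bill describe, and the count and time span per address are what distinguish a single stray SYN from the 580-in-ten-minutes pattern David saw.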
Julian Elischer
2007-Mar-21 23:22 UTC
Reality check: IPFW sees SSH traffic that sshd does not?
David Wolfskill wrote:
> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
>
> I configured IPFW to accept & log all SSH "setup" requests, and use natd
> to forward such requests to an internal machine that only accepts public
> key authentication; that machine's sshd logs SSH-specific information.
>
> Usually, the SSH setup requests logged by IPFW correspond with sshd
> activity (whether authorized or not); I expect this.
>
> What has come as rather a surprise, though, is that every once in a
> while, I will see IPFW logging setup requests that have no corresponding
> sshd activity logged at all.
>
> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.
>
> I cannot imagine any valid reason for SSH traffic to my home to be
> originating from that netblock. I perceive nothing comforting in the
> lack of sshd logging the apparent activity.
>
> Lacking rationale to do otherwise, I interpret this as an attack:
> I've modified my IPFW rules to include a reference to a table rather
> early on; IP addresses found in this table are not permitted to
> establish SSH sessions to my networks, and the attempted activity
> is logged. (I also use the same technique on my laptop and my work
> desktop, and -- manually, so far -- keep the tables in question
> synchronized.)
>
> I have accordingly added the VAULT-NETWORKS netblocks to this table,
> pending either information or reason to remove those specifications.
>
> Granted, there appears to be no access granted, but the lack of sshd
> logging makes me nervous.

Access may not need to be granted if they think that that version of sshd can be made to 'break' (via a printf bug or stack overflow for example) before it gets as far as that. They probably haven't succeeded as they were still trying, but it's still probably worth looking at what they were trying to do. (malformed fields or something)

> Have other folks noticed this type of behavior? Have I gone off the
> deep end of paranoia? (Yes, I expect that some of "them" really are out
> to get me. What can I say; it's an occupational hazard.)
>
> Thanks!
>
> Peace,
> david