I see many entries in /var/log/secure similar to these: . . . /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received disconnect from 93.89.144.31: 11: Bye Bye /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password for root from 93.89.144.31 port 60100 ssh2 /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received disconnect from 93.89.144.31: 11: Bye Bye /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password for root from 93.89.144.31 port 60962 ssh2 /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received disconnect from 93.89.144.31: 11: Bye Bye /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password for root from 93.89.144.31 port 33612 ssh2 /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received disconnect from 93.89.144.31: 11: Bye Bye /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password for root from 93.89.144.31 port 34504 ssh2 . . . As you can see, the ports are not those associated with the service requested. SSHD is configured to listen on the standard port (22) and only on a single IP address that is supposed to be reachable only from the internal network (this is a multi-homed system configured as a gateway). These are getting through the brute force filters because the attempts are directed against unchecked ports. I suspect that these represent no immediate danger to our systems because there are no active services on any of the ports and because we have a guillotine rule at the end of our INPUT chain. The firewall is configured to only allow connections to specified ports and to drop any new connection attempts to all the others. My confusion is over why these things are making it into the logs at all when sshd does not listen on those ports and the ports themselves are supposed to inaccessible through the firewall. There presence inoculates a doubt in my mind that things are properly configured. I would appreciate any insight as to why these attempts are nonetheless logged by sshd. -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
James B. Byrne wrote:> I see many entries in /var/log/secure similar to these: > > . . . > /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password > for root from 93.89.144.31 port 60100 ssh2 > /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password > for root from 93.89.144.31 port 60962 ssh2 > /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password > for root from 93.89.144.31 port 33612 ssh2 > /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password > for root from 93.89.144.31 port 34504 ssh2 > . . . > > As you can see, the ports are not those associated with the service > requested. SSHD is configured to listen on the standard port (22) > and only on a single IP address that is supposed to be reachable > only from the internal network (this is a multi-homed system > configured as a gateway).[SNIP]> My confusion is over why these things are making it into the logs at > all when sshd does not listen on those ports and the ports > themselves are supposed to inaccessible through the firewall. There > presence inoculates a doubt in my mind that things are properly > configured.Those port numbers (60100, 60962, 33612, 34504) are source ports, not destination ports. As for why they are getting through your firewall and being seen by sshd, a thorough review of your firewall rules would be needed to determine that. Indeed, it is quite doubtful that things are properly configured. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.
James B. Byrne wrote:> I see many entries in /var/log/secure similar to these: > [...] > /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password > for root from 93.89.144.31 port 34504 ssh2 > . . . > > As you can see, the ports are not those associated with the service > requested. SSHD is configured to listen on the standard port (22) > and only on a single IP address that is supposed to be reachable > only from the internal network (this is a multi-homed system > configured as a gateway). > [...] > My confusion is over why these things are making it into the logs at > all when sshd does not listen on those ports and the ports > themselves are supposed to inaccessible through the firewall. There > presence inoculates a doubt in my mind that things are properly > configured. > > I would appreciate any insight as to why these attempts are > nonetheless logged by sshdYou are mis-interpreting the log entries. The port shown is the remote port not your local port. When a SSH connection is set up you have something like: remote_address:some_high_port <-> local_address:22 What you are seeing in the log is the 'some_high_port' of the remote address. It's a normal part of a TCP connection. If your brute force protection is not catching the repeated login failures, you should check its configuration. -- Benjamin Franz
On 01/05/2010 03:30 PM, James B. Byrne wrote:> I see many entries in /var/log/secure similar to these: > > . . . > /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password > for root from 93.89.144.31 port 60100 ssh2 > /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password > for root from 93.89.144.31 port 60962 ssh2 > /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password > for root from 93.89.144.31 port 33612 ssh2 > /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received > disconnect from 93.89.144.31: 11: Bye Bye > /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password > for root from 93.89.144.31 port 34504 ssh2 > . . . > > As you can see, the ports are not those associated with the service > requested. SSHD is configured to listen on the standard port (22) > and only on a single IP address that is supposed to be reachable > only from the internal network (this is a multi-homed system > configured as a gateway). >Those are the *source ports* from the attacking host, not the destination port on which you are running SSH. I /assume/ the number enclosed in '[]' to be the pid of the sshd instance associated with the connection attempt. Hope that helps.
On 1/5/2010 11:49 AM, Benjamin Franz wrote:> > If your brute force protection is not catching the repeated login > failures, you should check its configuration. >Or give up and move SSH to a non-standard port, at least from the outside. (I got tired a few years ago of watching my log files fill up with attack attempts.)