From: David Wolfskill <david@catwhisker.org>
To: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 05:30:33 -0700
Subject: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070321123033.GD31533@bunrab.catwhisker.org>

This note is essentially a request for a reality check.
I use IPFW & natd on the box that provides the interface between my home networks and the Internet; the connection is (static) residential DSL. I configured IPFW to accept & log all SSH "setup" requests, and use natd to forward such requests to an internal machine that only accepts public key authentication; that machine's sshd logs SSH-specific information. Usually, the SSH setup requests logged by IPFW correspond with sshd activity (whether authorized or not); I expect this.

What has come as rather a surprise, though, is that every once in a while, I will see IPFW logging setup requests that have no corresponding sshd activity logged at all. This morning (in reviewing the logs from yesterday), I found a set of 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06 (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148 (part of a VAULT-NETWORKS netblock). The sshd on the internal machine never logged anything corresponding to any of this.

I cannot imagine any valid reason for SSH traffic to my home to be originating from that netblock. I perceive nothing comforting in the lack of sshd logging the apparent activity. Lacking rationale to do otherwise, I interpret this as an attack: I've modified my IPFW rules to include a reference to a table rather early on; IP addresses found in this table are not permitted to establish SSH sessions to my networks, and the attempted activity is logged. (I also use the same technique on my laptop and my work desktop, and -- manually, so far -- keep the tables in question synchronized.) I have accordingly added the VAULT-NETWORKS netblocks to this table, pending either information or reason to remove those specifications. Granted, there appears to be no access granted, but the lack of sshd logging makes me nervous.

Have other folks noticed this type of behavior? Have I gone off the deep end of paranoia? (Yes, I expect that some of "them" really are out to get me.
What can I say; it's an occupational hazard.)

Thanks!

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
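The log comparison the post does by hand (IPFW-logged SSH setups with no matching sshd entry), as an added example that is not part of the original message or of FreeBSD: it joins the two logs on source address and emits ipfw table commands for the persistent silent sources. The log line layouts, hostnames, ports, the 198.51.100.7 address, the table number and the threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). Layouts are assumed
# to follow ipfw(8) "log" output and sshd's syslog messages of that era; the
# hostnames, ports and the 198.51.100.7 address are made up.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 500 Accept TCP 204.11.235.148:41022 63.193.123.122:22 in via dc0
Mar 20 19:30:07 gw kernel: ipfw: 500 Accept TCP 204.11.235.148:41023 63.193.123.122:22 in via dc0
Mar 20 19:31:10 gw kernel: ipfw: 500 Accept TCP 198.51.100.7:55120 63.193.123.122:22 in via dc0
Mar 20 19:40:06 gw kernel: ipfw: 500 Accept TCP 204.11.235.148:41600 63.193.123.122:22 in via dc0
"""
# natd rewrites only the destination, so sshd on the inner host still logs the
# real external source address; that is what makes the join on IP work.
SSHD_LOG = """\
Mar 20 19:31:11 inner sshd[4411]: Accepted publickey for david from 198.51.100.7 port 55120 ssh2
"""

# Inbound TCP setup logged by IPFW with destination port 22; capture the source.
IPFW_SSH_RE = re.compile(r"ipfw: \d+ \w+ TCP (\d+\.\d+\.\d+\.\d+):\d+ \d+\.\d+\.\d+\.\d+:22 in via")
# Any sshd line naming its peer ("Accepted ... from", "Invalid user ... from", ...).
SSHD_PEER_RE = re.compile(r"sshd\[\d+\]: .*\bfrom (\d+\.\d+\.\d+\.\d+)\b")

def unmatched_ssh_setups(ipfw_text, sshd_text):
    """Return {source_ip: setup_count} for IPFW-logged SSH setups that never
    produced any sshd log line from the same source address."""
    setups = Counter()
    for line in ipfw_text.splitlines():
        m = IPFW_SSH_RE.search(line)
        if m:
            setups[m.group(1)] += 1
    seen_by_sshd = set()
    for line in sshd_text.splitlines():
        m = SSHD_PEER_RE.search(line)
        if m:
            seen_by_sshd.add(m.group(1))
    return {ip: n for ip, n in setups.items() if ip not in seen_by_sshd}

def table_commands(unmatched, table_number=1, minimum=10):
    """ipfw(8) commands that add persistent offenders to the deny table the
    post's rule set consults; table number and threshold are assumptions."""
    return [f"ipfw table {table_number} add {ip}"
            for ip, n in sorted(unmatched.items()) if n >= minimum]

if __name__ == "__main__":
    silent = unmatched_ssh_setups(IPFW_LOG, SSHD_LOG)
    print(silent)                      # {'204.11.235.148': 3}
    print(table_commands(silent, minimum=3))
```

Run it against /var/log/security and /var/log/auth.log instead of the embedded samples to reproduce the post's check; a source that shows up with many setups and no sshd line is exactly the pattern described.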