Date: Wed, 21 Mar 2007 09:27:24 -0400
From: Bill Moran <wmoran@collaborativefusion.com>
To: David Wolfskill <david@catwhisker.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070321092724.fd6f1541.wmoran@collaborativefusion.com>
In-Reply-To: <20070321123033.GD31533@bunrab.catwhisker.org>
References: <20070321123033.GD31533@bunrab.catwhisker.org>
In response to David Wolfskill <david@catwhisker.org>:

> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
>
> I configured IPFW to accept & log all SSH "setup" requests, and use natd
> to forward such requests to an internal machine that only accepts public
> key authentication; that machine's sshd logs SSH-specific information.
>
> Usually, the SSH setup requests logged by IPFW correspond with sshd
> activity (whether authorized or not); I expect this.
>
> What has come as rather a surprise, though, is that every once in a
> while, I will see IPFW logging setup requests that have no corresponding
> sshd activity logged at all.

I'm only guessing, but I suspect it's port scanning.  If the scanner
sends the initial SYN, waits for the SYN/ACK, but never sends the final
SYN/ACK, the attacker will know that port 22 _is_ open, but sshd will
never get a connection request to log anything about.

> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock).  The sshd on the internal machine
> never logged anything corresponding to any of this.
>
> I cannot imagine any valid reason for SSH traffic to my home to be
> originating from that netblock.  I perceive nothing comforting in the
> lack of sshd logging the apparent activity.
>
> Lacking rationale to do otherwise, I interpret this as an attack:
> I've modified my IPFW rules to include a reference to a table rather
> early on; IP addresses found in this table are not permitted to
> establish SSH sessions to my networks, and the attempted activity
> is logged.  (I also use the same technique on my laptop and my work
> desktop, and -- manually, so far -- keep the tables in question
> synchronized.)
>
> I have accordingly added the VAULT-NETWORKS netblocks to this table,
> pending either information or reason to remove those specifications.
>
> Granted, there appears to be no access granted, but the lack of sshd
> logging makes me nervous.
>
> Have other folks noticed this type of behavior?  Have I gone off the
> deep end of paranoia?  (Yes, I expect that some of "them" really are out
> to get me.  What can I say; it's an occupational hazard.)

Not in my opinion.

I run a little script I wrote that automatically adds failed SSH attempts
to a table that blocks them from _everything_ in my pf rules.  I figure
if they're fishing for weak ssh passwords, their next likely attack route
might be HTTP or SMTP, so why wait.

This is on my personal server.  Here where I work, we're even more strict.

Paranoid?  Maybe.  But I don't have the free cycles to constantly chase
these attacks around trying to figure out how dangerous they really are.
There are a _lot_ of crooks out there trying to build botnets; I don't
want to be one of them.  Especially not for a personal server that I
maintain in my free time as a hobby.

I don't think you're paranoid.

-- 
Bill Moran
Collaborative Fusion Inc.
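The two things this thread turns on, firewall-logged SSH setups that never produce an sshd record (a half-open probe that completes no handshake never reaches the daemon, so only the gateway sees it) and a script that feeds failed-login sources into a firewall table, can both be derived from one correlation pass over the two logs. The script below is an added example written for this archive page; it is not Bill Moran's script and not anything posted in the thread. The log lines are constructed, using RFC 5737 documentation addresses, and shaped after FreeBSD's `ipfw:` kernel log format and OpenSSH's syslog wording; the IPFW table number `1` and the pf table name `sshbad` are assumed placeholders. It prints the table-add commands instead of running them so it can be reviewed before being wired into cron.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the thread). Gateway: ipfw "setup" accepts
# to the forwarded SSH port. Internal host: sshd's own syslog lines.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 1000 Accept TCP 203.0.113.77:43125 192.0.2.10:22 in via dc0
Mar 20 19:30:07 gw kernel: ipfw: 1000 Accept TCP 203.0.113.77:43126 192.0.2.10:22 in via dc0
Mar 20 19:30:08 gw kernel: ipfw: 1000 Accept TCP 203.0.113.77:43127 192.0.2.10:22 in via dc0
Mar 20 19:31:00 gw kernel: ipfw: 1000 Accept TCP 198.51.100.20:50000 192.0.2.10:22 in via dc0
Mar 20 19:32:00 gw kernel: ipfw: 1000 Accept TCP 198.51.100.7:41000 192.0.2.10:22 in via dc0
Mar 20 19:32:05 gw kernel: ipfw: 1000 Accept TCP 198.51.100.7:41001 192.0.2.10:22 in via dc0
Mar 20 19:32:09 gw kernel: ipfw: 1000 Accept TCP 198.51.100.7:41002 192.0.2.10:22 in via dc0
Mar 20 19:40:00 gw kernel: ipfw: 1000 Accept TCP 203.0.113.77:43128 192.0.2.10:22 in via dc0
"""

SSHD_LOG = """\
Mar 20 19:31:01 inner sshd[1240]: Accepted publickey for david from 198.51.100.20 port 50000 ssh2
Mar 20 19:32:01 inner sshd[1250]: Invalid user admin from 198.51.100.7
Mar 20 19:32:01 inner sshd[1250]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Mar 20 19:32:06 inner sshd[1251]: Failed password for invalid user oracle from 198.51.100.7 port 41001 ssh2
Mar 20 19:32:10 inner sshd[1252]: Failed password for root from 198.51.100.7 port 41002 ssh2
"""

# An accepted inbound TCP setup to port 22; the source address is captured.
IPFW_RE = re.compile(r"ipfw: \d+ Accept TCP (?P<src>[\d.]+):\d+ [\d.]+:22 in via")
# Any sshd line that names a peer ("... from <ip>"), success or failure.
SSHD_PEER_RE = re.compile(r"sshd\[\d+\]: .* from (?P<src>[\d.]+)(?: port \d+)?")
# Subset of those lines that are authentication failures.
SSHD_FAIL_RE = re.compile(r"sshd\[\d+\]: (?:Failed \w+ for|Invalid user) ")


def ipfw_setup_counts(log):
    """Count SSH setup packets the gateway accepted, per source address."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = IPFW_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


def sshd_activity(log):
    """Return ({ip: lines mentioning ip}, {ip: failed-auth lines}) from sshd's log."""
    seen, failed = defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        m = SSHD_PEER_RE.search(line)
        if not m:
            continue
        seen[m.group("src")] += 1
        if SSHD_FAIL_RE.search(line):
            failed[m.group("src")] += 1
    return dict(seen), dict(failed)


def classify(ipfw_log, sshd_log, silent_threshold=3, fail_threshold=3):
    """Two block-list candidates: sources the firewall saw repeatedly but sshd
    never did (half-open probes), and sources with repeated auth failures."""
    setups = ipfw_setup_counts(ipfw_log)
    seen, failed = sshd_activity(sshd_log)
    silent = {ip: n for ip, n in setups.items()
              if ip not in seen and n >= silent_threshold}
    brute = {ip: n for ip, n in failed.items() if n >= fail_threshold}
    return silent, brute


def table_commands(silent, brute, backend="ipfw", table="sshbad"):
    """Render table-add commands as strings (not executed). Table number 1 for
    ipfw and name 'sshbad' for pf are assumed placeholders."""
    cmds = []
    for ip in sorted(set(silent) | set(brute)):
        if backend == "ipfw":
            cmds.append(f"ipfw table 1 add {ip}")
        else:
            cmds.append(f"pfctl -t {table} -T add {ip}")
    return cmds


if __name__ == "__main__":
    silent, brute = classify(IPFW_LOG, SSHD_LOG)
    print("firewall-only sources:", silent)
    print("repeated auth failures:", brute)
    for cmd in table_commands(silent, brute, backend="pf"):
        print(cmd)
```

The `silent_threshold` matters: a single setup with no sshd record can be a client that gave up before the banner, so only repeated firewall-only hits from one address are treated as a probe, while a host that authenticated successfully (198.51.100.20 in the sample) is left alone even though it also appears in the firewall log.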