Date: Wed, 21 Mar 2007 09:27:24 -0400
From: Bill Moran
To: David Wolfskill
Cc: freebsd-security@freebsd.org
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

In response to David Wolfskill:

> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
>
> I configured IPFW to accept & log all SSH "setup" requests, and use natd
> to forward such requests to an internal machine that only accepts public
> key authentication; that machine's sshd logs SSH-specific information.
>
> Usually, the SSH setup requests logged by IPFW correspond with sshd
> activity (whether authorized or not); I expect this.
>
> What has come as rather a surprise, though, is that every once in a
> while, I will see IPFW logging setup requests that have no corresponding
> sshd activity logged at all.

I'm only guessing, but I suspect it's port scanning. If the scanner sends
the initial SYN, waits for the SYN/ACK, but never sends the final SYN/ACK,
the attacker will know that port 22 _is_ open, but sshd will never get a
connection request to log anything about.

> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.
>
> I cannot imagine any valid reason for SSH traffic to my home to be
> originating from that netblock. I perceive nothing comforting in the
> lack of sshd logging the apparent activity.
>
> Lacking rationale to do otherwise, I interpret this as an attack:
> I've modified my IPFW rules to include a reference to a table rather
> early on; IP addresses found in this table are not permitted to
> establish SSH sessions to my networks, and the attempted activity
> is logged. (I also use the same technique on my laptop and my work
> desktop, and -- manually, so far -- keep the tables in question
> synchronized.)
>
> I have accordingly added the VAULT-NETWORKS netblocks to this table,
> pending either information or reason to remove those specifications.
>
> Granted, there appears to be no access granted, but the lack of sshd
> logging makes me nervous.
>
> Have other folks noticed this type of behavior? Have I gone off the
> deep end of paranoia? (Yes, I expect that some of "them" really are out
> to get me. What can I say; it's an occupational hazard.)

Not in my opinion.

I run a little script I wrote that automatically adds failed SSH attempts
to a table that blocks them from _everything_ in my pf rules. I figure if
they're fishing for weak ssh passwords, their next likely attack route
might be HTTP or SMTP, so why wait. This is on my personal server. Here
where I work, we're even more strict.

Paranoid? Maybe. But I don't have the free cycles to constantly chase
these attacks around trying to figure out how dangerous they really are.
There are a _lot_ of crooks out there trying to build botnets; I don't
want to be one of them. Especially not for a personal server that I
maintain in my free time as a hobby.

I don't think you're paranoid.

-- 
Bill Moran
Collaborative Fusion Inc.
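The discrepancy David describes (IPFW "setup" log entries with no matching sshd record) can be spotted mechanically by correlating the two logs. The script below is an added illustration, not code from either poster; the log lines are constructed to mimic ipfw's `Accept TCP` format and a typical sshd auth line, the rule number, hostnames, interface `dc0`, the `192.0.2.10`/`198.51.100.7` addresses and the ipfw table number `1` are all assumed, and the script only emits `ipfw table ... add` commands for review rather than running them.

```python
import re
from collections import Counter

# Constructed sample logs (not from the thread). The ipfw lines mimic the
# gateway's logged SSH setup requests; the sshd line mimics the internal
# host's auth log. 204.11.235.148 is the source the original post names.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 300 Accept TCP 204.11.235.148:40211 192.0.2.10:22 in via dc0
Mar 20 19:30:07 gw kernel: ipfw: 300 Accept TCP 204.11.235.148:40212 192.0.2.10:22 in via dc0
Mar 20 19:31:02 gw kernel: ipfw: 300 Accept TCP 198.51.100.7:55120 192.0.2.10:22 in via dc0
Mar 20 19:32:44 gw kernel: ipfw: 300 Accept TCP 204.11.235.148:40213 192.0.2.10:22 in via dc0
"""
SSHD_LOG = """\
Mar 20 19:31:03 inside sshd[812]: Accepted publickey for dhw from 198.51.100.7 port 55120 ssh2
"""

# Source address of an ipfw-accepted inbound TCP setup to port 22.
IPFW_RE = re.compile(r"ipfw: \d+ Accept TCP (\d+\.\d+\.\d+\.\d+):\d+ \d+\.\d+\.\d+\.\d+:22 in")
# Peer address in any sshd line ("... from A.B.C.D", "Connection closed by A.B.C.D").
SSHD_RE = re.compile(r"sshd\[\d+\]: .*?(?:from|by) (\d+\.\d+\.\d+\.\d+)")


def setup_counts(ipfw_text):
    """Number of firewall-logged SSH setup requests per source IP."""
    return Counter(m.group(1) for m in map(IPFW_RE.search, ipfw_text.splitlines()) if m)


def sshd_sources(sshd_text):
    """Set of peer IPs that sshd logged anything about (success or failure)."""
    return {m.group(1) for m in map(SSHD_RE.search, sshd_text.splitlines()) if m}


def silent_sources(ipfw_text, sshd_text, min_setups=2):
    """Sources with >= min_setups setups at the firewall and no sshd record:
    the signature of a half-open scan (SYN, SYN/ACK, then nothing)."""
    seen = sshd_sources(sshd_text)
    return {ip: n for ip, n in setup_counts(ipfw_text).items()
            if n >= min_setups and ip not in seen}


def block_commands(silent, table=1):
    """Render ipfw table additions (assumed table number) for review, sorted by count."""
    return [f"ipfw table {table} add {ip}"
            for ip, _ in sorted(silent.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for cmd in block_commands(silent_sources(IPFW_LOG, SSHD_LOG)):
        print(cmd)
```

The `min_setups` threshold keeps a single dropped connection from a legitimate client out of the block list; raise it to taste before feeding the output to a table.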