From: David Wolfskill <david@catwhisker.org>
To: freebsd-security@freebsd.org
Date: Sat, 14 Sep 2013 05:01:51 -0700
Subject: Odd sshd entry in auth.log
My (tiny) networks at home are sitting behind a multi-homed FreeBSD machine using IPFW & natd, with an externally-visible static /32 -- nothing particularly obscure or exotic, certainly.

The packet-filter box is configured to forward incoming ssh (22/tcp) to my primary internal machine; in turn, that is configured to only permit public key authentication. Again, this isn't exactly "new and shiny" technology.

One thing I do that may be a bit unusual is that I have the packet-filter's IPFW rules set up so that every attempted SSH "session-initiation" packet is logged. I have found this ... at least "of interest" a few times; below relates one of them.

I am in the habit of reviewing the previous day's logs while I am running "make buildworld" (& friends) on my laptop each morning.
This morning, I found a single entry in auth.log that -- unusually -- was not obviously associated with any other auth.log entries; it's the middle of:

    Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
    Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
    Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
    Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
    Sep 13 13:10:26 albert sshd[38778]: Received disconnect from 172.17.0.254: 11: disconnected by user

So: the first couple of entries are from me accessing home from work. And the latter 2 entries are disconnections from my spouse's laptop (at home). But that middle one (this time, all by itself) seems ... odd (to me):

    Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]

I don't find any other auth.log entries that seem at all related, and that entry doesn't provide many hints about the origin of what caused it.

If I look at /var/log/security (where the IPFW log entries go), the closest (temporally) entries I find (that aren't better-explained as belonging to obviously different activity) are:

    Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
    Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0

So I'm *thinking* that someone was probing a wee bit ... but I have rather little to go on. And while I like to think that I'm not paranoid, I do have some reason to believe that there are definitely folks out there who would quite willingly take advantage of an inadequately-secured system.

It's at times like this that I kinda wish that every log entry from sshd mentioned the IP address of the (would-be) SSH client. :-{

Comments? Suggestions?
(I'm on the list, so I need not be Cc:ed. Private responses will be kept private, though. I've set Reply-To for convenience.)

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
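The manual cross-check the post describes (an sshd "[preauth]" line that names no client address, matched against the IPFW log of forwarded 22/tcp session-initiation packets in the seconds before it) can be scripted. The following is an added example, not code from the post or from FreeBSD; it uses the auth.log and /var/log/security lines quoted above as constructed sample input, assumes the syslog year is 2013 (BSD syslog timestamps carry no year), and treats a 30-second look-back window as a tunable assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the lines quoted in the post, with the
# quoted-printable soft line breaks removed.
AUTH_LOG = """\
Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
Sep 13 13:10:26 albert sshd[38778]: Received disconnect from 172.17.0.254: 11: disconnected by user
"""

IPFW_LOG = """\
Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0
"""

# BSD syslog prefix: "Mon DD HH:MM:SS host rest-of-line"
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
SSHD_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "from <ipv4>" as it appears in Accepted / Received disconnect messages
IPV4_FROM_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
IPFW_RE = re.compile(
    r"^kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_syslog_ts(stamp, year):
    """Attach an assumed year to a year-less BSD syslog timestamp."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_auth_log(text, year=2013):
    """Return sshd events; client_ip is None when the message names no peer."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        s = SSHD_RE.match(m["rest"]) if m else None
        if not s:
            continue
        ip = IPV4_FROM_RE.search(s["msg"])
        events.append({
            "time": parse_syslog_ts(m["ts"], year),
            "host": m["host"],
            "pid": int(s["pid"]),
            "msg": s["msg"],
            "client_ip": ip["ip"] if ip else None,
            "preauth": s["msg"].endswith("[preauth]"),
        })
    return events


def parse_ipfw_log(text, year=2013, ssh_port=22):
    """Return ipfw entries whose destination port is the forwarded SSH port."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        f = IPFW_RE.match(m["rest"]) if m else None
        if not f or int(f["dport"]) != ssh_port:
            continue
        events.append({
            "time": parse_syslog_ts(m["ts"], year),
            "rule": int(f["rule"]),
            "src": f["src"],
            "sport": int(f["sport"]),
            "dst": f["dst"],
            "iface": f["iface"],
        })
    return events


def correlate(auth_events, ipfw_events, window=timedelta(seconds=30)):
    """For each sshd event that names no client address, list the ipfw SSH
    session-initiation entries logged up to `window` before it (assumed
    window; tune it to the real handshake latency you observe)."""
    hits = []
    for ev in auth_events:
        if ev["client_ip"] is not None:
            continue  # Accepted / disconnect lines already carry the peer
        cands = []
        for fw in ipfw_events:
            delta = ev["time"] - fw["time"]
            if timedelta(0) <= delta <= window:
                cands.append({"src": fw["src"], "sport": fw["sport"],
                              "delta_seconds": int(delta.total_seconds())})
        hits.append({"sshd": ev, "candidates": cands})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_auth_log(AUTH_LOG), parse_ipfw_log(IPFW_LOG)):
        ev = hit["sshd"]
        print(f"{ev['time']} sshd[{ev['pid']}] {ev['msg']}")
        for c in hit["candidates"]:
            print(f"    candidate peer {c['src']}:{c['sport']} ({c['delta_seconds']}s earlier in ipfw log)")
```

On the sample input the only orphan sshd event is the 12:43:24 "[preauth]" line, and the only ipfw entry inside the window is the 12:43:13 packet from 216.127.84.116, eleven seconds earlier; the 10:22:28 entry from the same source is outside the window and is not attributed. The attribution is only as good as the window and the assumption that the filter logs every forwarded SYN, so treat it as a lead for the review the post describes, not as proof.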