Date: Wed, 21 Mar 2007 06:32:21 -0700
From: David Wolfskill <david@catwhisker.org>
To: Tadas Miniotas <tadas@bofh.lt>
Cc: freebsd-security@freebsd.org
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070321133221.GG31533@bunrab.catwhisker.org>
In-Reply-To: <46012D37.5060603@bofh.lt>
References: <20070321123033.GD31533@bunrab.catwhisker.org> <46012D37.5060603@bofh.lt>
On Wed, Mar 21, 2007 at 03:03:51PM +0200, Tadas Miniotas wrote:
> David Wolfskill wrote:
> > <...>
> > This morning (in reviewing the logs from yesterday), I found a set of
> > 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> > (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> > (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> > never logged anything corresponding to any of this.
>
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.

Fair enough. The thrust of the query was whether or not a sequence of
580 of these within a roughly 10-minute interval from a netblock with
which I have no known relationship might plausibly be benign.

> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.

Well, if you think it would actually help, here's a sample:

Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
...
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
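The exchange above turns on a logging asymmetry: an ipfw rule with the log option records the TCP setup packet (the SYN) the moment it matches, while sshd only writes anything once a connection actually exists, so a half-open scan is visible at the firewall and invisible to the daemon. The practical consequence for a defender is that burst detection for this kind of probing has to be done on the firewall log, not the sshd log. The following script is an added example, not code from this thread or from FreeBSD: it parses lines in the ipfw syslog format shown in the message, groups TCP setups to a chosen destination port by source address, and flags any source that exceeds a threshold inside a sliding time window. The sample log is constructed for the example (documentation addresses 192.0.2.5 and 198.51.100.23 stand in for real hosts), the year is assumed because syslog timestamps carry none, and the 10-minute window and threshold of 5 are illustrative values, not anything the thread recommends.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the ipfw syslog format shown in the message:
#   <syslog ts> <host> kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <iface>
# Addresses are documentation ranges, not hosts from the thread.
SAMPLE_LOG = """\
Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 192.0.2.5:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:33387 172.16.8.11:22 out via vr0
Mar 20 19:30:14 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:33402 172.16.8.11:22 out via vr0
Mar 20 19:45:01 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:58784 172.16.8.11:22 out via vr0
Mar 20 19:50:33 janus kernel: ipfw: 10000 Accept TCP 192.0.2.5:40100 172.16.8.11:80 out via vr0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_line(line, year=2007):
    """Parse one ipfw log line into a dict, or return None if it does not match.

    Syslog timestamps carry no year, so one is assumed (hypothetical default).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("rule", "sport", "dport"):
        d[k] = int(d[k])
    return d


def find_bursts(events, window=timedelta(minutes=10), threshold=5, dport=22):
    """Return {src: peak_count} for sources whose TCP setups to `dport`
    reach `threshold` within any sliding window of length `window`.

    Only the firewall sees these packets; a SYN that is never answered
    with the rest of the handshake produces no sshd log entry at all.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == dport:
            by_src[e["src"]].append(e["ts"])

    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def scan_log(text, **kwargs):
    """Parse a whole log text and report bursty sources (unparseable lines are skipped)."""
    events = [e for e in (parse_ipfw_line(l) for l in text.splitlines()) if e]
    return find_bursts(events, **kwargs)


if __name__ == "__main__":
    for src, count in scan_log(SAMPLE_LOG).items():
        print(f"{src}: {count} TCP setups to port 22 inside a 10-minute window")
```

On the constructed sample, 198.51.100.23 is reported with a peak of 6 setups in one window (the seventh attempt at 19:45:01 falls outside it), while 192.0.2.5's single port-22 connection is ignored. Pointing `scan_log` at a real /var/log/security extract, with the window and threshold tuned to the site's normal SSH traffic, gives a firewall-side view of exactly the kind of burst the message describes, independent of whether sshd ever logged anything.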