Reality check: IPFW sees SSH traffic that sshd does not?

David Wolfskill david at catwhisker.org
Wed Mar 21 13:32:26 UTC 2007


On Wed, Mar 21, 2007 at 03:03:51PM +0200, Tadas Miniotas wrote:
> David Wolfskill wrote:
> > <...>
> > This morning (in reviewing the logs from yesterday), I found a set of
> > 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> > (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> > (part of a VAULT-NETWORKS netblock).  The sshd on the internal machine
> > never logged anything corresponding to any of this.
> 
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.

Fair enough.  The thrust of the query was whether or not a sequence of
580 of these within a roughly 10-minute interval from a netblock with
which I have no known relationship might plausibly be benign.

> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.

Well, if you think it would actually help, here's a sample:

Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
...
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
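Added example, not part of the thread or of anyone's posted code: a short Python script that does the correlation the exchange above is about. It parses ipfw log lines in the exact format quoted above, finds sources that produced a burst of accepted setups to tcp/22 inside a sliding 10-minute window, and then checks whether sshd's own log ever mentions that source. sshd logs nothing until a TCP connection has actually completed, so a source that appears in the ipfw log but never in sshd's log sent SYNs that completed no handshake, which is exactly what a SYN scan looks like from the gateway. The 204.11.235.148 lines mirror the ones quoted above; the 192.0.2.10 lines, every sshd line, the year 2007 pinned for timestamp parsing, and the threshold of 5 setups per 10 minutes are constructed assumptions for the demo.

```python
"""Correlate ipfw-accepted setups to tcp/22 with what sshd itself logged.

Added example, not from the original thread.  Lines marked 'constructed'
are made up for the demo; the 204.11.235.148 lines mirror the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2007  # assumption: syslog timestamps carry no year

# ipfw log format as quoted in the thread:
#   <ts> <host> kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
# sshd only writes a line once a TCP connection completed, e.g.
#   "Accepted publickey for X from 1.2.3.4 port N ssh2"
#   "Failed password for root from 1.2.3.4 port N ssh2"
SSHD_RE = re.compile(r"sshd\[\d+\]: .*\bfrom (?P<ip>\d+(?:\.\d+){3})\b")


def parse_ts(ts):
    """Turn 'Mar 20 19:30:07' (any day padding) into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_ipfw(lines):
    """Return (time, src, dst, dport, action) for every ipfw log line; skip the rest."""
    events = []
    for line in lines:
        m = IPFW_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["action"]))
    return events


def sshd_sources(lines):
    """Client IPs sshd itself recorded, i.e. hosts whose handshake completed."""
    seen = set()
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            seen.add(m["ip"])
    return seen


def find_bursts(events, dport=22, threshold=5, window=timedelta(minutes=10)):
    """Per source, the largest number of accepted setups to `dport` within any
    `window` (two-pointer scan over sorted timestamps); keep those >= threshold."""
    by_src = defaultdict(list)
    for t, src, _dst, port, action in events:
        if port == dport and action == "Accept":
            by_src[src].append(t)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def classify(ipfw_lines, sshd_lines, **kw):
    """Bursty source -> (count, 'completed' if sshd saw it, else 'half-open').
    'half-open' means the gateway accepted the SYNs but no handshake finished,
    which is what a SYN scan looks like from the firewall side."""
    seen = sshd_sources(sshd_lines)
    return {src: (n, "completed" if src in seen else "half-open")
            for src, n in find_bursts(parse_ipfw(ipfw_lines), **kw).items()}


# Sample input.  204.11.235.148 lines mirror the thread; 192.0.2.10 (TEST-NET-1)
# lines and all sshd lines are constructed for this demo.
IPFW_LOG = """\
Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0
Mar 20 19:50:00 janus kernel: ipfw: 10000 Accept TCP 192.0.2.10:40001 172.16.8.11:22 out via vr0
Mar 20 19:50:03 janus kernel: ipfw: 10000 Accept TCP 192.0.2.10:40002 172.16.8.11:22 out via vr0
Mar 20 19:50:07 janus kernel: ipfw: 10000 Accept TCP 192.0.2.10:40003 172.16.8.11:22 out via vr0
Mar 20 19:50:11 janus kernel: ipfw: 10000 Accept TCP 192.0.2.10:40004 172.16.8.11:22 out via vr0
Mar 20 19:50:15 janus kernel: ipfw: 10000 Accept TCP 192.0.2.10:40005 172.16.8.11:22 out via vr0
""".splitlines()

SSHD_LOG = """\
Mar 20 19:50:01 inner sshd[2231]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 20 19:50:04 inner sshd[2233]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar 20 19:50:16 inner sshd[2240]: Did not receive identification string from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for src, (n, verdict) in classify(IPFW_LOG, SSHD_LOG).items():
        print(f"{src}: {n} setups to tcp/22 in 10 min, {verdict}")
```

With the sample data the 204.11.235.148 burst is flagged as half-open (nothing in sshd's log, matching the thread), while the constructed 192.0.2.10 burst is flagged as completed, since sshd recorded it. Tune `threshold` and `window` to your own traffic; the constants here are only for the demo.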