Reality check: IPFW sees SSH traffic that sshd does not?
David Wolfskill
david at catwhisker.org
Wed Mar 21 13:32:26 UTC 2007
On Wed, Mar 21, 2007 at 03:03:51PM +0200, Tadas Miniotas wrote:
> David Wolfskill wrote:
> > <...>
> > This morning (in reviewing the logs from yesterday), I found a set of
> > 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> > (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> > (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> > never logged anything corresponding to any of this.
>
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.
Fair enough. The thrust of the query was whether or not a sequence of
580 of these within a roughly 10-minute interval from a netblock with
which I have no known relationship might plausibly be benign.
> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.
Well, if you think it would actually help, here's a sample:
Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
...
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0
Peace,
david
--
David H. Wolfskill david at catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070321/f69086d2/attachment.pgp
More information about the freebsd-security
mailing list