Reality check: IPFW sees SSH traffic that sshd does not?
Bill Moran
wmoran at collaborativefusion.com
Wed Mar 21 13:37:53 UTC 2007
In response to David Wolfskill <david at catwhisker.org>:
> This note is essentially a request for a reality check.
>
> I use IPFW & natd on the box that provides the interface between my home
> networks and the Internet; the connection is (static) residential DSL.
>
> I configured IPFW to accept & log all SSH "setup" requests, and use natd
> to forward such requests to an internal machine that only accepts public
> key authentication; that machine's sshd logs SSH-specific information.
>
> Usually, the SSH setup requests logged by IPFW correspond with sshd
> activity (whether authorized or not); I expect this.
>
> What has come as rather a surprise, though, is that every once in a
> while, I will see IPFW logging setup requests that have no corresponding
> sshd activity logged at all.
I'm only guessing, but I suspect it's port scanning. If the scanner sends
the initial SYN, waits for the SYN/ACK, but never sends the final SYN/ACK,
the attacker will know that port 22 _is_ open, but sshd will never get a
connection request to log anything about.
> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.
>
> I cannot imagine any valid reason for SSH traffic to my home to be
> originating from that netblock. I perceive nothing comforting in the
> lack of sshd logging the apparent activity.
>
> Lacking rationale to do otherwise, I interpret this as an attack:
> I've modified my IPFW rules to include a reference to a table rather
> early on; IP addresses found in this table are not permitted to
> establish SSH sessions to my networks, and the attempted activity
> is logged. (I also use the same technique on my laptop and my work
> desktop, and -- manually, so far -- keep the tables in question
> synchronized.)
>
> I have accordingly added the VAULT-NETWORKS netblocks to this table,
> pending either information or reason to remove those specifications.
>
> Granted, there appears to be no access granted, but the lack of sshd
> logging makes me nervous.
>
> Have other folks noticed this type of behavior? Have I gone off the
> deep end of paranoia? (Yes, I expect that some of "them" really are out
> to get me. What can I say; it's an occupational hazard.)
Not in my opinion. I run a little script I wrote that automatically adds
failed SSH attempts to a table that blocks them from _everything_ in my
pf rules. I figure if they're fishing for weak ssh passwords, their next
likely attack route might be HTTP or SMTP, so why wait. This is on my
personal server. Here where I work, we're even more strict.
Paranoid? Maybe. But I don't have the free cycles to constantly chase these
attacks around trying to figure out how dangerous they really are. There
are a _lot_ of crooks out there trying to build botnets; I don't want to be
one of them. Especially not for a personal server that I maintain in my
free time as a hobby.
I don't think you're paranoid.
--
Bill Moran
Collaborative Fusion Inc.
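As an added example, not code from either poster, here is a small correlation script for the check David describes: it lists source addresses that IPFW logged as accepted SSH setups but that sshd never mentioned, which is the half-open pattern Bill suggests. The log lines are constructed, and the script assumes the internal sshd sees the original source address, which holds when natd only rewrites the destination on redirect.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original thread); they follow the
# shape of ipfw's syslog output and sshd's auth log. 192.0.2.44 plays the
# scanner that completes no SSH session.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 100 Accept TCP 192.0.2.44:4321 10.0.0.5:22 in via xl0
Mar 20 19:30:07 gw kernel: ipfw: 100 Accept TCP 192.0.2.44:4322 10.0.0.5:22 in via xl0
Mar 20 19:31:00 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:51000 10.0.0.5:22 in via xl0
Mar 20 19:32:15 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:40001 10.0.0.5:22 in via xl0
Mar 20 19:32:16 gw kernel: ipfw: 200 Accept TCP 203.0.113.9:40002 10.0.0.5:80 in via xl0
"""
SSHD_LOG = """\
Mar 20 19:31:01 inner sshd[812]: Accepted publickey for david from 198.51.100.7 port 51000 ssh2
Mar 20 19:32:16 inner sshd[815]: Invalid user admin from 203.0.113.9
"""

# ipfw log: "<rule> Accept TCP <src>:<sport> <dst>:<dport> in via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (\d+) Accept TCP (\d+\.\d+\.\d+\.\d+):\d+ \d+\.\d+\.\d+\.\d+:(\d+) in via")
# sshd log lines of interest all carry "from <ip>"
SSHD_RE = re.compile(r"sshd\[\d+\]: .* from (\d+\.\d+\.\d+\.\d+)")


def ipfw_ssh_sources(ipfw_log, ssh_port=22):
    """Count IPFW-accepted SSH setups per source address."""
    counts = defaultdict(int)
    for line in ipfw_log.splitlines():
        m = IPFW_RE.search(line)
        if m and int(m.group(3)) == ssh_port:
            counts[m.group(2)] += 1
    return dict(counts)


def sshd_sources(sshd_log):
    """Source addresses sshd logged anything for, success or failure."""
    return {m.group(1) for m in map(SSHD_RE.search, sshd_log.splitlines()) if m}


def silent_sources(ipfw_log, sshd_log, ssh_port=22):
    """Sources with IPFW SSH setups but no sshd entry at all.

    These are the candidates for the half-open scan the thread discusses.
    Returns {ip: number_of_setups}."""
    seen = sshd_sources(sshd_log)
    return {ip: n for ip, n in ipfw_ssh_sources(ipfw_log, ssh_port).items()
            if ip not in seen}


if __name__ == "__main__":
    for ip, n in sorted(silent_sources(IPFW_LOG, SSHD_LOG).items()):
        print(f"{ip}: {n} SSH setup(s) at the firewall, nothing from sshd")
```

Sources the script reports are exactly the ones worth feeding into an IPFW or pf table; a source that only ever reaches the firewall gives sshd nothing to log, so sshd logs alone cannot reveal it.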