Odd sshd entry in auth.log

David Wolfskill david at catwhisker.org
Sat Sep 14 12:05:16 UTC 2013


My (tiny) networks at home are sitting behind a multi-homed FreeBSD
machine using IPFW & natd, with an externally-visible static /32 --
nothing particularly obscure or exotic, certainly.

The packet-filter box is configured to forward incoming ssh (22/tcp) to
my primary internal machine; in turn, that is configured to only permit
public key authentication.  Again, this isn't exactly "new and shiny"
technology.

One thing I do that may be a bit unusual is that I have the
packet-filter's IPFW rules set up so that every attempted SSH
"session-initiation" packet is logged.  I have found this ... at
least "of interest" a few times; below relates one of them.

I am in the habit of reviewing the previous day's logs while I am
running "make buildworld" (& friends) on my laptop each morning.

This morning, I found a single entry in auth.log that -- unusually
-- was not obviously associated with any other auth.log entries; it's
the middle of:

Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
Sep 13 13:10:26 albert sshd[38778]: Received disconnect from 172.17.0.254: 11: disconnected by user

So: the first couple of entries are from me accessing home from
work.  And the latter 2 entries are disconnections from my spouse's
laptop (at home).

But that middle one (this time, all by itself) seems ... odd (to me):

Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]


I don't find any other auth.log entries that seem at all related,
and that entry doesn't provide many hints about the origin of what
caused it.

If I look at /var/log/security (where the IPFW log entries go), the
closest (temporally) entries I find (that aren't better explained
as belonging to obviously different activity) are:

Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0


So I'm *thinking* that someone was probing a wee bit ... but I have
rather little to go on.  And while I like to think that I'm not
paranoid, I do have some reason to believe that there are definitely
folks out there who would quite willingly take advantage of an
inadequately-secured system.

It's at times like this that I kinda wish that every log entry from sshd
mentioned the IP address of the (would-be) SSH client. :-{

Comments?  Suggestions?

(I'm on the list, so I need not be Cc:ed.  Private responses will be
kept private, though.  I've set Reply-To for convenience.)

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
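The correlation described in the post, as an added example (this is not code from the original message or from FreeBSD): sshd's "[preauth]" fatal names no peer, so the only record of the client's address is the packet filter's IPFW log. The script below parses both logs, picks out sshd entries that carry no client address, and lists the IPFW port-22 accepts that arrived shortly before each one and are not already accounted for by an sshd line naming that source address and port. The sample lines are constructed from the ones quoted above, plus one invented IPFW line for the 66.129.224.36 session; the year (syslog omits it), the 60-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the lines quoted in the post. The
# 11:18:37 ipfw line for 66.129.224.36 is invented so that one ipfw accept
# is explained by an sshd "Accepted" line and the other is not.
AUTH_LOG = """\
Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
"""

IPFW_LOG = """\
Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
Sep 13 11:18:37 janus kernel: ipfw: 10000 Accept TCP 66.129.224.36:5944 172.16.8.13:22 out via dc0
Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0
"""

# Syslog timestamps carry no year; "[ \d]\d" allows the space-padded day.
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IPFW_RE = re.compile(
    SYSLOG_TS + r" \S+ kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)
# Peer address as sshd writes it: "from A.B.C.D port N" or just "from A.B.C.D".
CLIENT_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port (?P<port>\d+))?")


def parse_ts(text, year=2013):
    """Attach an assumed year (syslog omits it) so timestamps can be subtracted."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def sshd_events(log):
    """Parse sshd lines; 'client'/'cport' are None when the message names no peer."""
    events = []
    for line in log.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        c = CLIENT_RE.search(m["msg"])
        events.append({
            "ts": parse_ts(m["ts"]), "pid": int(m["pid"]), "msg": m["msg"],
            "client": c["ip"] if c else None,
            "cport": int(c["port"]) if c and c["port"] else None,
        })
    return events


def ipfw_ssh_accepts(log, ssh_port=22):
    """Keep only the ipfw 'Accept' entries for TCP connections to the sshd port."""
    accepts = []
    for line in log.splitlines():
        m = IPFW_RE.match(line)
        if m and m["action"] == "Accept" and m["proto"] == "TCP" and int(m["dport"]) == ssh_port:
            accepts.append({"ts": parse_ts(m["ts"]), "src": m["src"], "sport": int(m["sport"])})
    return accepts


def orphan_sshd_events(events):
    """sshd entries that name no client address, e.g. the '[preauth]' fatal."""
    return [e for e in events if e["client"] is None]


def correlate(events, accepts, window_s=60):
    """Map each orphan sshd entry (by pid) to the unexplained ipfw accepts that
    arrived up to window_s seconds before it. An accept is 'explained' when
    some sshd line already names that source address and source port."""
    explained = {(e["client"], e["cport"]) for e in events if e["cport"] is not None}
    window = timedelta(seconds=window_s)
    result = {}
    for o in orphan_sshd_events(events):
        result[o["pid"]] = [
            f'{a["src"]}:{a["sport"]}' for a in accepts
            if (a["src"], a["sport"]) not in explained
            and timedelta(0) <= o["ts"] - a["ts"] <= window
        ]
    return result


if __name__ == "__main__":
    ev = sshd_events(AUTH_LOG)
    for pid, cands in correlate(ev, ipfw_ssh_accepts(IPFW_LOG)).items():
        print(f"sshd[{pid}] names no peer; unexplained ipfw accepts just before it: {cands or 'none'}")
```

On the sample input the script ties sshd[43949] to 216.127.84.116:54953, accepted 11 seconds earlier. Two caveats when running it on real logs: the two files come from different hosts (janus and albert here), so any clock skew between them has to be added to the window, and a client that connects but never completes the key exchange leaves sshd nothing to log about the peer, which is exactly why the packet filter's log is the one to keep.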