Reality check: IPFW sees SSH traffic that sshd does not?
This note is essentially a request for a reality check.

I use IPFW & natd on the box that provides the interface between my home
networks and the Internet; the connection is (static) residential DSL.

I configured IPFW to accept & log all SSH "setup" requests, and use natd
to forward such requests to an internal machine that only accepts public
key authentication; that machine's sshd logs SSH-specific information.

Usually, the SSH setup requests logged by IPFW correspond with sshd
activity (whether authorized or not); I expect this.

What has come as rather a surprise, though, is that every once in a
while, I will see IPFW logging setup requests that have no corresponding
sshd activity logged at all.

This morning (in reviewing the logs from yesterday), I found a set of
580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
(US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
(part of a VAULT-NETWORKS netblock). The sshd on the internal machine
never logged anything corresponding to any of this.

I cannot imagine any valid reason for SSH traffic to my home to be
originating from that netblock. I perceive nothing comforting in the
lack of sshd logging the apparent activity.

Lacking rationale to do otherwise, I interpret this as an attack:
I've modified my IPFW rules to include a reference to a table rather
early on; IP addresses found in this table are not permitted to
establish SSH sessions to my networks, and the attempted activity
is logged. (I also use the same technique on my laptop and my work
desktop, and -- manually, so far -- keep the tables in question
synchronized.)

I have accordingly added the VAULT-NETWORKS netblocks to this table,
pending either information or reason to remove those specifications.

Granted, there appears to be no access granted, but the lack of sshd
logging makes me nervous.

Have other folks noticed this type of behavior? Have I gone off the
deep end of paranoia? (Yes, I expect that some of "them" really are out
to get me. What can I say; it's an occupational hazard.)

Thanks!

Peace,
david
--
David H. Wolfskill david@xxxxxxxxxxxxxx
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
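A small log-correlation script of the kind the post describes doing by hand, added here as an example (it is not part of the original message): it pairs ipfw "Accept" entries for inbound TCP to port 22 with sshd log lines by source address and reports sources that sshd never mentioned. The sample log lines are constructed, and the ipfw syslog field layout (rule number, action, protocol, src:port dst:port, direction, interface) is assumed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post): ipfw entries
# from the gateway and sshd entries from the internal host it forwards to.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 200 Accept TCP 204.11.235.148:41852 192.0.2.1:22 in via xl0
Mar 20 19:30:07 gw kernel: ipfw: 200 Accept TCP 204.11.235.148:41853 192.0.2.1:22 in via xl0
Mar 20 19:31:10 gw kernel: ipfw: 200 Accept TCP 192.0.2.7:50112 192.0.2.1:22 in via xl0
Mar 20 19:32:00 gw kernel: ipfw: 300 Accept TCP 198.51.100.9:3000 192.0.2.1:80 in via xl0
"""
SSHD_LOG = """\
Mar 20 19:31:11 inner sshd[4123]: Accepted publickey for david from 192.0.2.7 port 50112 ssh2
"""

# Assumed ipfw log layout: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <if>"
IPFW_RE = re.compile(
    r"ipfw: \d+ (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) in via"
)
# Any sshd message that names a peer address (Accepted ..., Did not receive ..., Connection closed by ...)
SSHD_RE = re.compile(r"sshd\[\d+\]: .*?(?P<src>\d+\.\d+\.\d+\.\d+)")

def ipfw_ssh_setups(text, port=22):
    """Count accepted inbound TCP setups to the SSH port, per source address."""
    counts = Counter()
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m and m["action"] == "Accept" and int(m["dport"]) == port:
            counts[m["src"]] += 1
    return counts

def sshd_peers(text):
    """Count sshd log lines per peer address."""
    counts = Counter()
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            counts[m["src"]] += 1
    return counts

def silent_sources(ipfw_text, sshd_text, port=22):
    """Sources the firewall passed to sshd that never appear in sshd's log."""
    setups = ipfw_ssh_setups(ipfw_text, port)
    seen = sshd_peers(sshd_text)
    return {src: n for src, n in setups.items() if seen[src] == 0}

if __name__ == "__main__":
    for src, n in silent_sources(IPFW_LOG, SSHD_LOG).items():
        print(f"{src}: {n} SSH setups accepted by ipfw, 0 sshd log entries")
```

Matching is by source address only, so the two hosts' clocks do not need to agree; a source that shows up here is one worth a table entry, as the post does.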

