Re: Reality check: IPFW sees SSH traffic that sshd does not?



On Wed, Mar 21, 2007 at 03:03:51PM +0200, Tadas Miniotas wrote:
> David Wolfskill wrote:
> <...>
>> This morning (in reviewing the logs from yesterday), I found a set of
>> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
>> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
>> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
>> never logged anything corresponding to any of this.
>
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.

Fair enough. The thrust of the query was whether or not a sequence of
580 of these within a roughly 10-minute interval from a netblock with
which I have no known relationship might plausibly be benign.

> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.

Well, if you think it would actually help, here's a sample:

Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
...
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0

Peace,
david
--
David H. Wolfskill david@xxxxxxxxxxxxxx
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
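Added example, not part of the original thread: a small Python script that parses ipfw log lines in the format quoted above and reports sources whose accepted TCP packets toward port 22 pile up inside a sliding time window, which is the pattern (many accepted setup packets, rising ephemeral source ports, nothing from sshd) that the thread attributes to a SYN scan. It assumes the lines arrive in chronological order and that the caller supplies the year syslog omits; the 10.0.0.5 line is constructed for contrast.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches ipfw syslog lines of the shape quoted in the post, e.g.
# "Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0"
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$")

def parse_ipfw(line, year):
    """Parse one ipfw log line into a dict, or return None; syslog omits the year, so the caller supplies it."""
    m = IPFW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def find_bursts(lines, year=2007, dport=22, window=timedelta(minutes=10), threshold=5):
    """Return {src: peak} for sources whose accepted TCP packets toward dport reach
    `threshold` inside any `window`-long span (lines assumed in chronological order)."""
    recent = defaultdict(deque)  # src -> timestamps still inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_ipfw(line, year)
        if not rec or rec["action"] != "Accept" or rec["proto"] != "TCP" or rec["dport"] != dport:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] >= window:  # drop timestamps that have fallen out of the window
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

# Sample input: the lines quoted in the post plus one constructed line from a
# second source (10.0.0.5) that makes a single connection and must not be flagged.
SAMPLE_LINES = [
    "Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0",
    "Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0",
    "Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0",
    "Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0",
    "Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0",
    "Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0",
    "Mar 20 19:33:00 janus kernel: ipfw: 10000 Accept TCP 10.0.0.5:40001 172.16.8.11:22 out via vr0",
    "Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0",
]
```

On the sample, `find_bursts(SAMPLE_LINES)` returns `{'204.11.235.148': 6}`; the single 09:12:29 packet falls outside the window and 10.0.0.5 never reaches the threshold.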
