Re: Reality check: IPFW sees SSH traffic that sshd does not?
- From: Dan Lukes <dan@xxxxxxxxx>
- Date: Wed, 21 Mar 2007 14:44:47 +0100
David Wolfskill wrote:
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.
The application layer can accept only "completed" connections, so handshaking must be successfully completed first before the application can accept the incoming connection. It's not SSH-specific behavior.
> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.
> Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
> Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
It may not help. We can see packets in one direction but not in the opposite one. Unfortunately, we can't decide whether it's because there are no reply packets or because the response packets are not logged by your configuration.
Dan
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
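
Added example, not part of Dan's message or of anyone's post in the thread: a small correlator that takes ipfw log lines in the format quoted above and checks, per client flow, whether a reply direction was logged and whether sshd ever accepted the connection. All log lines other than the two from the thread are constructed, and the sshd line format ("Connection from <ip> port <port>") and the `correlate` function are assumptions of this example.

```python
import re
from collections import defaultdict

# ipfw lines: the first two are the ones quoted in the thread, the rest are constructed.
IPFW_LOG = """\
Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:31:10 janus kernel: ipfw: 10000 Accept TCP 192.0.2.7:40000 172.16.8.11:22 out via vr0
Mar 20 19:31:10 janus kernel: ipfw: 10000 Accept TCP 172.16.8.11:22 192.0.2.7:40000 in via vr0
Mar 20 19:40:02 janus kernel: ipfw: 10000 Accept TCP 198.51.100.9:51000 172.16.8.11:22 out via vr0
Mar 20 19:40:02 janus kernel: ipfw: 10000 Accept TCP 172.16.8.11:22 198.51.100.9:51000 in via vr0
"""
# Constructed sshd line (assumed format: "Connection from <ip> port <port>").
SSHD_LOG = """\
Mar 20 19:31:11 bastion sshd[4242]: Connection from 192.0.2.7 port 40000
"""

IPFW_RE = re.compile(
    r"ipfw: \d+ \w+ TCP (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?:in|out) via \S+")
SSHD_RE = re.compile(r"sshd\[\d+\]: Connection from (?P<ip>[\d.]+) port (?P<port>\d+)")

def correlate(ipfw_log, sshd_log, server_port=22):
    """Map each client (ip, port) seen by ipfw to one of three states:
    accepted          - sshd logged the connection, so the handshake completed
    one-way           - only client->server packets logged: either no reply was
                        sent, or the ruleset does not log replies (ambiguous)
    replied-no-accept - replies were logged but sshd never saw the connection
    """
    seen = defaultdict(set)  # (client_ip, client_port) -> {"request", "reply"}
    for m in IPFW_RE.finditer(ipfw_log):
        if int(m["dport"]) == server_port:
            seen[(m["src"], int(m["sport"]))].add("request")
        elif int(m["sport"]) == server_port:
            seen[(m["dst"], int(m["dport"]))].add("reply")
    accepted = {(m["ip"], int(m["port"])) for m in SSHD_RE.finditer(sshd_log)}
    report = {}
    for flow, directions in seen.items():
        if flow in accepted:
            report[flow] = "accepted"
        elif directions == {"request"}:
            report[flow] = "one-way"
        else:
            report[flow] = "replied-no-accept"
    return report

if __name__ == "__main__":
    for flow, state in correlate(IPFW_LOG, SSHD_LOG).items():
        print(flow, state)
```

Both flows from the thread come out as "one-way", which is the ambiguity Dan describes: the log alone cannot distinguish a missing reply from an unlogged one.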