From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 14:27:58 2007
From: Dan Lukes
Date: Wed, 21 Mar 2007 14:44:47 +0100
To: freebsd-security@freebsd.org
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <460136CF.8030700@obluda.cz>
In-Reply-To: <20070321133221.GG31533@bunrab.catwhisker.org>
References: <20070321123033.GD31533@bunrab.catwhisker.org> <46012D37.5060603@bofh.lt> <20070321133221.GG31533@bunrab.catwhisker.org>

David Wolfskill wrote:
>> Might be a SYN scan. I believe SSH will not log anything if a three-way
>> handshake has not been completed.

The application layer can accept only "completed" connections, so handshaking must be successfully completed first before the application can accept the incoming connection.
It's not SSH-specific behavior.

>> Of course, it would help if you provided ipfw logs to determine exactly
>> what kind of packets it was.

> Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
> Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0

It may not help. We can see packets in one direction but not in the opposite one. Unfortunately, we can't decide whether it's because there are no reply packets or because the response packets are not logged by your configuration.

Dan
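Added example, not part of the thread: a small Python script that groups ipfw log lines in the format quoted above into TCP flows and flags the flows that were logged in only one direction, which is exactly the case Dan describes as undecidable from the log alone (no reply at all, as with a SYN scan that sshd never sees, versus replies that no logging rule matched). The third sample line and rule number 10010 are constructed so that one flow shows both directions.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the thread plus one constructed
# reply line (rule 10010 is made up) so that one flow shows both directions.
SAMPLE_LOG = """\
Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10010 Accept TCP 172.16.8.11:22 204.11.235.148:33000 in via vr0
"""

# Layout of the ipfw log lines as quoted in the thread; this regex is an
# assumption that matches only that layout (TCP/UDP with ports).
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_lines(text):
    """Yield one dict per parseable ipfw log line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def classify_flows(text):
    """Group TCP records into flows keyed by ((client_ip, client_port),
    (server_ip, server_port)) and count packets seen in each direction.
    Heuristic: the endpoint with the lower port number is the server."""
    flows = defaultdict(lambda: {"forward": 0, "reverse": 0, "rules": set()})
    for rec in parse_ipfw_lines(text):
        if rec["proto"] != "TCP":
            continue
        a = (rec["src"], int(rec["sport"]))
        b = (rec["dst"], int(rec["dport"]))
        if b[1] < a[1]:
            key, direction = (a, b), "forward"   # client -> server
        else:
            key, direction = (b, a), "reverse"   # server -> client
        flows[key][direction] += 1
        flows[key]["rules"].add(int(rec["rule"]))
    return dict(flows)

def one_way_flows(text):
    """Flows where only client->server packets were logged. The log alone
    cannot tell a probe that got no reply from a connection whose replies
    simply matched no logging rule; check the rule set for the reverse path."""
    return sorted(k for k, v in classify_flows(text).items() if v["reverse"] == 0)
```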