From owner-freebsd-security@FreeBSD.ORG Wed Mar 21 13:18:26 2007
Message-ID: <46012D37.5060603@bofh.lt>
Date: Wed, 21 Mar 2007 15:03:51 +0200
From: Tadas Miniotas
To: freebsd-security@freebsd.org
References: <20070321123033.GD31533@bunrab.catwhisker.org>
In-Reply-To: <20070321123033.GD31533@bunrab.catwhisker.org>
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?

David Wolfskill wrote:
> <...>
> This morning (in reviewing the logs from yesterday), I found a set of
> 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> never logged anything corresponding to any of this.

Might be a SYN scan. I believe SSH will not log anything if a three-way
handshake has not been completed. Of course, it would help if you provided
ipfw logs to determine exactly what kind of packets it was.

--
Tadas Miniotas
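The check discussed in this message, as an added example that is not part of the original post: it lists sources whose TCP setup packets to port 22 were logged by ipfw but which never appear in the sshd log. The log lines are constructed, their layout is an assumption about the syslog output of ipfw and sshd, and matching is by source address only, with no time window.

```python
import re
from collections import Counter

# Constructed sample logs. Only 204.11.235.148 comes from the thread;
# every other address, hostname, rule number and port is made up.
IPFW_LOG = """\
Mar 20 19:30:06 gw kernel: ipfw: 10000 Accept TCP 204.11.235.148:40111 192.0.2.10:22 in via em0
Mar 20 19:30:07 gw kernel: ipfw: 10000 Accept TCP 204.11.235.148:40112 192.0.2.10:22 in via em0
Mar 20 19:31:15 gw kernel: ipfw: 10000 Accept TCP 198.51.100.7:51500 192.0.2.10:22 in via em0
"""
SSHD_LOG = """\
Mar 20 19:31:16 inside sshd[4321]: Did not receive identification string from 198.51.100.7
"""

# Assumed layout: "ipfw: <rule> <action> TCP <src>:<sport> <dst>:22 in via <if>"
IPFW_RE = re.compile(r"ipfw: \d+ \w+ TCP (\d+\.\d+\.\d+\.\d+):\d+ \S+:22 in via")
# Any sshd message that names a peer as "... from <ip>"
SSHD_RE = re.compile(r"sshd\[\d+\]: .*\bfrom (\d+\.\d+\.\d+\.\d+)\b")


def setup_counts(ipfw_text):
    """Count logged inbound port-22 setup packets per source address."""
    return Counter(IPFW_RE.findall(ipfw_text))


def sshd_sources(sshd_text):
    """Set of peer addresses that sshd logged anything about."""
    return set(SSHD_RE.findall(sshd_text))


def unmatched_sources(ipfw_text, sshd_text):
    """Sources the firewall saw but sshd never mentioned.

    A source listed here sent SYNs that the firewall logged without any
    connection reaching the point where sshd writes a log entry, which is
    what a SYN scan (or a drop further along the path) would produce.
    """
    seen_by_sshd = sshd_sources(sshd_text)
    return {src: n for src, n in setup_counts(ipfw_text).items()
            if src not in seen_by_sshd}


if __name__ == "__main__":
    for src, n in sorted(unmatched_sources(IPFW_LOG, SSHD_LOG).items()):
        print(f"{src}: {n} setup packets logged by ipfw, nothing from sshd")
```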