From: David Wolfskill <david@catwhisker.org>
To: Tadas Miniotas
Cc: freebsd-security@freebsd.org
Date: Wed, 21 Mar 2007 06:32:21 -0700
Message-ID: <20070321133221.GG31533@bunrab.catwhisker.org>
In-Reply-To: <46012D37.5060603@bofh.lt>
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
On Wed, Mar 21, 2007 at 03:03:51PM +0200, Tadas Miniotas wrote:
> David Wolfskill wrote:
> > <...>
> > This morning (in reviewing the logs from yesterday), I found a set of
> > 580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
> > (US/Pacific; currently 7 hrs. west of GMT/UTC), each from 204.11.235.148
> > (part of a VAULT-NETWORKS netblock). The sshd on the internal machine
> > never logged anything corresponding to any of this.
>
> Might be a SYN scan. I believe SSH will not log anything if a three-way
> handshake has not been completed.

Fair enough. The thrust of the query was whether or not a sequence of 580
of these within a roughly 10-minute interval from a netblock with which I
have no known relationship might plausibly be benign.

> Of course, it would help if you provided ipfw logs to determine exactly
> what kind of packets it was.

Well, if you think it would actually help, here's a sample:

Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102 172.16.8.11:22 out via vr0
Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0
Mar 20 19:30:08 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33103 172.16.8.11:22 out via vr0
Mar 20 19:30:09 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33191 172.16.8.11:22 out via vr0
Mar 20 19:30:10 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33286 172.16.8.11:22 out via vr0
Mar 20 19:30:12 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33387 172.16.8.11:22 out via vr0
...
Mar 20 19:40:06 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:58784 172.16.8.11:22 out via vr0

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Believe SORBS at your own risk: 63.193.123.122 has been static since Aug 1999.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
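A defender's way to turn ipfw lines like the ones quoted above into an alert is to count TCP setup packets per source and destination inside a sliding ten-minute window, which is exactly the 580-in-ten-minutes pattern the message describes and which sshd itself will never record. This is an added example, not code from the thread or from FreeBSD; it assumes the ipfw(8) log layout shown in the message, a 2007 year for the year-less syslog timestamps, and constructed sample lines (25 packets and a threshold of 20 stand in for the real 580).

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# ipfw(8) log line in the form quoted in the thread, e.g.
# "Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000 172.16.8.11:22 out via vr0"
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$")

def parse_ipfw(line, year=2007):
    """Parse one ipfw log line into a dict; None for lines that do not match."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies one (2007 assumed)
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def find_bursts(lines, dport=22, window=600, threshold=20):
    """Return {(src, dst): (peak_count, first_ts, last_ts)} for pairs that sent
    >= threshold TCP setup packets to dport within any `window` seconds (lines in time order)."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_ipfw(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != dport:
            continue
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        # sshd logs nothing for an uncompleted handshake; the firewall log is the only record
        if len(q) >= threshold and (key not in flagged or len(q) > flagged[key][0]):
            flagged[key] = (len(q), q[0], q[-1])
    return flagged

def fake_line(hhmmss, src, sport):   # constructed test data in the thread's log format
    return (f"Mar 20 {hhmmss} janus kernel: ipfw: 10000 Accept TCP "
            f"{src}:{sport} 172.16.8.11:22 out via vr0")

# Constructed sample: one isolated connection, 25 setup packets from one source inside ten minutes, then two unrelated ones
SAMPLE = [fake_line("09:12:29", "204.11.235.148", 26102)]
SAMPLE += [fake_line(f"19:{30 + i // 3:02d}:{(i * 7) % 60:02d}", "204.11.235.148", 33000 + 97 * i)
           for i in range(25)]
SAMPLE += [fake_line("19:50:00", "192.0.2.10", 50001), fake_line("19:51:00", "192.0.2.10", 50002)]
```

Running `find_bursts(SAMPLE)` flags only 204.11.235.148 -> 172.16.8.11 with its peak count and the first and last timestamps of the burst; the isolated 09:12 connection falls outside the window and the other host never reaches the threshold.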