From owner-freebsd-security@FreeBSD.ORG Tue Jul 1 04:32:52 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 856C937B401 for ; Tue, 1 Jul 2003 04:32:52 -0700 (PDT)
Received: from smtp.uninet.ee (smtp.uninet.ee [194.204.0.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D7AF44022 for ; Tue, 1 Jul 2003 04:32:51 -0700 (PDT) (envelope-from tarmo@momentor.ee)
Received: from linux.local (wannabe.mentor.ee [194.204.62.142]) by smtp.uninet.ee (Postfix) with ESMTP id 4539561652 for ; Tue, 1 Jul 2003 14:32:49 +0300 (EEST)
From: Tarmo Renter
To: freebsd-security@freebsd.org
Date: Tue, 1 Jul 2003 14:32:54 +0300
User-Agent: KMail/1.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307011432.54750.tarmo@momentor.ee>
Subject: tcp 22 > tcp 22
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 01 Jul 2003 11:32:52 -0000

Hi,

I spotted today the following line in my FreeBSD 4.6.2-RELEASE IPFIREWALL log:

Jul 1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP xxxxxx:22 yyyyy:22 in via ed1

where xxxxxx is the attacker's IP and yyyyy is my box. But in the sshd log, there are no traces left behind by this connection. Normally, there is "Did not receive identification string from xxx" etc. when somebody tries to scan the SSH port. Also, as you can see, the connection is made from port 22 to port 22, which is odd. Is this some kind of SYN packet trick, and how come no I/O to sshd is made?

sshd -v shows:

sshd version OpenSSH_3.4p1 FreeBSD-20020702

---
Regards,
Tarmo Renter
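The check the post is effectively doing by hand, correlating ipfw "Accept" lines for the SSH port against sshd's own log and noting when the source port equals the destination port, can be scripted. The following is an added example and is not code from the post, from FreeBSD or from OpenSSH. It parses ipfw syslog lines of the exact shape quoted above (rule number, action, protocol, src:port, dst:port, direction, interface), collects every peer address that sshd itself has logged, and reports inbound TCP packets to port 22 that ipfw accepted but sshd never mentioned. The sample log lines are constructed: the post's xxxxxx/yyyyy placeholders are replaced with documentation-range addresses, rule number 1400 and the "Did not receive identification string from" message are taken from the post, and the "Accepted publickey for ... from ..." line uses the standard OpenSSH format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# ipfw log entry as quoted in the post:
#   "... /kernel: ipfw: 1400 Accept TCP 203.0.113.5:22 198.51.100.7:22 in via ed1"
# ICMP entries carry no port numbers, so both port groups are optional.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Any sshd line that names the peer: the "Did not receive identification string
# from X" message from the post, or a normal "Accepted ... from X port N ssh2".
SSHD_PEER_RE = re.compile(r"sshd\[\d+\]: .*?\bfrom (?P<peer>[\d.]+)")


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str

    @property
    def same_port(self) -> bool:
        # The oddity the post points out: source port equal to destination port.
        return self.sport is not None and self.sport == self.dport


def parse_ipfw(line: str) -> Optional[IpfwEvent]:
    """Return the structured event for one ipfw syslog line, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    return IpfwEvent(
        rule=int(m["rule"]),
        action=m["action"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        direction=m["dir"],
        iface=m["iface"],
    )


def sshd_peers(lines: Iterable[str]) -> Set[str]:
    """Every client address sshd logged anything about."""
    peers: Set[str] = set()
    for line in lines:
        m = SSHD_PEER_RE.search(line)
        if m:
            peers.add(m["peer"])
    return peers


def silent_ssh_accepts(ipfw_lines: Iterable[str], sshd_lines: Iterable[str],
                       ssh_port: int = 22) -> List[IpfwEvent]:
    """Inbound TCP packets to ssh_port that ipfw accepted but sshd never logged a peer for."""
    seen = sshd_peers(sshd_lines)
    hits: List[IpfwEvent] = []
    for line in ipfw_lines:
        ev = parse_ipfw(line)
        if ev is None or ev.action != "Accept" or ev.proto != "TCP":
            continue
        if ev.direction != "in" or ev.dport != ssh_port:
            continue
        if ev.src not in seen:
            hits.append(ev)
    return hits


# Constructed sample logs (documentation-range addresses; not real traffic).
IPFW_LOG = [
    "Jul  1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP 203.0.113.5:22 198.51.100.7:22 in via ed1",
    "Jul  1 13:35:02 fbsd /kernel: ipfw: 1400 Accept TCP 203.0.113.9:40211 198.51.100.7:22 in via ed1",
    "Jul  1 13:35:10 fbsd /kernel: ipfw: 1400 Accept TCP 198.51.100.7:22 203.0.113.9:40211 out via ed1",
    "Jul  1 13:36:44 fbsd /kernel: ipfw: 1500 Deny ICMP 203.0.113.33 198.51.100.7 in via ed1",
]
SSHD_LOG = [
    "Jul  1 13:35:02 fbsd sshd[4122]: Did not receive identification string from 203.0.113.9",
    "Jul  1 13:40:17 fbsd sshd[4130]: Accepted publickey for alice from 203.0.113.77 port 51234 ssh2",
]

if __name__ == "__main__":
    for ev in silent_ssh_accepts(IPFW_LOG, SSHD_LOG):
        flag = " (src port == dst port)" if ev.same_port else ""
        print(f"rule {ev.rule}: {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} via {ev.iface}, no sshd entry{flag}")
```

Run against the sample data, only the 22-to-22 packet from 203.0.113.5 is reported: the 203.0.113.9 probe was accepted by the same rule but does appear in sshd's log, so it is not "silent". A packet that the firewall accepts without sshd ever logging a peer is consistent with a bare segment that never completed a TCP handshake, which is why the per-packet firewall log and the per-connection daemon log disagree; the script makes that disagreement visible rather than explaining it away.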