Date:      Sat, 14 Sep 2013 05:01:51 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        freebsd-security@freebsd.org
Subject:   Odd sshd entry in auth.log
Message-ID:  <20130914120151.GY25357@albert.catwhisker.org>
Resent-Message-ID: <20130914120515.GZ25357@albert.catwhisker.org>


My (tiny) networks at home are sitting behind a multi-homed FreeBSD
machine using IPFW & natd, with an externally-visible static /32 --
nothing particularly obscure or exotic, certainly.

The packet-filter box is configured to forward incoming ssh (22/tcp) to
my primary internal machine; in turn, that is configured to only permit
public key authentication.  Again, this isn't exactly "new and shiny"
technology.

One thing I do that may be a bit unusual is that I have the
packet-filter's IPFW rules set up so that every attempted SSH
"session-initiation" packet is logged.  I have found this ... at
least "of interest" a few times; below relates one of them.

I am in the habit of reviewing the previous day's logs while I am
running "make buildworld" (& friends) on my laptop each morning.

This morning, I found a single entry in auth.log that -- unusually
-- was not obviously associated with any other auth.log entries; it's
the middle of:

Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
Sep 13 13:10:26 albert sshd[38778]: Received disconnect from 172.17.0.254: 11: disconnected by user

So: the first couple of entries are from me accessing home from
work.  And the latter 2 entries are disconnections from my spouse's
laptop (at home).

But that middle one (this time, all by itself) seems ... odd (to me):

Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]


I don't find any other auth.log entries that seem at all related,
and that entry doesn't provide many hints about the origin of what
caused it.

If I look at /var/log/security (where the IPFW log entries go), the
closest (temporally) entries I find (that aren't better-explained
as belonging to obviously different activity) are:

Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0


So I'm *thinking* that someone was probing a wee bit ... but I have
rather little to go on.  And while I like to think that I'm not
paranoid, I do have some reason to believe that there are definitely
folks out there who would quite willingly take advantage of an
inadequately-secured system.

It's at times like this that I kinda wish that every log entry from sshd
mentioned the IP address of the (would-be) SSH client. :-{

Comments?  Suggestions?

(I'm on the list, so I need not be Cc:ed.  Private responses will be
kept private, though.  I've set Reply-To for convenience.)

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130914120151.GY25357>