Date: Sat, 14 Sep 2013 05:01:51 -0700 From: David Wolfskill <david@catwhisker.org> To: freebsd-security@freebsd.org Subject: Odd sshd entry in auth.log Message-ID: <20130914120151.GY25357@albert.catwhisker.org> Resent-Message-ID: <20130914120515.GZ25357@albert.catwhisker.org>
My (tiny) networks at home are sitting behind a multi-homed FreeBSD machine using IPFW & natd, with an externally-visible static /32 -- nothing particularly obscure or exotic, certainly.

The packet-filter box is configured to forward incoming ssh (22/tcp) to my primary internal machine; in turn, that is configured to only permit public key authentication. Again, this isn't exactly "new and shiny" technology.

One thing I do that may be a bit unusual is that I have the packet-filter's IPFW rules set up so that every attempted SSH "session-initiation" packet is logged. I have found this ... at least "of interest" a few times; below relates one of them.

I am in the habit of reviewing the previous day's logs while I am running "make buildworld" (& friends) on my laptop each morning. This morning, I found a single entry in auth.log that -- unusually -- was not obviously associated with any other auth.log entries; it's the middle of:

Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
Sep 13 13:10:26 albert sshd[38778]: Received disconnect from 172.17.0.254: 11: disconnected by user

So: the first couple of entries are from me accessing home from work. And the latter 2 entries are disconnections from my spouse's laptop (at home). But that middle one (this time, all by itself) seems ... odd (to me):

Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]

I don't find any other auth.log entries that seem at all related, and that entry doesn't provide many hints about the origin of what caused it.

If I look at /var/log/security (where the IPFW log entries go), the closest (temporally) entries I find (that aren't better-explained as belonging to obviously different activity) are:

Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0

So I'm *thinking* that someone was probing a wee bit ... but I have rather little to go on. And while I like to think that I'm not paranoid, I do have some reason to believe that there are definitely folks out there who would quite willingly take advantage of an inadequately-secured system.

It's at times like this that I kinda wish that every log entry from sshd mentioned the IP address of the (would-be) SSH client. :-{

Comments? Suggestions?

(I'm on the list, so I need not be Cc:ed. Private responses will be kept private, though. I've set Reply-To for convenience.)

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
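The correlation David does by eye above (an sshd "[preauth]" failure with no client address, matched against the packet filter's log of SYNs to port 22 that arrived shortly before it) is mechanical enough to script. The following is an added example, not code from the message or from FreeBSD: it parses syslog-style auth.log and ipfw lines, picks out sshd entries that name no client address, and lists the ipfw-logged SSH connection attempts that fall in a configurable window before each one. The sample log lines are constructed, with the timestamps and addresses taken from the message plus one extra ipfw line for the 66.129.224.36 login so the window logic has a negative case; the year is assumed (syslog timestamps carry none), as is the 30-second default window.

```python
import re
from datetime import datetime, timedelta

# Assumed: syslog timestamps omit the year, so we supply one.
YEAR = 2013

# Constructed sample input, modelled on the lines quoted in the message.
AUTH_LOG = """\
Sep 13 11:18:38 albert sshd[43637]: Accepted publickey for david from 66.129.224.36 port 5944 ssh2
Sep 13 11:18:43 albert sshd[43654]: Accepted publickey for david from 66.129.224.36 port 24618 ssh2
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 13:10:26 albert sshd[36478]: Received disconnect from 172.17.0.254: 11: disconnected by user
"""

# Constructed: the two ipfw lines from the message plus an assumed SYN for the
# 11:18:38 login, which must NOT be blamed for the 12:43:24 failure.
IPFW_LOG = """\
Sep 13 10:22:28 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:10833 172.16.8.13:22 out via dc0
Sep 13 11:18:37 janus kernel: ipfw: 10000 Accept TCP 66.129.224.36:5944 172.16.8.13:22 out via dc0
Sep 13 12:43:13 janus kernel: ipfw: 10000 Accept TCP 216.127.84.116:54953 172.16.8.13:22 out via dc0
"""

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
# Any sshd message that already names the peer ("... from 1.2.3.4 ...") needs no help.
SSHD_ADDR = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
IPFW = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_syslog(text, year=YEAR):
    """Yield (timestamp, host, message) for each well-formed syslog line."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than abort the sweep
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["host"], m["rest"]))
    return entries


def ipfw_ssh_accepts(text, ssh_port=22):
    """Return (timestamp, src_ip, src_port) for every logged TCP packet to ssh_port."""
    hits = []
    for ts, _host, rest in parse_syslog(text):
        m = IPFW.search(rest)
        if m and m["proto"] == "TCP" and int(m["dport"]) == ssh_port:
            hits.append((ts, m["src"], int(m["sport"])))
    return hits


def sshd_entries_without_client(text):
    """Return (timestamp, message) for sshd lines that do not name the peer address."""
    return [(ts, rest) for ts, _host, rest in parse_syslog(text)
            if rest.startswith("sshd[") and not SSHD_ADDR.search(rest)]


def correlate(auth_text, ipfw_text, window=timedelta(seconds=30)):
    """For each address-less sshd entry, list the ipfw SSH SYNs seen within
    `window` before it. Candidates are ordered by log order; the closest in
    time is normally the right one, but all are reported so nothing is hidden."""
    syns = ipfw_ssh_accepts(ipfw_text)
    report = []
    for ts, rest in sshd_entries_without_client(auth_text):
        candidates = [(s_ts, src, sport) for s_ts, src, sport in syns
                      if ts - window <= s_ts <= ts]
        report.append({"when": ts, "message": rest, "candidates": candidates})
    return report


def suspect_sources(auth_text, ipfw_text, window=timedelta(seconds=30)):
    """Distinct source addresses implicated by at least one unexplained sshd entry."""
    return sorted({src for hit in correlate(auth_text, ipfw_text, window)
                   for _ts, src, _sport in hit["candidates"]})


if __name__ == "__main__":
    for hit in correlate(AUTH_LOG, IPFW_LOG):
        print(hit["when"], hit["message"])
        for s_ts, src, sport in hit["candidates"]:
            lag = int((hit["when"] - s_ts).total_seconds())
            print(f"    candidate: {src}:{sport} (SYN logged {lag}s earlier)")
    print("suspect sources:", suspect_sources(AUTH_LOG, IPFW_LOG))
```

Two caveats when running this over real logs: the two hosts' clocks must agree (run ntpd on both, or the window becomes meaningless), and a 30-second window is a guess for a filter that logs only the first packet of a session; widen it if the failure comes after a long banner exchange, or narrow it on a busy server to avoid false attributions. Note also that setting `LogLevel VERBOSE` in sshd_config makes sshd record a "Connection from <ip> port <port>" line before authentication, which answers the wish at the end of the message directly and leaves the correlation script as a cross-check rather than the only evidence.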