Date:      Sun, 1 Oct 2017 11:15:01 -0500
From:      edgar <edgar@pettijohn-web.com>
To:        Ernie Luzar <luzar722@gmail.com>, Matthias Apitz <guru@unixarea.de>,  freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: Re: help - under attack
Message-ID:  <8a20fe48-bfc3-433f-9ea9-81332f670daa@localhost>
In-Reply-To: <59D10B0C.1010702@gmail.com> <20171001152637.GA60730@c720-r314251>
References:  <59D10736.2070504@gmail.com> <20171001152637.GA60730@c720-r314251>

You aren't providing nearly enough information. Is the firewall a separate
machine? Obviously it isn't working or the rules aren't as strict as
you think they are. If you can't change its rules, run pf on your machine.
Or disable sshd if it's not needed. If it is, use keys and disable password
logins.
> On Oct 1, 2017 at 10:34 AM, <Ernie Luzar> wrote:
>
> Matthias Apitz wrote:
> > On Sunday, October 01, 2017 at 11:18:14 a.m. -0400, Ernie Luzar wrote:
> > > Hello list;
> > >
> > > Installed 11.1 from scratch and after about 2-3 weeks I finally got
> > > around to inspecting the /var/logs. I have never seen the auth.log file
> > > roll over before, so this piqued my interest. It was full of failed
> > > login attempts. My firewall blocks all inbound traffic, so I am very
> > > baffled by what I see in the log. Any suggestions on how this can be
> > > happening?
> > >
> > > Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
> > > ...
> >
> > If you have a firewall (about which you have not said anything), how can
> > SYN-SYN-ACK happen on port 22?
> >
> > matthias
>
> My post says "My firewall blocks all inbound traffic". The login error
> messages do not say it on port 22. That inbound port is blocked by the
> firewall. All pc on the lan are powered off. Even disconnected the lan
> cable from the freebsd gateway host and still the error messages come
> out. That is why I am asking for help here.
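The "use keys and disable password logins" advice above comes down to a few sshd_config options, and a commented-out line is the usual way a host ends up still accepting passwords. The following is an added example, not code from the thread: it reads an sshd_config text the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment, only the global section before any `Match` block is considered) and reports which of the password-related options differ from a key-only setup. The two config texts are constructed samples, and the fallback values are OpenSSH's documented defaults for those three options.

```python
"""Audit sshd_config for the settings behind "use keys and disable
password logins". Added example; the config texts are constructed."""
import re

# Key-only sshd: option name -> value it should have.
# ChallengeResponseAuthentication is included because PAM keyboard-interactive
# logins can still accept a password when PasswordAuthentication is off.
EXPECTED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
}
# OpenSSH defaults that apply when the option is absent or commented out.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PubkeyAuthentication": "yes",
}


def effective_settings(config_text):
    """Return the effective value of each audited option.

    sshd keeps the first value it sees for a keyword and ignores later
    ones; keywords are case-insensitive; anything after '#' is a comment.
    Only the global section is read: options inside a Match block apply
    conditionally and need a separate review.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        for option in EXPECTED:
            if key == option.lower() and option not in seen:
                seen[option] = value
    return {opt: seen.get(opt, DEFAULTS[opt]) for opt in EXPECTED}


def audit(config_text):
    """Return (option, found, expected) for every option that is not key-only."""
    eff = effective_settings(config_text)
    return [(opt, eff[opt], EXPECTED[opt])
            for opt in EXPECTED if eff[opt] != EXPECTED[opt]]


# Constructed sample: looks hardened at a glance, but the one line that
# matters is commented out, so the default (yes) applies.
WEAK = """\
#PasswordAuthentication no
ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: key-only; the trailing line shows first-wins.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes   # ignored: sshd already took the first value
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(text)
        print(name, "OK" if not findings else "")
        for opt, found, expected in findings:
            print(f"  {opt} is {found}, expected {expected}")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; a non-empty result means the daemon still takes passwords (or keys are off), regardless of what a commented-out line appears to say.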
     
Date:      Sun, 1 Oct 2017 13:11:11 -0400
From:      Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
To:        Ernie Luzar <luzar722@gmail.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: help - under attack
Message-ID:  <fa8af015-493f-0a1e-a4a4-2f7dfe6f906e@sentex.net>
In-Reply-To: <59D10736.2070504@gmail.com>
References:  <59D10736.2070504@gmail.com>

On 10/1/2017 11:18 AM, Ernie Luzar wrote:
> Hello list;
> 
> Installed 11.1 from scratch and after about 2-3 weeks I finally got
> around to inspecting the /var/logs. I have never seen the auth.log file
> roll over before, so this piqued my interest. It was full of failed
> login attempts. My firewall blocks all inbound traffic, so I am very
> baffled by what I see in the log. Any suggestions on how this can be
> happening?

Is your firewall your default gateway on the FreeBSD box?

Run tcpdump with the -e option as well to see what MAC address is
forwarding the traffic.  So if you have igb0 as the nic with the default
gateway

tcpdump -nei igb0 -c 20 port 22

then use arp -na to match the IP address to the MAC address to confirm
it is the host forwarding traffic you think it is. Also double check
your firewall to make sure the rules are working as you expect.

	---Mike



-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
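The cross-check Mike describes (`tcpdump -nei igb0 -c 20 port 22`, then `arp -na` to match the source MAC to a LAN host) is easy to do by hand for twenty packets, but it is worth scripting once the question is "where is all of this coming from?". The code below is an added example, not from the thread: it parses the text that `tcpdump -e` and FreeBSD's `arp -na` print, and for every frame addressed to the SSH port reports whether it arrived from the gateway's MAC (the firewall is forwarding it, so its rules need a look), from another LAN host's MAC (that host is originating the connections), or from a MAC not in the ARP table at all. The capture and ARP table are constructed samples; the gateway at 192.168.1.1, the FreeBSD host at 192.168.1.10 and the MAC addresses are assumptions, and the one public source address is the one in Ernie's log line.

```python
"""Correlate tcpdump -e frames with arp -na to see which LAN MAC is
delivering port-22 traffic. Added example; sample data is constructed."""
import ipaddress
import re
from collections import Counter

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# tcpdump -nei output on Ethernet:
# "<time> <src mac> > <dst mac>, ethertype IPv4 (0x0800), length N: <sip>.<sport> > <dip>.<dport>: ..."
FRAME_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):",
    re.I,
)

# FreeBSD arp -na output:
# "? (192.168.1.1) at 00:1b:21:aa:bb:cc on igb0 expires in 1189 seconds [ethernet]"
ARP_RE = re.compile(
    rf"^\S+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>{MAC}) on (?P<ifname>\S+)", re.I
)


def parse_arp(arp_text):
    """Map lowercase MAC -> (ip, interface) from arp -na output."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m["mac"].lower()] = (m["ip"], m["ifname"])
    return table


def classify_frames(tcpdump_text, arp_text, gateway_ip, ssh_port=22):
    """For each frame to ssh_port, say which LAN MAC delivered it."""
    arp = parse_arp(arp_text)
    gw_mac = next((mac for mac, (ip, _) in arp.items() if ip == gateway_ip), None)
    results = []
    for line in tcpdump_text.splitlines():
        m = FRAME_RE.match(line)
        if not m or int(m["dport"]) != ssh_port:
            continue  # not IPv4, or not inbound to sshd (e.g. our SYN-ACK reply)
        smac, sip = m["smac"].lower(), m["sip"]
        if gw_mac is not None and smac == gw_mac:
            via = "gateway"            # firewall forwarded it: review its rules
        elif smac in arp:
            via = "lan host " + arp[smac][0]  # a LAN device is the origin
        else:
            via = "unknown mac"        # not in the ARP table: check cabling/VLAN
        results.append({
            "src_ip": sip,
            "src_mac": smac,
            "via": via,
            "private_src": ipaddress.ip_address(sip).is_private,
        })
    return results


def summarize(results):
    """Count frames per delivering MAC class."""
    return Counter(r["via"] for r in results)


# Constructed arp -na table: gateway, this host, one other LAN machine.
ARP_SAMPLE = """\
? (192.168.1.1) at 00:1b:21:aa:bb:cc on igb0 expires in 1189 seconds [ethernet]
? (192.168.1.10) at 00:25:90:dd:ee:ff on igb0 permanent [ethernet]
? (192.168.1.50) at 00:0c:29:12:34:56 on igb0 expires in 600 seconds [ethernet]
"""

# Constructed tcpdump -nei igb0 port 22 capture (four frames).
TCPDUMP_SAMPLE = """\
13:05:02.100001 00:1b:21:aa:bb:cc > 00:25:90:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 149.202.179.216.48876 > 192.168.1.10.22: Flags [S], seq 1, win 29200, length 0
13:05:02.100250 00:25:90:dd:ee:ff > 00:1b:21:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.10.22 > 149.202.179.216.48876: Flags [S.], seq 2, ack 2, win 65535, length 0
13:05:03.200001 00:0c:29:12:34:56 > 00:25:90:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 192.168.1.50.51000 > 192.168.1.10.22: Flags [S], seq 3, win 29200, length 0
13:05:04.300001 02:42:ac:11:00:02 > 00:25:90:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 10.9.8.7.40000 > 192.168.1.10.22: Flags [S], seq 4, win 29200, length 0
"""

if __name__ == "__main__":
    frames = classify_frames(TCPDUMP_SAMPLE, ARP_SAMPLE, gateway_ip="192.168.1.1")
    for f in frames:
        print(f"{f['src_ip']:>16} from {f['src_mac']} via {f['via']}"
              f"{'' if f['private_src'] else ' (public source address)'}")
    print(summarize(frames))
```

On a live host the two texts come from `tcpdump -nei igb0 -c 20 port 22` and `arp -na`; a public source address showing up with the gateway's MAC is the combination to look for, since it means the firewall passed the connection through. A capture that shows no port-22 frames at all while auth.log keeps filling is a different finding and says the connections are not arriving on that interface.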


