Reality check: IPFW sees SSH traffic that sshd does not? - Dan Lukes - org.freebsd.freebsd-security

13 messages in org.freebsd.freebsd-securityReality check: IPFW sees SSH traffic ...

From	Sent On	Attachments
David Wolfskill	Mar 21, 2007 12:45 pm
Tadas Miniotas	Mar 21, 2007 1:18 pm
David Wolfskill	Mar 21, 2007 1:32 pm
Bill Moran	Mar 21, 2007 1:37 pm
Richard Jones	Mar 21, 2007 2:12 pm
Dan Lukes	Mar 21, 2007 2:27 pm
Bill Moran	Mar 21, 2007 2:29 pm
W. D.	Mar 21, 2007 2:44 pm
Eygene Ryabinkin	Mar 21, 2007 2:50 pm
Julian Elischer	Mar 21, 2007 11:21 pm
Carl Makin	Mar 21, 2007 11:22 pm
Volker	Mar 22, 2007 1:32 pm
Eygene Ryabinkin	Mar 23, 2007 11:36 am

Subject:	Reality check: IPFW sees SSH traffic that sshd does not?
From:	Dan Lukes (da...@obluda.cz)
Date:	Mar 21, 2007 2:27:43 pm
List:	org.freebsd.freebsd-security

David Wolfskill wrote:

Might be a SYN scan. I believe SSH will not log anything if a three-way handshake has not been completed.

The application layer can accept only "completed" connections, so handshaking must be successfully completed first before the application can accept the incoming connection. It's not SSH specific behavior.

Of course, it would help if you provided ipfw logs to determine exactly what kind of packets it was.

Mar 20 09:12:29 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:26102
172.16.8.11:22 out via vr0 Mar 20 19:30:07 janus kernel: ipfw: 10000 Accept TCP 204.11.235.148:33000
172.16.8.11:22 out via vr0

It may not help. We can see packet in one direction but not in opposite. Unfortunately, we can't decide it's because there are no reply packets or the response packets are not logged by your configuration.

Dan

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets