Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   CentOS (http://www.linux-archive.org/centos/)
-   -   IPTABLEs and port scanning (http://www.linux-archive.org/centos/304634-iptables-port-scanning.html)

"James B. Byrne" 01-05-2010 02:30 PM

IPTABLEs and port scanning
 
I see many entries in /var/log/secure similar to these:

. . .
/var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password
for root from 93.89.144.31 port 60100 ssh2
/var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password
for root from 93.89.144.31 port 60962 ssh2
/var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password
for root from 93.89.144.31 port 33612 ssh2
/var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received
disconnect from 93.89.144.31: 11: Bye Bye
/var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
for root from 93.89.144.31 port 34504 ssh2
. . .

As you can see, the ports are not those associated with the service
requested. SSHD is configured to listen on the standard port (22)
and only on a single IP address that is supposed to be reachable
only from the internal network (this is a multi-homed system
configured as a gateway).

These are getting through the brute force filters because the
attempts are directed against unchecked ports. I suspect that these
represent no immediate danger to our systems because there are no
active services on any of the ports and because we have a guillotine
rule at the end of our INPUT chain. The firewall is configured to
only allow connections to specified ports and to drop any new
connection attempts to all the others.

My confusion is over why these things are making it into the logs at
all when sshd does not listen on those ports and the ports
themselves are supposed to inaccessible through the firewall. There
presence inoculates a doubt in my mind that things are properly
configured.

I would appreciate any insight as to why these attempts are
nonetheless logged by sshd.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Robert Nichols 01-05-2010 03:46 PM

IPTABLEs and port scanning
 
James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
>
> . . .
> /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password
> for root from 93.89.144.31 port 60100 ssh2
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password
> for root from 93.89.144.31 port 60962 ssh2
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password
> for root from 93.89.144.31 port 33612 ssh2
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
> for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
[SNIP]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to inaccessible through the firewall. There
> presence inoculates a doubt in my mind that things are properly
> configured.

Those port numbers (60100, 60962, 33612, 34504) are source ports, not
destination ports. As for why they are getting through your firewall
and being seen by sshd, a thorough review of your firewall rules would
be needed to determine that. Indeed, it is quite doubtful that things
are properly configured.

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Benjamin Franz 01-05-2010 03:49 PM

IPTABLEs and port scanning
 
James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
> [...]
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
> for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
> [...]
> My confusion is over why these things are making it into the logs at
> all when sshd does not listen on those ports and the ports
> themselves are supposed to inaccessible through the firewall. There
> presence inoculates a doubt in my mind that things are properly
> configured.
>
> I would appreciate any insight as to why these attempts are
> nonetheless logged by sshd

You are mis-interpreting the log entries. The port shown is the remote
port not your local port. When a SSH connection is set up you have
something like:

remote_address:some_high_port <-> local_address:22

What you are seeing in the log is the 'some_high_port' of the remote
address. It's a normal part of a TCP connection.

If your brute force protection is not catching the repeated login
failures, you should check its configuration.

--
Benjamin Franz

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Ned Slider 01-05-2010 03:56 PM

IPTABLEs and port scanning
 
On 01/05/2010 03:30 PM, James B. Byrne wrote:
> I see many entries in /var/log/secure similar to these:
>
> . . .
> /var/log/secure.1:Dec 31 08:00:55 gway01 sshd[7220]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7221]: Failed password
> for root from 93.89.144.31 port 60100 ssh2
> /var/log/secure.1:Dec 31 08:00:58 gway01 sshd[7222]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7223]: Failed password
> for root from 93.89.144.31 port 60962 ssh2
> /var/log/secure.1:Dec 31 08:01:02 gway01 sshd[7224]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7227]: Failed password
> for root from 93.89.144.31 port 33612 ssh2
> /var/log/secure.1:Dec 31 08:01:05 gway01 sshd[7228]: Received
> disconnect from 93.89.144.31: 11: Bye Bye
> /var/log/secure.1:Dec 31 08:01:09 gway01 sshd[7229]: Failed password
> for root from 93.89.144.31 port 34504 ssh2
> . . .
>
> As you can see, the ports are not those associated with the service
> requested. SSHD is configured to listen on the standard port (22)
> and only on a single IP address that is supposed to be reachable
> only from the internal network (this is a multi-homed system
> configured as a gateway).
>

Those are the *source ports* from the attacking host, not the
destination port on which you are running SSH. I /assume/ the number
enclosed in '[]' to be the pid of the sshd instance associated with the
connection attempt.

Hope that helps.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


All times are GMT. The time now is 01:26 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.