[Firehol-support] Apparent bypass of firewall by ssh login probes

Whit Blauvelt whit at transpect.com
Tue Feb 9 20:44:57 CET 2016


Hi,

I'm trying to figure out how these probes are making it to sshd and
auth.log. I've got iptables running set up by FireHOL, using ipset (although
in a non-FireHOL way), and can see multiple other DPT=22 probes stopped as
they should be. The attacker's IP is permitted neither in the ipset in use,
nor explicitly in the firewall rules. There's no immediate danger since
sshd_config has PermitRootLogin without-password, and this is an attempt at
the password.

It's also managing to log with a false date, making it even weirder. So
auth.log looks like:

Feb  7 11:17:01 sysname CRON[27060]: pam_unix(cron:session): session closed for user root
Oct 17 16:38:44 sysname sshd[27064]: Failed password for root from 43.229.53.66 port 57254 ssh2
Feb  7 12:17:01 sysname CRON[27064]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 11:39:44 sysname sshd[27065]: Failed password for root from 43.229.53.66 port 61089 ssh2
Feb  7 12:17:01 sysname CRON[27064]: pam_unix(cron:session): session closed for user root

Other sshd instances log with the correct date. Over the last week there
have been several of these probes per day getting through, all with false
dates, all from 43.229.53.66 and .67. Those IPs appear to be in Hong Kong.
How the heck are they getting around iptables, and pushing a fake timestamp
into the log while they're at it - and it's always a wrong timestamp? There
are, on the other hand, no instances of these IPs being blocked at the
firewall and recorded in syslog for that.

Thanks,
Whit
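One way to surface the out-of-sequence timestamps the post describes, as an added example that is not part of the original message or of FireHOL: it parses the quoted auth.log format, flags entries whose timestamp sits far from the running baseline of plausible entries, and tallies failed-password attempts per source IP among the flagged lines. Syslog lines carry no year, so one is assumed; the sample lines are constructed from the excerpt above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the auth.log format quoted in the post (not a live capture).
SAMPLE_LOG = """\
Feb  7 11:17:01 sysname CRON[27060]: pam_unix(cron:session): session closed for user root
Oct 17 16:38:44 sysname sshd[27064]: Failed password for root from 43.229.53.66 port 57254 ssh2
Feb  7 12:17:01 sysname CRON[27064]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 16 11:39:44 sysname sshd[27065]: Failed password for root from 43.229.53.66 port 61089 ssh2
Feb  7 12:17:01 sysname CRON[27064]: pam_unix(cron:session): session closed for user root
"""

LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
YEAR = 2016  # assumed: syslog timestamps have no year; a leap year keeps Feb 29 parseable

def parse_line(line):
    """Split one syslog-style line into timestamp, host, program, pid and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, prog, pid, msg = m.groups()
    ts = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "prog": prog, "pid": int(pid), "msg": msg, "raw": line}

def flag_out_of_sequence(lines, tolerance_s=24 * 3600):
    """Mark entries more than tolerance_s away from the last plausible entry.
    Flagged entries do not advance the baseline, so a single bad line cannot
    drag it along. A backward jump is also checked as a Dec -> Jan year wrap."""
    entries, anchor = [], None
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if anchor is None:
            e["suspicious"], anchor = False, e["ts"]
        else:
            delta = abs((e["ts"] - anchor).total_seconds())
            if e["ts"] < anchor:  # approximate year wrap (366 days, leap year assumed)
                delta = min(delta, (e["ts"] + timedelta(days=366) - anchor).total_seconds())
            e["suspicious"] = delta > tolerance_s
            if not e["suspicious"]:
                anchor = e["ts"]
        entries.append(e)
    return entries

def suspicious_auth_failures(lines):
    """Count failed-password attempts per source IP among out-of-sequence entries."""
    counts = {}
    for e in flag_out_of_sequence(lines):
        m = FAIL_RE.search(e["msg"])
        if e["suspicious"] and m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts

if __name__ == "__main__":
    for e in flag_out_of_sequence(SAMPLE_LOG.splitlines()):
        print(("!! " if e["suspicious"] else "   ") + e["raw"])
    print(suspicious_auth_failures(SAMPLE_LOG.splitlines()))
```

Flagged lines are worth cross-checking against the firewall's own log and against the clock of the host that wrote them before concluding anything about how the traffic arrived.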
