[Firehol-support] Apparent bypass of firewall by ssh login probes

Tsaousis, Costa costa at tsaousis.gr
Tue Feb 9 20:02:29 GMT 2016


Are you sure these logs are not coming from another host?

You can verify that no one has connected to your machine, by running:

conntrack -L | grep dport=22

You have to be on top of it when it happens to see anything.

You can also do this in firehol.conf (for firehol v3)

server ssh accept connlog "SSH ACCEPTED"

This will log all ssh sessions accepted by your firewall.

My bet is that pam_unix(cron:session) is the key here.
You run something via cron that triggers this.


On Tue, Feb 9, 2016 at 9:44 PM, Whit Blauvelt <whit at transpect.com> wrote:

> Hi,
> I'm trying to figure out how these probes are making it to sshd and
> auth.log. I've got iptables running set up by FireHOL, using ipset
> (although
> in a non-FireHOL way), and can see multiple other DPT=22 probes stopped as
> they should be. The attacker's IP is permitted neither in the ipset in use,
> nor explicit in the firewall rules. There's no immediate danger since
> sshd_config has PermitRootLogin without-password, and this is an attempt at
> the password.
> It's also managing to log with a false date, making it even weirder. So
> auth.log looks like:
> Feb  7 11:17:01 sysname CRON[27060]: pam_unix(cron:session): session
> closed for user root
> Oct 17 16:38:44 sysname sshd[27064]: Failed password for root from
> port 57254 ssh2
> Feb  7 12:17:01 sysname CRON[27064]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> Nov 16 11:39:44 sysname sshd[27065]: Failed password for root from
> port 61089 ssh2
> Feb  7 12:17:01 sysname CRON[27064]: pam_unix(cron:session): session
> closed for user root
> Other sshd instances log with the correct date. Over the last week there
> have been several of these probes per day getting through, all with false
> dates, all from and .67. Those IPs appear to be in Hong Kong.
> How the heck are they getting around iptables, and pushing a fake timestamp
> into the log while they're at it - and it's always a wrong timestamp? There
> are, on the other hand, no instances of these IPs being blocked at the
> firewall and recorded in syslog for that.
> Thanks,
> Whit
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support

More information about the Firehol-support mailing list