[Firehol-support] Apparent bypass of firewall by ssh login probes

Whit Blauvelt whit at transpect.com
Tue Feb 9 21:06:36 GMT 2016


Hi Phil,

Wow. Good find there. Turning that odd feature off, and assuming these
really were messages from months ago, before the firewall was in place for
port 22. 

Thanks!

Whit

On Tue, Feb 09, 2016 at 08:09:26PM +0000, Phil Whineray wrote:
> Hi
> 
> On Tue, Feb 09, 2016 at 10:02:29PM +0200, Tsaousis, Costa wrote:
> > Hi,
> > 
> > Are you sure these logs are not coming from another host?
> > 
> > On Tue, Feb 9, 2016 at 9:44 PM, Whit Blauvelt <whit at transpect.com> wrote:
> > 
> > > It's also managing to log with a false date, making it even weirder. So
> > > auth.log looks like:
> 
> I think you need to solve this first so you can see what is really
> happening. Costa has made one suggestion, another is this:
> 
>   http://serverfault.com/questions/636901/random-ssh-entries-in-auth-log-out-of-date-order
> 
> which points to a bug in rsyslog:
> 
>   http://bugzilla.adiscon.com/show_bug.cgi?id=527
> 
> Either way, the date is not being added at iptables or even sshd level
> so it is unlikely to be related to your main concern directly.
> 
> Cheer
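
An added example, not part of the original thread: a small check that reads classic-format syslog lines and flags entries whose timestamp is far older than the entries before them, the symptom discussed above. It also collects the hostname field, which answers the "another host" question. The names, the five-minute tolerance and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Classic syslog prefix: "Feb  9 21:06:36 host program[pid]: message" (no year).
PREFIX = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")

def parse_ts(stamp, now):
    """Attach a year: a stamp that would lie in the future belongs to last year."""
    dt = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    if dt > now + timedelta(days=1):
        dt = datetime.strptime(f"{now.year - 1} {stamp}", "%Y %b %d %H:%M:%S")
    return dt

def find_stale(lines, now, tolerance=timedelta(minutes=5)):
    """Return (flagged, hosts): entries older than the newest stamp seen so far
    by more than `tolerance`, and the set of hostnames found in the file.
    Limitation: stale entries at the very top of a file are not detected."""
    newest, flagged, hosts = None, [], set()
    for lineno, line in enumerate(lines, 1):
        m = PREFIX.match(line)
        if not m:
            continue  # not classic syslog format; ignored here
        try:
            ts = parse_ts(m.group(1), now)
        except ValueError:
            continue  # e.g. "Feb 29" combined with a non-leap year
        hosts.add(m.group(2))
        if newest is not None and newest - ts > tolerance:
            flagged.append((lineno, ts, m.group(2), newest - ts))
        else:
            newest = ts if newest is None else max(newest, ts)
    return flagged, hosts

# Constructed sample (hypothetical host "gw", documentation IP ranges).
SAMPLE = """\
Feb  9 20:58:01 gw sshd[4101]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Feb  9 20:59:40 gw CRON[4120]: pam_unix(cron:session): session opened for user root
Oct 14 03:12:55 gw sshd[911]: Failed password for root from 203.0.113.7 port 41822 ssh2
Oct 14 03:12:58 gw sshd[911]: Failed password for root from 203.0.113.7 port 41822 ssh2
Feb  9 21:01:13 gw sshd[4133]: Connection closed by 192.0.2.10
"""
NOW = datetime(2016, 2, 9, 21, 6, 36)  # reference "current time" for the sample

if __name__ == "__main__":
    for lineno, ts, host, lag in find_stale(SAMPLE.splitlines(), NOW)[0]:
        print(f"line {lineno}: {ts} from {host} is {lag} behind the preceding entries")
```

Flagged entries that share the local hostname point to a logging-side replay rather than another machine forwarding its logs; comparing them with the firewall's own log for the same wall-clock period shows whether any connection actually arrived.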
