I noticed that on my public ssh server at port 22, I see a large number of ssh ESTABLISHED connections that do not authenticate and stay in the ESTABLISHED state sending keep-alives.
Specifically, in the netstat output I see many entries of the form:
tcp4 12 0 myIP:.22 156.0.96.22.52574 ESTABLISHED
(many similar lines with different foreign IP ports)
there are nearly 200, as wc -l showed.
while in the /var/log/auth.log only the following:
Sep 14 10:59:18 zafora sshd[35994]: Connection from 156.0.96.22 port 56876 on myIP port 22
Sep 14 10:59:19 zafora sshd[35994]: Connection closed by authenticating user root 156.0.96.22 port 56876 [preauth]
in tcpdump I see many keep alive packets to keep the connection open from that IP
11:11:54.904130 IP 156.0.96.22.49533 > myIP.22: Flags [.], seq 2648994253:2648994254, ack 3798949150, win 258, length 1
11:11:54.904279 IP myIP.22 > 156.0.96.22.49533: Flags [.], ack 1, win 1027, options [nop,nop,sack 1 {0:1}], length 0
There are no strange processes, nothing else for that IP in netstat. No user login.
The large number of established connections made the connection to port 22 hang from another host, and normal users were not able to connect.
The connection hung while waiting for the remote protocol version. Even from the same host, if I did 'ssh localhost' I was not able to connect.
I have added the following rules to mitigate the problem on my firewall:
$fwcmd add allow tcp from any to me 22 in via $oif setup limit src-addr 10
$fwcmd add deny tcp from any to me 22 in via $oif setup
(oif is the external interface and fwcmd is a function for processing and executing the firewall commands using ipfw).
Unless the purpose is to cause resource exhaustion on my server, I cannot understand the meaning of this.
This foreign IP is not on my local LAN; it is from a different continent.
What do you do in such cases? Just ipfw deny?
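Added example, not from the original post: a POSIX shell function that spots this pattern in BSD-style netstat output by counting ESTABLISHED connections to local port 22 per remote address, so a source holding many half-open sessions shows up before sshd stops accepting logins. The netstat lines and the function name are constructed for the example.

```shell
# Constructed sample of `netstat -an -p tcp` output (BSD layout: addr.port).
SAMPLE_NETSTAT='tcp4       0      0 192.0.2.10.22          156.0.96.22.52574      ESTABLISHED
tcp4       0      0 192.0.2.10.22          156.0.96.22.52575      ESTABLISHED
tcp4       0      0 192.0.2.10.22          156.0.96.22.52576      ESTABLISHED
tcp4       0      0 192.0.2.10.22          198.51.100.7.40001     ESTABLISHED
tcp4       0      0 192.0.2.10.22          156.0.96.22.52577      TIME_WAIT
tcp4       0      0 192.0.2.10.443         203.0.113.9.33000      ESTABLISHED'

# Print "count remote_ip" for every remote address holding at least $2
# ESTABLISHED connections to local port $3 (default 22), highest count first.
# Usage on a live box: ssh_established_by_src "$(netstat -an -p tcp)" 10 22
ssh_established_by_src() {
    printf '%s\n' "$1" | awk -v min="${2:-10}" -v port="${3:-22}" '
        # $4 = local addr.port, $5 = foreign addr.port, $6 = TCP state
        $6 == "ESTABLISHED" && $4 ~ ("\\." port "$") {
            src = $5
            sub(/\.[0-9]+$/, "", src)   # strip the trailing port component
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }' | sort -rn
}
```

Compare the reported counts against the `limit src-addr` value in the ipfw rule: any source at or above that limit is exactly what the rule now refuses further SYNs from.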