Solved net/ntopng opens short-lived ssh connections to various 0.x.y.z hosts

Mjölnir

Mjölnir

Is this normal? Is it documented somewhere? Should I be concerned?
These connections are all very short-lived ( <= 1 sec). lsof -i tcp:22 shows it's ntopng(8) that's doing it.
 
Update: many, but not all, of the hosts to which an ssh(8) connection is made, have the IPv4 adress 0.54.11.x. whois 0.54.114.30
Code: 
[...]
inetnum:      0.0.0.0 - 0.255.255.255
organisation: IANA - Local Identification
status:       RESERVED

remarks:      0.0.0.0/8 reserved for self-identification [RFC1122],
remarks:      section 3.2.1.3. Reserved by protocol. For authoritative
remarks:      registration, seeiana-ipv4-special-registry.

changed:      1981-09
source:       IANA
Now do I have to read that RFC1122 (TLDR?), or can I get a short answer here from the wizzards?
 
I can’t comment on ntopng (sorry for that) because I’ve never used it, but you might want to have a look at net/trafshow. I use trafshow for more than 20 years, and it’s one of the standard ports that I install on almost every FreeBSD machine.
 
wolffnx said:
sounds like a reverse dns query not? you have something run in the 30.114.54.0/x ?
Click to expand...
That address belongs to the US DoD. I’m pretty sure that Mjölnir does not run something in that network. :cool:

Apart from that, DNS address queries use UDP port 53, not TCP port 22 (SSH).
 
Mjölnir said:
Is this normal? Is it documented somewhere? Should I be concerned?
These connections are all very short-lived ( <= 1 sec). lsof -i tcp:22 shows it's ntopng(8) that's doing it.
Click to expand...
I just had a quick look at the source package of ntopng. As far as I can see, it neither calls /usr/bin/ssh, nor does it use libssh, nor does it include its own ssh client code. Therefore I think it is unlikely that it performs actual SSH connections. (However, I only had a quick look. If the authors tried to hide such things intentionally, it would certainly require a closer look.)

My recommendation is to use tcpdump to capture such a connection, including payload data, and check if this is really the SSH protocol. Maybe it is something else. I mean, if I were to hide a “call home” function in a piece of software, I might consider using port 22, too. Chances are that it will pass through firewalls and won’t be harmed by transparent proxies and things like that.

Anyhow, it smells fishy.
 
olli@ said:
That address belongs to the US DoD. I’m pretty sure that Mjölnir does not run something in that network. :cool:

Apart from that, DNS address queries use UDP port 53, not TCP port 22 (SSH).
Click to expand...
:oops: I have to wait that becomes to knock my door?
 
No, I do not run run anything @ DoD, at least not knowingly...
root@t450s:~ # lsof -i tcp:22
Code: 
lsof: WARNING: compiled for FreeBSD release 12.2-RELEASE-p3; this is 12.2-RELEASE-p4.
COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ntopng  80555 ntopng   17u  IPv4 0xfffff8022625c000      0t0  TCP 10.142.134.76:29581->0.54.11.134:ssh (SYN_SENT)
sshd    93238   root    3u  IPv4 0xfffff80226ac8000      0t0  TCP localhost:ssh (LISTEN)
that target address 0.54.11.134:ssh is not in reverse notation, else I'll dump this OS & install Windows 10...
I observed s/th else some time ago, but took it aside as "this might a bug in the monitor" (net/vnstat):
Code: 
root@t450s:~ # vnstat -d -b 2021-01-28 -e 2021-02-26 

 tun0  /  daily

          day        rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     2021-01-29      6,26 MB |   344,69 kB |     6,60 MB |      611 bit/s
     2021-01-31    166,66 MB |    18,13 MB |   184,79 MB |   17,11 kbit/s
     2021-02-01      2,25 GB |    72,36 MB |     2,32 GB |  214,95 kbit/s
     2021-02-02     94,07 MB |     6,75 MB |   100,82 MB |    9,33 kbit/s
     2021-02-03     23,37 MB |     4,78 MB |    28,14 MB |    2,60 kbit/s
>>>  2021-02-04    194,10 MB |     8,60 GB |     8,79 GB |  814,34 kbit/s  <<< Look @TX
     2021-02-05    262,44 MB |    16,20 MB |   278,64 MB |   25,80 kbit/s
     [...]
Hmm. I don't know what I'm supposed to know/think/believe... I've been in the US embassy ~25 years ago, to install internet access for a guy working for the DoD (to observe the military market; he was not allowed to use the embassy's internet, strict separation was required). Didn't have any contact with "them" since. Been there for an hour or so. I keep on smiling :) , because eventually there must be a reasonable explanation. Nihil fit sine causa. I'm confident it a trivial one.
 
Apparently it tries to open a TCP connection on port 22, but gets no reply to the TCP handshake (SYN_SENT). This is not surprising, because the 0/8 network is reserved for local applications. Internet providers don’t route it. I think the relevant RFCs are 1912, 5735 and 6303 (I don’t know why the whois data refers to 1122; it’s a red herring).

But still, the question remains what exactly ntopng is trying to do – and why.

PS: You could try to configure an IP alias in that network on lo0, and then run netcat a.k.a. nc(1) in listening mode on an IP address in that range on port 22. Then see what’s coming along. :) You have to guess in advance what address in that range ntopng will use, though. Or just run 254 instances of netcat on the whole /24. Or maybe it’s possible to create IPFW FWD / NAT rules to forward all traffic of that network to a single address.
 
Ah ok, that 30.114.54.0 is a DoD network. But I'm not connecting to that, this was wrongly read reverse by wolffnx... wolffnx, go away, hush hush, you're confusing an innocent guy! Go scare your own friends ;)
EDIT: maybe I can use ntopng to monitor itself? It's web interface is really nice.
 
Mjölnir said:
EDIT: maybe I can use ntopng to monitor itself? It's web interface is really nice.
Click to expand...
If that “SSH feature” was hidden intentionally, then ntopng will not display it when monitoring itself, of course.

This reminds me of Reflections on Trusting Trust. It’s a short lecture (just 3 pages) held by Ken Thompson when he received the ACM Turing Award. Highly recommended reading, even if you’re not a C programmer; it’s fascinating and scary at the same time. Note that this is from 1984, almost 40 years ago.
 
olli@ said:
If that “SSH feature” was hidden intentionally, then ntopng will not display it when monitoring itself, of course.
Click to expand...
No no, not at all. It was ntopng that showed me these connection attempts.
olli@ said:
This reminds me of Reflections on Trusting Trust. It’s a short lecture (just 3 pages) held by Ken Thompson when he received the ACM Turing Award. Highly recommended reading, even if you’re not a C programmer; it’s fascinating and scary at the same time. Note that this is from 1984, almost 40 years ago.
Click to expand...
Food for thought
is what thou brought
Although we did not ask for it
Thou shall take back your shi ny wonderful reading, thx a lot! :)
 
In fact, it is, indeed. Well, this seems to be, very much like the beginning of that wonderful paper that Olli@ kindly presented, kind of yoga lesson for the most greenhorn'ish novice.

The greenhorn installed a network monitoring tool and occasionally watched it magically painting colourful graphics about any aspect of his network traffic onto his screen. Some time, GH enabled "network discovery" out of curiousity, to see if it could detect the printer, the WLAN router, his sister's laptop, etc.pp. Yes it could. Then GH forgot about this setting. The other day, GH started wondering about these SSH connection attempts... which made him to dig deeper into that monitoring tool, to discover that when you have a microphone to detect noise, and this microphone offers a switch to turn on that it shouts out "Hello?", this microphone will naturally record "Hello?"...

Eventually, it's about introspection. And that you should know your tools, otherwise you'll get fooled easily. A truly UNIX'ish story, just like so many other stories in real life.

PS: network discovery is off now.
 
You must log in or register to reply here.
Back
Top