Hi all!
I've been reading the very useful FreeBSD forums for some time but this is my first post. I have been running FreeBSD servers (1-4) since FreeBSD 6, but to be honest I have not been the most active admin. Just this week I have brought my primary server from 7.4 to 9.1. It is after this upgrade (through freebsd-update) that I have noticed something which looks very strange to me in /var/log/auth.log and found that this is beyond my understanding of PF.
Basically I thought that I had only allowed SSH from a few hosts but my SSHD is logging connection attempts from numerous other sources.
This is my /etc/pf.conf (I have modified some IPs so as not to disclose too much information):
Code:
ext_if="sk0"
int_if="nfe0"
internal_server="192.168.67.20/32"
internal_net="192.168.67.0/24"
kompanigatan="192.168.82.0/24"
trusted_hosts="{ 95.XXX.YYY.ZZZ/24, 2.XXX.YYY.ZZZ/24, 85.XXX.YYY.ZZZ/24, 79.XXX.YYY.ZZZ/24 }"
scrub in all no-df
scrub out on $ext_if all random-id no-df
nat on $ext_if from $internal_net to any -> $ext_if
# ftp-proxy (new-style)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from any to any port 2525 -> 127.0.0.1 port 25
# Default is to block everything
block in on $ext_if all
block in on $int_if all
pass in on $int_if from $internal_net keep state
pass in on $int_if from $kompanigatan keep state
pass out on $int_if from $internal_server to $internal_net keep state
pass out on $ext_if from any to any keep state
pass in on $ext_if inet proto tcp from $trusted_hosts to any port 22 keep state flags S/SA
pass in on $ext_if inet from $trusted_hosts to any keep state
# for pure-ftpd passive
pass in on $ext_if inet proto tcp from any to any port 20999 >< 21501 flags S/SA keep state
pass in on $int_if inet proto tcp from any to any port 20999 >< 21501 flags S/SA keep state
# ftp-proxy (new-style)
anchor "ftp-proxy/*"
# pass in services
pass in on $ext_if inet proto tcp from any to any port { 1721, 80, 443, 113, 993, 25, 465 } flags S/SA keep state
# 21 = ftp-ctrl, 22 = ssh (above), 25 = smtp, 80 = http, 110 = pop3, 113 = ident/auth
# 143 = imap, 443 = https, 993 = imaps, 995 = pop3s, 465 = smtps, 1721 = pure-ftpd
# block OS fingerprinting flags
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# block and log nmap OS fingerprinting attempts
#block return-rst in log quick on $ext_if proto tcp all flags FP/FP
#block return-rst in log quick on $ext_if proto tcp all flags SE/SE
# allow ping
pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
and this is an example of what I am seeing in /var/log/auth.log:
Code:
Apr 17 17:12:35 CENSORED sshd[1964]: Did not receive identification string from 83.165.217.84
Apr 17 17:15:08 CENSORED sshd[1981]: User root from 84.217.165.83.static.mundo-r.com not allowed because not listed in AllowUsers
Apr 17 18:13:09 CENSORED sshd[2486]: Invalid user ____ from 111.74.134.216
Apr 17 18:13:13 CENSORED sshd[2488]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
Apr 17 18:13:18 CENSORED sshd[2492]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
[message repeats numerous times with roughly apparent frequency]
Apr 17 18:23:19 CENSORED sshd[2850]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
Apr 17 18:23:25 CENSORED sshd[2853]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
[cut]
Apr 17 23:22:09 CENSORED sshd[2386]: User root from 178.211.60.190.host.ifxnetworks.com not allowed because not listed in AllowUsers
Apr 17 23:22:12 CENSORED sshd[2388]: User root from 178.211.60.190.host.ifxnetworks.com not allowed because not listed in AllowUsers
[message repeats numerous times with roughly apparent frequency]
Apr 17 23:22:41 CENSORED sshd[2414]: Invalid user oracle from 190.60.211.178
Apr 17 23:22:44 CENSORED sshd[2416]: User root from 178.211.60.190.host.ifxnetworks.com not allowed because not listed in AllowUsers
[cut]
Apr 17 23:23:01 CENSORED sshd[2429]: Invalid user teamspeak from 190.60.211.178
Apr 17 23:23:04 CENSORED sshd[2432]: Invalid user teamspeak from 190.60.211.178
Apr 17 23:23:07 CENSORED sshd[2434]: Invalid user nagios from 190.60.211.178
Apr 17 23:23:10 CENSORED sshd[2436]: Invalid user postgres from 190.60.211.178
[cut]
Apr 18 00:02:10 CENSORED sshd[2799]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:10 CENSORED sshd[2799]: User root from 46.21.161.37 not allowed because not listed in AllowUsers
[cut]
Apr 18 00:02:16 CENSORED sshd[2824]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:16 CENSORED sshd[2824]: User root from 46.21.161.37 not allowed because not listed in AllowUsers
Apr 18 00:02:17 CENSORED sshd[2826]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:17 CENSORED sshd[2826]: Invalid user oracle from 46.21.161.37
[cut]
Apr 18 00:02:27 CENSORED sshd[2846]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:27 CENSORED sshd[2846]: Invalid user teamspeak from 46.21.161.37
Apr 18 00:02:28 CENSORED sshd[2848]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:28 CENSORED sshd[2848]: Invalid user teamspeak from 46.21.161.37
Apr 18 00:02:28 CENSORED sshd[2850]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:28 CENSORED sshd[2850]: Invalid user nagios from 46.21.161.37
Apr 18 00:02:29 CENSORED sshd[2852]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:29 CENSORED sshd[2852]: Invalid user postgres from 46.21.161.37
[cut]
Apr 18 02:19:35 CENSORED sshd[3890]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:19:38 CENSORED sshd[3893]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:19:40 CENSORED sshd[3895]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
[cut]
Apr 18 02:20:13 CENSORED sshd[3923]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:20:16 CENSORED sshd[3925]: Invalid user oracle from 211.154.163.149
Apr 18 02:20:19 CENSORED sshd[3927]: Invalid user oracle from 211.154.163.149
Apr 18 02:20:21 CENSORED sshd[3930]: Invalid user oracle10 from 211.154.163.149
Apr 18 02:20:24 CENSORED sshd[3932]: Invalid user oracle from 211.154.163.149
Apr 18 02:20:27 CENSORED sshd[3934]: Invalid user oracle10g from 211.154.163.149
Apr 18 02:20:29 CENSORED sshd[3936]: Invalid user tomcat from 211.154.163.149
Apr 18 02:20:32 CENSORED sshd[3938]: User mysql from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:20:34 CENSORED sshd[3940]: Invalid user apache from 211.154.163.149
Apr 18 02:20:37 CENSORED sshd[3943]: Invalid user postgres from 211.154.163.149
Apr 18 02:20:40 CENSORED sshd[3945]: Invalid user postgres from 211.154.163.149
Apr 18 02:20:42 CENSORED sshd[3947]: Invalid user weblogic from 211.154.163.149
Apr 18 02:20:45 CENSORED sshd[3949]: Invalid user hadoop from 211.154.163.149
Apr 18 02:20:48 CENSORED sshd[3951]: Invalid user atsuser from 211.154.163.149
Apr 18 02:20:50 CENSORED sshd[3954]: Invalid user imapuser from 211.154.163.149
Apr 18 02:20:53 CENSORED sshd[3956]: Invalid user grid from 211.154.163.149
Apr 18 02:20:56 CENSORED sshd[3958]: Invalid user webdev from 211.154.163.149
Apr 18 02:20:58 CENSORED sshd[3960]: Invalid user dev from 211.154.163.149
Apr 18 02:21:01 CENSORED sshd[3962]: Invalid user falko from 211.154.163.149
[cut]
Apr 18 02:21:30 CENSORED sshd[3986]: Invalid user radiusd from 211.154.163.149
Apr 18 02:21:33 CENSORED sshd[3988]: Invalid user webmail from 211.154.163.149
Apr 18 02:21:36 CENSORED sshd[3991]: Invalid user web from 211.154.163.149
[cut]
Apr 18 03:09:22 CENSORED sshd[4511]: Did not receive identification string from 210.184.1.92
Apr 18 03:09:52 CENSORED sshd[4514]: reverse mapping checking getaddrinfo for 210-184-1-92.static.hk.net [210.184.1.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 03:09:52 CENSORED sshd[4514]: User root from 210.184.1.92 not allowed because not listed in AllowUsers
Apr 18 03:09:53 CENSORED sshd[4514]: error: PAM: authentication error for illegal user root from 210.184.1.92
Apr 18 03:09:53 CENSORED sshd[4514]: Failed keyboard-interactive/pam for invalid user root from 210.184.1.92 port 56163 ssh2
Apr 18 03:09:54 CENSORED sshd[4514]: error: PAM: authentication error for illegal user root from 210.184.1.92
Apr 18 03:09:54 CENSORED sshd[4514]: Failed keyboard-interactive/pam for invalid user root from 210.184.1.92 port 56163 ssh2
[repeats]
Apr 19 00:34:38 CENSORED sshd[8582]: User root from 58.225.75.228 not allowed because not listed in AllowUsers
Apr 19 00:34:41 CENSORED sshd[8584]: User root from 58.225.75.228 not allowed because not listed in AllowUsers
Apr 19 00:34:44 CENSORED sshd[8586]: User root from 58.225.75.228 not allowed because not listed in AllowUsers
[cut]
I would not expect those IPs to reach my SSH daemon, but rather be blocked by PF. What am I doing wrong?
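As an added example (not part of the post), a check I would run over auth.log to list which peer addresses reached sshd from outside the pf trusted_hosts set. The four /24s stand in for the masked prefixes in the post, and the function names (peer_address, unexpected_sources) and the sample lines are constructed for this illustration.

```python
import ipaddress
import re

# The post masks its trusted prefixes as 95.XXX.YYY.ZZZ/24 and so on;
# these four /24s are constructed stand-ins, not the real networks.
TRUSTED_HOSTS = ["95.0.2.0/24", "2.0.2.0/24", "85.0.2.0/24", "79.0.2.0/24"]

# Prefer the bracketed IP of a reverse-mapping line; otherwise take the
# token after "from", which sshd may print as a hostname rather than an IP.
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_TOKEN = re.compile(r"\bfrom (\S+)")


def peer_address(line):
    """Return the peer IPv4 address in an sshd log line, or None when the
    line names only a reverse-DNS hostname or no peer at all."""
    m = _BRACKET_IP.search(line) or _FROM_TOKEN.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # e.g. 84.217.165.83.static.mundo-r.com is a name, not an address


def unexpected_sources(lines, trusted=TRUSTED_HOSTS):
    """Count log lines per peer IP that lies outside every trusted network,
    i.e. every source the pf rules were expected to block from port 22."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    counts = {}
    for line in lines:
        addr = peer_address(line)
        if addr is None or any(addr in net for net in nets):
            continue
        counts[str(addr)] = counts.get(str(addr), 0) + 1
    return counts


# Constructed sample: four lines shaped like those in the post, plus one
# invented login from a trusted network to show that it is filtered out.
SAMPLE = [
    "Apr 17 17:12:35 host sshd[1964]: Did not receive identification string from 83.165.217.84",
    "Apr 17 17:15:08 host sshd[1981]: User root from 84.217.165.83.static.mundo-r.com not allowed because not listed in AllowUsers",
    "Apr 18 00:02:10 host sshd[2799]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Apr 18 00:02:10 host sshd[2799]: User root from 46.21.161.37 not allowed because not listed in AllowUsers",
    "Apr 18 09:00:00 host sshd[4242]: Accepted publickey for admin from 95.0.2.17 port 50000 ssh2",
]

if __name__ == "__main__":
    for ip, n in sorted(unexpected_sources(SAMPLE).items()):
        print(f"{ip}: {n} sshd line(s) from a source pf should have blocked")
```

Lines that name the peer only by hostname are skipped rather than resolved, so the counts are a lower bound; run it against the real trusted_hosts prefixes before trusting a zero.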