# SSHD connection attempts logged even though I blocked it using PF... please help!



## FreddyAV (Apr 19, 2013)

Hi all!

I've been reading the very useful FreeBSD forums for some time but this is my first post. I have been running FreeBSD servers (1-4) since FreeBSD 6, but to be honest I have not been the most active admin. Just this week I have brought my primary server from 7.4 to 9.1. It is after this upgrade (through freebsd-update) that I have noticed something which looks very strange to me in /var/log/auth.log and found that this is beyond my understanding of PF.

Basically I thought that I had only allowed SSH from a few hosts but my SSHD is logging connection attempts from numerous other sources.

This is my /etc/pf.conf (I have modified some IPs so as not to disclose too much information):


```
ext_if="sk0"
int_if="nfe0"
internal_server="192.168.67.20/32"
internal_net="192.168.67.0/24"
kompanigatan="192.168.82.0/24"

trusted_hosts="{ 95.XXX.YYY.ZZZ/24, 2.XXX.YYY.ZZZ/24, 85.XXX.YYY.ZZZ/24, 79.XXX.YYY.ZZZ/24 }"

scrub in all no-df
scrub out on $ext_if all random-id no-df

nat on $ext_if from $internal_net to any -> $ext_if
# ftp-proxy (new-style)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021

rdr pass on $ext_if proto tcp from any to any port 2525 -> 127.0.0.1 port 25

# Default is to block everything
block in on $ext_if all
block in on $int_if all

pass in on $int_if from $internal_net keep state
pass in on $int_if from $kompanigatan keep state
pass out on $int_if from $internal_server to $internal_net keep state
pass out on $ext_if from any to any keep state
pass in on $ext_if inet proto tcp from $trusted_hosts to any port 22 keep state flags S/SA
pass in on $ext_if inet from $trusted_hosts to any keep state

# for pure-ftpd passive
pass in on $ext_if inet proto tcp from any to any port 20999 >< 21501 flags S/SA keep state
pass in on $int_if inet proto tcp from any to any port 20999 >< 21501 flags S/SA keep state

# ftp-proxy (new-style)
anchor "ftp-proxy/*"


# pass in services
pass in on $ext_if inet proto tcp from any to any port { 1721, 80, 443, 113, 993, 25, 465 } flags S/SA keep state
# 21 = ftp-ctrl, 22 = ssh (above), 25 = smtp, 80 = http, 110 = pop3, 113 = ident/auth
# 143 = imap, 443 = https, 993 = imaps, 995 = pop3s, 465 = smtps, 1721 = pure-ftpd

# block OS fingerprinting flags
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# block and log nmap OS fingerprinting attempts
#block return-rst in log quick on $ext_if proto tcp all flags FP/FP
#block return-rst in log quick on $ext_if proto tcp all flags SE/SE

# allow ping
pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
```

and this is an example of what I am seeing in /var/log/auth.log:


```
Apr 17 17:12:35 CENSORED sshd[1964]: Did not receive identification string from 83.165.217.84
Apr 17 17:15:08 CENSORED sshd[1981]: User root from 84.217.165.83.static.mundo-r.com not allowed because not listed in AllowUsers
Apr 17 18:13:09 CENSORED sshd[2486]: Invalid user ____ from 111.74.134.216
Apr 17 18:13:13 CENSORED sshd[2488]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
Apr 17 18:13:18 CENSORED sshd[2492]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
[message repeats numerous times with roughly apparent frequency]
Apr 17 18:23:19 CENSORED sshd[2850]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
Apr 17 18:23:25 CENSORED sshd[2853]: User root from 111.74.134.216 not allowed because not listed in AllowUsers
[cut]
Apr 17 23:22:09 CENSORED sshd[2386]: User root from 178.211.60.190.host.ifxnetworks.com not allowed because not listed in AllowUsers
Apr 17 23:22:12 CENSORED sshd[2388]: User root from 178.211.60.190.host.ifxnetworks.com not allowed because not listed in AllowUsers
[message repeats numerous times with roughly apparent frequency]
Apr 17 23:22:41 CENSORED sshd[2414]: Invalid user oracle from 190.60.211.178
Apr 17 23:22:44 CENSORED sshd[2416]: User root from 178.211.60.190.host.ifxnetworks.com not allowed because not listed in AllowUsers
[cut]
Apr 17 23:23:01 CENSORED sshd[2429]: Invalid user teamspeak from 190.60.211.178
Apr 17 23:23:04 CENSORED sshd[2432]: Invalid user teamspeak from 190.60.211.178
Apr 17 23:23:07 CENSORED sshd[2434]: Invalid user nagios from 190.60.211.178
Apr 17 23:23:10 CENSORED sshd[2436]: Invalid user postgres from 190.60.211.178
[cut]
Apr 18 00:02:10 CENSORED sshd[2799]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:10 CENSORED sshd[2799]: User root from 46.21.161.37 not allowed because not listed in AllowUsers
[cut]
Apr 18 00:02:16 CENSORED sshd[2824]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:16 CENSORED sshd[2824]: User root from 46.21.161.37 not allowed because not listed in AllowUsers
Apr 18 00:02:17 CENSORED sshd[2826]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:17 CENSORED sshd[2826]: Invalid user oracle from 46.21.161.37
[cut]
Apr 18 00:02:27 CENSORED sshd[2846]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:27 CENSORED sshd[2846]: Invalid user teamspeak from 46.21.161.37
Apr 18 00:02:28 CENSORED sshd[2848]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:28 CENSORED sshd[2848]: Invalid user teamspeak from 46.21.161.37
Apr 18 00:02:28 CENSORED sshd[2850]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:28 CENSORED sshd[2850]: Invalid user nagios from 46.21.161.37
Apr 18 00:02:29 CENSORED sshd[2852]: reverse mapping checking getaddrinfo for no-record-set.rijndata.nl [46.21.161.37] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 00:02:29 CENSORED sshd[2852]: Invalid user postgres from 46.21.161.37
[cut]
Apr 18 02:19:35 CENSORED sshd[3890]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:19:38 CENSORED sshd[3893]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:19:40 CENSORED sshd[3895]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
[cut]
Apr 18 02:20:13 CENSORED sshd[3923]: User root from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:20:16 CENSORED sshd[3925]: Invalid user oracle from 211.154.163.149
Apr 18 02:20:19 CENSORED sshd[3927]: Invalid user oracle from 211.154.163.149
Apr 18 02:20:21 CENSORED sshd[3930]: Invalid user oracle10 from 211.154.163.149
Apr 18 02:20:24 CENSORED sshd[3932]: Invalid user oracle from 211.154.163.149
Apr 18 02:20:27 CENSORED sshd[3934]: Invalid user oracle10g from 211.154.163.149
Apr 18 02:20:29 CENSORED sshd[3936]: Invalid user tomcat from 211.154.163.149
Apr 18 02:20:32 CENSORED sshd[3938]: User mysql from 211.154.163.149 not allowed because not listed in AllowUsers
Apr 18 02:20:34 CENSORED sshd[3940]: Invalid user apache from 211.154.163.149
Apr 18 02:20:37 CENSORED sshd[3943]: Invalid user postgres from 211.154.163.149
Apr 18 02:20:40 CENSORED sshd[3945]: Invalid user postgres from 211.154.163.149
Apr 18 02:20:42 CENSORED sshd[3947]: Invalid user weblogic from 211.154.163.149
Apr 18 02:20:45 CENSORED sshd[3949]: Invalid user hadoop from 211.154.163.149
Apr 18 02:20:48 CENSORED sshd[3951]: Invalid user atsuser from 211.154.163.149
Apr 18 02:20:50 CENSORED sshd[3954]: Invalid user imapuser from 211.154.163.149
Apr 18 02:20:53 CENSORED sshd[3956]: Invalid user grid from 211.154.163.149
Apr 18 02:20:56 CENSORED sshd[3958]: Invalid user webdev from 211.154.163.149
Apr 18 02:20:58 CENSORED sshd[3960]: Invalid user dev from 211.154.163.149
Apr 18 02:21:01 CENSORED sshd[3962]: Invalid user falko from 211.154.163.149
[cut]
Apr 18 02:21:30 CENSORED sshd[3986]: Invalid user radiusd from 211.154.163.149
Apr 18 02:21:33 CENSORED sshd[3988]: Invalid user webmail from 211.154.163.149
Apr 18 02:21:36 CENSORED sshd[3991]: Invalid user web from 211.154.163.149
[cut]
Apr 18 03:09:22 CENSORED sshd[4511]: Did not receive identification string from 210.184.1.92
Apr 18 03:09:52 CENSORED sshd[4514]: reverse mapping checking getaddrinfo for 210-184-1-92.static.hk.net [210.184.1.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 18 03:09:52 CENSORED sshd[4514]: User root from 210.184.1.92 not allowed because not listed in AllowUsers
Apr 18 03:09:53 CENSORED sshd[4514]: error: PAM: authentication error for illegal user root from 210.184.1.92
Apr 18 03:09:53 CENSORED sshd[4514]: Failed keyboard-interactive/pam for invalid user root from 210.184.1.92 port 56163 ssh2
Apr 18 03:09:54 CENSORED sshd[4514]: error: PAM: authentication error for illegal user root from 210.184.1.92
Apr 18 03:09:54 CENSORED sshd[4514]: Failed keyboard-interactive/pam for invalid user root from 210.184.1.92 port 56163 ssh2
[repeats]
Apr 19 00:34:38 CENSORED sshd[8582]: User root from 58.225.75.228 not allowed because not listed in AllowUsers
Apr 19 00:34:41 CENSORED sshd[8584]: User root from 58.225.75.228 not allowed because not listed in AllowUsers
Apr 19 00:34:44 CENSORED sshd[8586]: User root from 58.225.75.228 not allowed because not listed in AllowUsers
[cut]
```

I would not expect those IPs to reach my SSH daemon, but rather be blocked by PF. What am I doing wrong?


----------



## DutchDaemon (Apr 19, 2013)

Does `pfctl -sr` actually show that a ruleset is active? Does `tcpdump -s 0 -pnli pflog0` show that anything is being blocked?


----------



## kpa (Apr 19, 2013)

Your rules suggest that you're not aware that pf(4) is a last-matching-rule-wins system. For example, out of these two the first is never matched because it matches a subset of the traffic matched by the second.


```
pass in on $ext_if inet proto tcp from $trusted_hosts to any port 22 keep state flags S/SA
pass in on $ext_if inet from $trusted_hosts to any keep state
```

Look into using the `quick` keyword to simplify the logic of your rules.

Install security/sshguard-pf to block the ssh(1) port knockers.
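
As an added illustration of the last-matching-rule-wins evaluation kpa describes (this is not pf's code and not from anyone in the thread): a small Python model of the inbound $ext_if rules from the first post, with the constructed network 198.51.100.0/24 standing in for the masked $trusted_hosts. It shows that the port-22 rule never ends up as the winning rule unless it carries `quick`, that its `flags S/SA` restriction is therefore irrelevant for trusted hosts, and that an untrusted source to port 22 matches only the initial block rule.

```python
# Added illustration of pf(4) "last matching rule wins" evaluation; not pf's code and
# not from the thread. Trusted net is a constructed stand-in for the masked $trusted_hosts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

TRUSTED = "198.51.100.0/24"  # constructed placeholder, documentation range

@dataclass
class Rule:
    action: str                               # "pass" or "block"
    src: str = "any"                          # source CIDR or "any"
    dports: Optional[Tuple[int, ...]] = None  # destination ports, None = any
    flags: Optional[str] = None               # pf syntax, e.g. "S/SA"
    quick: bool = False                       # stop evaluation on match

@dataclass
class Packet:
    src: str
    dport: int
    flags: str                                # TCP flags set, e.g. "S", "A", "SA"

def flags_match(spec: Optional[str], have: str) -> bool:
    """'S/SA' means: of the flags in mask SA, exactly S must be set."""
    want, mask = spec.split("/") if spec else ("", "")
    return all((f in have) == (f in want) for f in mask)

def matches(r: Rule, p: Packet) -> bool:
    src_ok = r.src == "any" or ip_address(p.src) in ip_network(r.src)
    port_ok = r.dports is None or p.dport in r.dports
    return src_ok and port_ok and flags_match(r.flags, p.flags)

def evaluate(ruleset, p: Packet):
    """Walk every rule; the last match wins unless a matching rule is 'quick'.
    Returns (action, index of winning rule); pf passes if nothing matches."""
    winner = None
    for i, r in enumerate(ruleset):
        if matches(r, p):
            winner = i
            if r.quick:
                break
    return (ruleset[winner].action, winner) if winner is not None else ("pass", None)

def ext_if_inbound(quick_ssh: bool = False):  # the post's inbound $ext_if rules, file order
    return [
        Rule("block"),                                                    # block in on $ext_if all
        Rule("pass", TRUSTED, (22,), "S/SA", quick=quick_ssh),            # ssh from trusted hosts
        Rule("pass", TRUSTED),                                            # anything from trusted hosts
        Rule("pass", "any", (1721, 80, 443, 113, 993, 25, 465), "S/SA"),  # public services
    ]
```

With the rules as written, `evaluate(ext_if_inbound(), Packet("198.51.100.7", 22, "S"))` returns `("pass", 2)`, i.e. the broad trusted-hosts rule wins, and only `ext_if_inbound(quick_ssh=True)` makes the port-22 rule (index 1) the winner.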


----------



## FreddyAV (Apr 19, 2013)

DutchDaemon said:

> Does `pfctl -sr` actually show that a ruleset is active? Does `tcpdump -s 0 -pnli pflog0` show that anything is being blocked?



Thanks for quick reply!

Yes, `pfctl -sr` does show expanded versions of what I've got in my pf.conf file, however after adding

```
pflog_enable="YES"
```

to /etc/rc.conf and doing `# service pflog start` I still get nothing from `tcpdump -s 0 -pnli pflog0` after I try to connect by SSH from a computer not in the trusted_hosts array. It doesn't connect (as I would expect), but I should still get some output from the tcpdump command you supplied, right?

Cheers!


----------



## FreddyAV (Apr 19, 2013)

kpa said:

> Your rules suggest that you're not aware that pf(4) is a last-matching-rule-wins system. For example, out of these two the first is never matched because it matches a subset of the traffic matched by the second.
>
> ```
> ...
> ```



I removed the second line, since that is not what I wanted. Thanks for spotting it! You are sort of correct, I am what I would call passively aware of the ordering and quick, but since I edit these things once in a couple of years I am not good at reading and writing rules like this. I will definitely look at sshguard, but would still like to understand what is happening here first.


----------



## SirDice (Apr 23, 2013)

Besides the recommendations by @kpa, this line:

```
pass in on $ext_if inet proto tcp from any to any port 20999 >< 21501 flags S/SA keep state
```

allows access to your SSH port from any address as long as the source port is between 20999 and 21501.


----------

