I just noticed the following entries in my firewall log:

Nov 23 19:44:11 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=16126 F=0x0000 T=246 SYN (#3)
Nov 23 19:47:21 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=28824 F=0x0000 T=246 SYN (#3)
Nov 23 19:47:58 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=9754 F=0x0000 T=246 SYN (#3)
Nov 23 19:51:35 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=38173 F=0x0000 T=246 SYN (#3)

eth0 is the external i/f ... does this indicate ssh connection attempts with spoofed IP source addresses? (I do have a machine on reserved IP address 192.168.1.4 but it can only establish connections to the firewall via eth1)

TIA
Michael
michael.ryan@storm.ie wrote:
I just noticed the following entries in my firewall log:
Nov 23 19:44:11 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=16126 F=0x0000 T=246 SYN (#3)
Nov 23 19:47:21 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=28824 F=0x0000 T=246 SYN (#3)
Nov 23 19:47:58 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=9754 F=0x0000 T=246 SYN (#3)
Nov 23 19:51:35 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 a.b.c.d:22 L=40 S=0x00 I=38173 F=0x0000 T=246 SYN (#3)
eth0 is the external i/f ... does this indicate ssh connection attempts with spoofed IP source addresses? (I do have a machine on reserved IP address 192.168.1.4 but it can only establish connections to the firewall via eth1)
TIA Michael
Hi Michael,

you should enable ROUTE VERIFICATION

---snap----
echo "1" > /proc/sys/net/ipv4/conf/<device>/rp_filter
--end of snap--

Ciao ;-)
Robert Rottscholl - DE
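One way to triage entries like those in this thread, as an added example that is not part of the original messages: parse the ipchains "Packet log:" lines and count packets that arrived on the external interface with a private or loopback source address. The sample lines are constructed, the destination 203.0.113.10 stands in for the redacted a.b.c.d, and the function names are hypothetical.

```python
import ipaddress
import re

# Source ranges that should never arrive on an Internet-facing interface
# (RFC 1918 private space plus loopback).
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# ipchains "Packet log:" layout: chain, action, interface, PROTO=n, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    """Return the packet fields as a dict, or None for a non-packet line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def spoofed_sources(lines, external_iface="eth0"):
    """Count, per (source, destination port), packets seen on the external
    interface whose source address falls inside BOGON_NETS."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["iface"] != external_iface:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # matched the pattern but is not a valid IPv4 address
        if any(src in net for net in BOGON_NETS):
            key = (rec["src"], rec["dport"])
            hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    "Nov 23 19:44:11 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 203.0.113.10:22 L=40 S=0x00 I=16126 F=0x0000 T=246 SYN (#3)",
    "Nov 23 19:45:02 kore kernel: Packet log: input ACCEPT eth1 PROTO=6 192.168.1.4:1027 192.168.1.1:22 L=44 S=0x00 I=311 F=0x0000 T=64 SYN (#1)",
    "Nov 23 19:46:40 kore kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4001 203.0.113.10:23 L=44 S=0x00 I=902 F=0x0000 T=52 SYN (#5)",
    "Nov 23 19:47:21 kore kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.4:22 203.0.113.10:22 L=40 S=0x00 I=28824 F=0x0000 T=246 SYN (#3)",
    "Nov 23 19:48:00 kore sshd[412]: Server listening on 0.0.0.0 port 22.",
]

if __name__ == "__main__":
    print(spoofed_sources(SAMPLE))
```

The same private source seen on the internal interface (eth1 in the sample) is not counted, which is the distinction the question turns on.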
participants (2)
- michael.ryan@storm.ie
- Robert Rottscholl