Date: Thu, 5 Jan 2023 15:16:49 -0700
From: Bob Proulx
To: questions@freebsd.org
Subject: Re: why do I see failed login attempts to vm on non-forwarded ports?
Message-ID: <20230105144825N@bob.proulx.com>
References: <327799993.65810026.1672932433732.JavaMail.zimbra@shaw.ca> <355e6690-5188-149d-4f9d-855b35f46a1a@rail.eu.org> <1526169121.66664274.1672945036737.JavaMail.zimbra@shaw.ca>
In-Reply-To: <1526169121.66664274.1672945036737.JavaMail.zimbra@shaw.ca>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Dale Scott wrote:
> IIUC, the attacker attempts an ssh login on port 3022 on the host
> system, which is handled by the virtualbox NAT and sent to vm client
> port 22 from host port e.g. 51252. Do I understand this correctly?

That sounds to be correct given the information you provided so far.
Port 22 on your host is going to your host. Port 3022 is going to your
guest through the routing table.

> Why does the host use so many different ports?

Every TCP/IP connection has four important parts that allow data
packets to be routed from place to place. This is like a postal
envelope with a destination address and a return address.

    source address
    source port
    destination address
    destination port

A connection from your local system to a remote system will of course
use the remote system's destination address and destination port. The
reason there is obvious. It has to get there. But data packets need to
return too! Just like we say in mountain climbing, it does not count
unless it is a round trip. If the data packet does not have a way back
then it does not make a connection. In order to come back, the remote
end needs to know the local system's address and port for the return
trip.

The source address will be the address for the return from the remote
system. For most people that means a NAT (network address translation)
at the router. So from your example a local 10.0.2.2 address outbound
might get translated to a 93.184.216.34 public IPv4 address at the NAT
router and that will be the source address seen at the remote server.
On the return trip the NAT router will translate the address back to
10.0.2.2 on your LAN system.

And then there is the source port... The destination port will be some
well known port. Either port 22 for ssh or port 80 for http or port 443
for https or whatever. But what will be used for the local source port?
The network kernel will assign a dynamically assigned port number to
the connection for the local machine. It will be in the dynamic port
range. Think of this like you would think of any process ID (PID)
number. It gets assigned dynamically. It's attached to the file
descriptor. When the file descriptor is closed the number is unassigned
and available for eventual reuse. While the connection is active the
source port is maintained.

One of your examples showed this.

    Invalid user admin from 10.0.2.2 port 36002

That's probably the address of the NAT router. Unfortunately in this
case the actual IP address was lost in translation (sorry but I could
not resist the humor) and would be seen only in the router table. This
is actually not typical of NAT. I don't want to say your system is
misconfigured but it feels to be an odd configuration to me that it
would NAT the source address. More typically the global address would
be preserved. But this is from one of your example lines so I am using
it.

Here is from one of my systems. Someone at a cloud provider is probing
my system.

    Invalid user mysql from 104.131.40.97 port 34532

So using this case the four parts of the data packet would be this.

    source address      -- 104.131.40.97
    source port         -- 34532 randomly assigned on remote system
    destination address -- 93.184.216.34
    destination port    -- 22 ssh

And then my system when it responds will turn those around and send
the return packets back using the reverse.

    source address      -- 93.184.216.34
    source port         -- 22
    destination address -- 104.131.40.97
    destination port    -- 34532

That's for ONE connection using TCP/IP for one process. A system will
have many processes. Each process might have many connections. Packets
out. Packets in. The dynamically assigned port (the pseudo-pid number
of the connection) will be different for every connection. That is the
free variable since the other three parts are fixed.

Hope this helps!
Bob
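An added worked example (not part of the thread, and not Bob's or Dale's code) that parses sshd "Invalid user" lines like the ones quoted above, builds the inbound and reversed four-tuple for each attempt, and summarises per-source how many attempts arrived and on how many distinct ephemeral source ports. The log lines are constructed samples; the local address 93.184.216.34 and port 22 are taken from the post; the "private" flag is an assumption added here to spot the NAT case Bob describes, where an RFC1918 source on an Internet-facing sshd means the real origin was lost in translation.

```python
import re
import ipaddress

# Constructed sample sshd log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Jan  5 15:01:02 vm sshd[1234]: Invalid user admin from 10.0.2.2 port 36002
Jan  5 15:01:05 vm sshd[1235]: Invalid user admin from 10.0.2.2 port 36010
Jan  5 15:02:10 vm sshd[1240]: Invalid user mysql from 104.131.40.97 port 34532
Jan  5 15:02:12 vm sshd[1241]: Invalid user oracle from 104.131.40.97 port 34540
"""

LINE_RE = re.compile(r"Invalid user (\S+) from (\S+) port (\d+)")

LOCAL_ADDR = "93.184.216.34"   # the host's public address, as used in the post
LOCAL_PORT = 22                # sshd's well-known port

def parse_attempts(text):
    """Return (user, src_addr, src_port) for every 'Invalid user' line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out

def four_tuple(src_addr, src_port):
    """Inbound tuple, plus the reversed tuple the host uses for its reply packets."""
    inbound = (src_addr, src_port, LOCAL_ADDR, LOCAL_PORT)
    reply = (LOCAL_ADDR, LOCAL_PORT, src_addr, src_port)
    return inbound, reply

def summarize(text):
    """Per source address: attempt count, distinct source ports, and whether the
    address is private (hypothetical check: a private source on a public sshd
    means NAT rewrote the origin, so the real address is only in the router)."""
    summary = {}
    for _user, addr, port in parse_attempts(text):
        entry = summary.setdefault(addr, {
            "attempts": 0,
            "ports": set(),
            "private": ipaddress.ip_address(addr).is_private,
        })
        entry["attempts"] += 1
        entry["ports"].add(port)   # one new ephemeral port per connection
    return summary
```

Each source address shows as many distinct ports as connections, which is the "free variable" Bob describes; the other three parts of the tuple stay fixed.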