[Fwd: Re: What is a 'normal' amount of un-solicited connection attempts?]

Alex Zbyslaw xfb52 at dial.pipex.com
Thu Aug 30 08:25:42 PDT 2007


Adam J Richardson wrote:

> Modulok wrote:
>
>> I'm new to the admin game and this is somewhat of a subjective
>> question, so bear with me...
>>
>> I run a small network on a home/office broadband connection and I'm
>> getting more than my fair share of un-solicited traffic (maybe) on
>> what I believed to be in the "private address range," as per RFC 1918.
>> I have ipfw(8) set up to block such traffic, but with the volume of
>> traffic being blocked it makes me wonder if I mis-configured something
>> or if the RFC is deprecated or what not. All of my services work and
>> all of my clients can access everything they need to both locally and
>> remotely, but when I read through the ipfw(8) log files there is a
>> plethora of traffic attempting to connect from "the Internet" on
>> various ports from various addresses. Most in the 10.0.0.0/8 block.
>> This is normal, but how much is normal?
>>
>> For example, here was an interesting one that's been hitting the log
>> files pretty hard today. Note: "em1" is my Internet-facing interface,
>> so the following is coming in from the Internet, (ipfw rule followed
>> by log entry):
>>
>>     03401  1233 30036 deny log logamount 25 ip from 10.0.0.0/8 to any in via em1
>>
>>     Aug 27 13:03:16  kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
>>     Aug 27 13:06:08  kernel: ipfw: limit 25 reached on entry 3401
>>
>> It appears to be a dhcp or bootp broadcast...to the entire world? This
>> is just one of many seemingly ridiculous entries. Did I miss something
>> here? I'm new to the admin game, so I'm not sure what the 'norm' is as
>> far as frequency of un-solicited and often humorous traffic.
>> 10.0.0.0/8 is where probably 98% of the un-solicited traffic comes
>> from. Is this just "normal"? If it's just me, I would almost feel
>> better than to think there are that many mis-configured servers out
>> there spewing out crap. What is "normal" for a small business
>> connection and what does one do when there are a lot of repeated
>> un-solicited connection attempts from a single source to your server?
>> I had one day where I got something like 25 attempts to connect to
>> port 22 (sshd) from a particular IP address somewhere in Romania (and
>> we're nowhere near there). Sorry for the somewhat vague question.
>>
>> Just looking for general reassurances and advice, I suppose.
>> -Modulok-
>
>
> Hi Modulok.
>
> Try capturing and analysing the spoofed datagrams, to see if there are
> any routable IPs hidden inside. If your service isn't being interrupted
> by the spoofed datagrams, maybe you're being used as a reflection attack
> server.

Is this the kind of thing you see?

Aug 26 23:09:31 ren kernel: ipfw: 4800 Deny UDP 10.124.0.1:67 255.255.255.255:68 in via sk1

If so it's probably generated by your cable modem or equivalent.  I 
block them with no ill effect, but then I never ever want to run DHCP 
from my cable modem, which is what I believe they are related to.  
Nothing outside the hosts on your network is seeing it.  Something with 
that source would never have got to the outside interface of your modem, 
unless your ISP is totally rubbish, afaik.

The only thing "being hit hard" is your logs; the actual network traffic 
should be negligible.  You can pick a quiet time and monitor your 
interface with e.g. "systat -iostat 1" to verify that.  If you're 
worried about your logs, then just put in a special rule for the source 
address(es) you see and just block without logging.  Keep the rest of 
the bad network stuff and I bet you never log another packet!  
(Actually, I also see igmp from a 192.168 address, but that's it).

Connection attempts to port 22 are incredibly common.  25 attempts in a 
row is nothing.  Lock down SSH by only allowing key-based connections if 
you can and enforce a password policy for those keys (the best by far), 
limit the users with AllowUsers directives if you can, limit the IP 
addresses which are allowed to connect if you can, then you have nothing 
to worry about.  Some recommend moving SSH to a random port (e.g. 922) 
but I find that a pain and it wouldn't stop anything but an ignorant 
script kiddie who'd probably be floored anyway because their favourite 
linux exploit won't work :-)  There's been plenty of discussion of this 
topic on this list in the past so try the archives for more info.

--Alex
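As an added example (not part of the thread and not FreeBSD's own tooling), a small Python script that parses ipfw(8) Deny lines in the format quoted above, groups them by source and destination port, and drafts the per-source deny-without-logging rules the reply suggests for the RFC 1918 DHCP chatter. The sample log lines, the 198.51.100.7 / 192.0.2.10 addresses, the threshold of 5 SSH attempts and the rule number 3300 are all constructed for the example.

```python
import ipaddress, re
from collections import Counter

# Matches the ipfw(8) "Deny" lines quoted in the thread; "limit N reached" lines do not match.
DENY_RE = re.compile(r"ipfw: (?P<rule>\d+) Deny (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\w+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log modelled on the thread's entries (public addresses are documentation ranges).
SAMPLE_LOG = [
    "Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1",
    "Aug 27 13:03:40 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1",
    "Aug 27 13:04:02 kernel: ipfw: 3401 Deny UDP 10.20.0.9:67 255.255.255.255:68 in via em1",
    "Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401",
] + [
    f"Aug 27 13:07:{s:02d} kernel: ipfw: 3500 Deny TCP 198.51.100.7:{41000 + s} 192.0.2.10:22 in via em1"
    for s in range(5)
]

def is_private(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_deny_lines(lines):
    """Yield one dict of named fields per Deny entry; other ipfw lines are skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(lines, ssh_threshold=5):
    """Group denied packets by (source, proto, destination port), busiest first, and label each group."""
    hits = Counter((e["src"], e["proto"], e["dport"]) for e in parse_deny_lines(lines))
    report = []
    for (src, proto, dport), n in hits.most_common():
        if is_private(src) and proto == "UDP" and dport == "68":
            label = "rfc1918 dhcp noise"     # modem/ISP chatter: costs log space, not bandwidth
        elif is_private(src):
            label = "rfc1918 source"         # should never arrive on a public-facing interface
        elif dport == "22" and n >= ssh_threshold:
            label = "repeated ssh attempts"  # routine background noise; harden sshd as advised
        else:
            label = "other"
        report.append({"src": src, "proto": proto, "dport": dport, "count": n, "label": label})
    return report

def quiet_rules(report, iface, base_rule=3300):
    """Draft one deny-without-log rule per DHCP noise source; base_rule (assumed) must precede the logging rule."""
    noisy = [r for r in report if r["label"] == "rfc1918 dhcp noise"]
    return [f"{base_rule + i:05d} deny udp from {r['src']} 67 to any 68 in via {iface}"
            for i, r in enumerate(noisy)]
```

Feed it the real /var/log/security lines instead of SAMPLE_LOG; the drafted rules are plain `ipfw add` bodies that sort before rule 3401, so the broadcast chatter is dropped silently while everything else keeps logging.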
