Suspicious Traffic?
-
@johnpoz so you're telling me that ntop is creating these outbound ssh connections?
-
@deanfourie Yes - its discovery mode.. Is looking for stuff.. ssh (port 22) being one of the things it looks for.
Here is a recent thread - same sort of thing
https://forum.netgate.com/topic/172680/ntopng-sshguard
Here is the code from the ntop
https://github.com/ntop/ntopng/blob/dev/scripts/lua/modules/discover_utils.lua#L495
-
@johnpoz but would it not see this traffic only if this traffic existed? Hence why it's seeing it
I don't know what am I missing?
-
@deanfourie its creating it!! Turn off discovery!
Ntop is creating the traffic - so yes you see it
Or uncheck ntop from using your wan.. There is little reason for ntop on your wan. You wan to see where your clients are going - not all the noise hitting your wan.
-
@deanfourie dude, my WAN is a upstream gateway, is is simply another private network as far as ntop is concerned.
The fact is I'm seeing SSH traffic from my pfSense WAN interface, and seeing the connections in the pfSense states table.
How's that normal?
-
Because ntop is sending them to try to detect hosts on that subnet. That's what the active discovery does.
-
@deanfourie I have no idea what else to tell you - ntop is creating that traffic, its not suspicious.
If you don't want it doing it, then turn it off from doing it, if you want your ntop discovery your isp network - have at it, they might not be happy about that, or your isp other users, etc..
Why don't you turn off the auto discovery I showed you - do you continue to see this traffic?
-
@stephenw10 but the connection is to a external IP?
-
@deanfourie said in Suspicious Traffic?:
but the connection is to a external IP?
What are you not understanding that network is trying to be discovered by ntop - its your actual ISP network.. Doesn't matter if your behind a double nat or not.
Again turn off the auto discovery - does that traffic go away?
pfsense out of the box would not be creating random connections to IPs out on the internet. But you know what would - ntop discovery.. You are running ntop, I showed you from sniff clearly showing ntop doing discovery - see the user agent in what I posted..
So either let it do what its doing, or disable auto discovery, or configure ntop not to use your wan interface on pfsense for discovery.
-
@johnpoz ok, ive turned of network discovery (active network discovery) and it has not gone away. Still there are multiple SSH sessions to a random WAN IP
-
@deanfourie said in Suspicious Traffic?:
Still there are multiple SSH sessions to a random WAN IP
Your still seeing them being created, or they are old ones in your state table..
Here is the thing there is NOTHING in pfsense that would do that - NOTHING.. So its ntop doing it, or you have some other package installed doing it. Pfsense does not just randomly create outbound connections on 22 to IPs on your isp network. It doesn't - Period!
You looked in your state table, so its not some client behind pfsense doing it, or you would see the client ip in the state table that is trying to do it..
edit: Also I don't think turning it off instantly stops and current discovery that is running.. If you have it on there would be discovery time, defaults to every 15 minutes I believe.
Turn off ntop completely - do you still see new connections being made?
If you wan to see what is making the connections from pfsense, do a sockstat, here in a session on pfsense I created a ssh connection to one of my box on my network. Then viewing sockstat I can see that connection being made with ssh program.. If your still see them after you have stopped ntop and kill all existing states..
-
@johnpoz ok ill go through and disable all my packages one by one
-
@deanfourie see my edit in finding what is creating the connections using sockstat
But I would bet a very large sum of money its ntop.. A very large sum!
-
@johnpoz Yea, you are correct. It is ntop.
But I still dont understand why.
-
@deanfourie because that is what it does with discovery - it finds an IP, and then tries to discover what it is, what os its running, etc.. I showed you the code in the discovery part of ntop where it does a ssh probe.
Here I just turned it on for my wan.. And bam it created ssh to IPs it discoverd..
-
@johnpoz Thats so strange, why SSH?
So it only happens with network discovery?
-
@deanfourie because a lot of info can be gleaned from ssh, but it sends other discovery as well mdns, ssdp.. tries port 80 as well I believe.
Even if you can not log in - if ssh answers at all you can get info about that device normally.
Look in the code I linked to for the different discovery stuff it does.
-
-
@deanfourie so for example - here not even logging into one of my pi's and you can glean from just the ssh handshake info about it
debug1: Local version string SSH-2.0-OpenSSH_9.0 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 debug1: compat_banner: match: OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 pat OpenSSH* compat 0x04000000
This is why they normally suggest when you lock down a sshd, that you don't send banners, etc. But this isn't open to the internet and only I use it locally - so no reason to lock it down like its a DoD install ;) heheh
what ports answer, info gleaned from even the answer if anything at all can help "guess" to what the device is or os its running even without specific direct confirmation. So when doing a discovery the more info you can get about a device the more likely it is you can identify it correctly.
Normally when you are running ntop, you wouldn't have discovery going out to the ISP network, only your local internal networks.. You could piss off people with your "probes" if they complain to the ISP you could get yourself in trouble, etc.
-
@johnpoz "You could piss off people with your "probes" if they complain to the ISP you could get yourself in trouble, etc."
LIke port scanning the world.
Ted