Suspicious Traffic?
-
@stephenw10 but the connection is to a external IP?
-
@deanfourie said in Suspicious Traffic?:
but the connection is to a external IP?
What are you not understanding that network is trying to be discovered by ntop - its your actual ISP network.. Doesn't matter if your behind a double nat or not.
Again turn off the auto discovery - does that traffic go away?
pfsense out of the box would not be creating random connections to IPs out on the internet. But you know what would - ntop discovery.. You are running ntop, I showed you from sniff clearly showing ntop doing discovery - see the user agent in what I posted..
So either let it do what its doing, or disable auto discovery, or configure ntop not to use your wan interface on pfsense for discovery.
-
@johnpoz ok, ive turned of network discovery (active network discovery) and it has not gone away. Still there are multiple SSH sessions to a random WAN IP
-
@deanfourie said in Suspicious Traffic?:
Still there are multiple SSH sessions to a random WAN IP
Your still seeing them being created, or they are old ones in your state table..
Here is the thing there is NOTHING in pfsense that would do that - NOTHING.. So its ntop doing it, or you have some other package installed doing it. Pfsense does not just randomly create outbound connections on 22 to IPs on your isp network. It doesn't - Period!
You looked in your state table, so its not some client behind pfsense doing it, or you would see the client ip in the state table that is trying to do it..
edit: Also I don't think turning it off instantly stops and current discovery that is running.. If you have it on there would be discovery time, defaults to every 15 minutes I believe.
Turn off ntop completely - do you still see new connections being made?
If you wan to see what is making the connections from pfsense, do a sockstat, here in a session on pfsense I created a ssh connection to one of my box on my network. Then viewing sockstat I can see that connection being made with ssh program.. If your still see them after you have stopped ntop and kill all existing states..
-
@johnpoz ok ill go through and disable all my packages one by one
-
@deanfourie see my edit in finding what is creating the connections using sockstat
But I would bet a very large sum of money its ntop.. A very large sum!
-
@johnpoz Yea, you are correct. It is ntop.
But I still dont understand why.
-
@deanfourie because that is what it does with discovery - it finds an IP, and then tries to discover what it is, what os its running, etc.. I showed you the code in the discovery part of ntop where it does a ssh probe.
Here I just turned it on for my wan.. And bam it created ssh to IPs it discoverd..
-
@johnpoz Thats so strange, why SSH?
So it only happens with network discovery?
-
@deanfourie because a lot of info can be gleaned from ssh, but it sends other discovery as well mdns, ssdp.. tries port 80 as well I believe.
Even if you can not log in - if ssh answers at all you can get info about that device normally.
Look in the code I linked to for the different discovery stuff it does.
-
-
@deanfourie so for example - here not even logging into one of my pi's and you can glean from just the ssh handshake info about it
debug1: Local version string SSH-2.0-OpenSSH_9.0 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 debug1: compat_banner: match: OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 pat OpenSSH* compat 0x04000000
This is why they normally suggest when you lock down a sshd, that you don't send banners, etc. But this isn't open to the internet and only I use it locally - so no reason to lock it down like its a DoD install ;) heheh
what ports answer, info gleaned from even the answer if anything at all can help "guess" to what the device is or os its running even without specific direct confirmation. So when doing a discovery the more info you can get about a device the more likely it is you can identify it correctly.
Normally when you are running ntop, you wouldn't have discovery going out to the ISP network, only your local internal networks.. You could piss off people with your "probes" if they complain to the ISP you could get yourself in trouble, etc.
-
@johnpoz "You could piss off people with your "probes" if they complain to the ISP you could get yourself in trouble, etc."
LIke port scanning the world.
Ted
-
@tquade to be honest port scanning the "world" could be less troublesome - than an isp customer complaining about another same isp customer
But sure yeah probing the world not normally a good thing ;)
To be honest many an isp should be filtering fellow customers from talking to fellow customers..
But forget getting in trouble or what you should be doing or not being doing to be a good netizen. I make sure no rfc1918 traffic leaks out my wan for sure.. Just doing my part to be a good netizen.. Rarely happens but now and then I typo a address or something.. I make sure that dns for my private domain never goes outbound as well - just no point in sending such traffic that isn't going to resolve..
What would be the point other then pure curiosity knowing that some fellow isp customer has ssh open, or running xyz as their router? What would you even do with that info? I would rather not waste my cpu cycles and bandwidth finding out that info in the first place - and just not send probes out my wan..
Now if he devices on pfsense wan this 192.168.8 network - and he wants to discovery his own devices on that network. Then going to have to look into making sure ntop only discovers 192.168.8/24 and not whatever his real wan is..
-
-