My Netgate XG-7100 pfSense WAN IP and Local Gateway IP Keep “Attacking” Itself on Service SSH and Port 22
-
The Netgate local IP and Gateway is 10.10.30.254 and its WAN IP is 12.34.NNN.NNN.
Here is the pattern that has been going on and on since Dec 9 in the log from System Logs > Authentication > General:
Dec 15 20:30:22 pfSense01 sshguard[80022]: Attack from "10.10.30.254" on service SSH with danger 10.
Dec 15 20:30:23 pfSense01 sshd[52944]: Did not receive identification string from 10.10.30.254 port 1618
Dec 15 20:30:23 pfSense01 sshguard[80022]: Attack from "10.10.30.254" on service SSH with danger 10.
Dec 15 20:30:37 pfSense01 sshd[53901]: Did not receive identification string from 12.34.NNN.NNN port 1672
Dec 15 20:30:37 pfSense01 sshguard[80022]: Attack from "12.34.NNN.NNN" on service SSH with danger 10.
Dec 15 20:30:38 pfSense01 sshd[54213]: Did not receive identification string from 12.34.NNN.NNN port 1674
Dec 15 20:30:38 pfSense01 sshguard[80022]: Attack from "12.34.NNN.NNN " on service SSH with danger 10.
Dec 15 20:45:08 pfSense01 sshd[91757]: Did not receive identification string from 12.34.NNN.NNN port 60301
And here is the traffic pattern that I captured at port 22 on the Netgate Localhost interface:
22:00:22.224551 IP 10.10.30.254.31629 > 10.10.30.254.22: tcp 0
22:00:23.224164 IP 10.10.30.254.31629 > 10.10.30.254.22: tcp 0
22:00:24.227567 IP 10.10.30.254.31644 > 10.10.30.254.22: tcp 0
22:00:25.227174 IP 10.10.30.254.31644 > 10.10.30.254.22: tcp 0
22:00:40.494877 IP 12.34.NNN.NNN.31706 > 12.34.NNN.NNN.22: tcp 0
22:00:41.494213 IP 12.34.NNN.NNN.31706 > 12.34.NNN.NNN.22: tcp 0
22:00:42.495826 IP 12.34.NNN.NNN.31709 > 12.34.NNN.NNN.22: tcp 0
22:00:43.495180 IP 12.34.NNN.NNN.31709 > 12.34.NNN.NNN.22: tcp 0
I restarted the Netgate but the problem was still going on.
Then I disabled “Secure Shell” under Admin Access in the Netgate settings and restarted it. The problem in the Authentication log no longer happened. However, capturing traffic on the Localhost interface, the Netgate is still sending SYN traffic to itself at port 22 in the same pattern, likely every single second:
23:00:22.249736 IP 10.30.30.254.46735 > 10.30.30.254.22: tcp 0
23:00:23.248980 IP 10.30.30.254.46735 > 10.30.30.254.22: tcp 0
23:00:24.252095 IP 10.30.30.254.46753 > 10.30.30.254.22: tcp 0
23:00:25.251930 IP 10.30.30.254.46753 > 10.30.30.254.22: tcp 0
23:00:38.594636 IP 12.34.NNN.NNN.46801 > 12.34.NNN.NNN.22: tcp 0
23:00:39.593912 IP 12.34.NNN.NNN.46801 > 12.34.NNN.NNN.22: tcp 0
23:00:40.606487 IP 12.34.NNN.NNN.46803 > 12.34.NNN.NNN.22: tcp 0
23:00:41.605977 IP 12.34.NNN.NNN.46803 > 12.34.NNN.NNN.22: tcp 0
It appeared that something triggered the Netgate to do a TCP SYN flood attacking itself forever!
What should I do to trace this problem down?
Thank you for looking into resolving this problem,
Benjamin
-
I just captured the traffic from the gateway 10.10.30.254 on the LAN interface to all local devices at port 22 and found out that my Netgate XG-7100 at IP 10.10.30.254 has been scanning all local devices on the same subnet for port 22 and trying to handshake with any device that has port 22 active via the SSH protocol.
This Netgate XG-7100 at IP 10.10.30.254 only allows Outbound at WAN for Internet traffic and doesn't allow Inbound at the WAN interface at all.
How can I trace out what on the Netgate is really doing all this sniffing of traffic at port 22 on other devices in the local subnet?
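The two observations above (sshguard reporting the firewall's own addresses, and one LAN host touching port 22 on many neighbours) can be pulled out of the raw logs and tcpdump output mechanically. The following Python script is an added example and is not code from this thread, from Netgate/pfSense or from ntopng. It assumes only the sshguard, sshd and tcpdump line formats shown in the posts; the sample lines are constructed from the thread's pattern, with the thread's redacted WAN address kept as-is and made-up LAN hosts (10.10.30.11 to 10.10.30.13, 10.10.30.50) plus a documentation address (203.0.113.7) added to show what must not be flagged.

```python
import re
from collections import Counter, defaultdict

# Formats as pasted in the thread: pfSense sshguard/sshd lines from
# System Logs > Authentication and tcpdump output from the Localhost/LAN capture.
SSHGUARD_RE = re.compile(r'sshguard\[\d+\]: Attack from "\s*(\S+?)\s*" on service (\S+)')
SSHD_RE = re.compile(r'sshd\[\d+\]: Did not receive identification string from (\S+) port (\d+)')
# "22:00:22.224551 IP 10.10.30.254.31629 > 10.10.30.254.22: tcp 0"
# Host and port are joined by a dot; the greedy \S+ backtracks to the last one,
# so a redacted host such as 12.34.NNN.NNN parses as well.
TCPDUMP_RE = re.compile(r'^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp')


def self_attack_reports(log_lines, own_ips):
    """sshguard 'Attack from' entries whose source is one of the firewall's own
    addresses, i.e. the box is about to block itself (what locked the poster out)."""
    hits = []
    for line in log_lines:
        m = SSHGUARD_RE.search(line)
        if m and m.group(1) in own_ips:
            hits.append((m.group(1), m.group(2)))
    return hits


def bannerless_sources(log_lines):
    """Count 'Did not receive identification string' per source. A client that
    never sends an SSH banner is a bare TCP probe, not an interactive login."""
    counts = Counter()
    for line in log_lines:
        m = SSHD_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def self_connections(capture_lines, port=22):
    """Capture records where source and destination address are identical and
    the destination port is `port`: the loopback SYN pattern from the thread."""
    flows = []
    for line in capture_lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport = m.groups()
        if src == dst and int(dport) == port:
            flows.append((ts, src, int(sport)))
    return flows


def port_sweep_sources(capture_lines, port=22, min_targets=3):
    """Sources that contacted `port` on at least `min_targets` distinct hosts:
    the one-host-probes-the-whole-subnet pattern from the LAN capture."""
    targets = defaultdict(set)
    for line in capture_lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        _, src, _, dst, dport = m.groups()
        if int(dport) == port and src != dst:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def summarize(log_lines, capture_lines, own_ips):
    """One dict an alert rule or dashboard could consume."""
    return {
        "self_reports": len(self_attack_reports(log_lines, own_ips)),
        "self_syn": len(self_connections(capture_lines)),
        "sweeping_hosts": sorted(port_sweep_sources(capture_lines)),
    }


# --- constructed sample data (mirrors the thread; not a real capture) ---
OWN_IPS = {"10.10.30.254", "12.34.NNN.NNN"}  # LAN gateway address and (redacted) WAN address

AUTH_LOG = [
    'Dec 15 20:30:22 pfSense01 sshguard[80022]: Attack from "10.10.30.254" on service SSH with danger 10.',
    'Dec 15 20:30:23 pfSense01 sshd[52944]: Did not receive identification string from 10.10.30.254 port 1618',
    'Dec 15 20:30:23 pfSense01 sshguard[80022]: Attack from "10.10.30.254" on service SSH with danger 10.',
    'Dec 15 20:30:37 pfSense01 sshd[53901]: Did not receive identification string from 12.34.NNN.NNN port 1672',
    'Dec 15 20:30:37 pfSense01 sshguard[80022]: Attack from "12.34.NNN.NNN" on service SSH with danger 10.',
    'Dec 15 20:30:38 pfSense01 sshguard[80022]: Attack from "12.34.NNN.NNN " on service SSH with danger 10.',
    # constructed: a genuinely external source, which must NOT count as self-inflicted
    'Dec 15 20:31:02 pfSense01 sshguard[80022]: Attack from "203.0.113.7" on service SSH with danger 10.',
]

CAPTURE = [
    "22:00:22.224551 IP 10.10.30.254.31629 > 10.10.30.254.22: tcp 0",
    "22:00:23.224164 IP 10.10.30.254.31629 > 10.10.30.254.22: tcp 0",
    "22:00:24.227567 IP 10.10.30.254.31644 > 10.10.30.254.22: tcp 0",
    "22:00:25.227174 IP 10.10.30.254.31644 > 10.10.30.254.22: tcp 0",
    "22:00:40.494877 IP 12.34.NNN.NNN.31706 > 12.34.NNN.NNN.22: tcp 0",
    "22:00:41.494213 IP 12.34.NNN.NNN.31706 > 12.34.NNN.NNN.22: tcp 0",
    "22:00:42.495826 IP 12.34.NNN.NNN.31709 > 12.34.NNN.NNN.22: tcp 0",
    "22:00:43.495180 IP 12.34.NNN.NNN.31709 > 12.34.NNN.NNN.22: tcp 0",
    # constructed LAN-side records: the gateway touching port 22 on three neighbours
    "22:05:01.000001 IP 10.10.30.254.40001 > 10.10.30.11.22: tcp 0",
    "22:05:02.000002 IP 10.10.30.254.40002 > 10.10.30.12.22: tcp 0",
    "22:05:03.000003 IP 10.10.30.254.40003 > 10.10.30.13.22: tcp 0",
    # constructed: one ordinary admin login to the firewall, a single target, not a sweep
    "22:05:04.000004 IP 10.10.30.50.51000 > 10.10.30.254.22: tcp 0",
]

if __name__ == "__main__":
    print(summarize(AUTH_LOG, CAPTURE, OWN_IPS))
    print(port_sweep_sources(CAPTURE))
```

On a live box the same functions can be fed `clog /var/log/auth.log` output and a `tcpdump -n -i lo0 port 22` (or LAN interface) capture; the `min_targets` threshold is what separates a discovery sweep from a handful of legitimate admin sessions.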
-
@beejee ntop discovery maybe? That would be the only thing I could think of that would do such a thing.
Do you have the ntopng package installed?
-
@johnpoz Thank you for pointing it out. Yes, I have had ntopng installed and actively running on this Netgate for years, but I was never aware of the problem before, until I saw sshguard alert about the attacks from the Netgate itself on the SSH service in the Authentication log. Then I couldn't log in to the Netgate over an SSH terminal any more since sshguard blocked the login attempt.
I will stop the ntopng service and monitor the traffic today. However, I wonder why ntopng would malfunction, or whether any settings in ntopng were accidentally set and are causing the problem.
Again, thanks @johnpoz so much for pointing out the possible cause.
-
Or nmap directly I guess could do it.
-
@stephenw10 Possible, but what on the Netgate would utilize nmap?
-
Nothing by default, it's not installed. But you could install it and then invoke it with something endless, I expect. I've always tried to avoid doing that though!
Check the output of
ps -auxwwd
for any instances running.
Steve
-
@beejee nmap can be installed.. But unless you manually ran the scan, or set up a cron maybe.. I don't see how that would be running a scan on its own.
While I have not played with ntop on pfSense in a while, I do know it has a discovery mode that will run on its own, sort of thing.. Normally it would be run on a schedule, etc. I wouldn't think it would constantly run..
But ntop would be the only thing off the top of my head that could be doing what you're seeing on its own, if you will. Be it a corruption in the config, or a misconfiguration done by accident, sort of thing.
Let us know what you see once you have turned it off..
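Steve's suggestion (look at the process list) and johnpoz's (a cron entry or a scanner package) are the two places a stray port-22 prober on the firewall would show up. The script below is an added example, not from this thread nor from Netgate/pfSense, that bundles both checks as POSIX sh functions reading from stdin, so the same filters work on live `ps`/`crontab` output or on the constructed samples embedded here. Assumptions: `ps auxww` (the thread's `ps -auxwwd` additionally prints the process tree), FreeBSD's `pkg info -e`, and the tool names the thread mentions (nmap, ntopng); the sample process and crontab text is made up, and `LAN_SUBNET_PLACEHOLDER` stands in for whatever target a real stray job would carry.

```shell
#!/bin/sh
# Added example (not from the thread): a defender's checklist for
# "what on this box could be generating the port-22 probes?".
# Functions read text on stdin so they can be run over live output or samples.

# Candidates named in the thread; extend the alternation if you suspect others.
SCAN_TOOLS='nmap|ntopng'

# Reduce `ps auxww`-style output to processes running one of the tools.
# The header row and our own grep/awk invocation are dropped.
find_scan_procs() {
    awk -v pat="$SCAN_TOOLS" '
        NR == 1 { next }
        $0 ~ /[ \t](grep|awk)([ \t]|$)/ { next }
        $0 ~ pat { print }
    '
}

# Reduce crontab text (`crontab -l` or /etc/crontab) to active entries that
# invoke one of the tools; comment and blank lines are ignored.
find_scan_cron() {
    grep -E -v '^[[:space:]]*(#|$)' | grep -E "$SCAN_TOOLS"
}

# --- constructed samples (NOT real output from the poster's firewall) ---
SAMPLE_PS='USER   PID %CPU %MEM   VSZ   RSS TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  1234  5678  -  ILs  Thu09   0:01.00 /sbin/init --
root  4321  2.5  4.0 99999 88888  -  S    Thu09  12:34.56 /usr/local/bin/ntopng /usr/local/etc/ntopng.conf
root  5555  0.0  0.0  1111  2222  0  S+   20:31    0:00.00 grep ntopng'

SAMPLE_CRON='# constructed crontab: one stray scheduled scan among normal jobs
*/5 * * * * /usr/local/bin/nmap -p 22 LAN_SUBNET_PLACEHOLDER
0 3 * * * /usr/local/sbin/pkg update'

# Touch the live system only when asked, so running the samples never does.
if [ "${1:-}" = "--live" ]; then
    echo "== processes matching $SCAN_TOOLS =="
    ps auxww | find_scan_procs
    echo "== root crontab =="
    crontab -l 2>/dev/null | find_scan_cron
    echo "== /etc/crontab =="
    [ -r /etc/crontab ] && find_scan_cron < /etc/crontab
    echo "== installed packages =="
    for p in nmap ntopng; do
        pkg info -e "$p" 2>/dev/null && echo "$p is installed"   # FreeBSD pkg(8)
    done
else
    echo "== sample processes ==";  printf '%s\n' "$SAMPLE_PS" | find_scan_procs
    echo "== sample crontab ==";    printf '%s\n' "$SAMPLE_CRON" | find_scan_cron
fi
```

Run it with `--live` on the firewall shell to inspect the real process list, the root and system crontabs, and the package database; without arguments it only exercises the filters on the samples. An empty result from every section points back at a running package's own behaviour (as ntopng's discovery turned out to be here) rather than at a manually installed scanner.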
-
It's ntopng that became the troublemaker. I'm worry-free now after turning off ntopng! I will figure out how to wipe this ntopng and install a fresh one.
I looked at the crontab and nothing looked suspicious.
Thank you all for all the directions.