grsecurity forums

I've found a bunch of these messages in my log:
"grsec: From 219.87.17.209: (root:U:/usr/sbin/sshd) denied connect() to 219.87.17.3 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0 gid/egid:0/0"
Along with these:
"Address 219.87.17.209 maps to cameo.com.tw, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!"

Apart from the fact, that there are usually a couple of tries every day for regular user names, it seems that this time sshd was forced to make a strange connection attempt. DNS lookups are enabled by the RBAC for the sshd process.
Is it a normal behavior of the sshd to make udp connections to remote host (excluding DNS queries)? Especially on port 0? I have a feeling somebody could make my sshd do bad things without grsec's RBAC system.

It annoys me. Are there anybody on the list with the same experience or who knows more about this?

RESPECTIVE RBAC rule snipplet:
subject /usr/sbin/sshd {
/etc/ssh r
/etc/shadow r
/dev/log rw
/root r
/root/.ssh rw
/var/empty rw
/var/log r
/var/log/lastlog rw
/var/log/wtmp rw
/var/run/utmp rw
/var/run/sshd.pid rwcd
/dev/ptmx rw
-CAP_ALL
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_NET_ADMIN
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
+CAP_KILL
bind 0.0.0.0/32:22 stream dgram ip tcp
bind 0.0.0.0/32:0 stream dgram ip tcp
connect 0.0.0.0/0:53 stream dgram tcp udp
connect 0.0.0.0/32:22 dgram udp
}

Regards,
Dw.

From time to time I see some of these.
There were a bunch of tries today also. Here is a portion of the log:

Code: Select all

Nov 20 04:27:53 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 74.125.39.19 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:9131] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0
Nov 20 04:27:53 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 74.125.39.17 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:9131] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0
Nov 20 04:27:53 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 74.125.39.83 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:9131] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0
Nov 20 08:33:17 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 209.85.137.19 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:13206] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0
Nov 20 08:33:17 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 209.85.137.83 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:13206] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0
Nov 20 08:33:17 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 209.85.137.18 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:13206] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0
Nov 20 08:33:17 hostname grsec: From 64.149.146.242: (root:U:/usr/sbin/sshd) denied connect() to 0.0.0.0 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:13206] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4772] uid/euid:0/0 gid/egid:0/0


Here are the host for which the IPs resolv:

Code: Select all

hostname ~ $ host 74.125.39.19
19.39.125.74.in-addr.arpa domain name pointer fx-in-f19.google.com.
hostname ~ $ host 74.125.39.17
17.39.125.74.in-addr.arpa domain name pointer fx-in-f17.google.com.
hostname ~ $ host 74.125.39.83
83.39.125.74.in-addr.arpa domain name pointer fx-in-f83.google.com.
hostname ~ $ host 209.85.137.19
19.137.85.209.in-addr.arpa domain name pointer mg-in-f19.google.com.
hostname ~ $ host 209.85.137.18
18.137.85.209.in-addr.arpa domain name pointer mg-in-f18.google.com.
hostname ~ $ host 209.85.137.83
83.137.85.209.in-addr.arpa domain name pointer mg-in-f83.google.com.
hostname ~ $ host 64.149.146.242
242.146.149.64.in-addr.arpa is an alias for 242.240/28.146.149.64.in-addr.arpa.
242.240/28.146.149.64.in-addr.arpa domain name pointer mail.tmafarmnet.com.


I don't know anything about the last host. It's interesting however, that the site was scanned by google crawlers.

I still don't think it's normal.

Regards,
Dw.

I saw this too after upgrading from Debian Sarge to Debian Etch. From what I was able to glean from the net at the time, it was either the OS or sshd (I forget which, though other programs will do this too, like syslog-ng logging remotely) doing this to discover which interface it would use. I can't find any references to it now, but you can see this in a completely brand new Etch installation. The system doesn't appear to try to actually send the packet though, or at least iptables never saw it. If anyone has any better info, please correct me if I'm way off.

After some months of silence I see this symptom daily again in the logs. When the destination address is 0.0.0.0, it's not so serious, however when it is a real IP, it bothers me.

Regards,
Dw.