OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: toxic on October 26, 2020, 03:03:03 am

Title: [SOLVED] is my opnSense box compromised... most probably
Post by: toxic on October 26, 2020, 03:03:03 am
Hello,

I am sadly quite new to FreeBSD and OPNsense, so I'm not 100% sure, but on my OPNsense box I got alerts from Suricata like this:
Code: [Select]
Timestamp 2020-10-26T02:53:59.664950+0100
Alert ET SCAN Potential SSH Scan OUTBOUND
Alert sid 2003068
Protocol TCP
Source IP myWAN_IP
Destination IP 2.128.237.177
Source port 27794
Destination port 22
Interface WAN_DSL
Configured action   Enabled

Payload

And indeed, in ntopng I see that I have TCP sessions from my OPNsense box, on its WAN IP, to a slowly increasing list of remote public IPs like the one above, trying 2.128.234.178 and then 179 next...

I thought that, due to NAT, it could maybe be something else on my network, but unplugging everything got me nowhere; the attempts continue...

The only thing I could not unplug is the Proxmox host that runs my OPNsense VM...

Now I've tried, both on Proxmox (to be sure) and on OPNsense, several combinations of
Code: [Select]
netstat -pn
on Proxmox, or
Code: [Select]
sockstat -l -p 22
on OPNsense, but I'm obviously not good enough to find out which process is starting this SSH scan...

Any help would be welcome. I'd really like to try to find out what is running, and how it got here...

Thanks in advance for your kind help, and sorry if I post this in the wrong place...
Title: Re: opnSense compromised... most probably
Post by: toxic on October 26, 2020, 03:25:34 am
OK, after more digging, I used
Code: [Select]
sudo sockstat -L -4 -p 22
which showed me that the user was ntopng, opening these sockets to remote hosts on port 22...

I stopped ntopng for now and this signature has gone away.

My guess is that it was linked to the "network discovery" I had enabled... We'll see.
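The command above works because sockstat(1) lists the owning user, command and PID next to each socket. Note that `sockstat -l` shows only listening sockets, so an outbound scan never appears there; `sockstat -c` lists connected sockets, and `-4 -p 22` narrows that to IPv4 sockets with port 22 on either end. The script below is an added example, not code from the thread or from OPNsense: it parses sockstat-style output and reports which local processes hold connections whose foreign endpoint is port 22 (i.e. connections this host initiated), plus the remote hosts being contacted, so the result can be matched against the Suricata alert. The embedded sockstat output is constructed; the WAN address 203.0.113.5 and the PID are hypothetical, and the remote addresses are the ones from the alert.

```bash
#!/bin/sh
# Added example (not from the thread or from OPNsense): identify which local
# process owns outbound TCP connections to a given remote port, using the
# column layout of FreeBSD's sockstat(1):
#   USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"
# Live use on OPNsense: `sockstat -c -4 -p 22` (connected IPv4 sockets,
# port 22 on either side); -l would only show listeners and miss the scan.

# Constructed sample of `sockstat -c -4 -p 22` output. 203.0.113.5 stands in
# for the WAN address (assumed), PID 1337 is hypothetical; the remote hosts are
# the ones named in the Suricata alert.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812    4 tcp4   *:22                  *:*
root     sshd       4410   5 tcp4   192.168.1.1:22        192.168.1.50:51234
ntopng   ntopng     1337  41 tcp4   203.0.113.5:27794     2.128.237.177:22
ntopng   ntopng     1337  42 tcp4   203.0.113.5:27795     2.128.237.178:22
ntopng   ntopng     1337  43 tcp4   203.0.113.5:27796     2.128.237.179:22'

# outbound_owners PORT [SOCKSTAT_OUTPUT]
# Prints "USER COMMAND PID" for every socket whose FOREIGN port is PORT, i.e.
# connections initiated by this host, one unique line per process.
# Listening sockets (foreign "*:*") and inbound sessions (foreign port is the
# client's ephemeral port) are excluded by the port check.
outbound_owners() {
    port="$1"
    input="${2:-$SAMPLE_SOCKSTAT}"
    printf '%s\n' "$input" | awk -v port="$port" '
        NR == 1 { next }                        # skip the header line
        {
            foreign = $NF                       # FOREIGN ADDRESS is the last column
            n = split(foreign, parts, ":")      # port follows the final colon
            if (foreign != "*:*" && parts[n] == port) print $1, $2, $3
        }' | sort -u
}

# remote_targets PORT [SOCKSTAT_OUTPUT]
# Prints the distinct remote hosts contacted on PORT, to compare with the
# destination IPs in the IDS alerts.
remote_targets() {
    port="$1"
    input="${2:-$SAMPLE_SOCKSTAT}"
    printf '%s\n' "$input" | awk -v port="$port" '
        NR == 1 { next }
        {
            foreign = $NF
            n = split(foreign, parts, ":")
            if (foreign != "*:*" && parts[n] == port) {
                sub(/:[0-9]+$/, "", foreign)    # strip the port, keep the host
                print foreign
            }
        }' | sort -u
}

# live_outbound_owners PORT
# Same analysis against the real sockstat when it exists (FreeBSD/OPNsense).
live_outbound_owners() {
    if command -v sockstat >/dev/null 2>&1; then
        outbound_owners "$1" "$(sockstat -c -4 -p "$1")"
    else
        echo "sockstat(1) not available on this host; using the constructed sample" >&2
        outbound_owners "$1"
    fi
}

# Usage: run the script as-is to analyse the constructed sample.
echo "Processes holding outbound connections to port 22:"
outbound_owners 22
echo "Remote hosts contacted on port 22:"
remote_targets 22
```

On the real box, `live_outbound_owners 22` run as root (or via sudo) gives the same report from the live socket table; if the owning process turns out to be a known daemon such as ntopng, the next step is to check its configuration (here, the network discovery feature) rather than to assume a compromise, while an unknown command name or a process running from an unexpected path is what would justify treating the host as compromised.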
Title: Re: opnSense compromised... most probably
Post by: lfirewall1243 on November 05, 2020, 03:09:35 pm
Look at that

https://www.reddit.com/r/PFSENSE/comments/bq2n1a/firewall_connecting_outbound_on_ssh_tcp22_every/
Title: Re: opnSense compromised... most probably
Post by: toxic on November 05, 2020, 03:29:45 pm
Thanks.
The thread doesn't give much help beyond disabling ntopng, sadly.

But I can actually mark this as solved: keeping ntopng running, but without network discovery, solved the issue for me.