# SYN_RECV attack?

## chas_e_erath

Hi,

So, I finally got broadband and I see that my machine is getting attacked almost daily on my ssh port (I want ssh open).  I installed fail2ban and it works as advertised.  (Curious side note here: those bots out there must talk to each other - initially there were 5 or 6 attacks a day, which has dropped down to just a couple each week.)

At any rate, the other day while browsing I saw activity on eth0 (via gkrellm) when there shouldn't have been any.  I checked the ssh logs and ran:

```
root@skunk  # netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.2.2:ssh         124.42.120.27:59017     SYN_RECV
tcp        1      0 192.168.2.2:41655       207.68.178.134:http     CLOSE_WAIT
tcp        1      0 192.168.2.2:44814       8.14.216.9:http         CLOSE_WAIT
tcp        1      0 192.168.2.2:57151       192.168.2.1:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:57156       192.168.2.1:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:57157       192.168.2.1:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:57158       192.168.2.1:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:57159       192.168.2.1:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:57152       192.168.2.1:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:52517       8.14.216.65:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:44914       8.14.216.83:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:44913       8.14.216.83:http        CLOSE_WAIT
tcp        1      0 192.168.2.2:44905       8.14.216.83:http        CLOSE_WAIT
tcp        0      0 192.168.2.2:46170       8.14.216.73:http        ESTABLISHED
tcp        0      0 192.168.2.2:46175       8.14.216.73:http        ESTABLISHED
tcp        0      0 192.168.2.2:46179       8.14.216.73:http        ESTABLISHED
tcp        0      0 192.168.2.2:46176       8.14.216.73:http        ESTABLISHED
tcp        0     20 ::ffff:192.168.2.2%:ssh ::ffff:124.42.120:59017 ESTABLISHED
root@skunk  #
```

Now, I don't know anything, really, about networking, protocols, hacking, or what have you, but I noted the first and last lines there, looked up 124.42.120.27 at ARIN.net and unplugged my modem. So I'm wondering what that means. Did someone gain access? Am I pwned?

Thanks a bunch.

Chas.

----------

## eccerr0r

Likely all the ssh bots are controlled by a botmaster, so not much can be done.

It looks like someone's trying to break in from 124.42.120.27, but from that netstat you can't really tell whether the guy was successful or not -- merely attempting to open a zillion ssh connections to your machine and never entering a user or password will do that. You can only tell he opened an ssh connection; whether or not he was able to authenticate you can't tell from that output. The SYN_RECV means that the guy hasn't finished the 3-way handshake on the other end yet.

It looks like you have ipv6 set up too, but I don't know much about ipv6, though it doesn't mean anything different ... someone's still connecting to your machine.

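The point above is that the socket table only shows the TCP state (a SYN_RECV entry is a handshake that never completed, an ESTABLISHED entry is an open session), not whether sshd ever accepted a login; that answer lives in sshd's log. The following script is an added example, not code from this thread or from any of the posters: it parses a `netstat -t` listing, counts the TCP states per remote IP for sockets on the local ssh port, then scans syslog-style sshd lines for `Accepted`/`Failed` from the same IPs and joins the two. The netstat rows and log lines are constructed samples modelled on the thread; the log path (`/var/log/auth.log`, `/var/log/secure` or `/var/log/messages`, depending on the distribution) is an assumption noted in the comments.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the `netstat -t` listing in the thread; not the
# original output. Addresses and ports are illustrative.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.2.2:ssh         124.42.120.27:59017     SYN_RECV
tcp        1      0 192.168.2.2:41655       207.68.178.134:http     CLOSE_WAIT
tcp        0      0 192.168.2.2:46170       8.14.216.73:http        ESTABLISHED
tcp        0     20 ::ffff:192.168.2.2:ssh  ::ffff:124.42.120.27:59017 ESTABLISHED
"""

# Constructed sshd log lines in syslog format. Assumed location in a real run:
# /var/log/auth.log, /var/log/secure or /var/log/messages, depending on distro.
AUTH_LOG_SAMPLE = """\
Mar  3 21:14:02 skunk sshd[4127]: Failed password for invalid user admin from 124.42.120.27 port 59017 ssh2
Mar  3 21:14:05 skunk sshd[4127]: Failed password for root from 124.42.120.27 port 59017 ssh2
Mar  3 21:14:09 skunk sshd[4127]: Connection closed by 124.42.120.27
Mar  3 21:20:31 skunk sshd[4188]: Accepted publickey for chas from 192.168.2.1 port 50122 ssh2
"""

SSH_PORTS = {"ssh", "22"}  # netstat prints the service name unless run with -n
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def split_addr(addr):
    """Split 'host:port' as printed by netstat; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    host, port = addr.rsplit(":", 1)
    return host, port


def parse_netstat(text):
    """Return one dict per tcp/tcp6 row of `netstat -t`; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_ip, local_port = split_addr(fields[3])
        remote_ip, remote_port = split_addr(fields[4])
        conns.append({
            "proto": fields[0], "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port, "state": fields[5],
        })
    return conns


def inbound_ssh_by_remote(conns):
    """Count TCP states per remote IP, only for sockets whose local port is sshd's."""
    by_ip = defaultdict(Counter)
    for c in conns:
        if c["local_port"] in SSH_PORTS:
            by_ip[c["remote_ip"]][c["state"]] += 1
    return by_ip


def scan_auth_log(text):
    """Per source IP: (method, user) pairs sshd Accepted, and how many attempts Failed."""
    result = defaultdict(lambda: {"accepted": [], "failed": 0})
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Accepted":
            result[m["ip"]]["accepted"].append((m["method"], m["user"]))
        else:
            result[m["ip"]]["failed"] += 1
    return result


def assess(netstat_text, auth_text):
    """Join socket states with the sshd log; the log, not netstat, says whether anyone got in."""
    ssh = inbound_ssh_by_remote(parse_netstat(netstat_text))
    auth = scan_auth_log(auth_text)
    verdicts = {}
    for ip, states in ssh.items():
        outcome = auth.get(ip, {"accepted": [], "failed": 0})
        if outcome["accepted"]:
            who = ", ".join(f"{u} via {m}" for m, u in outcome["accepted"])
            verdicts[ip] = f"AUTHENTICATED: sshd accepted {who}; treat host as compromised until reviewed"
        elif states.get("ESTABLISHED"):
            verdicts[ip] = (f"established TCP session, no Accepted login in log "
                            f"({outcome['failed']} failed attempts)")
        else:
            verdicts[ip] = "half-open handshake only (SYN_RECV); nothing reached sshd yet"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in assess(NETSTAT_SAMPLE, AUTH_LOG_SAMPLE).items():
        print(f"{ip}: {verdict}")
```

On a live box, feed it `netstat -tn` (or `ss -tnp`, which also shows the owning process) and the sshd log for the same time window; an IP that appears ESTABLISHED without an `Accepted` line is a client sitting at the banner or failing passwords, which is what the poster's listing shows, not a completed login.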
----------

## chas_e_erath

 *eccerr0r wrote:*   

> It looks like someone's trying to break in from 124.42.120.27, but from that netstat you can't really tell whether the guy was successful or not -- merely attempting to open a zillion ssh connections to your machine and never entering a user or password will do that. You can only tell he opened an ssh connection; whether or not he was able to authenticate you can't tell from that output. The SYN_RECV means that the guy hasn't finished the 3-way handshake on the other end yet.
> 
> It looks like you have ipv6 set up too, but I don't know much about ipv6, though it doesn't mean anything different ... someone's still connecting to your machine.
> ...

 

See, that's the funny thing - I've seen the typical ssh attack where a thousand sessions (sockets?) are attempted - that's why I installed fail2ban. This time I saw only a single ssh request in the logs, followed by some sort of activity on eth0.

Sorry for the lack of information on this; I'm not sure what I'm asking.

Also, I don't remember why I compiled ipv6 into the kernel. I'd remove it, but everything works great right now (and I have a tendency to break things when I muck around too much).

----------

