Heavy traffic LAN to WAN

NethServer Version: 7.9.2009 (final)
Module: Findout.
My production box is behind a FortiGate firewall, and NAT from a public IP to a private IP is enabled to allow traffic.
Recently I got a message from my firewall as follows:


Message meets Alert condition
date=2021-08-17 time=22:09:24 devname=FortiGate-100F devid=XXXXXXX logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1629218364801754059 tz="+0530" srcip=10.44.XX.XXX srcport=47730 srcintf="lan" srcintfrole="lan" dstip=45.9.148.117 dstport=22 dstintf="wan1" dstintfrole="wan" poluuid="9c283de0-ff71-51eb-7419-5df973f95b4f" sessionid=2638695 proto=6 action="deny" policyid=13 policytype="policy" service="SSH" dstcountry="Netherlands" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"


I am unable to find which service is using SSH to send traffic to unknown servers, and due to this my IP is getting blacklisted regularly.
Please help me to identify and fix.
Attaching the blocklist information as image

Hi bainwave, that's a nasty and serious issue you have at hand here.

The description 'My production box is behind a fortigate firewall' does not say much about your network setup: i.e. is your FortiGate firewall also the gateway for all the clients in the LAN, or is the nethserver the gateway?

Then should we assume 10.44.XX.XXX is the IP of the nethserver?
If the nethserver is the gateway, this does not say that much, as any client on the LAN would pass its traffic through the nethserver.

At the end of the day, what I'm trying to say is: are you sure the nethserver is the initiator of the "bad ssh" behavior, or can it be another client in the network?

EDIT:
AFAIK no nethserver module initiates an ssh connection.

1 Like

Hi

I agree that this looks nasty.

The IP in question is a hosted IP at Nice-IT in the Netherlands (Holland).

There is an ssh server running there; a webserver is also running, but completely unconfigured. Looks suspicious! The type of: "I smell a rotten fish"…

I do know Fortinet, they make quite expensive, restrictive but also quite capable firewalls.
I think we can safely assume that the Fortinet is the default gateway for the LAN in question… 🙂

As it is VERY restrictive, Fortinet does occasionally produce false positives, especially in the area of OpenSource. MESH-Central is a good example; it will block it, even if it's your own server.

I also quite agree that no known service on NethServer initiates an SSH connection. There is, if you've agreed to NethServer Stats, a "call home" function (helping devs and for stats), but that uses http/https…

You CAN e.g. set up a honeypot… e.g. a VM or real server with a matching routing and the IP 45.9.148.117 and have an SSH server running there. That would enable you to find out if it's using an ssh-cert or a hardcoded user to connect…

My 2 cents
Andy

This is important:

2 Likes

Thanks @Andy & @mark_nl for immediate reply.
Double-checked the firewall configuration, and the firewall logs also confirmed that the SSH traffic is being generated from the production mail box.
I just wanted to start digging into the box, but failed.
Guide me on which application / script / anything else is initiating the traffic.
Thanks in advance

Does Zabbix have an SSH management module for retrieving data?
Zabbix anyway is not an official module and does not initiate any connection unless configured to…

1 Like

@bainwave

Morning!

Use e.g. htop on the server.
Increase ssh logging on the server.
Check logs and htop when your Fortinet alarms you next time…

My 2 cents
Andy

1 Like

And this is a starter.
Which process uses this port? My best guess is apache.
Any extra websites installed on the server?

1 Like

@mark_nl
Only nethserver modules installed. No other application is running.
@Andy_Wismer,
Will post my observations once I follow your idea.
@pike
Zabbix is not installed on my box.
Thanks once again for the time you spent and support.

It looks like netstat could do what you need–run netstat -nptw and look for connections on port 22. It should show what program is causing the traffic.

2 Likes
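To narrow that netstat/ss output down to the connections that matter here, the following is an added example (not code from any post in this thread): a shell function that reads `ss -Hntp` output and prints the PID and process name behind every TCP connection whose remote port is 22. It assumes iproute's `ss` (present on CentOS 7 / NethServer 7) and that you run it as root, because `-p` only shows process details for sockets you own; the sample `ss` lines below are constructed.

```shell
#!/bin/sh
# Added example: find which local process holds a TCP connection to a remote port 22.
# Live use on the box:   ss -Hntp | outbound_ssh
# (as root, so that the users:(...) column is populated for every socket)

# Reads `ss -Hntp` lines on stdin and prints "<pid> <process> <local> -> <peer>"
# for each connection whose peer port is 22. Prints "-" when ss gave no process info.
outbound_ssh() {
    awk '
    {
        # ss -Hntp columns: State Recv-Q Send-Q Local:Port Peer:Port [users:((...))]
        peer = $5
        n = split(peer, parts, ":")          # last field is the port, also for [IPv6]:port
        if (parts[n] != "22") next
        pid = "-"; proc = "-"
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            info = substr($0, RSTART, RLENGTH)   # e.g. users:(("ssh",pid=2718
            sub(/^users:\(\("/, "", info)        # -> ssh",pid=2718
            proc = info; sub(/",pid=.*/, "", proc)
            pid = info;  sub(/.*pid=/, "", pid)
        }
        print pid, proc, $4 " -> " peer
    }'
}

# Constructed sample of `ss -Hntp` output: one SSH connection with process info,
# one unrelated HTTPS connection, and one SSH connection without process info
# (what a non-root user would see).
SAMPLE_SS='ESTAB 0 0 10.44.1.10:47730 45.9.148.117:22 users:(("ssh",pid=2718,fd=3))
ESTAB 0 0 10.44.1.10:51234 203.0.113.5:443 users:(("httpd",pid=1200,fd=12))
ESTAB 0 0 [fd00::10]:47731 [2001:db8::22]:22'

printf '%s\n' "$SAMPLE_SS" | outbound_ssh
```

Once you have a PID, `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline` tell you what binary and arguments are behind it.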

Hello experts!!
I know I am sounding weird, but to my surprise there has been no traffic blocked on the firewall since yesterday, from LAN to WAN where port 22 is blocked, which means the traffic is not being generated.
Although my issue is resolved, I still need to know what happened.
Any thoughts?