strange packets from 192.168.1.126 - SSH


Thread: strange packets from 192.168.1.126

  1. strange packets from 192.168.1.126

    Dear all,

    I've recently noticed some packets coming in on port 22 (sshd) on my
    external interface from the 192.168.1.0/24 network. I don't have any
    local machines on this network and the packets are coming in on my WAN
    interface (via my router). How is that possible? My understanding was
    that this network was not routable from the internet. I'm guessing
    someone is trying to get at my sshd server. Below are the packets. Is
    there any way to get more info on where they are coming from?

    Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT=
    MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126
    DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF
    PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0

    I'm using iptables on a 2.6 Linux box.

    Kevin

  2. Re: strange packets from 192.168.1.126

    Kevin VW wrote:
    > Dear all,
    >
    > I've recently noticed some packets coming in on port 22 (sshd) on my
    > external interface from the 192.168.1.0/24 network. I don't have any
    > local machines on this network and the packets are coming in on my WAN
    > interface (via my router). How is that possible? My understanding was
    > that this network was not routable from the internet. I'm guessing
    > someone is trying to get at my sshd server. Below are the packets. Is
    > there any way to get more info on where they are coming from?
    >
    > Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT=
    > MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126
    > DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF
    > PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0
    >
    > I'm using iptables on a 2.6 Linux box.
    >
    > Kevin


    This seems to be the result of a packet that was sent with a bad
    (intentionally or not) source IP address. It could have "escaped" from
    someone's LAN due to a misconfigured masquerading router. The network
    typically doesn't do anything with the source address except pass it
    along. Of course, the connection can't work, since you don't have the
    right address to reply to.
    --
    Steve

  3. Re: strange packets from 192.168.1.126

    Kevin VW wrote:
    > Dear all,
    >
    > I've recently noticed some packets coming in on port 22 (sshd) on my
    > external interface from the 192.168.1.0/24 network. I don't have any
    > local machines on this network and the packets are coming in on my WAN
    > interface (via my router). How is that possible? My understanding was
    > that this network was not routable from the internet. I'm guessing
    > someone is trying to get at my sshd server. Below are the packets. Is
    > there any way to get more info on where they are coming from?
    >
    > Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT=
    > MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126
    > DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF
    > PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0
    >
    > I'm using iptables on a 2.6 Linux box.
    >
    > Kevin

    Dear Kevin,
    While editing my blog http://tache.unplug.org.ve/ I just decided to inquire about my IP and was surprised to find your post commenting that you received some strange packets from 192.168.1.126, which happens to be my PC's IP. I do not understand that, because I have never sent anything other than the replies to any questions posted on my web page.

    I sincerely apologize for any inconvenience caused to you but again, I would like to make clear that I do not have anything to do with it.
    Regards,

    Octavio Rossell Daal.
    Barquisimeto, Venezuela.

  4. Re: strange packets from 192.168.1.126

    Definitely leakage, or someone masquerading their IP. There is another remote possibility: I have seen ISPs now start using private IPs inside their network due to IP constraints. Could the other side of your WAN port be on the 192.168.1.0/24 or 192.168.0.0/16 subnets?

    Have a look at Team Cymru's map of maliciousness and you will see the oddness of private address attacks...
    http://www.team-cymru.org/Monitoring...ence/maps.html
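
An added example, not part of any post in this thread: a small parser for the iptables LOG line quoted in the first post, pulling out the fields that bear on where the packet came from. The function names, the `wan_if` default (taken from `IN=eth1` in the log) and the list of common initial TTLs are assumptions made for the illustration.

```python
import ipaddress
import re

# Log line from the first post, re-joined onto one line.
SAMPLE = (
    "Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT= "
    "MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126 "
    "DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF "
    "PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}
INITIAL_TTLS = (64, 128, 255)  # common OS defaults; assumption for the hop estimate


def parse_log(line):
    """Return (KEY=value fields, set of bare TCP flag tokens) for one LOG line."""
    body = line.split("kernel:", 1)[-1]
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", body))
    flags = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields, flags


def assess(line, wan_if="eth1"):
    """Summarise what the line says about where the packet came from."""
    fields, flags = parse_log(line)
    src = ipaddress.ip_address(fields["SRC"])
    ttl = int(fields["TTL"])
    # MAC= is destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes).
    mac = fields["MAC"].split(":")
    return {
        "private_src_on_wan": fields["IN"] == wan_if
                              and any(src in net for net in RFC1918),
        # The source MAC is the layer-2 neighbour that delivered the frame.
        "delivered_by_mac": ":".join(mac[6:12]),
        "ethertype": "".join(mac[12:14]),
        # A new connection attempt would carry SYN alone.
        "new_connection": flags == {"SYN"},
        "flags": sorted(flags),
        # Heuristic: distance from the nearest common initial TTL above the value.
        "estimated_hops": min(t for t in INITIAL_TTLS if t >= ttl) - ttl,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

The delivering MAC only identifies the adjacent device on the WAN segment, not the original sender, and the hop count is an estimate that depends on the sender's initial TTL.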
