I have an internet-facing server with a 2.6 kernel patched with PaX/grsecurity. Occasionally, there is a PaX hit from SSH. Here are two of the latest (from dmesg):
PAX: execution attempt in: /lib/libgcc_s.so.1, 28c4f000-28c57000 00000000
PAX: terminating task: /usr/sbin/sshd(sshd):4071, uid/euid: 0/0, PC: 28c52e6e, SP: 28c4925c
PAX: bytes at PC: 66 81 38 58 b8 0f 84 2e 01 00 00 80 38 b8 75 09 81 78 01 ad
PAX: bytes at SP: 28c4939c 28c49374 281670cd 28c57914 28c492ac 28c4939c 00000000 28c492ac 28c4939c 0000000a 28c49bb0 28c57914 00000000 28c4939c 28c49374 28c53830 28c492ac 28c49b04 281670a0 28c49dd0
PAX: execution attempt in: /lib/libgcc_s.so.1, 28c4f000-28c57000 00000000
PAX: terminating task: /usr/sbin/sshd(sshd):16912, uid/euid: 0/0, PC: 28c52e6e, SP: 28c4925c
PAX: bytes at PC: 66 81 38 58 b8 0f 84 2e 01 00 00 80 38 b8 75 09 81 78 01 ad
PAX: bytes at SP: 28c4939c 28c49374 281670cd 28c57914 28c492ac 28c4939c 00000000 28c492ac 28c4939c 0000000a 28c49bb0 28c57914 00000000 28c4939c 28c49374 28c53830 28c492ac 28c49b04 281670a0 28c49dd0
The installed OpenSSH version is 3.8.1p1-8. I am interested in seeing what specific bytes are coming across that blow up the sshd. Of course if I tcpdump with dst port 22, all of the traffic is encrypted, and I cannot see the actual data. Is there some other method, or approach that can be used to detect the actual bytes coming across?
As an aside, I do get a fair amount of SSH brute force attempts (like the ones mentioned in Capt Caveman's ssh login attempts thread). However, SSH blows up on PaX maybe once a month. I'm fairly certain based on a comparison of the attack frequencies that the two are unrelated. This may not be the case, and that's why I added this aside.
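The one record of each crash that is available without decrypting anything is the PaX log itself, and the two hits above are worth comparing mechanically before chasing the wire bytes: both report the same PC (28c52e6e), the same mapping and the same twenty bytes at PC, so the same instruction in /lib/libgcc_s.so.1 is being hit each time. The script below is an added example written for this page, not code from the original post or from the PaX/grsecurity project. It parses "PAX: execution attempt" records out of dmesg text, checks whether the PC lies inside the reported mapping, picks out the stack words that point into that mapping (candidate return addresses to look up with objdump), computes the file offset of the PC, and groups hits by (file, PC, bytes at PC) so repeats stand out from genuinely different faults. The sample input embeds the two hits from the post verbatim plus one constructed hit with a different PC, labelled as such, so that the grouping has something to separate; the helper names are my own.

```python
"""Triage PaX 'execution attempt' hits from dmesg: parse, sanity-check, group.

Added example for this page; the record format is the one shown in the post
(an "execution attempt" line followed by "terminating task", "bytes at PC"
and "bytes at SP" lines). Helper names are this example's own.
"""
import re
from collections import OrderedDict

ATTEMPT_RE = re.compile(
    r"PAX: execution attempt in: (?P<file>\S+), "
    r"(?P<start>[0-9a-f]{8})-(?P<end>[0-9a-f]{8}) (?P<offset>[0-9a-f]{8})")
TERMINATE_RE = re.compile(
    r"PAX: terminating task: (?P<path>[^(]+)\((?P<comm>[^)]+)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"PC: (?P<pc>[0-9a-f]{8}), SP: (?P<sp>[0-9a-f]{8})")
PC_BYTES_RE = re.compile(r"PAX: bytes at PC: (?P<bytes>[0-9a-f ]+)$")
SP_BYTES_RE = re.compile(r"PAX: bytes at SP: (?P<words>[0-9a-f ]+)$")


def parse_pax_hits(dmesg_text):
    """Return one dict per hit. A hit starts at an 'execution attempt' line;
    the lines that follow it are attached to that hit."""
    hits = []
    for raw in dmesg_text.splitlines():
        line = raw.strip()
        m = ATTEMPT_RE.search(line)
        if m:
            hits.append({"file": m["file"], "start": int(m["start"], 16),
                         "end": int(m["end"], 16), "offset": int(m["offset"], 16)})
            continue
        if not hits:
            continue  # unrelated dmesg line before the first hit
        hit = hits[-1]
        m = TERMINATE_RE.search(line)
        if m:
            hit.update(path=m["path"], comm=m["comm"], pid=int(m["pid"]),
                       uid=int(m["uid"]), euid=int(m["euid"]),
                       pc=int(m["pc"], 16), sp=int(m["sp"], 16))
            continue
        m = PC_BYTES_RE.search(line)
        if m:
            hit["pc_bytes"] = bytes.fromhex(m["bytes"].replace(" ", ""))
            continue
        m = SP_BYTES_RE.search(line)
        if m:
            hit["sp_words"] = [int(w, 16) for w in m["words"].split()]
    return hits


def pc_in_mapping(hit):
    """True if the PC itself falls inside the mapping PaX reported."""
    return hit["start"] <= hit["pc"] < hit["end"]


def sp_words_in_mapping(hit):
    """Stack words pointing into the faulting mapping: candidate return
    addresses or code pointers worth resolving with objdump/addr2line."""
    return [w for w in hit["sp_words"] if hit["start"] <= w < hit["end"]]


def pc_file_offset(hit):
    """Offset of PC within the mapped file (mapping offset + distance from
    the mapping start). For a shared library whose first PT_LOAD is at
    vaddr 0 this is the address objdump -d prints for that instruction."""
    return hit["pc"] - hit["start"] + hit["offset"]


def group_hits(hits):
    """Group hits that share file, PC and bytes at PC; value is the PID list.
    Two hits in the same group are the same instruction faulting the same way."""
    groups = OrderedDict()
    for h in hits:
        key = (h["file"], h["pc"], h["pc_bytes"].hex())
        groups.setdefault(key, []).append(h["pid"])
    return groups


# Sample input: the two hits copied from the post, plus one CONSTRUCTED hit
# (pid 2200, different PC and bytes) added only to show the grouping.
SAMPLE_DMESG = """\
PAX: execution attempt in: /lib/libgcc_s.so.1, 28c4f000-28c57000 00000000
PAX: terminating task: /usr/sbin/sshd(sshd):4071, uid/euid: 0/0, PC: 28c52e6e, SP: 28c4925c
PAX: bytes at PC: 66 81 38 58 b8 0f 84 2e 01 00 00 80 38 b8 75 09 81 78 01 ad
PAX: bytes at SP: 28c4939c 28c49374 281670cd 28c57914 28c492ac 28c4939c 00000000 28c492ac 28c4939c 0000000a 28c49bb0 28c57914 00000000 28c4939c 28c49374 28c53830 28c492ac 28c49b04 281670a0 28c49dd0
PAX: execution attempt in: /lib/libgcc_s.so.1, 28c4f000-28c57000 00000000
PAX: terminating task: /usr/sbin/sshd(sshd):16912, uid/euid: 0/0, PC: 28c52e6e, SP: 28c4925c
PAX: bytes at PC: 66 81 38 58 b8 0f 84 2e 01 00 00 80 38 b8 75 09 81 78 01 ad
PAX: bytes at SP: 28c4939c 28c49374 281670cd 28c57914 28c492ac 28c4939c 00000000 28c492ac 28c4939c 0000000a 28c49bb0 28c57914 00000000 28c4939c 28c49374 28c53830 28c492ac 28c49b04 281670a0 28c49dd0
PAX: execution attempt in: /lib/libgcc_s.so.1, 28c4f000-28c57000 00000000
PAX: terminating task: /usr/sbin/sshd(sshd):2200, uid/euid: 0/0, PC: 28c51a10, SP: 28c4925c
PAX: bytes at PC: 55 89 e5 83 ec 08
PAX: bytes at SP: 28c4939c 00000000
"""

if __name__ == "__main__":
    hits = parse_pax_hits(SAMPLE_DMESG)
    for (path, pc, pc_hex), pids in group_hits(hits).items():
        print("%s PC=%08x (file offset %#x) bytes=%s pids=%s"
              % (path, pc, pc_file_offset(hits[0]) if pc == hits[0]["pc"]
                 else pc - hits[0]["start"], pc_hex, pids))
    for h in hits:
        print("pid %d: PC in mapping=%s, stack words into mapping=%s"
              % (h["pid"], pc_in_mapping(h),
                 ["%08x" % w for w in sp_words_in_mapping(h)]))
```

Run against the post's own lines, the two real hits collapse into one group (PIDs 4071 and 16912), the PC sits inside the libgcc_s.so.1 mapping at file offset 0x3e6e, and exactly one stack word (28c53830) points back into that mapping. A deterministic, identical fault site like that is a different starting point from a varying one: it is the address to disassemble in the installed libgcc_s.so.1 before worrying about what was on the wire.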