LinuxQuestions.org

Linux - Security forum thread: strange stunnel connections (https://www.linuxquestions.org/questions/linux-security-4/strange-stunnel-connections-819466/)

lucmove 07-12-2010 04:09 PM

strange stunnel connections
 
I just checked my /var/log/messages file and found 3 entries reporting IP numbers that I don't know, actually from countries with which I have absolutely no connection:

/var/log/messages.1:Jul 7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: stunnel connected from 91.92.93.94:25564

(Actual numbers changed for this post.)

There doesn't seem to be any record of successful logins from any IP except mine. Just these stunnel entries, besides many stunnel entries attributed to my IP. What do those entries mean?

anomie 07-12-2010 04:52 PM

Presumably it means someone completed an SSL handshake with your stunnel-ed service.

What's the service? Do you want it to be allowing connections from anywhere in the world?

unSpawn 07-12-2010 05:10 PM

Quote:

Originally Posted by lucmove (Post 4031225)
What do those entries mean?

Code:

]$ nl stunnel-4.04/src/client.c | grep -B 10 -A 4 'connected from'
  156          /* It's a socket: lets setup options */
  157          if(set_socket_options(c->local_rfd.fd, 1)<0)
  158              return -1;
  159          if(auth_libwrap(c)<0)
  160              return -1;
  161          if(auth_user(c)<0) {
  162              log(LOG_WARNING, "Connection from %s:%d REFUSED by IDENT",
  163                  c->accepting_address, ntohs(c->addr.sin_port));
  164              return -1;
  165          }
  166          log(LOG_NOTICE, "%s connected from %s:%d", c->opt->servname,
  167              c->accepting_address, ntohs(c->addr.sin_port));
  168      }
  169      return 0; /* OK */
  170  }

After checking socket options (SO_KEEPALIVE, TCP_NODELAY right?) Stunnel checks if tcp_wrappers or Identd have objections. If all is OK then the "connected from" message is logged. So IIRC this remote connection was not rejected. If there's any successful connection it should be correlated with log entries of the service Stunnel brokers for.

lucmove 07-12-2010 07:32 PM

You two are losing me. I don't quite understand what you mean. I have an SSL tunnel from my notebook to my server for SMTP and POP3. But is that the same stunnel that someone else used? Or did they create another? How? I have a good password, and I use unusual ports for SSH and the SSL tunnel.

Maybe it is just a failed attempt...

Code:

Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel connected from 91.92.93.94:25564
Jul  7 14:26:57 myhost stunnel: LOG5[1512:3083724480]: Connection closed: 38 bytes sent to SSL, 0 bytes sent to socket

All the strange entries have these very low data traffic numbers, ending in "0 bytes sent to socket". The ones from my legitimate IP have much, much larger numbers.

unSpawn 07-13-2010 04:41 PM

Quote:

Originally Posted by lucmove (Post 4031340)
All the strange entries have these very low data traffic numbers, ending in "0 bytes sent to socket". The ones from my legitimate IP have much, much larger numbers.

That would support what anomie said about handshaking: the service didn't send anything back, hence "0 bytes sent to socket". Like I said before, correlating timestamps across logs should show.
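To do the correlation unSpawn describes, and to surface the "0 bytes sent to socket" pattern lucmove noticed, here is an added Python example (not code from any poster in this thread). The sample log lines are constructed in the format quoted above with made-up hosts and IPs, and the trusted-IP set is a hypothetical input; it pairs stunnel's "connected from" and "Connection closed" lines by their [pid:thread] tag.

```python
import re

# Constructed sample in the format quoted in this thread (hosts and IPs are made up).
SAMPLE_LOG = """\
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel connected from 91.92.93.94:25564
Jul  7 14:26:57 myhost stunnel: LOG5[1512:3083724480]: Connection closed: 38 bytes sent to SSL, 0 bytes sent to socket
Jul  7 15:02:10 myhost stunnel: LOG5[1512:3083724481]: stunnel connected from 10.0.0.5:51000
Jul  7 15:04:33 myhost stunnel: LOG5[1512:3083724481]: Connection closed: 4120 bytes sent to SSL, 9876 bytes sent to socket
Jul  7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: stunnel connected from 91.92.93.94:25565
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
KEY = r"LOG\d\[(?P<key>\d+:\d+)\]"  # stunnel's [pid:thread] tag ties the two lines of one session together
CONNECT_RE = re.compile(TS + r" \S+ stunnel: " + KEY + r": (?P<svc>\S+) connected from (?P<ip>[\d.]+):(?P<port>\d+)$")
CLOSE_RE = re.compile(TS + r" \S+ stunnel: " + KEY + r": Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, (?P<to_sock>\d+) bytes sent to socket$")


def parse_sessions(text):
    """Pair each 'connected from' line with the next 'Connection closed' line for the same [pid:thread]."""
    open_conns = {}
    sessions = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            open_conns[m.group("key")] = {"opened": m.group("ts"), "ip": m.group("ip"),
                                          "port": int(m.group("port")), "service": m.group("svc")}
            continue
        m = CLOSE_RE.match(line)
        if m and m.group("key") in open_conns:
            s = open_conns.pop(m.group("key"))
            s.update(closed=m.group("ts"), to_ssl=int(m.group("to_ssl")), to_socket=int(m.group("to_sock")))
            sessions.append(s)
    # Connections with no matching close line (log rotated, or still open) are kept with None byte counts.
    for s in open_conns.values():
        s.update(closed=None, to_ssl=None, to_socket=None)
        sessions.append(s)
    return sessions


def suspicious(sessions, trusted_ips):
    """Sessions from untrusted addresses that never pushed a byte through to the brokered service."""
    return [s for s in sessions if s["ip"] not in trusted_ips and not s["to_socket"]]


if __name__ == "__main__":
    # Hypothetical trusted set: the poster's own notebook address.
    for s in suspicious(parse_sessions(SAMPLE_LOG), trusted_ips={"10.0.0.5"}):
        print(f"{s['opened']} {s['ip']}:{s['port']} -> {s['to_socket']} bytes reached the service")
```

Feed it the real /var/log/messages content instead of SAMPLE_LOG and compare the flagged timestamps against the SMTP/POP3 daemon's own log to confirm whether anything ever reached the service.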
