LinuxQuestions.org
Old 07-12-2010, 04:09 PM   #1
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

strange stunnel connections


I just checked my /var/log/messages file and found 3 entries reporting IP numbers that I don't know, actually from countries with which I have absolutely no connection:

/var/log/messages.1:Jul 7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: stunnel connected from 91.92.93.94:25564

(Actual numbers changed for this post.)

There doesn't seem to be any record of successful logins from any IP except mine. Just these stunnel entries, besides many stunnel entries attributed to my IP. What do those entries mean?
 
Old 07-12-2010, 04:52 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Presumably it means someone completed an SSL handshake with your stunnel-ed service.

What's the service? Do you want it to be allowing connections from anywhere in the world?
 
Old 07-12-2010, 05:10 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by lucmove
What do those entries mean?
Code:
]$ nl stunnel-4.04/src/client.c | grep -B 10 -A 4 'connected from'
   156          /* It's a socket: lets setup options */
   157          if(set_socket_options(c->local_rfd.fd, 1)<0)
   158              return -1;
   159          if(auth_libwrap(c)<0)
   160              return -1;
   161          if(auth_user(c)<0) {
   162              log(LOG_WARNING, "Connection from %s:%d REFUSED by IDENT",
   163                  c->accepting_address, ntohs(c->addr.sin_port));
   164              return -1;
   165          }
   166          log(LOG_NOTICE, "%s connected from %s:%d", c->opt->servname,
   167              c->accepting_address, ntohs(c->addr.sin_port));
   168      }
   169      return 0; /* OK */
   170  }
After checking socket options (SO_KEEPALIVE, TCP_NODELAY right?) Stunnel checks if tcp_wrappers or Identd have objections. If all is OK then the "connected from" message is logged. So IIRC this remote connection was not rejected. If there's any successful connection it should be correlated with log entries of the service Stunnel brokers for.
 
Old 07-12-2010, 07:32 PM   #4
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
You two are losing me. I don't quite understand what you mean. I have an SSL tunnel from my notebook to my server for SMTP and POP3. But is that the same stunnel that someone else used? Or did they create another? How? I have a good password, and I use unusual ports for SSH and the SSL tunnel.

Maybe it is just a failed attempt...

Code:
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel connected from 91.92.93.94:25564
Jul  7 14:26:57 myhost stunnel: LOG5[1512:3083724480]: Connection closed: 38 bytes sent to SSL, 0 bytes sent to socket
All the strange entries have these very low data traffic numbers, ending in "0 bytes sent to socket". The ones from my legitimate IP have much, much larger numbers.
 
Old 07-13-2010, 04:41 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by lucmove
All the strange entries have these very low data traffic numbers, ending in "0 bytes sent to socket". The ones from my legitimate IP have much, much larger numbers.
That would support what anomie said about handshaking: the service didn't send anything back, hence "0 bytes sent to socket". Like I said before, correlating timestamps across the logs should show it.
 
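The two points made in this thread, that the "connected from" line only means the TCP connection got past tcp_wrappers/ident, and that "0 bytes sent to socket" on the matching "Connection closed" line means nothing ever reached the brokered service, can be turned into a small triage script. The following Python is an added example written for this page; it is not code from the thread or from stunnel. It pairs each "connected from" entry with the next "Connection closed" entry that carries the same LOG5[pid:tid] tag (the old 4.x "Connection closed" line does not repeat the client address, so the tag is the only join key), then buckets sessions by source address. The sample log is constructed from the entries quoted above; 91.92.93.94 is the placeholder address from the thread, and 10.0.0.5 (assumed to be the poster's own notebook) and 203.0.113.9 are placeholders added here.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the thread. All addresses are
# placeholders: 91.92.93.94 is the thread's own stand-in, the others are made up here.
SAMPLE_LOG = """\
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel 4.17 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
Jul  7 14:26:44 myhost stunnel: LOG5[1512:3083724480]: stunnel connected from 91.92.93.94:25564
Jul  7 14:26:57 myhost stunnel: LOG5[1512:3083724480]: Connection closed: 38 bytes sent to SSL, 0 bytes sent to socket
Jul  7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: stunnel connected from 91.92.93.94:25565
Jul  7 16:13:12 myhost stunnel: LOG5[1518:3061617960]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
Jul  7 18:02:01 myhost stunnel: LOG5[1520:3061617960]: stunnel connected from 10.0.0.5:51234
Jul  7 18:05:30 myhost stunnel: LOG5[1520:3061617960]: Connection closed: 5120 bytes sent to SSL, 2310 bytes sent to socket
Jul  7 19:40:12 myhost stunnel: LOG5[1523:3061617960]: stunnel connected from 203.0.113.9:44001
Jul  7 19:40:15 myhost stunnel: LOG5[1523:3061617960]: Connection closed: 250 bytes sent to SSL, 120 bytes sent to socket
"""

# syslog prefix + stunnel's LOG<level>[pid:tid] tag; everything after the tag is the message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ stunnel: "
    r"LOG\d\[(?P<tag>\d+:\d+)\]: (?P<msg>.*)$"
)
# "<servname> connected from <ip>:<port>" is logged after tcp_wrappers/ident accepted the peer
CONNECTED_RE = re.compile(r"^(?P<svc>\S+) connected from (?P<ip>[\d.]+):(?P<port>\d+)$")
# byte counters: "to SSL" is data the client sent, "to socket" is data forwarded to the backend
CLOSED_RE = re.compile(
    r"^Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, (?P<to_sock>\d+) bytes sent to socket$"
)


def parse_sessions(log_text):
    """Pair each 'connected from' line with the next 'Connection closed' line that
    carries the same [pid:tid] tag. Returns one dict per completed session, in log order."""
    pending = {}      # tag -> session opened but not yet closed
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-stunnel syslog lines
        tag, msg = m.group("tag"), m.group("msg")
        c = CONNECTED_RE.match(msg)
        if c:
            pending[tag] = {"service": c.group("svc"), "ip": c.group("ip"),
                            "port": int(c.group("port")), "opened": m.group("ts")}
            continue
        d = CLOSED_RE.match(msg)
        if d and tag in pending:
            s = pending.pop(tag)
            s["closed"] = m.group("ts")
            s["to_ssl"] = int(d.group("to_ssl"))
            s["to_sock"] = int(d.group("to_sock"))
            sessions.append(s)
        # startup banners and other messages fall through and are ignored
    return sessions


def classify(session, trusted_ips):
    """handshake_only: the TLS session ended before any plaintext reached the backend
    (the '0 bytes sent to socket' pattern discussed in the thread).
    trusted: a known client address that exchanged data.
    untrusted_data: an unknown address got plaintext through to the backend, so that
    service's own logs (here SMTP/POP3) need to be checked for the same timestamp."""
    if session["to_sock"] == 0:
        return "handshake_only"
    if session["ip"] in trusted_ips:
        return "trusted"
    return "untrusted_data"


def report(log_text, trusted_ips):
    """Count sessions per (source ip, verdict); the untrusted_data bucket is the one to chase."""
    counts = Counter()
    for s in parse_sessions(log_text):
        counts[(s["ip"], classify(s, trusted_ips))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, verdict), n in sorted(report(SAMPLE_LOG, {"10.0.0.5"}).items()):
        print(f"{ip:16} {verdict:15} {n}")
```

Run against a real file with something like `report(open("/var/log/messages").read(), {"<your client ip>"})`. Sessions that close with "0 bytes sent to socket" never produced a request the backend could log, which is why the thread expects no matching SMTP/POP3 entries for them; any "untrusted_data" session is the case where the timestamp correlation unSpawn describes actually matters.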
All times are GMT -5. The time now is 02:38 AM.