Page 1 of 1

sshd attempting to connect out

PostPosted: Mon Mar 01, 2004 3:54 pm
by Blue Lightning
I'm using grsecurity 1.9.14 with the 2.4.25 kernel, and I'm having a problem with my ACL settings for sshd. sshd is attempting to open a socket every night at about 4:00 AM, which it seems is about the same time cron executes /etc/cron.daily, although I can't see anything in there that would be causing it. I have the following in the ACL for sshd:

Code: Select all
connect { dgram ip udp stream ip tcp dgram ip udp

bind { stream ip tcp

The log messages are as follows:
Code: Select all
Mar  2 04:02:18 sr71 kernel: grsec: attempted socket(2,2,0) by (sshd:7077) UID(0) EUID(0), parent (sh:13518) UID(0) EUID(0)
Mar  2 04:02:18 sr71 last message repeated 2 times

Has anyone seen this before? If not, is there any way I can track this down?

PostPosted: Mon Mar 01, 2004 6:20 pm
by cmouse
hopopt 0 HOPOPT # IPv6 Hop-by-Hop Option [RFC1883]

that is the last parameter of socket...

the socket call unraveled:

You haven't enabled any IPv6-like supports?

PostPosted: Tue Mar 02, 2004 6:39 pm
by Blue Lightning
I don't think I have. I checked sshd_config and the man page for it and there's nothing in there that explicitly enables IPv6.

According to /etc/protocols, protocol 0 is also the number for IP(v4).

I have two concerns here really:
1. Why is sshd attempting to open a socket?
2. Why is grsecurity blocking it when the rules suggest it should be allowed?