sshd attempting to connect out

Submit your RBAC policies or suggest policy improvements

sshd attempting to connect out

Postby Blue Lightning » Mon Mar 01, 2004 3:54 pm

I'm using grsecurity 1.9.14 with the 2.4.25 kernel, and I'm having a problem with my ACL settings for sshd. sshd is attempting to open a socket every night at about 4:00 AM, which it seems is about the same time cron executes /etc/cron.daily, although I can't see anything in there that would be causing it. I have the following in the ACL for sshd:

Code: Select all
connect {
    0.0.0.0/0:53 dgram ip udp
    0.0.0.0/0:53 stream ip tcp
    0.0.0.0/0:113 dgram ip udp
}

bind {
    0.0.0.0/0:22 stream ip tcp
}

The log messages are as follows:
Code: Select all
Mar  2 04:02:18 sr71 kernel: grsec: attempted socket(2,2,0) by (sshd:7077) UID(0) EUID(0), parent (sh:13518) UID(0) EUID(0)
Mar  2 04:02:18 sr71 last message repeated 2 times

Has anyone seen this before? If not, is there any way I can track this down?
Blue Lightning
 
Posts: 5
Joined: Mon Mar 01, 2004 3:44 pm

Postby cmouse » Mon Mar 01, 2004 6:20 pm

hopopt 0 HOPOPT # IPv6 Hop-by-Hop Option [RFC1883]

that is the last parameter of socket...

the socket call unraveled:
socket(PF_INET,SOCK_DGRAM,[HOPOPT])

You haven't enabled any IPv6-like supports?
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Postby Blue Lightning » Tue Mar 02, 2004 6:39 pm

I don't think I have. I checked sshd_config and the man page for it and there's nothing in there that explicitly enables IPv6.

According to /etc/protocols, protocol 0 is also the number for IP(v4).

I have two concerns here really:
1. Why is sshd attempting to open a socket?
2. Why is grsecurity blocking it when the rules suggest it should be allowed?
Blue Lightning
 
Posts: 5
Joined: Mon Mar 01, 2004 3:44 pm


Return to RBAC policy development