AT&T is intercepting SSH traffic

by ckuethe » Thu Jul 13, 2017 5:50 pm
Hey all,

Today my modem started intercepting all inbound ssh traffic. I noticed this when I tried sshing back home from work and got an ssh host key change warning. I won't bore you with the details of the debugging process save for a few facts:
  • rebooting doesn't fix it
  • tcpdump on my router's external interface shows no more inbound SSH traffic (http/https are still working)
  • the externally visible ssh version string is dropbear instead of openssh. The same dropbear version string as I get when trying to SSH to the modem from my router.
AT&T seems to be incompetent at managing a network.
by sonic guest » Thu Jul 13, 2017 9:44 pm
How do you think this is happening?

I just tried it on my connection and I don't have this problem.
by dane » Fri Jul 14, 2017 9:50 am
If you ssh to your router's public IP, you'd reach the router's ssh..? Or have you set up DMZ Plus or port address translation or something?
Dane Jasper
Sonic
by ckuethe » Fri Jul 14, 2017 10:19 am
Very simple.
1) Tcpdump on the external interface of my router shows no inbound SSH connections. Usually I see 1-2 probes per second from random internet scanners. Now there are none.
2) the initial ssh handshake now identifies the server as Dropbear, whereas I'm running OpenSSH.
by ckuethe » Fri Jul 14, 2017 10:57 am
dane wrote:If you ssh to your router's public IP, you'd reach the router's ssh..? Or have you set up DMZ Plus or port address translation or something?
The modem is configured in IP Pass-through mode, so that all traffic to my public IP should arrive at my router/firewall which will handle it. HTTP, HTTPS, and all other services arrive at my firewall's external interface; it is only SSH that does not arrive.

The modem's SSH version is "SSH-2.0-dropbear_2013.62". My firewall and inside box's version strings are "SSH-2.0-OpenSSH_7.4p1 Ubuntu-10". When I connect from an outside machine to my external address, I'd expect to see my OpenSSH ident string, instead I get dropbear. And of course I get the ssh key change warning.

This was working on Wednesday. AT&T changed something on Thursday.
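The identification-string comparison described in the post above can be scripted and run from an outside host. This is an added example, not code from any poster; the function names are hypothetical, and the sample strings are the two quoted in the post.

```python
import io
import socket
from typing import BinaryIO, NamedTuple


class SshIdent(NamedTuple):
    proto: str      # e.g. "2.0"
    software: str   # e.g. "OpenSSH_7.4p1"
    comments: str   # e.g. "Ubuntu-10" (may be empty)


def parse_ident(line: bytes) -> SshIdent:
    """Parse 'SSH-protoversion-softwareversion SP comments' (RFC 4253, 4.2)."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    head, _, comments = text.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH" or not parts[1] or not parts[2]:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return SshIdent(parts[1], parts[2], comments)


def ident_from_stream(stream: BinaryIO, max_lines: int = 20) -> SshIdent:
    """Return the first identification line; a server may send other lines first."""
    for _ in range(max_lines):
        line = stream.readline(256)   # the RFC caps the line at 255 bytes
        if not line:
            break
        if line.startswith(b"SSH-"):
            return parse_ident(line)
    raise ConnectionError("no SSH identification string received")


def read_ident(host: str, port: int = 22, timeout: float = 5.0) -> SshIdent:
    """Connect from an outside vantage point and read what answers on the port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return ident_from_stream(sock.makefile("rb"))


def same_server(observed: SshIdent, expected: SshIdent) -> bool:
    """True only if protocol and software version both match the expected host."""
    return (observed.proto, observed.software) == (expected.proto, expected.software)


if __name__ == "__main__":
    # Constructed input: the two strings quoted in the post, no network needed.
    expected = parse_ident(b"SSH-2.0-OpenSSH_7.4p1 Ubuntu-10\r\n")
    seen = ident_from_stream(io.BytesIO(b"SSH-2.0-dropbear_2013.62\r\n"))
    print("OK" if same_server(seen, expected) else f"MISMATCH: got {seen.software}")
```

A matching banner alone does not prove the right host answered; the host key check the post mentions remains the stronger signal.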
by dane » Fri Jul 14, 2017 10:58 am
ckuethe wrote:Very simple.
1) Tcpdump on the external interface of my router shows no inbound SSH connections. Usually I see 1-2 probes per second from random internet scanners. Now there are none.
2) the initial ssh handshake now identifies the server as Dropbear, whereas I'm running OpenSSH.
That makes sense, the router/firewall with NAT is the device on your public IP.

Did you have port address translation or a DMZ or something set up that would work differently than this? If so, maybe router got an update or reset its config and lost your setup?
Dane Jasper
Sonic
by ckuethe » Fri Jul 14, 2017 11:19 am
dane wrote:
ckuethe wrote:Very simple.
1) Tcpdump on the external interface of my router shows no inbound SSH connections. Usually I see 1-2 probes per second from random internet scanners. Now there are none.
2) the initial ssh handshake now identifies the server as Dropbear, whereas I'm running OpenSSH.
That makes sense, the router/firewall with NAT is the device on your public IP.

Did you have port address translation or a DMZ or something set up that would work differently than this? If so, maybe router got an update or reset its config and lost your setup?
The router/firewall is a regular PC running linux, not a little embedded linksys/netgear/whatever device. It did not get mysteriously upgraded or factory reset.

I am using translation to redirect certain ports to other internal machines, and these rules have not been altered.
by dane » Fri Jul 14, 2017 11:36 am
So now I'm a bit confused. Isn't there a modem? Are we talking about Sonic Fusion FTTN, with an AT&T modem/router?
Dane Jasper
Sonic
by ckuethe » Fri Jul 14, 2017 11:51 am
dane wrote:So now I'm a bit confused. Isn't there a modem? Are we talking about Sonic Fusion FTTN, with an AT&T modem/router?
Fusion FTTN, AT&T provided modem in IP passthrough mode, connected to a linux machine operating as the firewall/router for my home network.
by dane » Fri Jul 14, 2017 11:53 am
ckuethe wrote:
dane wrote:So now I'm a bit confused. Isn't there a modem? Are we talking about Sonic Fusion FTTN, with an AT&T modem/router?
Fusion FTTN, AT&T provided modem in IP passthrough mode, connected to a linux machine operating as the firewall/router for my home network.
Got it. So you've got the modem in DMZ Plus mode? Sounds like that broke during an update perhaps..?

Does other, non-ssh IP traffic make it to your internal network from outside?
Dane Jasper
Sonic