At 08:14 AM 9/12/2007, Aldisa Admin wrote:
Hello All,
I am having trouble understanding what is going on and how to solve the
problem:
For the last few days, I am getting the following messages (some names
removed for privacy) in the daily security run output:
[hostname].ca login failures:
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
[hostname].ca login failures:
Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
I got worried because both these instances are times when I am positive
that I am not accessing the system. I am the only user of the system. I
use ssh to access the system. Root access is disabled in sshd. I log in
using my username (abid) and SU to root when necessary.
So I went to check the auth.log, and here is the concerned section:
Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for
abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for
abid from 192.168.2.149 port 1688 ssh2
Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for
abid from 192.168.2.149 port 2032 ssh2
Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for
abid from 192.168.2.149 port 4146 ssh2
Sep 9 13:41:00 server su: abid to root on /dev/ttyp0
Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for
abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for
abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for
abid from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for
abid from 192.168.1.30 port 2521 ssh2
Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
As you can see, there is no matching incidence in the auth.log. How can
the security run show a BAD SU when there is no matching entry in the
auth.log for somebody authenticating successfully under my username.
Some other facts:
The machine is behind a NAT router and only apache and email ports (25,
80, 110, 143, 443, 587) are open. SSH access is restricted to intranet IP
ranges.
How are you limiting this ssh access? Are you using hosts.allow? If you
are not using hosts.allow, I would suggest you do so.
-Derek
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
