Re: Problem with logs
Hello Derek, I don't use hosts.allow. I use the AllowUsers directive in the sshd.conf file to limit the actual username/ip combinations. As a rule, I also close port 22 on the router. When I need external access (e.g. when I am travelling) I will open some other port and have sshd Listen on that port as well. At that time, I will add an obscure username to AllowUsers with any ip address. Of course, I use the custom port to login. Prior to implementing this setup, I used to get frequent daily login attempts. Now I don't get any. Thanks for your feedback. Abid On 12-Sep-07 9:33 AM, Derek Ragona wrote: How are you limiting this ssh access? Are you using hosts.allow? If you are not using hosts.allow, I would suggest you do so. -Derek ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with logs
At 08:14 AM 9/12/2007, Aldisa Admin wrote: Hello All, I am having trouble understanding what is going on and how to solve the problem: For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output: [hostname].ca login failures: Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0 [hostname].ca login failures: Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0 I got worried because both these instances are times when I am positive that I am not accessing the system. I am the only user of the system. I use ssh to access the system. Root access is disabled in sshd. I log in using my username (abid) and SU to root when necessary. So I went to check the auth.log, and here is the concerned section: Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2 Aug 31 17:01:40 server su: abid to root on /dev/ttyp0 Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2 Aug 31 18:43:01 server su: abid to root on /dev/ttyp0 Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2 Aug 31 22:58:32 server su: abid to root on /dev/ttyp0 Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2 Sep 9 13:41:00 server su: abid to root on /dev/ttyp0 Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2 Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2 Sep 10 09:04:47 server su: abid to root on /dev/ttyp0 Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2 Sep 11 11:37:15 server su: abid to root on /dev/ttyp0 Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2 Sep 12 08:41:53 server su: abid to root on /dev/ttyp0 As you can see, there is no matching incidence in the auth.log. How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username. Some other facts: The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open. SSH access is restricted to intranet IP ranges. How are you limiting this ssh access? Are you using hosts.allow? If you are not using hosts.allow, I would suggest you do so. -Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with logs
Hello Denis, I am using FreeBSD 6.1-RELEASE. You have correctly identified the problem. My log files are small as well, and the entries in the daily security relate to the previous year. Thank you for your help...it has put my mind to rest. Abid On 12-Sep-07 1:29 PM, Denis wrote: I had such problem with FreeBSD 4.7, and finally discovered that this records were for the last year. My auth.log was pretty small and contain records for more than one year. And daily security included records for the last year. May this could be applied to you? Best regards, Denis. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with logs
I had such problem with FreeBSD 4.7, and finally discovered that this records were for the last year. My auth.log was pretty small and contain records for more than one year. And daily security included records for the last year. May this could be applied to you? Best regards, Denis. On 9/12/07, Aldisa Admin [EMAIL PROTECTED] wrote: Hello All, I am having trouble understanding what is going on and how to solve the problem: For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output: [hostname].ca login failures: Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0 [hostname].ca login failures: Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0 I got worried because both these instances are times when I am positive that I am not accessing the system. I am the only user of the system. I use ssh to access the system. Root access is disabled in sshd. I log in using my username (abid) and SU to root when necessary. So I went to check the auth.log, and here is the concerned section: Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2 Aug 31 17:01:40 server su: abid to root on /dev/ttyp0 Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2 Aug 31 18:43:01 server su: abid to root on /dev/ttyp0 Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2 Aug 31 22:58:32 server su: abid to root on /dev/ttyp0 Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2 Sep 9 13:41:00 server su: abid to root on /dev/ttyp0 Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2 Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2 Sep 10 09:04:47 server su: abid to root on /dev/ttyp0 Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2 Sep 11 11:37:15 server su: abid to root on /dev/ttyp0 Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2 Sep 12 08:41:53 server su: abid to root on /dev/ttyp0 As you can see, there is no matching incidence in the auth.log. How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username. Some other facts: The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open. SSH access is restricted to intranet IP ranges. The only other opening is a VPN connection between the routers at my office (where the server is) and my home. The subnet in the office is 192.168.1 and at home is 192.168.2 I changed the password on my account after the Sep 8 occurrence. It seems to me that somebody is hacking in, but I can't figure out how and from where. ANY AND ALL HELP WILL BE APPRECIATED. Abid ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]