Re: Problem with logs

2007-09-13 Thread Aldisa Admin

Hello Derek,

I don't use hosts.allow.  I use the AllowUsers directive in the sshd.conf file to limit 
the actual username/ip combinations.  As a rule, I also close port 22 on the router.  
When I need external access (e.g. when I am travelling) I will open some other port and 
have sshd Listen on that port as well.  At that time, I will add an obscure 
username to AllowUsers with any ip address.  Of course, I use the custom port to login.

Prior to implementing this setup, I used to get frequent daily login attempts.  
Now I don't get any.

Thanks for your feedback.

Abid

On 12-Sep-07 9:33 AM, Derek Ragona wrote:


How are you limiting this ssh access?  Are you using hosts.allow?  If 
you are not using hosts.allow, I would suggest you do so.


-Derek


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
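Abid's setup above (AllowUsers with user@source patterns, port 22 closed at the router, a second listener opened only when travelling), written out as an sshd_config(5) fragment. This is an added example, not his actual file; the subnet addresses, the alternate port 2222, the travel account name and the directive set (chosen to exist in the OpenSSH shipped with FreeBSD 6.x, so no Match blocks) are assumptions.

```text
# /etc/ssh/sshd_config (fragment) -- added example, not the poster's file.
# Addresses, the alternate port and the travel account name are assumptions.

Protocol 2
Port 22                    # LAN/VPN side; the router never forwards this one
Port 2222                  # second listener, only reachable while the router forwards it
PermitRootLogin no         # matches "root access is disabled in sshd" in the thread
UseDNS no                  # AllowUsers host part then matches the address only
LoginGraceTime 30
MaxAuthTries 3

# Only these user@source combinations may authenticate at all; anyone else is
# rejected (and logged) before a password is even checked.  '*' and '?' are
# wildcards; the part after '@' is matched against the client's address.
AllowUsers abid@192.168.1.* abid@192.168.2.* travel-xq7@*
```

Check the file with `sshd -t` before restarting (`/etc/rc.d/sshd restart`): a syntax error in sshd_config otherwise leaves you without remote access. Two caveats a practitioner would add: the obscure port only reduces log noise, the AllowUsers line is the actual control; and `travel-xq7@*` is reachable from anywhere while forwarded, and the `Accepted keyboard-interactive/pam` lines in the thread show password logins, so that account in particular is better served by a key with `PasswordAuthentication no` and `ChallengeResponseAuthentication no`. Derek's hosts.allow suggestion is complementary rather than an alternative: tcp_wrappers refuses the TCP connection by source, AllowUsers additionally pins each user to a source.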


Problem with logs

2007-09-12 Thread Aldisa Admin

Hello All,

I am having trouble understanding what is going on and how to solve the problem:

For the last few days, I am getting the following messages (some names removed 
for privacy) in the daily security run output:

[hostname].ca login failures:
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0

[hostname].ca login failures:
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0


I got worried because both these instances are times when I am positive that I 
am not accessing the system.  I am the only user of the system.  I use ssh to 
access the system.  Root access is disabled in sshd.  I log in using my 
username (abid) and SU to root when necessary.

So I went to check the auth.log, and here is the concerned section:

Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid 
from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid 
from 192.168.2.149 port 1688 ssh2
Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid 
from 192.168.2.149 port 2032 ssh2
Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid 
from 192.168.2.149 port 4146 ssh2
Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid 
from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid 
from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid 
from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid 
from 192.168.1.30 port 2521 ssh2
Sep 12 08:41:53 server su: abid to root on /dev/ttyp0


As you can see, there is no matching incidence in the auth.log.  How can the 
security run show a BAD SU when there is no matching entry in the auth.log for 
somebody authenticating successfully under my username.

Some other facts:

The machine is behind a NAT router and only apache and email ports (25, 80, 
110, 143, 443, 587) are open.  SSH access is restricted to intranet IP ranges.  
The only other opening is a VPN connection between the routers at my office 
(where the server is) and my home.  The subnet in the office is 192.168.1 and 
at home is 192.168.2

I changed the password on my account after the Sep 8 occurrence.

It seems to me that somebody is hacking in, but I can't figure out how and from 
where.

ANY AND ALL HELP WILL BE APPRECIATED.

Abid


Re: Problem with logs

2007-09-12 Thread Derek Ragona

At 08:14 AM 9/12/2007, Aldisa Admin wrote:

Hello All,

I am having trouble understanding what is going on and how to solve the 
problem:


For the last few days, I am getting the following messages (some names 
removed for privacy) in the daily security run output:


[hostname].ca login failures:
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0

[hostname].ca login failures:
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0


I got worried because both these instances are times when I am positive 
that I am not accessing the system.  I am the only user of the system.  I 
use ssh to access the system.  Root access is disabled in sshd.  I log in 
using my username (abid) and SU to root when necessary.


So I went to check the auth.log, and here is the concerned section:

Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for 
abid from 192.168.2.149 port 1203 ssh2

Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for 
abid from 192.168.2.149 port 1688 ssh2

Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for 
abid from 192.168.2.149 port 2032 ssh2

Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for 
abid from 192.168.2.149 port 4146 ssh2

Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for 
abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for 
abid from 192.168.1.30 port 2599 ssh2

Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for 
abid from 192.168.1.30 port 1361 ssh2

Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for 
abid from 192.168.1.30 port 2521 ssh2

Sep 12 08:41:53 server su: abid to root on /dev/ttyp0


As you can see, there is no matching incidence in the auth.log.  How can 
the security run show a BAD SU when there is no matching entry in the 
auth.log for somebody authenticating successfully under my username.


Some other facts:

The machine is behind a NAT router and only apache and email ports (25, 
80, 110, 143, 443, 587) are open.  SSH access is restricted to intranet IP 
ranges.


How are you limiting this ssh access?  Are you using hosts.allow?  If you 
are not using hosts.allow, I would suggest you do so.


-Derek



Re: Problem with logs

2007-09-12 Thread Aldisa Admin

Hello Denis,
I am using FreeBSD 6.1-RELEASE.
You have correctly identified the problem.  My log files are small as well, and 
the entries in the daily security relate to the previous year.
Thank you for your help...it has put my mind to rest.
Abid

On 12-Sep-07 1:29 PM, Denis wrote:

I had such a problem with FreeBSD 4.7, and finally discovered that these
records were from the last year.
My auth.log was pretty small and contained records for more than one
year. And the daily security run included records from the last year. Might this
apply to you?

Best regards, Denis.





Re: Problem with logs

2007-09-12 Thread Denis
I had such a problem with FreeBSD 4.7, and finally discovered that these
records were from the last year.
My auth.log was pretty small and contained records for more than one
year. And the daily security run included records from the last year. Might this
apply to you?

Best regards, Denis.

On 9/12/07, Aldisa Admin [EMAIL PROTECTED] wrote:
 Hello All,

 I am having trouble understanding what is going on and how to solve the 
 problem:

 For the last few days, I am getting the following messages (some names 
 removed for privacy) in the daily security run output:

 [hostname].ca login failures:
 Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0

 [hostname].ca login failures:
 Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0


 I got worried because both these instances are times when I am positive that 
 I am not accessing the system.  I am the only user of the system.  I use ssh 
 to access the system.  Root access is disabled in sshd.  I log in using my 
 username (abid) and SU to root when necessary.

 So I went to check the auth.log, and here is the concerned section:

 Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for 
 abid from 192.168.2.149 port 1203 ssh2
 Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
 Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for 
 abid from 192.168.2.149 port 1688 ssh2
 Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
 Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for 
 abid from 192.168.2.149 port 2032 ssh2
 Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
 Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for 
 abid from 192.168.2.149 port 4146 ssh2
 Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
 Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for 
 abid from 192.168.2.149 port 1116 ssh2
 Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for 
 abid from 192.168.1.30 port 2599 ssh2
 Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
 Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for 
 abid from 192.168.1.30 port 1361 ssh2
 Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
 Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid 
 from 192.168.1.30 port 2521 ssh2
 Sep 12 08:41:53 server su: abid to root on /dev/ttyp0


 As you can see, there is no matching incidence in the auth.log.  How can the 
 security run show a BAD SU when there is no matching entry in the auth.log 
 for somebody authenticating successfully under my username.

 Some other facts:

 The machine is behind a NAT router and only apache and email ports (25, 80, 
 110, 143, 443, 587) are open.  SSH access is restricted to intranet IP 
 ranges.  The only other opening is a VPN connection between the routers at my 
 office (where the server is) and my home.  The subnet in the office is 
 192.168.1 and at home is 192.168.2

 I changed the password on my account after the Sep 8 occurrence.

 It seems to me that somebody is hacking in, but I can't figure out how and 
 from where.

 ANY AND ALL HELP WILL BE APPRECIATED.

 Abid

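The effect Denis describes and Abid confirms, as an added example that is not part of the thread. The daily security run picks "yesterday's" failures out of /var/log/auth.log by matching the leading "Mon DD" of the timestamp; syslog lines carry no year, so once one auth.log file spans more than a year (the stock newsyslog.conf rotates it by size, not age, and a lightly used box never reaches the size), last year's entries for the same calendar day are reported as new. The script below reproduces that match against a constructed log in the thread's format and then shows the check a practitioner wants: infer the year of each line from timestamp rollover and filter on the real date. The sample lines, the hostnames and the "last line is from this year" assumption are mine.

```python
"""Year-aware filtering of syslog-style auth.log lines (added example).

Reproduces the 'Mon DD' prefix match the periodic security script
effectively performs, then disambiguates by inferring years from the
point where timestamps jump backwards (a year boundary).
"""
import re
from datetime import date, timedelta

# Constructed sample in the style of the thread's log: a small auth.log that
# has not rotated in over a year, so the first three lines are from 2006.
SAMPLE_AUTH_LOG = """\
Sep  8 16:55:40 server sshd[3121]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1050 ssh2
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
"""

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# syslog timestamp: abbreviated month, space-padded day, HH:MM:SS, no year.
STAMP_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ")


def _as_date(d):
    """Accept a date or an ISO string such as '2007-09-09'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def syslog_prefix(day):
    """'Sep  8' / 'Sep 11': the %b %e form syslog writes and the daily script greps for."""
    return f"{day.strftime('%b')} {day.day:2d}"


def naive_yesterday_matches(log_text, today, pattern="BAD SU"):
    """What the daily security run effectively does: prefix-match yesterday's
    'Mon DD' and ignore the year, so a year-old line on the same day matches."""
    prefix = syslog_prefix(_as_date(today) - timedelta(days=1))
    return [ln for ln in log_text.splitlines() if ln.startswith(prefix) and pattern in ln]


def assign_years(log_text, end_year):
    """Return [(date or None, line)] with an inferred year per line.

    Assumptions: lines are in write order and the last one was written in
    end_year.  Walking backwards, a timestamp that is *later* than the line
    after it can only mean a year boundary was crossed, so the year drops.
    Lines without a parseable timestamp get date None.
    """
    out, year, nxt = [], end_year, None
    for line in reversed(log_text.splitlines()):
        m = STAMP_RE.match(line)
        if not m:
            out.append((None, line))
            continue
        mon, day, hh, mi, ss = m.groups()
        stamp = (MONTHS[mon], int(day), int(hh), int(mi), int(ss))
        if nxt is not None and stamp > nxt:
            year -= 1
        nxt = stamp
        out.append((date(year, stamp[0], stamp[1]), line))
    out.reverse()
    return out


def yesterday_matches(log_text, today, pattern="BAD SU"):
    """Year-aware version: only lines actually written yesterday."""
    today = _as_date(today)
    yday = today - timedelta(days=1)
    return [ln for d, ln in assign_years(log_text, today.year)
            if d == yday and pattern in ln]


if __name__ == "__main__":
    # The two daily runs from the thread, on the constructed log.
    for run_day in ("2007-09-09", "2007-09-12"):
        naive = naive_yesterday_matches(SAMPLE_AUTH_LOG, run_day)
        real = yesterday_matches(SAMPLE_AUTH_LOG, run_day)
        print(f"run of {run_day}: prefix match reports {len(naive)} BAD SU, "
              f"year-aware finds {len(real)}")
        for d, ln in assign_years(SAMPLE_AUTH_LOG, 2007):
            print(f"  {d}  {ln[:40]}")
```

The fix on the box itself is simpler than the script: rotate auth.log before it spans a year (a `@T00` or monthly schedule instead of a pure size trigger in newsyslog.conf), after which the prefix match is unambiguous. The script is the check to run when the report and the log disagree, as they did here; it also makes the Sep 11 line that is from the current year show up while the year-old one does not.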


Security Problem (?): strange logs

2003-02-21 Thread P. U. Kruppa
Hi,

browsing my /var/log directory I found many files like these

  -
(...)
log.Ä__îÅÍ3
log._ç___Ä
log.a0035934
log.aditi
log.alevrius_
log.alevrius_.old
log.amanda
log.amd
log.amul
log.andreas
log.ang_1730
log.angelas
log.aps-02
log.armoire
log.atpvpn
log.austinserver
log.b-64ku99an2lr25
log.baer1
log.banquet
log.barb
log.bd20g
log.gigantti-o13mbj
log.gustavo
log.gustavo.old
log.howell
log.huntfin
log.i3r1r7
log.ibm all in one

--

Most of them are empty, some of them contain messages like this

-

(...)
[2003/02/21 17:14:30, 0] smbd/service.c:make_connection(252)
  gustavo (80.100.23.30) couldn't find service c

   -

Do I have any serious security problem, or are these some
script kiddies ?

Regards,

Uli.

+---+
|Peter Ulrich Kruppa|
|  -  Wuppertal -   |
|  Germany  |
+---+

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: *****SPAM***** Security Problem (?): strange logs

2003-02-21 Thread f.johan.beisser
On Fri, 21 Feb 2003, P. U. Kruppa wrote:

 Do I have any serious security problem, or are these some
 script kiddies ?

those are output logs from samba. people are connecting, and trying to see
any of your smb shares.

---/ f. johan beisser /--+
  http://caustic.org/~jan  [EMAIL PROTECTED]
Champagne for my real friends, real pain for
  my sham friends. -- Tom Waits





Re: Security Problem (?): strange logs

2003-02-21 Thread Bill Moran
P. U. Kruppa wrote:

Hi,

browsing my /var/log directory I found many files like these

  -
(...)
log.?__???3


snip


log.ibm all in one 
		--

Most of them are empty, some of them contain messages like this

		-

(...)
[2003/02/21 17:14:30, 0] smbd/service.c:make_connection(252)
  gustavo (80.100.23.30) couldn't find service c

   -

Do I have any serious security problem, or are these some
script kiddies ?


I would consider it a security problem if you don't know who those
Windows machines belong to.
Make sure SMB is firewalled off from the Internet, it will reduce
the risk considerably.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com





Re: Security Problem (?): strange logs

2003-02-21 Thread Dan Nelson
In the last episode (Feb 21), P. U. Kruppa said:
 browsing my /var/log directory I found many files like these
 
   -
 (...)
 log.__3
 log.
 log.a0035934
 log.aditi
 log.alevrius_
 log.alevrius_.old
 log.amanda
 
 Do I have any serious security problem, or are these some
 script kiddies ?

You probably have a line like this in your smb.conf:

log file = /var/log/log.%m

which means that anyone connecting to your machine from a Windows
machine through Network Neighborhood, even just browsing (i.e. not
accessing any shares), gets a logfile created with the machinename as
part of the name.

-- 
Dan Nelson
[EMAIL PROTECTED]

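Dan Nelson's explanation of `log file = /var/log/log.%m` and Bill Moran's advice to firewall SMB off the Internet, combined into one smb.conf fragment that shows the setting from the thread beside a hardened one. This is an added example, not the poster's configuration; the interface name, the LAN range and the log path are assumptions.

```text
# /usr/local/etc/smb.conf (fragment) -- added example, not the poster's file.
# Interface name, LAN range and log path are assumptions.
[global]
   # Before (what the thread shows): one log file per connecting client,
   # named after the NetBIOS name the *client* sends.  Any host that can reach
   # port 139/445 can therefore create files under /var/log with a name of
   # its choosing, which is where the junk-byte filenames in the listing came
   # from.  Whether a share was reached does not matter; browsing is enough.
   #log file = /var/log/log.%m

   # After: one file whose name Samba controls; the client's name and
   # address stay inside the file, not in the filesystem namespace.
   log file = /var/log/samba/log.smbd
   max log size = 1000

   # Only listen on the LAN interface and only answer LAN addresses.
   # These Samba-level lists stop the unknown Windows machines Bill mentions,
   # but the packet filter below is what keeps the port off the Internet.
   interfaces = fxp1 192.168.1.0/24
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.
   hosts deny = ALL
```

Run `testparm` after editing to confirm the file parses, then restart smbd/nmbd. For the packet filter, with ipfw on a box whose external interface is (assumed) `fxp0`, the two rules `ipfw add deny tcp from any to me dst-port 137-139,445 in via fxp0` and `ipfw add deny udp from any to me dst-port 137-138 in via fxp0` are the minimum; put them before any permissive rule. The check afterwards is the same listing that raised the question: new `log.<machine>` files under /var/log should stop appearing once the port is unreachable from outside.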