Re: Question about entry in auth.log
> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>
> There is a user michael on the system, but whoever was doing this was not him. I am assuming someone tried to break in using a valid username (michael) but with an incorrect password.

It was a VALID password. He successfully logged in. Change the password now, look at what the intruder messed with, and tell michael to be more careful about his password next time. If the intruder wasn't very smart, he may not have deleted .history; look at what he/she did.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Question about entry in auth.log
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.

It doesn't matter if he/she had, if he/she doesn't know the root password.
Re: Question about entry in auth.log
Hello,

I personally use key authentication along with the DenyUsers and AllowUsers directives from sshd. One more thing I do regarding ssh brute force is to make use of max-src-conn and max-src-conn-rate from the pf firewall. My auth logs look like:

Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from 211.55.48.179
Nov 14 11:15:44 xxx sshd[3576]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from 211.55.48.179

Five tries from the above IP and, if unsuccessful, it gets overloaded into a table and all the states originating from that IP are killed. All the servers I have are web/mail ones, none of them is used for users, so I don't know if this is a good approach, but I wrote it to help give an idea about it.

A great day,
v

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey [EMAIL PROTECTED] wrote:
> On Fri, 14 Nov 2008, Tom Marchand wrote:
>> Or michael is vacationing in Romania.
>
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.
>
> Lisa
Re: Question about entry in auth.log
On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
>> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.
>
> The individual in Romania *was not* able to log in as michael. The

Correction: the individual **WAS** able to log in as michael. I missed the part of the message that said "Accepted" at the front. Sorry for confusing you, I've had a very rough week and my brain is not functioning.

What Wojciech said is correct -- change the password on the account. Also keep in mind that the user may not have actually logged in and gotten a shell; the message you see can also happen if the individual simply scp'd something (e.g. no shell spawned).

--
| Jeremy Chadwick                       jdc at parodius.com |
| Parodius Networking              http://www.parodius.com/ |
| UNIX Systems Administrator         Mountain View, CA, USA |
| Making life hard for others since 1977.     PGP: 4BD6C0CB |
Re: Question about entry in auth.log
> Also keep in mind that the user may not have actually logged in and gotten a shell; the message you see can also happen if the individual simply scp'd something (e.g. no shell spawned).

But in this case there are other messages about scp, not sure if in auth.log or others. I use a single file for logs, /var/log/messages.
Re: Question about entry in auth.log
--- On Sat, 11/15/08, Jeremy Chadwick [EMAIL PROTECTED] wrote:

From: Jeremy Chadwick [EMAIL PROTECTED]
Subject: Re: Question about entry in auth.log
To: Lisa Casey [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Date: Saturday, November 15, 2008, 2:37 AM

> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
>
> The individual in Romania *was not* able to log in as michael. The message you saw was sshd saying "Someone's trying to SSH in as user michael; SSH key negotiation failed, and now I'm asking them to type in their password manually."
>
> It's not a prank. Shady online individuals have written scripts/tools that repetitively beat on sshd, trying to find an account they can log in as. They're simply scanning for valid accounts, and they also often try many passwords over and over (common things, such as the username as a password). Welcome to the Internet circa 2008. :(
>
> So how do I solve this problem?
>
> The easiest way: change sshd to listen on a port *other* than 22. Many people pick . This relieves 99% of the pain, but requires you to tell your users/co-workers/peers "My box listens on port for ssh, not 22."
>
> A secondary way: programs which monitor logs and add firewall block rules when they see too many brute force attempts coming from an IP address:
>
> ports/security/blocksshd
> ports/security/sshblock
> ports/security/sshguard
>
> (I think I forgot one more, but those are the main three)

I've considered writing an sshd patch for OpenSSH to add bad-authentication throttling to it, such that X invalid attempts featuring at least Y different usernames in Z seconds from the same IP cause sshd to ignore that IP outright for a given time. This would prevent syslog spam and not require any third-party applications. I've written a socket abstraction library that supports throttling of this sort internally, and it's actually very easy to implement on its own.

Implementing it in OpenSSH may be more or less difficult depending on whether there's any central function that is called *every* time an authentication attempt fails. If a few folks respond saying "I'd sure like that patch!", I would likely become more motivated to do so sooner.

- mdh
Re: Question about entry in auth.log
Lisa Casey wrote:
> Hi,
>
> I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this:
>
> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>
> There is a user michael on the system, but whoever was doing this was not him. I am assuming someone tried to break in using a valid username (michael) but with an incorrect password. So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this:
>
> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
>
> and when I used something called "keyboard interactive" as the primary authentication method in my ssh client, I get this:
>
> sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
>
> Nothing about "Accepted keyboard-interactive/pam". What does "Accepted keyboard-interactive/pam" mean?
>
> Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that?
>
> Thanks,
>
> Lisa Casey

Keyboard-interactive includes when the server sends requests such as "Password:" to which the connector responds by typing their password. This is different from entering the password in your client before connecting. Example:

$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:

Try doing similar with the correct password and I bet you will see the Accepted/keyboard-interactive; it may be possible that michael's password is no longer secure.
Re: Question about entry in auth.log
On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote:
> Lisa Casey wrote:
>> Hi,
>>
>> I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this:
>>
>> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>>
>> There is a user michael on the system, but whoever was doing this was not him. I am assuming someone tried to break in using a valid username (michael) but with an incorrect password. So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this:
>>
>> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
>>
>> and when I used something called "keyboard interactive" as the primary authentication method in my ssh client, I get this:
>>
>> sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
>>
>> Nothing about "Accepted keyboard-interactive/pam". What does "Accepted keyboard-interactive/pam" mean?
>>
>> Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that?
>>
>> Thanks,
>>
>> Lisa Casey
>
> Keyboard-interactive includes when the server sends requests such as "Password:" to which the connector responds by typing their password. This is different from entering the password in your client before connecting. Example:
>
> $ ssh [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
>
> Try doing similar with the correct password and I bet you will see the Accepted/keyboard-interactive; it may be possible that michael's password is no longer secure.

Or michael is vacationing in Romania.
Re: Question about entry in auth.log
On Fri, 14 Nov 2008, Tom Marchand wrote:
> Or michael is vacationing in Romania.

Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.

Lisa
Re: Question about entry in auth.log
On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been there. I got rid of the michael account (it wasn't used anyway), and downloaded a new copy of chkrootkit, installed it and ran it along with chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough prank? Anything else I ought to look at? Fortunately the michael account did not have the ability to su to root.

The individual in Romania *was not* able to log in as michael. The message you saw was sshd saying "Someone's trying to SSH in as user michael; SSH key negotiation failed, and now I'm asking them to type in their password manually."

It's not a prank. Shady online individuals have written scripts/tools that repetitively beat on sshd, trying to find an account they can log in as. They're simply scanning for valid accounts, and they also often try many passwords over and over (common things, such as the username as a password). Welcome to the Internet circa 2008. :(

So how do I solve this problem?

The easiest way: change sshd to listen on a port *other* than 22. Many people pick . This relieves 99% of the pain, but requires you to tell your users/co-workers/peers "My box listens on port for ssh, not 22."

A secondary way: programs which monitor logs and add firewall block rules when they see too many brute force attempts coming from an IP address:

ports/security/blocksshd
ports/security/sshblock
ports/security/sshguard

(I think I forgot one more, but those are the main three)
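Added example, not code from this thread or from any of the ports named above: a small Python log monitor run over lines taken from the sshd messages quoted in the thread. It separates the one line that actually matters (an "Accepted" login, with its method and source, the case Lisa asked about) from the failure variants Lisa and v pasted, and applies the X/Y/Z rule mdh sketched (X failures naming at least Y different users within Z seconds from one IP) to pick out the source a log-watching blocker would firewall. The hostname "mail", the thresholds and the absence of a year in syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample lines taken from the sshd messages quoted in this thread (hostname normalised to "mail").
SAMPLE_LOG = """\
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
Nov 14 11:15:36 mail sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:38 mail sshd[3572]: Invalid user admin from 211.55.48.179
Nov 14 11:15:41 mail sshd[3574]: Invalid user test from 211.55.48.179
Nov 14 11:15:44 mail sshd[3576]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
Nov 14 11:15:46 mail sshd[3578]: Invalid user ghost from 211.55.48.179
Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
"""
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PATTERNS = [  # (outcome, regex): only "Accepted" is a real login, everything else is a failure
    ("accepted", re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")),
    ("failed", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("failed", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("failed", re.compile(r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because")),
    ("failed", re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<ip>\S+)")),
]
def parse_line(line):
    """One sshd syslog line -> {ts, outcome, method, user, ip}, or None if unrecognised."""
    m = TS_RE.match(line)
    for outcome, pat in PATTERNS:
        hit = pat.search(m.group(2)) if m else None
        if hit:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
            return {"ts": ts, "outcome": outcome, "method": "", **hit.groupdict()}
    return None
def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]
def accepted_logins(events):
    """The lines that matter most: every successful login, with its source and method."""
    return [(e["user"], e["ip"], e["method"]) for e in events if e["outcome"] == "accepted"]
def throttle_candidates(events, max_attempts=5, min_users=3, window_secs=60):
    """IPs with >= max_attempts failures naming >= min_users accounts inside window_secs."""
    recent, flagged = defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "failed":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > timedelta(seconds=window_secs):  # drop stale attempts
            q.popleft()
        if len(q) >= max_attempts and len({u for _, u in q}) >= min_users:
            flagged.add(e["ip"])
    return flagged
```

Run against the sample, the only accepted login is michael's from 89.123.165.3 (the entry to cross-check against who was really travelling), while 211.55.48.179 is the only source that trips the five-attempts-over-several-usernames rule.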