FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 02-12-2009, 04:57 AM
Norman Bird
 
Default POSSIBLE BREAK-IN in auth.log via ssh

I decided to check the auth.log and started freaking out because I saw alot of POSSIBLE BREAK-IN lines. then I saw roon loging in so I was panicking. But as I really reviewed them it seems that the actual root logins were by CRON and the nobody logins were system related. Please look this over and give any advice and particularily what should I do.


Somewhere online said I should "boot with a root kit checker", feel free to advise on this.

I do need to log in via putty via ssh alot so I cant totally disable it. I will beef up my password now and maybe change the port, but I need input on that please, or a good site.


Thanks

Norm

Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root

Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN

ATTEMPT!
Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=66.212.18.86* user=root
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2

Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
ATTEMPT! rhost=66.212.18.86


then there is this, but it looks system related i think:



Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user root
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user root

Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user root
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user nobody by (uid=0)

Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user nobody
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)

Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody
Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0)

Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody
Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0)

Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user root by (uid=0)

Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user root
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user root
Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user root by (uid=0)

Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user root by (uid=0)

Is there another log that would show a definate successful breakin?

thanks

Norm
 
Old 02-12-2009, 07:40 AM
Alex Samad
 
Default POSSIBLE BREAK-IN in auth.log via ssh

On Thu, Feb 12, 2009 at 12:57:21AM -0500, Norman Bird wrote:
> I decided to check the auth.log and started freaking out because I saw alot
> of POSSIBLE BREAK-IN lines. then I saw roon loging in so I was panicking.
> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularily what should I do.
>
> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.
>
> I do need to log in via putty via ssh alot so I cant totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.
>
> Thanks
>
> Norm
>
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user
> root
> Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user
> root

These above are syslog messages from cron, telling you root logged in ,
we more like cron changed userid to root to run something

> Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string
> from 66.212.18.86
> Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo
> for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
> ATTEMPT!
> Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=66.212.18.86 user=root
> Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from
> 66.212.18.86 port 41396 ssh2
> Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo
> for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
> ATTEMPT! rhost=66.212.18.86

this is ssh complaining about incorrect password being supplied, I
presume you do not allow password authentication for root !

This is some script kiddie or mutant pc try brute attack against your
sshd server, try fail2ban


>
>
> then there is this, but it looks system related i think:
>
>

[snip]

> Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
> Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
> Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user
> nobody

looks to me like a processes running as root su'ed from root to nobody

[snip]

> Is there another log that would show a definate successful breakin?
>
> thanks
>
> Norm


apart from the brute force attack nothing really to worry about

--
I never vote for anyone. I always vote against.
-- W. C. Fields
 
Old 02-12-2009, 07:55 AM
Jochen Schulz
 
Default POSSIBLE BREAK-IN in auth.log via ssh

Norman Bird:

> I decided to check the auth.log and started freaking out because I saw alot
> of POSSIBLE BREAK-IN lines.

It says "possible break-in *attempt*". But either way, it is harmless.

And, by the way: do you think a smart attacker who gained root on your
machine would leave traces in the logs? I doubt it.

> then I saw roon loging in so I was panicking.

Don't panic.

> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularily what should I do.

You don't need to do anything.

> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.

Root kit checkers, just as anti-virus programs, cannot reliably detect
anything. They report false positives as well as false negatives. But
the idea to boot from a known good medium is a good one. *If* your
system has been attacked successfully, you should never trust it to
report it to you. You always have to use another one.

> I do need to log in via putty via ssh alot so I cant totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.

Search for a howto on public key authentication. It's well documented
and protects your SSH server from all those password brute force
attacks.

> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user
> root
> Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user
> root
> Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string
> from 66.212.18.86
> Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo
> for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
> ATTEMPT!
> Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=66.212.18.86 user=root
> Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from
> 66.212.18.86 port 41396 ssh2
> Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo
> for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
> ATTEMPT! rhost=66.212.18.86
>
>
> then there is this, but it looks system related i think:
>
>
> Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user
> root
> Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user
> root
> Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user
> root
> Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
> Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
> Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user
> nobody
> Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user
> root
> Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user
> root
> Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user
> root by (uid=0)
>
> Is there another log that would show a definate successful breakin?
>
> thanks
>
> Norm

--
We are lining up to see you fall flat on your face.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
 
Old 02-12-2009, 10:23 AM
Kevin Philp
 
Default POSSIBLE BREAK-IN in auth.log via ssh

SSH brute force attacks are very common - we get several a week. There
are various methods for stopping them - a summary is in:



http://www.security-hacks.com/2007/05/23/protecting-against-ssh-brute-force-attacks



I suggest the following:



1. configure ssh to block all users apart from those you define -
either define the users or have an sshusers group. Don't put any
default accounts in here such as admin, sales, games - these regularly
occur on in the brute force attacks.



2. users should not have easy usernames like fred, mary - these are
usually on the guessing lists. firstnamesurname increases the options
they have to try. From reading the logs of brute force attacks the user
names are normally easy guesses based on default accounts or firstnames.



3. User passwords should meet minimum standards of letters, numbers,
minsize, other characters.



4. Don't allow root to log in via SSH - root is the most commonly used
name for SSH brute force attacks. If you must have root access set up
access via an RSA key. If possible get everyone using RSA keys and
switch off password logins altogether.



5. Use one of the blocking methods such as iptables rate limiting.*
They invariably don't come back after being blocked once. You could use
the iptables method coupled with one of the log scanning methods for an
extra layer of defence.



One example is at:



http://blog.andrew.net.au/2005/02/16



6. If its convenient switch to a different port - the brute force
attackers just scan blocks of IP addresses at port 22 - if you are
using port 22 you are much less likely to be scanned.



Finally - don't panic - they are looking for easy targets, if you make
their life hard they go away. I rarely see the same IP address come
back after they have been blocked for a few minutes - they just move on.



Kevin.







Jochen Schulz wrote:

Norman Bird:



I decided to check the auth.log and started freaking out because I saw alot
of POSSIBLE BREAK-IN lines.



It says "possible break-in *attempt*". But either way, it is harmless.

And, by the way: do you think a smart attacker who gained root on your
machine would leave traces in the logs? I doubt it.



then I saw roon loging in so I was panicking.



Don't panic.



But as I really reviewed them it seems that the actual root logins were by
CRON and the nobody logins were system related. Please look this over and
give any advice and particularily what should I do.



You don't need to do anything.



Somewhere online said I should "boot with a root kit checker", feel free to
advise on this.



Root kit checkers, just as anti-virus programs, cannot reliably detect
anything. They report false positives as well as false negatives. But
the idea to boot from a known good medium is a good one. *If* your
system has been attacked successfully, you should never trust it to
report it to you. You always have to use another one.



I do need to log in via putty via ssh alot so I cant totally disable it. I
will beef up my password now and maybe change the port, but I need input on
that please, or a good site.



Search for a howto on public key authentication. It's well documented
and protects your SSH server from all those password brute force
attacks.



Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user
root
Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user
root
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string
from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo
for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
ATTEMPT!
Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser=
rhost=66.212.18.86 user=root
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from
66.212.18.86 port 41396 ssh2
Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo
for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
ATTEMPT! rhost=66.212.18.86


then there is this, but it looks system related i think:


Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user
root
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user
root
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user
root
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user
nobody
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user
nobody
Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user
nobody
Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user
nobody
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user
root
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user
root
Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user
root by (uid=0)

Is there another log that would show a definate successful breakin?

thanks

Norm
 
Old 02-12-2009, 11:15 AM
Nate Bargmann
 
Default POSSIBLE BREAK-IN in auth.log via ssh

* Kevin Philp <lists@cybercolloids.net> [2009 Feb 12 05:25 -0600]:

> 6. If its convenient switch to a different port - the brute force
> attackers just scan blocks of IP addresses at port 22 - if you are using
> port 22 you are much less likely to be scanned.

Perhaps you meant, "if you are _not_ using port 22 you are much less
likely to be scanned." Also, not using port 22 may help to get around
your ISP blocking port 22.

- Nate >>

--

"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://n0nb.us/index.html


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-12-2009, 01:22 PM
Raquel
 
Default POSSIBLE BREAK-IN in auth.log via ssh

On Thu, 12 Feb 2009 19:40:16 +1100
Alex Samad <alex@samad.com.au> wrote:

> this is ssh complaining about incorrect password being supplied, I
> presume you do not allow password authentication for root !
>
> This is some script kiddie or mutant pc try brute attack against
> your sshd server, try fail2ban

I used to blacklist all those in my firewall. Then I installed
fail2ban. I don't have to spend the time with the firewall and the
breakin attempts have dropped dramatically, to the point where I
seldom see one any more.

My advice is to install fail2ban.

--
Raquel
http://www.byraquel.com
================================================== ==========
Free speech without responsibility is not liberty; it is licence.
The freedom to swing one's arm ends where it makes contact with one's
neighbour's nose.

--Canadian Broadcast Standards Council


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-18-2009, 01:00 PM
Paul Tader
 
Default POSSIBLE BREAK-IN in auth.log via ssh

Raquel wrote:

On Thu, 12 Feb 2009 19:40:16 +1100
Alex Samad <alex@samad.com.au> wrote:


this is ssh complaining about incorrect password being supplied, I
presume you do not allow password authentication for root !

This is some script kiddie or mutant pc try brute attack against
your sshd server, try fail2ban


I used to blacklist all those in my firewall. Then I installed
fail2ban. I don't have to spend the time with the firewall and the
breakin attempts have dropped dramatically, to the point where I
seldom see one any more.

My advice is to install fail2ban.



For ssh dictionary attacks, another package you might consider is
DenyHost. (http://denyhosts.sourceforge.net/)


--
ptader (at)
www.linuxscope.com


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 07:38 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org