Bob Vickers wrote:
Hello All,
We recently suffered a rather puzzling intrusion on an OpenSUSE 11.3 workstation and I wondered whether anyone else had seen anything similar.
This computer allowed (it doesn't any more) ssh access from anywhere in the world, and anyone with this set-up expects to see lots of failed login attempts in the log.
On 24th Sept one of these attacks was taking place and generated the worrying message

sshd[26712]: Accepted password for ftp from 221.6.15.150 port 60041 ssh2
A couple of days later there were a whole bunch of them. It seems that all the system accounts had become open.

sshd[12088]: Accepted password for tomcat from 69.143.190.100 port 62729 ssh2
sshd[12130]: Accepted password for ftp from 69.143.190.100 port 63316 ssh2
sshd[12166]: Accepted password for postfix from 69.143.190.100 port 63739 ssh2
sshd[12192]: Accepted password for mysql from 69.143.190.100 port 60222 ssh2
sshd[12292]: Accepted password for nobody from 69.143.190.100 port 62565 ssh2
sshd[12336]: Accepted password for wwwrun from 69.143.190.100 port 63245 ssh2
sshd[12350]: Accepted password for news from 69.143.190.100 port 63501 ssh2
sshd[12382]: Accepted password for games from 69.143.190.100 port 63864 ssh2
sshd[12414]: Accepted password for mail from 69.143.190.100 port 60051 ssh2
sshd[12450]: Accepted password for sshd from 69.143.190.100 port 60814 ssh2
sshd[12460]: Accepted password for bin from 69.143.190.100 port 61108 ssh2
sshd[12490]: Accepted password for daemon from 69.143.190.100 port 61467 ssh2
sshd[12520]: Accepted password for lp from 69.143.190.100 port 61779 ssh2
sshd[12556]: Accepted password for uucp from 69.143.190.100 port 62212 ssh2
sshd[12981]: Accepted password for mysql from 69.143.190.100 port 60149 ssh2
sshd[12999]: Accepted password for ftp from 69.143.190.100 port 60514 ssh2
sshd[13073]: Accepted password for mysql from 69.143.190.100 port 61914 ssh2
sshd[13093]: Accepted password for sshd from 69.143.190.100 port 62346 ssh2
sshd[13220]: Accepted password for wwwrun from 69.143.190.100 port 60966 ssh2
sshd[13228]: Accepted password for news from 69.143.190.100 port 61196 ssh2
sshd[13258]: Accepted password for lp from 69.143.190.100 port 61497 ssh2
sshd[13288]: Accepted password for mail from 69.143.190.100 port 61830 ssh2
sshd[13294]: Accepted password for bin from 69.143.190.100 port 61916 ssh2
sshd[13324]: Accepted password for postfix from 69.143.190.100 port 62245 ssh2
sshd[13332]: Accepted password for at from 69.143.190.100 port 62362 ssh2
None of these accounts have passwords in /etc/shadow and none of them have null strings either. So it seems to me the most likely culprit was a misconfiguration in sshd or PAM or LDAP (in nsswitch.conf we have

passwd: compat
group: compat
shadow: compat
passwd_compat: ldap
group_compat: ldap
shadow_compat: ldap

and also we have

/etc/shadow:+::0:0:0::::
/etc/shadow:+::0:0:0::::
/etc/passwd:+:::::/nonexistent:/usr/local/etc/restricted-machine
)
The machine has been rebooted with a new kernel since then and I cannot ssh to those accounts, so I am hoping the vulnerability is no longer present. But has anyone else ever seen anything similar?
Regards, Bob
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691

Lyle Giese wrote:
I cannot find the reference right off, but one of the first things I do when bringing up a new SuSE machine is make a couple of changes to ssh. There was an article at Novell that basically said the same thing when you want to expose ssh.

Change Permit root login to no.
Change protocol version to 2 only.
Change the port the server listens to. I recommend something > 1024. If you are running a public server, you may not be able to do that, but few web designers know what to do with a command line and it cuts down on the chaff from the script kiddies.
Add the following to the /etc/sshd_config:

AllowGroups sshallow

Now go into YAST and add group sshallow and only put in the user ids you want to be able to login via ssh. And that does not include root or ftp.

Lyle Giese
LCR Computer Services, Inc.

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
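A detection check for the anomaly Bob describes (sshd accepting a password for an account whose /etc/shadow entry has no usable hash), added here as an illustration and not code from either poster. The log lines and the shadow excerpt are constructed samples modelled on the post; the function names are my own.

```python
import re

# Constructed sample auth log lines (hypothetical hosts, documentation IPs).
SAMPLE_LOG = """\
sshd[26712]: Accepted password for ftp from 192.0.2.10 port 60041 ssh2
sshd[12088]: Accepted password for tomcat from 192.0.2.10 port 62729 ssh2
sshd[12099]: Failed password for root from 192.0.2.10 port 62730 ssh2
sshd[12120]: Accepted password for bobv from 198.51.100.7 port 50122 ssh2
sshd[12131]: Accepted publickey for bobv from 198.51.100.7 port 50123 ssh2
"""

# Constructed /etc/shadow excerpt. A hash field of '*' or starting with '!'
# can never match a typed password; an empty field is a null password,
# which sshd refuses unless PermitEmptyPasswords is enabled.
SAMPLE_SHADOW = """\
ftp:*:15000:0:99999:7:::
tomcat:!:15000:0:99999:7:::
bobv:$6$saltsalt$notarealhashXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:15000:0:99999:7:::
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port (\d+)")


def unusable_password_accounts(shadow_text):
    """Users whose shadow hash field cannot be satisfied by any password."""
    users = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hashfield = fields[0], fields[1]
        if hashfield == "" or hashfield.startswith(("*", "!")):
            users.add(user)
    return users


def suspicious_password_logins(log_text, shadow_text):
    """'Accepted password' events for accounts that have no valid password.

    Any hit means password authentication succeeded through a path other
    than the local shadow hash (e.g. PAM/LDAP lookup), which is exactly the
    misconfiguration Bob suspects and is worth alerting on immediately.
    """
    locked = unusable_password_accounts(shadow_text)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(1) in locked:
            hits.append((m.group(1), m.group(2)))
    return hits
```

On a real host the same check runs over /var/log/messages (or the auth log) and the actual /etc/shadow, and belongs in a periodic log-watch rather than a one-off run.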