[opensuse-factory] Again about ssh security
Hello,

I've already written about this in the past but then I never took any countermeasures nor direct actions.

Today I was monitoring my Tumbleweed /var/log/messages and I noticed some weird messages (here below I copy the latest 30 lines of the system log):

marco@linux-turion64:~> sudo cat /var/log/messages|grep ssh|tail -30
2015-12-04T16:32:05.622900-02:00 linux-turion64 kernel: [29046.711474] audit: type=2404 audit(1449253925.616:316): pid=15120 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15120 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444307-02:00 linux-turion64 kernel: [29505.239471] audit: type=2404 audit(1449254384.385:325): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444328-02:00 linux-turion64 kernel: [29505.239612] audit: type=2404 audit(1449254384.385:326): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444331-02:00 linux-turion64 kernel: [29505.239860] audit: type=2404 audit(1449254384.385:327): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444333-02:00 linux-turion64 kernel: [29505.239942] audit: type=2404 audit(1449254384.385:328): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.778846-02:00 linux-turion64 kernel: [29505.628145] audit: type=2407 audit(1449254384.773:329): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=15291 suid=495 rport=33796 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.778864-02:00 linux-turion64 kernel: [29505.628238] audit: type=2407 audit(1449254384.773:330): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=15291 suid=495 rport=33796 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:46.898850-02:00 linux-turion64 kernel: [29507.746109] audit: type=1112 audit(1449254386.893:331): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:39:48.470863-02:00 linux-turion64 kernel: [29509.317652] audit: type=2404 audit(1449254388.465:332): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=15291 suid=495 rport=33796 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:48.470888-02:00 linux-turion64 kernel: [29509.318201] audit: type=1109 audit(1449254388.465:333): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=178.136.234.6 addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:39:48.470892-02:00 linux-turion64 kernel: [29509.318956] audit: type=2404 audit(1449254388.465:334): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15289 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406074-02:00 linux-turion64 kernel: [29971.965632] audit: type=2404 audit(1449254851.354:339): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406077-02:00 linux-turion64 kernel: [29971.965755] audit: type=2404 audit(1449254851.354:340): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406078-02:00 linux-turion64 kernel: [29971.965941] audit: type=2404 audit(1449254851.354:341): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406079-02:00 linux-turion64 kernel: [29971.966014] audit: type=2404 audit(1449254851.354:342): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.750842-02:00 linux-turion64 kernel: [29972.354421] audit: type=2407 audit(1449254851.742:343): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=15409 suid=495 rport=33936 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.750857-02:00 linux-turion64 kernel: [29972.354575] audit: type=2407 audit(1449254851.742:344): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=15409 suid=495 rport=33936 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:33.906848-02:00 linux-turion64 kernel: [29974.511547] audit: type=1112 audit(1449254853.898:345): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:47:37.122861-02:00 linux-turion64 kernel: [29977.723799] audit: type=2404 audit(1449254857.115:346): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=15409 suid=495 rport=33936 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122890-02:00 linux-turion64 kernel: [29977.724448] audit: type=1109 audit(1449254857.115:347): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=178.136.234.6 addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:47:37.122893-02:00 linux-turion64 kernel: [29977.725374] audit: type=2404 audit(1449254857.115:348): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122895-02:00 linux-turion64 kernel: [29977.725469] audit: type=2404 audit(1449254857.115:349): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122896-02:00 linux-turion64 kernel: [29977.725638] audit: type=2404 audit(1449254857.115:350): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122900-02:00 linux-turion64 kernel: [29977.725742] audit: type=2404 audit(1449254857.115:351): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122918-02:00 linux-turion64 kernel: [29977.725819] audit: type=1112 audit(1449254857.115:352): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:51:01.038849-02:00 linux-turion64 kernel: [30181.532983] audit: type=2404 audit(1449255061.033:363): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:01.058828-02:00 linux-turion64 kernel: [30181.554578] audit: type=2404 audit(1449255061.053:364): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:01.062822-02:00 linux-turion64 kernel: [30181.558494] audit: type=2404 audit(1449255061.057:365): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:01.062835-02:00 linux-turion64 kernel: [30181.558564] audit: type=2404 audit(1449255061.057:366): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:06.526880-02:00 linux-turion64 kernel: [30187.019255] audit: type=1131 audit(1449255066.521:367): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Then I checked the status of the sshd daemon and I found this:

sudo rcsshd status
root's password:
● sshd.service - OpenSSH Daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-12-04 08:28:12 BRST; 8h ago
  Process: 1084 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
 Main PID: 1177 (sshd)
   CGroup: /system.slice/sshd.service
           └─1177 /usr/sbin/sshd -D

Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: error: PAM: User not known to the underlying authentication module for illegal user admin from 46.172.71.249
Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: Failed keyboard-interactive/pam for invalid user admin from 46.172.71.249 port 46183 ssh2
Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: error: Received disconnect from 46.172.71.249: 14: Unable to connect using the available authentication methods [preauth]
Dec 04 16:32:05 linux-turion64.ddns.net sshd[15120]: Connection closed by 178.136.234.6 [preauth]
Dec 04 16:39:46 linux-turion64.ddns.net sshd[15289]: Invalid user admin from 178.136.234.6
Dec 04 16:39:46 linux-turion64.ddns.net sshd[15289]: input_userauth_request: invalid user admin [preauth]
Dec 04 16:39:48 linux-turion64.ddns.net sshd[15289]: Connection closed by 178.136.234.6 [preauth]
Dec 04 16:47:33 linux-turion64.ddns.net sshd[15408]: Invalid user ubnt from 178.136.234.6
Dec 04 16:47:33 linux-turion64.ddns.net sshd[15408]: input_userauth_request: invalid user ubnt [preauth]
Dec 04 16:47:37 linux-turion64.ddns.net sshd[15408]: Connection closed by 178.136.234.6 [preauth]

Hence I temporarily disabled sshd.

Does somebody see something familiar and dangerous in these messages?

Many thanks.

Cheers,
-- 
Marco Calistri
opensuse Tumbleweed 64 bit - Kernel 4.3.0-2-default
Gnome 3.18
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
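An added example, not part of Marco's post or of any openSUSE tooling: a small Python triage of the two record types above. It decodes the hex-encoded acct field of the audit type=1112 (USER_LOGIN) records (28756E6B... reads "(unknown user)"), counts failed logins per source address, and takes the usernames actually tried from the sshd lines, since the audit record does not carry them. The sample lines are constructed in the same shape with made-up addresses, PIDs and times.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the audit (type=1112, USER_LOGIN)
# and sshd records quoted in the post; addresses, PIDs and times are made up.
SAMPLE_LOG = """\
2015-12-04T16:39:46.898850-02:00 host kernel: [29507.746109] audit: type=1112 audit(1449254386.893:331): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
2015-12-04T16:47:37.122918-02:00 host kernel: [29977.725819] audit: type=1112 audit(1449254857.115:352): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
2015-12-04T16:50:01.000000-02:00 host kernel: [29999.000000] audit: type=1112 audit(1449255001.000:360): pid=15500 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="marco" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.20 terminal=ssh res=success'
Dec 04 12:59:06 host sshd[12791]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.9 port 46183 ssh2
Dec 04 16:39:46 host sshd[15289]: Invalid user admin from 198.51.100.7
Dec 04 16:47:33 host sshd[15408]: Invalid user ubnt from 198.51.100.7
"""

AUDIT_LOGIN = re.compile(
    r"type=1112 .*?acct=(?P<acct>\S+) .*?addr=(?P<addr>\S+) .*?res=(?P<res>\w+)")
SSHD_INVALID = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed \S+ for invalid user) (?P<user>\S+) from (?P<addr>\S+)")

def decode_acct(raw):
    """audit writes acct as a quoted string, or hex-encoded when it contains
    spaces or quotes; 28756E6B... decodes to "(unknown user)"."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8")
    except ValueError:
        return raw

def failed_logins_by_addr(log_text):
    """Count audit USER_LOGIN records with res=failed per source address."""
    failed = Counter()
    for line in log_text.splitlines():
        m = AUDIT_LOGIN.search(line)
        if m and m.group("res") == "failed":
            failed[m.group("addr")] += 1
    return failed

def invalid_users_by_addr(log_text):
    """The audit record only says "(invalid user)"; the sshd line carries the
    username that was actually tried, so collect those per source address."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = SSHD_INVALID.search(line)
        if m:
            users[m.group("addr")].add(m.group("user"))
    return dict(users)

def flag_sources(log_text, threshold):
    """Addresses with at least `threshold` failed logins, most active first."""
    failed = failed_logins_by_addr(log_text)
    return [addr for addr, n in failed.most_common() if n >= threshold]
```

Pointing SAMPLE_LOG at a real /var/log/messages extract works unchanged, as both regexes only look at the fields shown in the post.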
On Friday 4 December 2015 18:57:28 Marco Calistri wrote:
Hello,
I've already written about this in the past but then I never took any countermeasures nor direct actions.
Today I was monitoring my Tumbleweed /var/log/messages and I noticed some weird messages (here below I copy the latest 30 lines of the system log):
[ ....]
Hence I temporarily disabled sshd.
Does somebody see something familiar and dangerous in these messages?
Many thanks.
Cheers,
This is quite common. As long as you disable root login, restrict the number of times a user can log in per minute, using what is explained around FW_SERVICES_ACCEPT_EXT= in /etc/sysconfig/SuSEfirewall2, and use safe passwords, not much trouble can happen via that route.

-- 
fr.gr.

member openSUSE

Freek de Kruijf
Hello,

On Friday, 4 December 2015 Marco Calistri wrote:
Dec 04 16:39:46 linux-turion64.ddns.net sshd[15289]: Invalid user admin from 178.136.234.6
Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: Failed keyboard-interactive/pam for invalid user admin from 46.172.71.249 port 46183 ssh2
Hence I temporarily disabled sshd.
Does somebody see something familiar and dangerous in these messages?
You'll get tons of those messages as soon as your SSH port is open to the public - there are some script kiddies, botnets, whatever out there that try to find accounts with common usernames [1] and weak passwords. In other words: that's normal ;-)

Recommendations:
- disallow password-based logins, allow only key-based logins
- rate-limit SSH connections in the firewall (using ipt_recent or fail2ban) to reduce the number of attempts. For SuSEfirewall, you can use something like
  FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
  (If you only allow key-based logins, that's mostly log cosmetics ;-)

Regards,

Christian Boltz

[1] You'll get lots of attempts for users like admin or root, but I also remember cases where lots of names were tried, basically more given names than I ever heard of. So if you need some inspiration to find a name for your child, have a look at your SSH logs ;-))

-- 
But still ... You know, lad, with things like that I always arbitrarily think of the worst case: namely that it's not a clever fellow like you who does it, but that some random person here or in some forum picks it up. [David Haller in opensuse-de]
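As an added example (not code from the thread, from Christian, or from openSUSE), a small checker for the two controls Freek and Christian recommend: the sshd_config keywords and the SuSEfirewall2 FW_SERVICES_ACCEPT_EXT entry with its hitcount/blockseconds rate limit. The config fragments are constructed; ChallengeResponseAuthentication is included in the check because the "keyboard-interactive/pam" failure in Marco's log goes through PAM and is not closed by PasswordAuthentication alone.

```python
import re
# Constructed config fragments (not the poster's files): a stock-style sshd_config
# beside the hardened one the replies recommend, and Christian's SuSEfirewall2 line.
WEAK_SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
UsePAM yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""
WEAK_FW = 'FW_SERVICES_ACCEPT_EXT="0/0,tcp,22"'
RATE_LIMITED_FW = 'FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"'

# Keyword -> recommended value. ChallengeResponseAuthentication is included because
# the "keyboard-interactive/pam" prompt in the log stays open if only PasswordAuthentication is off.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "challengeresponseauthentication": "no"}

def effective_settings(config_text):
    """Keyword -> value (lowercased); sshd honours the first occurrence of a keyword."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # comments leave the default in force
            continue
        key, value = re.split(r"[ \t=]+", line, maxsplit=1)
        settings.setdefault(key.lower(), value.strip().lower())
    return settings

def sshd_findings(config_text):
    """Recommended keywords that are unset or not at the recommended value."""
    settings = effective_settings(config_text)
    return [k for k, want in REQUIRED.items() if settings.get(k) != want]

def parse_fw_accept_ext(line):
    """Entries are 'net,proto,dport,sport,flag=value,...' separated by spaces."""
    value = line.split("=", 1)[1].strip('"')
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        flags = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        rules.append((fields[0], fields[1], fields[2], flags))
    return rules

def ssh_rate_limited(line, port="22"):
    """True when the rule admitting tcp/`port` carries hitcount and blockseconds."""
    for _net, proto, dport, flags in parse_fw_accept_ext(line):
        if proto == "tcp" and dport == port:
            return "hitcount" in flags and "blockseconds" in flags
    return False
```

Feed it the contents of /etc/ssh/sshd_config and the FW_SERVICES_ACCEPT_EXT line from /etc/sysconfig/SuSEfirewall2 to see which of the recommended settings are still missing.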
On Fri, 04 Dec 2015 18:57:28 -0200, Marco Calistri wrote:
Does somebody see something familiar and dangerous in these messages?
It's a brute force attack. Install something like fail2ban to deal with it.

Jim

-- 
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Fri, 04 Dec 2015 22:36:02 +0000, Jim Henderson wrote:
On Fri, 04 Dec 2015 18:57:28 -0200, Marco Calistri wrote:
Does somebody see something familiar and dangerous in these messages?
It's a brute force attack.
Install something like fail2ban to deal with it.
Also, I'd recommend disabling password authentication entirely and using public key authentication.

Jim

-- 
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On 04/12/2015 20:36, Jim Henderson wrote:
On Fri, 04 Dec 2015 22:36:02 +0000, Jim Henderson wrote:
On Fri, 04 Dec 2015 18:57:28 -0200, Marco Calistri wrote:
Does somebody see something familiar and dangerous in these messages?
It's a brute force attack.
Install something like fail2ban to deal with it.
Also, I'd recommend disabling password authentication entirely and using public key authentication.
Jim
Thanks everybody: Jim, Carlos, Christian, Freek, I've really appreciated your suggestions. I will apply the suggested mods, at least the ones you have named most often.

Best regards,
-- 
Marco Calistri
opensuse Tumbleweed 64 bit - Kernel 4.3.0-2-default
Gnome 3.18
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
Hi Marco,

On Fri, Dec 04, 2015 at 06:57:28PM -0200, Marco Calistri wrote:
I've already written about this in the past but then I never took any countermeasures nor direct actions.
Use a non-default (22) port for ssh to listen on.

/etc/ssh/sshd_config
Port 345

Caveats:

a) ~/.ssh/config should have something like

   Host *.mydomain.example.org
       Port 345

b) you have to adjust your firewall to allow access to the new port in question.

c) some WiFi hotspots only allow ports 22 and 80 by default. There port 234 might cause trouble for you.

Therefore feel free to prefer the other alternatives offered to you.

Cheers,

Lars
-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team + SUSE Labs
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, Dec 4, 2015 at 5:57 PM, Marco Calistri <marco.calistri@yahoo.com.br> wrote:
Hello,
I've already written about this in the past but then I never took any countermeasures nor direct actions.
Today I was monitoring my Tumbleweed /var/log/messages and I noticed some weird messages (here below I copy the latest 30 lines of the system log):
marco@linux-turion64:~> sudo cat /var/log/messages|grep ssh|tail -30
Does somebody see something familiar and dangerous in these messages?
Pretty much all protocols that offer interactive auth are vulnerable to this sort of thing; in this case the only solution is to use public key authentication and disable password login.
participants (6):
- Christian Boltz
- Cristian Rodríguez
- Freek de Kruijf
- Jim Henderson
- Lars Müller
- Marco Calistri