[opensuse] SSH warning / Leap 42.2: Permissions 0640 for '/etc/ssh/ssh_host_xxx_key' are too open
Hi!

Unexpectedly I've got this warning on one of the servers:

SSH warning: Permissions 0640 for '/etc/ssh/ssh_host_xxx_key' are too open

Because of this, the ssh daemon has not written any logs. I have had fail2ban installed from the beginning, and checking the log showed that it continuously banned many IPs. I have no idea when this happened. Quite strange, since I never changed the permissions of these files; I only installed syslog-ng instead of the default logger and limited the log file size to 100MB. Does it mean the server was somehow compromised?

PS. Usually SSH root login shows the message "last successful login from ***" or "last failed login from ***". Now there is no such message.

Thanks in advance for any suggestion(s).

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2017-07-03 20:52, andreil1@starlett.lv wrote:
Hi !
Unexpectedly I've got this warning on one of the servers: SSH warning: Permissions 0640 for '/etc/ssh/ssh_host_xxx_key' are too open
So change them. Example:

cer@Telcontar:~> l /etc/ssh/ssh_host*
-rw------- 1 root root 668 Dec 26 2016 /etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root 600 Dec 26 2016 /etc/ssh/ssh_host_dsa_key.pub
Because of this, the ssh daemon has not written any logs. I have had fail2ban installed from the beginning, and checking the log showed that it continuously banned many IPs.
Probably because the daemon does not start. No logs, no further errors.

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 07/03/2017 11:41 PM, Carlos E. R. wrote:
On 2017-07-03 20:52, andreil1@starlett.lv wrote:
Hi !
Unexpectedly I've got this warning on one of the servers: SSH warning: Permissions 0640 for '/etc/ssh/ssh_host_xxx_key' are too open
So change them. Example:

cer@Telcontar:~> l /etc/ssh/ssh_host*
-rw------- 1 root root 668 Dec 26 2016 /etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root 600 Dec 26 2016 /etc/ssh/ssh_host_dsa_key.pub
I did. The question is how this problem appeared. Is this a security update which does more strict checking of SSH keys?
On 07/03/2017 04:59 PM, andreil1@starlett.lv wrote:
I did. The question is how this problem appeared. Is this a security update which does more strict checking of SSH keys?
The problem most likely appeared because you moved the keys from some other machine without preserving the file permissions. Or you had a chmod command go awry... I've seen no similar behavior on 42.2

--
David C. Rankin, J.D., P.E.
On 07/05/2017 10:26 PM, David C. Rankin wrote:
On 07/03/2017 04:59 PM, andreil1@starlett.lv wrote:
I did. The question is how this problem appeared. Is this a security update which does more strict checking of SSH keys?
The problem most likely appeared because you moved the keys from some other machine without preserving the file permissions. Or you had a chmod command go awry... I've seen no similar behavior on 42.2
Nope, the machine is not copied. It had a problem with a full disk, however.
On 07/03/2017 11:52 AM, andreil1@starlett.lv wrote:
Unexpectedly I've got this warning on one of the servers: SSH warning: Permissions 0640 for '/etc/ssh/ssh_host_xxx_key' are too open
Would have been nice to know the dates on those files before you changed them.

I've had this happen in the past when restoring/moving files from a backup source that did not restore proper permissions, such as when cloning a system or upgrading a hard drive or something.

If this suddenly appeared, and you KNOW or have backups showing it was not always that way, then yes, it is definitely a sign of tampering.

It can never properly work this way. It's refused to run with loose permissions since forever AFAIR.

--
After all is said and done, more is said than done.
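As an added example, not part of the thread: a small POSIX shell script that does what Carlos and John suggest, in the order John wants it done. It records each private host key's mode, mtime and ctime before anything is touched (ctime changes on a chmod even when mtime does not, so it dates a permission change), counts the keys sshd would refuse because group or world bits are set, and only then tightens them to 0600. It assumes GNU coreutils stat as shipped on openSUSE; the function names and the sample directory are constructed for the demo, which runs against a temporary directory instead of /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the thread: audit the private host keys in a
# directory the way sshd's "Permissions ... are too open" check does (any
# group or world bit on a private key is rejected), print mtime/ctime of each
# key BEFORE changing anything, then tighten the mode to 0600.
# Assumes GNU coreutils stat (as on openSUSE). Run against /etc/ssh for real;
# the demo at the bottom runs against a constructed temp directory.

# Print "path mode=... mtime=... ctime=..." for every private host key in $1
# and a final line "open=<n>" with the number of keys whose mode has group or
# other bits set. Always exits 0; the count goes to stdout.
audit_host_keys() {
    dir=$1
    open=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        # ctime moves on chmod even when the contents (mtime) are untouched,
        # so both are worth recording before any fix.
        printf '%s mode=%s mtime="%s" ctime="%s"\n' "$key" "$mode" \
            "$(stat -c '%y' "$key")" "$(stat -c '%z' "$key")"
        # 0$mode is parsed as octal; 077 masks the group and other bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            open=$((open + 1))
        fi
    done
    echo "open=$open"
}

# Number of "too open" private keys in $1 (stdout only, always exits 0).
count_open_keys() {
    audit_host_keys "$1" | sed -n 's/^open=//p'
}

# Set every private host key in $1 to 0600 (root:root on a real system).
fix_host_keys() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] && chmod 0600 "$key"
    done
    return 0
}

# Constructed sample: a throwaway directory with two private keys and one
# public key; one private key is deliberately left at 0640 as in the report.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/ssh_host_rsa_key";     chmod 0600 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_rsa_key.pub"; chmod 0644 "$d/ssh_host_rsa_key.pub"
    : > "$d/ssh_host_ed25519_key"; chmod 0640 "$d/ssh_host_ed25519_key"
    echo "$d"
}

sample=$(make_sample_dir)
audit_host_keys "$sample"    # lists both private keys, ends with open=1
fix_host_keys "$sample"
audit_host_keys "$sample"    # ends with open=0
rm -rf "$sample"
```

On the real host, run audit_host_keys /etc/ssh as root and keep its output (that is the "dates on those files" John asks about), then fix_host_keys /etc/ssh; afterwards sshd -t confirms the daemon will start with its current configuration.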
On 07/04/2017 07:38 PM, John Andersen wrote:
On 07/03/2017 11:52 AM, andreil1@starlett.lv wrote:
Unexpectedly I've got this warning on one of the servers: SSH warning: Permissions 0640 for '/etc/ssh/ssh_host_xxx_key' are too open
Would have been nice to know the dates on those files before you changed them.
I've had this happen in the past when restoring/moving files from a backup source that did not restore proper permissions, such as when cloning system or upgrading a hard drive or something.
If this suddenly appeared, and you KNOW or have backups showing it was not always that way, then yes, it is definitely a sign of tampering.
It can never properly work this way. It's refused to run with loose permissions since forever AFAIR.
This system was not cloned or copied. It's a small internet appliance with an SSD disk. 3 weeks ago I noticed it became very slow; the disk had 0 free space because of logs, so I switched from rsyslog to syslog-ng, limited the size of the logs, and wiped out /var/log. However, I never changed the permissions of the SSH keys. A few days ago I noticed fail2ban does nothing, and discovered a problem with ssh key permissions.
On 07/04/2017 10:58 AM, andreil1@starlett.lv wrote:
A few days ago I noticed fail2ban does nothing, and discovered a problem with ssh key permissions.
Then I'd assume you've been hacked, and take it off line (right away), nuke and re-install.

I look for foreign additions to authorized_keys files (all of them). Somebody, local or remote, probably already has root, or at least a user account from which they could attack root.

When you do put it back up, disable password authentication, regenerate your ssh keys, and only allow ssh public key authentication.

I don't think a normal opensuse install allows login over ssh by root. So I'd look into all other accounts on that machine.

--
After all is said and done, more is said than done.
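As an added example, not part of John's post: a shell script that inventories every authorized_keys file under a root directory so that unexpected entries stand out, printing each file's mode and mtime, the number of key entries, and each entry's key type and comment (an entry prefixed with options such as from="..." is located by its key type and still counted). It assumes GNU coreutils stat and find; the sample tree with placeholder key blobs is constructed for the demo. On a real machine run it with / as the root, as root, and compare the listing with the keys you know you installed.

```shell
#!/bin/sh
# Added example, not from the thread: inventory every authorized_keys file
# under a root directory: file mode, mtime, number of key entries, and the
# type and comment of each entry. Assumes GNU coreutils stat and find.
# Run with root "/" on a real host; the demo builds a constructed tree.

# One header line per authorized_keys file ("path mode=... mtime=... keys=N")
# followed by one "  key: <type> <comment>" line per entry. Blank lines and
# comments are skipped. The key type is the first field matching a known
# prefix, so entries with leading options (from=..., command=...) are handled.
list_authorized_keys() {
    root=$1
    find "$root" -path '*/.ssh/authorized_keys' -type f 2>/dev/null | sort |
    while read -r f; do
        n=$(awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f")
        printf '%s mode=%s mtime="%s" keys=%s\n' "$f" "$(stat -c '%a' "$f")" \
            "$(stat -c '%y' "$f")" "$n"
        awk '
            NF == 0 || $1 ~ /^#/ { next }
            {
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                        c = ""
                        # field i+1 is the key blob; everything after is comment
                        for (j = i + 2; j <= NF; j++) c = c " " $j
                        printf "  key: %s%s\n", $i, c
                        break
                    }
            }' "$f"
    done
}

# Total number of key entries across all authorized_keys files under $1.
count_authorized_keys() {
    list_authorized_keys "$1" | awk '/^  key: / { n++ } END { print n + 0 }'
}

# Constructed sample tree: two accounts, one of which carries an entry the
# admin does not recognise. Key blobs are placeholders, not real keys.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root/.ssh" "$t/home/alice/.ssh"
    cat > "$t/root/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAPLACEHOLDERBLOB1 admin@workstation
EOF
    cat > "$t/home/alice/.ssh/authorized_keys" <<'EOF'
# alice's laptop
ssh-rsa AAAAPLACEHOLDERBLOB2 alice@laptop
from="203.0.113.7" ssh-ed25519 AAAAPLACEHOLDERBLOB3 unknown@nowhere
EOF
    chmod 0600 "$t/root/.ssh/authorized_keys" "$t/home/alice/.ssh/authorized_keys"
    echo "$t"
}

tree=$(make_sample_tree)
list_authorized_keys "$tree"    # 2 files, 3 entries; the from= one is unexpected
rm -rf "$tree"
```

The listing is only as good as your memory of what should be there, which is why John's advice to compare against known state (or a backup) matters; a key you cannot account for, or an mtime that coincides with the permission change on the host keys, is the thing to look for.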
On 2017-07-04 21:47, John Andersen wrote:
On 07/04/2017 10:58 AM, andreil1@starlett.lv wrote:
A few days ago I noticed fail2ban does nothing, and discovered a problem with ssh key permissions.
Then I'd assume you've been hacked, and take it off line (right away), nuke and re-install.
Not necessarily. fail2ban may do nothing if the daemon doesn't run, which may be the case if there are errors in the config files. Or if the logs are not being produced correctly (he changed the syslog daemon).
I don't think a normal opensuse install allows login over ssh by root.
Yes, it does. By default.

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 07/04/2017 03:04 PM, Carlos E. R. wrote:
On 2017-07-04 21:47, John Andersen wrote:
On 07/04/2017 10:58 AM, andreil1@starlett.lv wrote:
A few days ago I noticed fail2ban does nothing, and discovered a problem with ssh key permissions.
Then I'd assume you've been hacked, and take it off line (right away), nuke and re-install.
Not necessarily. fail2ban may do nothing if the daemon doesn't run, which may be the case if there are errors in the config files. Or if the logs are not being produced correctly (he changed the syslog daemon).
Fail2ban isn't the main issue here. It's just a symptom of the fact that one or more of his main ssh private keys were set with insecure permissions, and he had no recollection of doing that himself. You would need root to do that.

So I don't see how you blame that on fail2ban.

--
After all is said and done, more is said than done.
On 2017-07-05 00:47, John Andersen wrote:
On 07/04/2017 03:04 PM, Carlos E. R. wrote:
On 2017-07-04 21:47, John Andersen wrote:
On 07/04/2017 10:58 AM, andreil1@starlett.lv wrote:
A few days ago I noticed fail2ban does nothing, and discovered a problem with ssh key permissions.
Then I'd assume you've been hacked, and take it off line (right away), nuke and re-install.
Not necessarily. fail2ban may do nothing if the daemon doesn't run, which may be the case if there are errors in the config files. Or if the logs are not being produced correctly (he changed the syslog daemon).
Fail2ban isn't the main issue here. It's just a symptom of the fact that one or more of his main ssh private keys were set with insecure permissions, and he had no recollection of doing that himself. You would need root to do that.
So I don't see how you blame that on fail2ban.
I'm not blaming fail2ban at all.

--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
participants (4)
- andreil1@starlett.lv
- Carlos E. R.
- David C. Rankin
- John Andersen