SSH logins faillures with no logs ! [FEATURE REQUEST]

Hello,

When I check the daily report, I was very surprise because I, found a numerous tentative to log on the ssh console...

but there is no log of this connections...

 Summary 



Network Usage:                                WebAdmin Logins:   

Traffic processed: 3.8 GB                     Successful: 6 

Connections Handled: 23035                    Failed: 5 

          

Network Security:                             Console Logins:   

Packets blocked by Firewall: 7802             Successful: 5 

Attacks blocked by IPS: 0                     Failed:>>>> 3295 <>

you can see the whole local logins :

2008:04:04-09:49:32 (none) su: (to root) loginuser on /dev/pts/0

2008:04:04-09:49:32 (none) su: pam_unix(su:session): session started for user root, service su

2008:04:04-11:18:43 (none) su: (to root) loginuser on /dev/pts/1

2008:04:04-11:18:43 (none) su: pam_unix(su:session): session started for user root, service su

2008:04:04-11:38:01 (none) su: pam_unix(su:session): session finished for user root, service su

2008:04:04-12:47:42 (none) su: pam_unix(su:session): session finished for user root, service su

2008:04:04-15:02:03 (none) su: (to root) loginuser on /dev/pts/0

2008:04:04-15:02:03 (none) su: pam_unix(su:session): session started for user root, service su

2008:04:04-15:45:29 (none) su: pam_unix(su:session): session finished for user root, service su

2008:04:04-21:43:25 (none) su: (to root) loginuser on /dev/pts/0

2008:04:04-21:43:25 (none) su: pam_unix(su:session): session started for user root, service su

2008:04:04-21:44:39 (none) su: (to root) loginuser on /dev/pts/1

2008:04:04-21:44:39 (none) su: pam_unix(su:session): session started for user root, service su

2008:04:04-21:47:06 (none) su: pam_unix(su:session): session finished for user root, service su

2008:04:04-21:47:20 (none) su: pam_unix(su:session): session finished for user root, service su

Very short...

whereas the authentification logs with is useful and complete ( and if we configure it we receive mail on logins failure on webadmin... )
(I just remove IP & logins... [;)] )


2008:04:04-09:46:53 (none) aua[16585]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="xx" user="xx" caller="webadmin" engine="local"

2008:04:04-11:22:29 (none) aua[24110]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="xx" user="xx" caller="webadmin" engine="local"

2008:04:04-12:32:57 (none) aua[26341]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="xx" user="xx" caller="webadmin" reason="DENIED"

2008:04:04-12:33:02 (none) aua[26354]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="xx" user="xx" caller="webadmin" engine="local"

2008:04:04-14:17:59 (none) aua[29730]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="xx" user="xx" caller="webadmin" engine="local"

2008:04:04-15:03:10 (none) aua[30573]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="xx" user="xx" caller="webadmin" reason="DENIED"

2008:04:04-15:03:16 (none) aua[30589]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="xx" user="xx" caller="webadmin" reason="DENIED"

2008:04:04-15:03:21 (none) aua[30606]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="xx" user="xx" caller="webadmin" reason="DENIED"

2008:04:04-15:03:36 (none) aua[2901]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="xx" user="xx" caller="webadmin" reason="Too many failures from client IP, still blocked for 585 seconds"

2008:04:04-15:39:20 (none) aua[31918]: id="3001" severity="info" sys="System" sub="auth" name="Daemon started successfully"

2008:04:04-18:37:45 (none) aua[10912]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="xx" user="xx" caller="webadmin" engine="local"

2008:04:04-20:33:01 (none) aua[12623]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="xx" user="xx" caller="webadmin" engine="local"

Even in the packet filter, there is no line with dstport="22"...
So we see that we have many failure on the ssh login, but there I can't find any useful information, and i have no warning during the day...

My system was set to accept ANY for the SSH & webadmin connection : it is just a temporary test box and I monitor the connection... ( after this mail I restrict it more... )

But even in a standard configuration ( just authorize from the protected lan), if somebody tries to compromise the firewall, we have no logs/warns about his tries...

Ulong

Parents

0 ulong over 17 years ago
I just received the weekly report and it's now a bug because it can't be possible :

fisrt the daily (04/04/08)
Console Logins:
Successful: 5
Failed: 3295

and now the weekly report : monday 31' to sunday 06'
Console Logins:
Successful: 0
Failed: 0

Did you see an error ???

Ulong
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 17 years ago in reply to ulong

can you chech sshd.log from the respective day?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ulong over 17 years ago in reply to Marcel_01

Many thanks,

I didn't notice about this specific log ( when I found "local logins" logs, I think that there are no other log...)
I see the faillure ( brute force in trying to gain root access... )...

But :
a/ It didn't explain the weekly report that show no error ... whereas the daily show the 3200 tries...

B/ The ssh as no restriction : he can try to overpass the password, at a rate of 2 tries by seconds : a lock of some time after several tries can be susefull ??? ( Maybe a mail ??)

Ulong
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 17 years ago in reply to ulong

a) you are right. but this is hard to debug without access to the system. I assume time/date did not change on your system during that week..

b) would be a nice feature request. even if that does not solve your problem directly:
  - usually ssh scanners trying to access via bruteforce try root as username (you should see that in your logfile). a potential attacker needs to know that this is an ASG and the use 'loginuser' (basically that is one of the reasons why we have that user)
  - SSH access on production systems should never ever be opened to a large number of IPs
  - using ACC (Astaro Command Center) may help - there you'll get also information about failed logins (though, no email notification yet)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ulong over 17 years ago in reply to Marcel_01

Hello,

A) I can give you an access if you want... (give me an email using a private message, and I will send you the necessary informations...)

B) You are right...
He mostly try root but it try also some other logins...
So Just an email can be suffisent, but it's not hurry [FEATURE REQUEST]!...

Ulong...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Marcel_01 over 17 years ago in reply to ulong

moving to feature requests - find my mail address in your pm
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ulong over 16 years ago in reply to Marcel_01

Hi Marcel,

Just for information :
I received the monthly report, and as we see in the weekly report, it doesn't show the correct stats...

Ulong
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 ulong over 16 years ago in reply to Marcel_01

Hi Marcel,

Just for information :
I received the monthly report, and as we see in the weekly report, it doesn't show the correct stats...

Ulong
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data