Getting strange user names in /var/log/messages.
Hi there:
In /var/log/messages I've got many lines like these, with a different user name for each pair:
Code:
May 17 12:18:04 host21 sshd[mmmmm]: Invalid user magnos from nnn.nnn.nn.n
May 17 12:18:04 host21 sshd[mmmmm]: Failed password for invalid user magnos from nnn.nnn.nn.n port ppppp ssh2
And there are hundreds of these names. These users are not in /etc/passwd. What would the meaning of this be? Bear in mind my machine is connected to the outside world by two and only two channels: the console and my ISP, and that I'm the only one who sits at the console. Thanks for reading.
------------------------------------------
Enrique. |
People are trying to log in to your ssh server, guessing passwords. This procedure is most likely entirely automated on the attacker's part but it's often quite wise to move the ssh listening port from port 22 to something non-standard if your machine is connected to the outside world.
Also, ssh blacklisting/whitelisting allows you to automatically deny all connections from, say, countries other than your own. |
A slightly more targeted variant would be to use tools like
blockhosts, fail2ban, et al. to deny repeated login-attempts to IPs with e.g. 3 failed attempts for an hour, which makes brute force attacks far less likely to succeed w/o having to permanently block half the world... Have a look at the sticky about ssh attacks in security Cheers, Tink |
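As an added example (not from any post in this thread), this is the counting a blocker such as fail2ban or blockhosts performs, done by hand with standard tools over a constructed sample of /var/log/messages lines. The addresses, PIDs and port numbers in the sample are made up; the line format is the one sshd writes via syslog.

```shell
#!/bin/sh
# Added example: count sshd password failures per source address in
# syslog-style lines and list the addresses that cross a threshold, which is
# the rule a tool like fail2ban applies before it blocks. Sample is constructed.

# Constructed sample of /var/log/messages lines (addresses, PIDs, ports made up).
SAMPLE_LOG='May 17 12:18:04 host21 sshd[4011]: Invalid user magnos from 192.0.2.10
May 17 12:18:04 host21 sshd[4011]: Failed password for invalid user magnos from 192.0.2.10 port 40112 ssh2
May 17 12:18:09 host21 sshd[4013]: Invalid user oracle from 192.0.2.10
May 17 12:18:09 host21 sshd[4013]: Failed password for invalid user oracle from 192.0.2.10 port 40117 ssh2
May 17 12:18:15 host21 sshd[4015]: Failed password for root from 192.0.2.10 port 40120 ssh2
May 17 12:19:02 host21 sshd[4020]: Failed password for enrique from 198.51.100.7 port 51022 ssh2
May 17 12:19:30 host21 sshd[4022]: Accepted publickey for enrique from 198.51.100.7 port 51030 ssh2'

# failed_by_ip: print "count address" for every source address with at least
# one "Failed password" line, highest count first. Reads log text on stdin.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# over_threshold THRESHOLD: print only the addresses whose failure count is
# at least THRESHOLD (the "3 failed attempts" rule mentioned above).
over_threshold() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# invalid_users: distinct account names that do not exist on this system
# (the "Invalid user" lines), one per line, so the spread of names is visible.
invalid_users() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user \([^ ]*\) from .*/\1/p' | sort -u
}

# main: run the three views over the constructed sample.
main() {
    echo "failures per source address:"
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo "addresses a blocker with a 3-failure rule would act on:"
    printf '%s\n' "$SAMPLE_LOG" | over_threshold 3
    echo "account names tried that are not in /etc/passwd:"
    printf '%s\n' "$SAMPLE_LOG" | invalid_users
}

main
```

To run it over the live log instead of the sample, feed `grep sshd /var/log/messages` into the functions. Note that a real blocker counts within a time window and lifts the block after a while; this listing is the static version of that decision, useful for seeing how many distinct addresses and names are behind the noise before choosing a threshold.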
Thanks a lot. I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?
Tinkster, I'll make a full revision of my distro and see if those programs are there. Thanks very much. P.S.: by the way: is the practice of addressing members individually wise? |
that sshd is running?
via e-Mail, off the board, I can only speak for myself and say that I ignore these requests (not entirely, I will only respond that I don't have the time to take care of those requests on top of my time spent with work, day to day chores and the copious amounts of time I spend on LQ anyway) - others may feel the same (or completely differently). If you mean something else, please elaborate, or rephrase your question to clarify. Cheers, Tink |
Tinkster: Roger. About the addressing thing, I mean using the member's LQ name (not his real name) in the thread's post.
Take the message you are reading now as an example. If I were to put 'i92guboj' into it and i92guboj were an LQ member, would this be well seen? Namely, does it violate any regulation or increase the probability of the post being rejected by a moderator? I at first said to myself: if the thread is too long, then the style of addressing individually, in the sense indicated above, would end up making me mad and introducing confusion among the other members. But then I reconsidered, and saw linuxquestions as a chatting site very much like a room where people chat. In that case, it makes sense to address somebody individually, just as people in a room do. That's all, and I hope I haven't been too long. Thanks. |
Use, instead:
Code:
ps -C sshd
Code:
ps f -fC sshd
/Quigi |
How many of the users are authorized to use ssh? If only a few, then you can use "AllowUsers" in /etc/ssh/sshd_config to restrict access to only these users. This is much easier than adding system users to UsersDeny. System users are known and often targets of brute force attacks.
Changing the port that ssh uses will remove many of the script kiddie attacks. Only allowing protocol 2 and using Public Key authentication, and not allowing root logins as well as AllowUsers may discourage more skilled attackers as well. |
Sorry for the delay. I inserted the line 'allowusers root' in file sshd_config. Rest of file is entirely commented. But
sshd doesn't seem to be reading sshd_config because I rebooted as a regular user and the system didn't object. Any hint will be gladly received. |
Hi,
Sorry, there are two problems:
#1: permitting root logins via ssh is one of the most basic mistakes one can make, and considered a MAJOR security flaw. Permit one or two known good user accounts with very secure passwords.
#2: The key-/value-pair is case sensitive. allowusers != AllowUsers
Cheers, Tink |
Hi and thanks.
Two things:
#1: I only did it as a test, to see what happened. Later I proved with a regular user's username and again it did not work.
#2: only the value member of the pair is case sensitive, at least in my manual.
Anyways, in /etc/ssh/sshd_config I entered, verbatim, AllowUsers xxxxxx.
Errata: I said every entry in this file is commented out. Correction: There's an entry with keyword 'Subsystem' which is uncommented (as it was in the distro). |
I admit I have a lot of man pages yet to read. As you have been so kind as to answer my post, I must say I only would like to know this:
Having three users in the system, root, regular_user_1, regular_user_2, and entry AllowUsers regular_user_1 in /etc/ssh/sshd_config, why am I able to log in as regular_user_2? I'll also give a look to LQ-Security forum, a sticky thread with references to that matter. Regards. |
Hmmm ... after that change to the sshd_config file, did you
restart the daemon? |
Are you going to be using SSH?
If you're not, why not disable it? Tell us your distro and someone will be able to help. |
After modifying sshd_config I rebooted. So, sshd restarted.
I intend to stick to the policy of my distribution, Slackware 12.0 which, out of the box, makes sshd run. But I could temporarily disable it, if someone helps me. Thanks. |
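Pulling together the hardening points raised earlier in the thread (AllowUsers, no root login, protocol 2, public-key authentication) and the question of why an AllowUsers line seemed to have no effect, here is an added example, not code from anyone in this thread, that audits an sshd_config text against those settings. It relies on how sshd reads the file: keywords are matched case-insensitively and arguments (user names, yes/no) case-sensitively, and a change is only seen once sshd has re-read the file, which a restart or reboot does. One caveat for testing: AllowUsers governs only logins that arrive through sshd, so a login at the console is decided by login/PAM and is unaffected; the test has to be an actual ssh connection to the machine. Both configuration texts below are constructed for the example and are not the thread's real file.

```shell
#!/bin/sh
# Added example: audit an sshd_config text against the hardening settings
# discussed in the thread. Keyword lookup is case-insensitive, as in sshd.
# Both configurations here are constructed, not taken from a real host.

# Constructed "before": everything commented out except the Subsystem line,
# which is the state described in the thread; sshd defaults then apply.
WEAK_CONFIG='#Port 22
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server'

# Constructed "after": the settings recommended in the thread.
HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers regular_user_1
Subsystem sftp /usr/libexec/sftp-server'

# setting KEYWORD: print the argument of the first uncommented KEYWORD line
# (keyword compared case-insensitively), or nothing if it is absent.
# Reads the configuration text on stdin.
setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

CFG=""        # configuration under audit, set by audit()
FAILURES=0    # running count of failed checks

# check KEYWORD EXPECTED: report whether $CFG sets KEYWORD to EXPECTED.
# An unset keyword counts as a failure, because the default then applies.
check() {
    got="$(printf '%s\n' "$CFG" | setting "$1")"
    if [ "$got" = "$2" ]; then
        echo "$1: ok ($got)"
    else
        echo "$1: FAIL (found '${got:-unset}', want '$2')"
        FAILURES=$((FAILURES + 1))
    fi
}

# audit: run every check against the configuration on stdin and end with a
# "failures: N" summary line.
audit() {
    CFG="$(cat)"
    FAILURES=0
    check PermitRootLogin no
    check PasswordAuthentication no
    check PubkeyAuthentication yes
    check Protocol 2
    if [ -n "$(printf '%s\n' "$CFG" | setting AllowUsers)" ]; then
        echo "AllowUsers: ok"
    else
        echo "AllowUsers: FAIL (no user list, so every account may attempt a login)"
        FAILURES=$((FAILURES + 1))
    fi
    echo "failures: $FAILURES"
}

# count_failures: only the number of failed checks for the configuration on stdin.
count_failures() {
    audit | sed -n 's/^failures: //p'
}

echo "== weak (defaults) =="
printf '%s\n' "$WEAK_CONFIG" | audit
echo "== hardened =="
printf '%s\n' "$HARDENED_CONFIG" | audit
```

To audit the real file, run `audit < /etc/ssh/sshd_config` after sourcing the script. After editing the file, `sshd -t` checks it for syntax errors before the daemon is restarted, and the effect of an AllowUsers line is verified by attempting an ssh login as a user not on the list, not by logging in at the console.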