LinuxQuestions.org
Old 05-17-2009, 10:49 PM   #1
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Rep: Reputation: 49
Getting strange user names in /var/log/messages.


Hi there:

In /var/log/messages I've got many lines like these, with a different user name for each pair.

May 17 12:18:04 host21 sshd[mmmmm]: Invalid user magnos from nnn.nnn.nn.n
May 17 12:18:04 host21 sshd[mmmmm]: Failed password for invalid user magnos from nnn.nnn.nn.n port ppppp ssh2

And there are hundreds of these names. These users are not in /etc/passwd. What would the meaning of this be? Bear in mind my machine is connected to the outside world by two and only two channels: the console and my ISP, and that I'm the only one who sits at the console. Thanks for reading.

------------------------------------------ Enrique.
 
Old 05-18-2009, 02:29 AM   #2
hw-tph
Senior Member
 
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032

Rep: Reputation: 57
People are trying to log in to your ssh server, guessing passwords. This procedure is most likely entirely automated on the attacker's part but it's often quite wise to move the ssh listening port from port 22 to something non-standard if your machine is connected to the outside world.

Also, ssh blacklisting/whitelisting allows you to automatically deny all connections from, say, countries other than your own.
 
Old 05-18-2009, 02:39 AM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
A slightly more targeted variant would be to use tools like
blockhosts, fail2ban, et al. to deny repeated login-attempts
to IPs with e.g. 3 failed attempts for an hour, which makes
brute force attacks far less likely to succeed w/o having to
permanently block half the world...

Have a look at the sticky about ssh attacks in security


Cheers,
Tink
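As an added example (not from the thread, and not fail2ban's or blockhosts' own code), the rule Tink describes, 3 failed attempts from one address within an hour, applied to a constructed /var/log/messages excerpt in the format quoted in post #1; the year 2009, the PIDs and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One failed-login line in the format quoted in post #1. Only "Failed password"
# lines are counted: the "Invalid user ... from ..." line that precedes one
# reports the same attempt and would double-count it.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

# Constructed /var/log/messages excerpt; addresses are documentation ranges.
SAMPLE_LOG = """\
May 17 12:18:04 host21 sshd[4120]: Invalid user magnos from 203.0.113.7
May 17 12:18:04 host21 sshd[4120]: Failed password for invalid user magnos from 203.0.113.7 port 51022 ssh2
May 17 12:18:09 host21 sshd[4122]: Invalid user magnus from 203.0.113.7
May 17 12:18:09 host21 sshd[4122]: Failed password for invalid user magnus from 203.0.113.7 port 51030 ssh2
May 17 12:18:15 host21 sshd[4124]: Failed password for root from 203.0.113.7 port 51041 ssh2
May 17 12:18:20 host21 sshd[4126]: Accepted publickey for enrique from 192.0.2.10 port 50000 ssh2
May 17 12:20:00 host21 sshd[4130]: Failed password for enrique from 198.51.100.4 port 40122 ssh2
May 17 14:30:00 host21 sshd[4190]: Failed password for enrique from 198.51.100.4 port 40188 ssh2
May 17 15:45:00 host21 sshd[4250]: Failed password for enrique from 198.51.100.4 port 40201 ssh2
"""

def find_offenders(lines, threshold=3, window_seconds=3600, year=2009):
    """Return {ip: time the threshold was reached} for every source with at
    least `threshold` failed passwords inside a sliding `window_seconds`.
    syslog stamps carry no year, so one is supplied (2009: the thread's)."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # expire failures older than the window
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {when:%b %d %H:%M:%S} -> candidate for a temporary block")
```

The second address fails three times but spread over more than an hour, so it is not flagged at the default window; that is the difference between a rate rule and a permanent block list.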
 
Old 05-18-2009, 03:39 AM   #4
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Original Poster
Rep: Reputation: 49
Thanks a lot. I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?

Tinkster, I'll make a full revision of my distro and see if
those programs are there. Thanks very much.

P.S.: by the way: is the practice of addressing members individually wise?
 
Old 05-18-2009, 03:50 AM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
Quote:
Originally Posted by ENRIQUESTEFANINI
Thanks a lot. I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?
That's odd, considering that messages quite clearly states
that sshd is running?

Quote:
Originally Posted by ENRIQUESTEFANINI
Tinkster, I'll make a full revision of my distro and see if
those programs are there. Thanks very much.
Most welcome.

Quote:
Originally Posted by ENRIQUESTEFANINI
P.S.: by the way: is the practice of addressing members individually wise?
I'm not sure I follow? If you mean contacting individuals
via e-Mail, off the board, I can only speak for myself and
say that I ignore these requests (not entirely, I will only
respond that I don't have the time to take care of those
requests on top of my time spent with work, day to day chores
and the copious amounts of time I spend on LQ anyway) - others
may feel the same (or completely differently).

If you mean something else, please elaborate, or rephrase
your question to clarify.


Cheers,
Tink
 
Old 05-18-2009, 06:57 AM   #6
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Original Poster
Rep: Reputation: 49
Tinkster: Roger. About the addressing thing, I mean using the member's LQ name (not his real name) in the thread's post.
Take the message you are reading now as an example. If I were to put 'i92guboj' into it and i92guboj were an LQ member, would this be well seen? Namely, does it violate any regulation or increase the probability of the post being rejected by a moderator? I at first said to myself: if the thread is too long, then the style of addressing individually, in the sense indicated above, would end up making me mad and introducing confusion among the other members.
But then I reconsidered, and saw linuxquestions as a chatting site very much like a room where people chat. In the latter case, it makes sense to address somebody individually, just as people in a room do. That's all, and I hope I haven't been too long. Thanks.
 
Old 05-18-2009, 02:54 PM   #7
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Quote:
Originally Posted by ENRIQUESTEFANINI
I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?
I think "top" isn't the perfect tool for the task. It can show the top CPU or memory consumers. When I try your command, top runs indefinitely, until I kill it, and gives no output.

Use, instead,

    ps -C sshd

or, if you like it fancier,

    ps f -fC sshd

(The "f"s are for "forest" and "full", respectively).

Quote:
P.S.: by the way: is the practice of addressing members individually wise?
You're welcome to address me as "Quigi" any time. No, it's not my "given" name, but my pals have been calling me that since they gave me the name in elementary school. Unauthoritatively, I think it's appropriate to call people on LQ by whatever moniker they chose for themselves.

/Quigi
 
Old 05-18-2009, 04:18 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
How many of the users are authorized to use ssh? If only a few, then you can use "AllowUsers" in /etc/ssh/sshd_config to restrict access to only these users. This is much easier than adding system users to UsersDeny. System users are known and often targets of brute force attacks.

Changing the port that ssh uses will remove many of the script kiddie attacks. Only allowing protocol 2 and using Public Key authentication, and not allowing root logins as well as AllowUsers may discourage more skilled attackers as well.
 
Old 05-20-2009, 12:32 AM   #9
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Original Poster
Rep: Reputation: 49
Sorry for the delay. I inserted the line 'allowusers root' in file sshd_config. The rest of the file is entirely commented. But
sshd doesn't seem to be reading sshd_config, because I rebooted, logged in as a regular user and the system didn't object.
Any hint will be gladly received.
 
Old 05-20-2009, 04:15 PM   #10
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
Hi,

Sorry, there's two problems:
#1: permitting root logins via ssh is one of the most basic mistakes one can make,
and considered a MAJOR security flaw. Permit one or two known good user accounts
with very secure passwords.
#2: The key-/value-pair is case sensitive. allowusers != AllowUsers



Cheers,
Tink

Last edited by Tinkster; 05-20-2009 at 04:16 PM.
 
Old 05-20-2009, 05:41 PM   #11
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Original Poster
Rep: Reputation: 49
Hi and thanks.

Two things:
#1: I only did it as a test, to see what happened. Later I proved with a regular user's username and again it did not work.
#2: only the value member of the pair is case sensitive, at least in my manual. Anyways, in /etc/ssh/sshd_config I entered, verbatim,

AllowUsers xxxxxx.

Errata: I said every entry in this file is commented out.
Correction: There's an entry with keyword 'Subsystem'
which is uncommented (as it was in the distro).
 
Old 05-21-2009, 03:48 PM   #12
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Original Poster
Rep: Reputation: 49
I admit a lot of man pages yet to read. As you have been so kind as to answer my post, I must say I only would like to know this:
Having three users in the system, root, regular_user_1, regular_user_2, and entry

AllowUsers regular_user_1

in /etc/ssh/sshd_config, why am I able to log in as regular_user_2? I'll also give a look to LQ-Security forum, a sticky thread with references to that matter. Regards.
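Added example, not from the thread and not OpenSSH's code: a small model of how sshd evaluates the DenyUsers and AllowUsers lists from posts #8 and #12, following sshd_config(5) (keywords are case-insensitive, arguments are case-sensitive, list keywords accumulate across lines). The configs are constructed; it cannot tell why a running daemon ignored the file, but it shows what the directive does once the daemon has read it.

```python
import fnmatch

def parse_user_lists(config_text):
    """Collect AllowUsers/DenyUsers patterns from sshd_config text.
    Keywords compare case-insensitively ('allowusers' works); the user
    patterns stay case-sensitive. List keywords accumulate across lines.
    Match blocks are not modelled here, so parsing stops at the first one."""
    lists = {"allowusers": [], "denyusers": []}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key in lists:
            lists[key].extend(parts[1:])
    return lists["allowusers"], lists["denyusers"]

def user_allowed(config_text, user, host="*"):
    """sshd's order for these two lists: a DenyUsers match refuses the login;
    then, if any AllowUsers pattern exists, the user must match one of them.
    USER@HOST patterns are matched against the client host given as `host`."""
    allow, deny = parse_user_lists(config_text)

    def matches(pattern):
        if "@" in pattern:
            u, h = pattern.split("@", 1)
            return fnmatch.fnmatchcase(user, u) and fnmatch.fnmatchcase(host, h)
        return fnmatch.fnmatchcase(user, pattern)  # '*' and '?' wildcards

    if any(matches(p) for p in deny):
        return False
    return not allow or any(matches(p) for p in allow)

# Constructed configs. CONFIG_ALLOW mirrors post #12 (one regular user allowed,
# Subsystem left uncommented as shipped); CONFIG_TYPO shows a pattern that
# can never match a real login name; CONFIG_HOST restricts by source address.
CONFIG_ALLOW = "Subsystem sftp /usr/libexec/sftp-server\nallowusers regular_user_1\n"
CONFIG_TYPO = "AllowUsers regular_user_1.\n"
CONFIG_HOST = "DenyUsers root\nAllowUsers enrique@192.0.2.*\n"

if __name__ == "__main__":
    for user in ("root", "regular_user_1", "regular_user_2"):
        print(f"{user:15} allowed: {user_allowed(CONFIG_ALLOW, user)}")
```

With no AllowUsers line in effect every user passes, which is exactly what a daemon that never re-read the file would appear to do.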
 
Old 05-21-2009, 04:28 PM   #13
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
Hmmm ... after that change to the sshd_config file, did you
restart the daemon?
 
Old 05-21-2009, 04:52 PM   #14
cam34
Member
 
Registered: Aug 2003
Distribution: OpenSuse 11.1, SLES10, Fedora 11 & XP 4 Gaming *sniffs
Posts: 101

Rep: Reputation: 16
Are you going to be using SSH?
If you're not, why not disable it? Tell us your distro and someone will be able to help.
 
Old 05-22-2009, 12:17 AM   #15
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,271

Original Poster
Rep: Reputation: 49
After modifying sshd_config I rebooted. So, sshd restarted.

I intend to stick to the policy of my distribution, Slackware 12.0 which, out of the box, makes sshd run. But I could temporarily disable it, if someone helps me. Thanks.
 