Deleted User Account Is Trying to Log Into A Linux Server
So this keeps coming up and I can't seem to find an answer for it.
I have a user ron, who left the company more than a year ago. I've upgraded the logging from syslog to rsyslog and now I'm seeing that this user ron is trying to log into two of my Linux servers.
Code:
server sshd[4346]: Invalid user ron from 143.83.xxx.xxx
Code:
find / -user ron
I did clean up under /etc/ssh/sshd_config the following:
Code:
Also, where does this public key come into this? Could this user's public key be on one of the systems? Thanks
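An added example, not code from the thread: a small shell function that summarises rsyslog/sshd "Invalid user" records per user name and source address, plus one that lists which hosts tried a given name. The log lines are constructed samples using documentation-range addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise sshd "Invalid user"
# attempts from an rsyslog-style auth log, grouped by user name and source.
# The log lines below are constructed samples (documentation-range addresses).
SAMPLE_LOG='Mar  3 10:01:12 server sshd[4346]: Invalid user ron from 192.0.2.10
Mar  3 10:01:12 server sshd[4346]: input_userauth_request: invalid user ron [preauth]
Mar  3 10:02:40 server sshd[4351]: Invalid user ron from 192.0.2.10
Mar  3 10:15:03 server sshd[4390]: Accepted publickey for melissa from 192.0.2.20 port 51022 ssh2
Mar  3 11:30:55 server sshd[4522]: Invalid user ron from 192.0.2.11
Mar  3 11:31:00 server sshd[4525]: Invalid user admin from 198.51.100.7'

# invalid_user_summary: reads log text on stdin, prints "count user source",
# highest count first. Only the canonical "Invalid user X from Y" record is
# counted, so the lowercase "[preauth]" follow-up line is not double counted.
invalid_user_summary() {
    awk '/sshd\[[0-9]*\]: Invalid user [^ ]* from / {
             for (i = 1; i <= NF; i++)
                 if ($i == "user") { key = $(i + 1) " " $(i + 3); break }
             count[key]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# invalid_user_sources: distinct source addresses that tried a given user name,
# the first thing to check when that name belongs to a deleted account.
invalid_user_sources() {
    invalid_user_summary | awk -v u="$1" '$2 == u { print $3 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | invalid_user_summary
```

Feed it your real auth log (`grep sshd /var/log/auth.log | invalid_user_sources ron`) and the addresses that come out are the machines to inspect for a leftover key or job.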
So? Ron is trying to get back in. You (wisely) locked him out by deleting the account. What is your worry? A lot of former (fired?) employees try this...just to see if they can...on a quiet/boring moment in their life...
I'd not get too worried... I bet Ron could log in remotely, hence the SSH key...that now is..invalid...too bad for him... Good for you, however, on closing the gaps that allow him to come back in... Melissa
My worry is that this network that my Linux servers are on is on a closed subnet, which means no one from the outside can get in.
So either 'ron' has found a way in or there is something else going on.
So, the SSH suggests a remote login... How big/open/accessible is the infrastructure? Melissa Edit - the IP address suggests a non-local origin. Or...you have a misconfigured LAN there... The IP addresses should be inside the prescribed ranges...
So while at home, I had the idea to search for ron's public key, which is basically me searching for all public keys on the system.
Code:
Besides my public ssh key, it turned up a number of keys
Code:
Also, the rsa, dsa and the other .pub keys are standard under /etc/ssh, correct?
Yes and no.
Yes, it is coming from a server that is on that closed subnet and I've deleted ron's account (I lock the accounts for 60 to 90 days, to see if anything breaks or if there is anything I need, and then I delete the account) on all Linux servers. No, in that the rsyslog is showing ron's public key is trying to connect to two other Linux servers on that closed subnet. Maybe this is some sort of cron job that I will have to look at? Again, I searched for all public keys on those servers and can't find anything.
I suspect that "ron" accidentally is someone else...or...someTHING else... A network HAS (per RFC1918) to fall into a class...that means: use IP addresses set aside for private networks... Your network has (I suspect) a connection to the internet...that is a way out...and in... Can you do a WHOIS on the complete IP address? I bet it comes up with an "owner" of that address... Melissa (intrigued by this post)
Some of 143.83.0.0 is assigned to the Department of Defense. http://www.tcpiputils.com/browse/ip-address/143.83.0.0 "spooky" indeed.
Melissa
I wanna know the actual IP. ;) Time for the movie Sneakers!
The IPv4 classes (Class A, B, C and D of IPv4)?
A small intro...
1 Attachment(s)
Let's say hi to google:
Code:
[melissa@Avalon ~]$ ping www.google.com
Now, remembering every IP address is not done...anymore, that's "old skool". That worked when the internet was as big as the handful of colleges and universities hooked on to it...nowadays DNS does that "translation" for us... Now, let's Google! In your browser you'd enter www.google.com and underneath...the browser asks the corresponding IP address from the DNS server...and works with that from then on. You never (have to) notice... :)

But...what do you think will happen when you give an internal server the SAME IP address? Yea, confusion :eek: . IANA came up with a super bril plan: reserve ranges for private use. Now, instead of saying 'my IP addresses start at 192.168 and go to...." you'd talk about your network as being a Class C...with IP addresses that start at 192.0.0.0 and span aaaaaaalll the way to 223.255.255.255...that is a lot of PCs...

In order to avoid crosstalk, confusion, floods, forest fires and the odd crying baby...the PURPOSE of the host (the server or PC or printer...) determines what type of IP address it should have... And, by the looks of it, your servers...have an address reserved for ... public (on the Internet) use.... :tisk: I added a small example...notice the IP addresses I assigned...all Class C...and..no interference :) Neat eh? ;) Melissa
::EDIT:: Re-read the original post. Ron is getting rejected, but the idea of a script somewhere doing something still has weight. Again, TOTAL SPECULATION...but I'd check both the system and user-specific CRONs on that box
Ron didn't leave behind any documentation on servers, programs or scripts. So I'm discovering stuff every day as I clean up behind Ron. Once I started the position I locked Ron's account and then 60 days later deleted it. Like I said, I was upgrading from syslog to rsyslog when it showed up and I'm digging into it now. I'm going to hunt through the cron jobs and see what I can find; however, running the find command for the public key didn't find it.
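Since `find / -user ron` and the hunt for .pub files both came up empty, here is an added example (not code from the thread) of where else a departed user's name tends to survive and keep generating "Invalid user" attempts from your own hosts: authorized_keys comments, cron entries that ssh or rsync as that user, and ssh client configs. The function searches whatever root directory you pass, so it can be run against / on a live host; the built-in sample tree is constructed and its key material is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: list what a departed user may have
# left behind that still produces "Invalid user <name>" attempts after the
# account is gone. ROOT is the directory tree to search (pass / on a live host).
audit_departed_user() {
    name=$1
    root=${2:-/}
    # 1. authorized_keys files whose comment field names the user: such a key
    #    still works for whichever account owns the file.
    find "$root" -type f \( -name authorized_keys -o -name authorized_keys2 \) \
        -exec grep -lw -- "$name" {} + 2>/dev/null | sed 's/^/authorized_keys: /'
    # 2. cron jobs that ssh/rsync somewhere as that user: the usual reason a
    #    key-based attempt keeps coming from one of your own servers.
    grep -rlw -- "$name" "$root"/etc/crontab "$root"/etc/cron* \
        "$root"/var/spool/cron 2>/dev/null | sed 's/^/cron: /'
    # 3. ssh client configs that set "User <name>" for some host.
    grep -rlw -- "User $name" "$root"/etc/ssh/ssh_config \
        "$root"/home/*/.ssh/config 2>/dev/null | sed 's/^/ssh_config: /'
}

# Constructed sample tree so the function can be exercised offline; the key
# material is a placeholder string, not a real key.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/backup/.ssh" "$t/home/melissa/.ssh" "$t/etc/cron.d" "$t/var/spool/cron"
    echo 'ssh-ed25519 AAAA-placeholder-key ron@old-laptop' > "$t/home/backup/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAA-placeholder-key melissa@avalon' > "$t/home/melissa/.ssh/authorized_keys"
    echo '0 2 * * * root ssh ron@db02 /usr/local/bin/sync.sh' > "$t/etc/cron.d/nightly-sync"
    echo '30 1 * * * rsync -e ssh /srv/data ron@db01:/backup' > "$t/var/spool/cron/root"
    printf 'Host db01\n    User melissa\n' > "$t/home/melissa/.ssh/config"
    echo "$t"
}

# audit_count: number of findings for a user under a root (0 means clean).
audit_count() {
    audit_departed_user "$1" "$2" | grep -c .
}

tree=$(make_sample_tree)
audit_departed_user ron "$tree"
```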