LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-06-2016, 02:32 PM   #1
JockVSJock, Senior Member
Deleted User Account Is Trying to Log Into A Linux Server


So this keeps coming up and I can't seem to find an answer for it.

I have a user ron, who left the company more than a year ago. I've upgraded the logging from syslog to rsyslog and now I'm seeing that this user ron is trying to log into two of my Linux servers.

Code:
server sshd[4346]: Invalid user ron from 143.83.xxx.xxx
server sshd[4346]: input_userauth_request: invalid user ron
server sshd[4346]: Failed none for invalid user ron from 143.83.xxx.xxx port 55808 ssh2
server sshd[4346]: Failed publickey for invalid user ron from 143.83.xxx.xxx port 55808 ssh2
server sshd[4346]: Failed password for invalid user ron from 143.83.xxx.xxx port 55808 ssh2
server sshd[4346]: Connection closed by 143.83.xxx.xxx
Again ron doesn't have an account on either server and I've used

Code:
find / -user ron

grep 'ron' /etc/passwd 
grep 'ron' /etc/group
To confirm this

I did clean up under /etc/ssh/sshd_config the following:

Code:
AllowGroup ron
I've removed ron and restarted sshd and still getting this.

Also where is this public key coming into this? Could this user's public key be on one of the system's?

thanks

Last edited by JockVSJock; 01-06-2016 at 02:34 PM.
 
Old 01-06-2016, 02:39 PM   #2
ButterflyMelissa, Senior Member
So? Ron is trying to get back in. You (wisely) locked him out by deleting the account. What is your worry? A lot of former (fired?) employees try this...just to see if they can...on a quiet/boring moment in their life...
I'd not get too worried...
I bet Ron could log in remotely, hence the SSH key...that now is..invalid...too bad for him...
Good for you, however, on closing the gaps that allow him to come back in...
Melissa
 
Old 01-06-2016, 02:42 PM   #3
JockVSJock, Senior Member, Original Poster
My worry is that this network that my Linux servers are on is on a closed subnet, which means no one from the outside can get in.

So either 'ron' has found a way in or there is something else going on.
 
Old 01-06-2016, 02:46 PM   #4
ButterflyMelissa, Senior Member
Quote:
My worry is that this network that my Linux servers are on is on a closed subnet, which means no one from the outside can get in.
No internet?
Quote:
So either 'ron' has found a way in or there is something else going on.
Okay, granted, that'd be super spooky...
So, the SSH, suggests a remote login...
How big/open/accessible is the infrastructure?
Melissa
Edit - the IP address suggests a non-local origin. Or...you have a misconfigured LAN there...
The IP addresses should be inside the prescribed ranges...

Last edited by ButterflyMelissa; 01-06-2016 at 02:48 PM.
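Taking the log lines from the first post and Melissa's point about address ranges together, here is a small triage script, added as an example for this thread (not code from any poster). It parses sshd's "Failed ... for invalid user" lines, groups attempts by account and source address, checks the account against passwd-format text, and flags whether each source falls inside the RFC 1918 private ranges. The log lines and passwd excerpt are constructed from the format shown in the thread; the masked octets are filled with the placeholder 143.83.0.1. One caveat worth knowing while reading the output: sshd logs "Failed publickey for invalid user" whenever a client offers a key for an account that does not exist, so that line by itself does not show that any key for the user is present on the server.

```python
"""Triage sshd "invalid user" lines: who is being tried, from where, whether
the account exists locally, and whether the source is RFC 1918 private space.

Added example for this thread, not code from any poster. All sample data
below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log sample in the format the thread shows. The thread masks the
# last two octets as xxx.xxx; 143.83.0.1 is a placeholder, not a real source.
SAMPLE_LOG = """\
Jan  6 14:30:01 server sshd[4346]: Invalid user ron from 143.83.0.1
Jan  6 14:30:01 server sshd[4346]: input_userauth_request: invalid user ron
Jan  6 14:30:01 server sshd[4346]: Failed none for invalid user ron from 143.83.0.1 port 55808 ssh2
Jan  6 14:30:01 server sshd[4346]: Failed publickey for invalid user ron from 143.83.0.1 port 55808 ssh2
Jan  6 14:30:02 server sshd[4346]: Failed password for invalid user ron from 143.83.0.1 port 55808 ssh2
Jan  6 14:30:02 server sshd[4346]: Connection closed by 143.83.0.1
Jan  6 14:35:10 server sshd[4402]: Failed password for invalid user ron from 10.20.30.40 port 41000 ssh2
Jan  6 14:36:00 server sshd[4410]: Accepted publickey for admin from 10.20.30.5 port 50222 ssh2
"""

# Constructed /etc/passwd excerpt: ron is absent, admin is present.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Admin:/home/admin:/bin/bash
"""

# Matches only failures for accounts sshd could not find ("invalid user").
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for invalid user "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip (string) lies inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def local_users(passwd_text):
    """Return the set of account names in passwd-format text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}


def parse_failed_invalid(log_text):
    """Yield (user, ip, method) for every 'Failed ... for invalid user' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["user"], m["ip"], m["method"]


def summarize(log_text, passwd_text):
    """Group attempts by (user, source ip) and annotate each group with whether
    the account exists locally and whether the source is private address space."""
    users = local_users(passwd_text)
    counts = defaultdict(lambda: defaultdict(int))
    for user, ip, method in parse_failed_invalid(log_text):
        counts[(user, ip)][method] += 1
    rows = []
    for (user, ip), methods in sorted(counts.items()):
        rows.append({
            "user": user,
            "source": ip,
            "user_exists": user in users,
            "source_is_private": is_rfc1918(ip),
            "methods": dict(methods),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, SAMPLE_PASSWD):
        origin = "private (RFC 1918)" if row["source_is_private"] else "NOT private"
        print(f"{row['user']:<8} from {row['source']:<15} {origin:<20} "
              f"exists={row['user_exists']} methods={row['methods']}")
```

On the thread's own data the 143.83.x.x source comes out as "NOT private", which is the point Melissa is making: an address in that range on a supposedly closed subnet deserves a whois lookup and a look at how the subnet is actually addressed, whatever the user name in the log says.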
 
Old 01-07-2016, 07:41 AM   #5
JockVSJock, Senior Member, Original Poster
So while at home, I had the idea to search for ron's public key, which is basically me searching for all public keys on the system.

Code:
find / -type f -name "*.pub"

Besides my public key, it turned up a number of keys

Code:
/var/run/pcscd.pub
/usr/lib/perl5/5.8.8/CPAN/PAUSE2003.pub
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/root/.ssh/id_rsa.pub
/root/.ssh/d50.id_rsa.pub
/root/.ssh/d238.id_rsa.pub
/root/.ssh/junk/id_rsa.pub
Using cat, all of the keys under /root are tied to root. However should these be there? If I try to login with ssh keys as root it doesn't work, so can I delete these?

Also the rsa, dsa and the other .pub key are standard under /etc/ssh, correct?
 
Old 01-07-2016, 07:57 AM   #6
berndbausch, LQ Addict
Quote:
Originally Posted by JockVSJock View Post
My worry is that this network that my Linux servers are on is on a closed subnet, which means no one from the outside can get in.

So either 'ron' has found a way in or there is something else going on.
Doesn't the IP address from where he attempts to log in, 143.83.x.y, give you a clue?
 
Old 01-07-2016, 08:03 AM   #7
JockVSJock, Senior Member, Original Poster
Yes and no.

Yes it is coming from a server that is on that closed subnet and I've deleted ron's account (I lock the accounts for 60 to 90 days, to see if anything breaks or if there is anything I need and then I delete the account) on all Linux servers.

No in that the rsyslog is showing ron's public key is trying to connect to two other Linux servers on that closed subnet. Maybe this is some sort of cronjob, that I will have to look at?

Again I searched for all public keys on those servers and can't find anything.
 
Old 01-07-2016, 09:20 AM   #8
ButterflyMelissa, Senior Member
Quote:
Yes it is coming from a server that is on that closed subnet
I think I have half of your solution right there...the IP address...
I suspect that "ron" accidentally is someone else...or...someTHING else...
A network HAS (per RFC1918) to fall into a class...that means: use IP addresses set aside for private networks...
Your network has (I suspect) connection to the internet...that is a way out...and in...
Can you do a WHOIS on the complete IP address? I bet it comes up with an "owner" of that address...
Melissa
(intrigued by this post)
 
Old 01-07-2016, 09:33 AM   #9
Habitual, LQ Veteran
Quote:
Originally Posted by Thor_2.0 View Post
No internet?

Okay, granted, that'd be super spooky...
Y'all better sit down.
Some of 143.83.0.0 is assigned to the Department of Defense.
http://www.tcpiputils.com/browse/ip-address/143.83.0.0

"spooky" indeed.
 
1 members found this post helpful.
Old 01-07-2016, 09:42 AM   #10
ButterflyMelissa, Senior Member
Quote:
Some of 143.83.0.0 is assigned to the Department of Defense.
Yep...and...an INTERNAL IP address should NOT fall outside the assigned class boundaries...
Quote:
"spooky" indeed.
At the very least...
Melissa
 
Old 01-07-2016, 03:15 PM   #11
Habitual, LQ Veteran
Quote:
Originally Posted by Thor_2.0 View Post
Yep...and...an INTERNAL IP address should NOT fall outside the assigned class boundaries...

At the very least...
Melissa
I love a good mystery, but spook stuff always well, spooks me.
I wanna know the actual IP.

Time for the movie Sneakers!
 
Old 01-08-2016, 05:59 AM   #12
JockVSJock, Senior Member, Original Poster
Quote:
Originally Posted by Thor_2.0 View Post
Yep...and...an INTERNAL IP address should NOT fall outside the assigned class boundaries...


Melissa
I don't understand what this means?

The IPv4 classes (Class A, B, C and D of IPv4)?

Last edited by JockVSJock; 01-08-2016 at 06:04 AM.
 
Old 01-08-2016, 11:32 AM   #13
ButterflyMelissa, Senior Member
A small intro...

Quote:
I don't understand what this means?
The IPv4 classes (Class A, B, C and D of IPv4)?
Okay, a bit of networking essentials...
Let's say hi to google:
Code:
[melissa@Avalon ~]$ ping www.google.com
PING www.google.com (74.125.136.103) 56(84) bytes of data.
64 bytes from ea-in-f103.1e100.net (74.125.136.103): icmp_seq=1 ttl=46 time=38.0 ms
64 bytes from ea-in-f103.1e100.net (74.125.136.103): icmp_seq=2 ttl=46 time=37.7 ms
64 bytes from ea-in-f103.1e100.net (74.125.136.103): icmp_seq=3 ttl=46 time=37.9 ms
64 bytes from ea-in-f103.1e100.net (74.125.136.103): icmp_seq=4 ttl=46 time=37.9 ms
See the IP address? It is 74.125.136.103. If you were to enter THAT in your browser, you'd end up on... google.
Now, remembering every IP address is not done...anymore, that's "old skool". That worked when the internet was as big as the handful of colleges and universities hooked on to it...nowadays DNS does that "translation" for us...
Now, let's Google! In your browser you'd enter www.google.com and underneath...the browser asks the DNS server for the corresponding IP address...and works with that from then on. You never (have to) notice...
But...what do you think will happen when you give an internal server the SAME IP address? Yea, confusion.
IANA came up with a super bril plan: reserve ranges for private use. Now, instead of saying "my IP addresses start at 192.168 and go to..." you'd talk about your network as being a Class C...with IP addresses that start at 192.0.0.0 and span aaaaaaalll the way to 223.255.255.255...that is a lot of PCs...
In order to avoid crosstalk, confusion, floods, forest fires and the odd crying baby...the PURPOSE of the host (the server or PC or printer...) determines what type of IP address it should have...
And, by the looks of it, your servers...have an address reserved for... public (on the Internet) use....
I added a small example...notice the IP addresses I assigned...all Class C...and..no interference
Neat eh?
Melissa
Attached image: LAN01.jpg
 
2 members found this post helpful.
Old 01-08-2016, 11:39 AM   #14
TB0ne, LQ Guru
Quote:
Originally Posted by JockVSJock View Post
Yes and no.

Yes it is coming from a server that is on that closed subnet and I've deleted ron's account (I lock the accounts for 60 to 90 days, to see if anything breaks or if there is anything I need and then I delete the account) on all Linux servers.

No in that the rsyslog is showing ron's public key is trying to connect to two other Linux servers on that closed subnet. Maybe this is some sort of cronjob, that I will have to look at?

Again I searched for all public keys on those servers and can't find anything.
Just speculation here, since I don't know what Ron's job was when he was with your company...but was he a programmer/admin? Could be something as innocuous as a file-transfer for some system that's been dutifully chugging along, and only using Ron's SSH key to SCP a file automatically. Granted, Ron won't be able to actually log in and get a shell...but the KEY is still present, and for SFTP/SCP, it may allow access.

::EDIT:: Re-read the original post. Ron is getting rejected, but the idea of a script somewhere doing something still has weight.

Again, TOTAL SPECULATION...but I'd check both the system and user-specific CRON's on that box

Last edited by TB0ne; 01-08-2016 at 02:39 PM.
 
1 members found this post helpful.
Old 01-08-2016, 03:02 PM   #15
JockVSJock, Senior Member, Original Poster
Quote:
Originally Posted by TB0ne View Post
Just speculation here, since I don't know what Ron's job was when he was with your company...but was he a programmer/admin? Could be something as innocuous as a file-transfer for some system that's been dutifully chugging along, and only using Ron's SSH key to SCP a file automatically. Granted, Ron won't be able to actually log in and get a shell...but the KEY is still present, and for SFTP/SCP, it may allow access.

::EDIT:: Re-read the original post. Ron is getting rejected, but the idea of a script somewhere doing something still has weight.

Again, TOTAL SPECULATION...but I'd check both the system and user-specific CRON's on that box
Right, I took over Ron's job as a Linux Sys Admin.

Ron didn't leave behind any documentation on servers, programs or scripts. So I'm discovering stuff every day as I clean up behind Ron. Once I started the position, I locked Ron's account and then 60 days later deleted it. Like I said, I was upgrading from syslog to rsyslog when it showed up and I'm digging into it now.

I'm going to hunt through the cron jobs and see what I can find; however, running the find command for the public key didn't find it.
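Following TB0ne's cron suggestion and the key search in post #5, here is an added example (not code from any poster) of where to look next. A `find / -name "*.pub"` only turns up public-key files that happen to carry that suffix; the entries that would actually grant access live in each account's `~/.ssh/authorized_keys` (or wherever `AuthorizedKeysFile` in sshd_config points), and a job that connects outward as ron would sit in a crontab or a file under /etc/cron.d. The script builds a constructed directory tree in a temp dir so it runs offline; pointing `scan_tree` at `/` as root runs the same scan on a real host. The file names, key comments and hostnames in the sample tree are made up.

```python
"""Hunt for where a departed user's access could still be wired in:
authorized_keys entries and cron jobs that mention the user.

Added example for this thread, not code from any poster. build_sample_tree()
creates a constructed layout under a temp dir; nothing here touches the real
system unless you call scan_tree("/", ...).
"""
import os
import re
import tempfile


def build_sample_tree():
    """Constructed layout: root's authorized_keys carries a second key whose
    comment names ron, and a cron.d job copies a file to ron@<made-up host>."""
    root = tempfile.mkdtemp(prefix="keyhunt-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    write("root/.ssh/authorized_keys",
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0exampleKEYDATA== root@server\n"
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1exampleKEYDATA== ron@oldlaptop\n")
    write("home/admin/.ssh/authorized_keys",
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleKEYDATA admin@desk\n")
    write("etc/cron.d/nightly-copy",
          "15 2 * * * root scp /var/backups/db.tgz ron@backup.example:/srv/\n")
    write("var/spool/cron/root", "0 * * * * /usr/local/bin/rotate-logs\n")
    return root


# Key type, base64 blob, optional trailing comment (the part that usually
# carries user@host). Options such as command="..." may precede the type.
KEY_RE = re.compile(r"(?P<type>(?:ssh-|ecdsa-)[\w-]+)\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?")

# Standard cron locations; RHEL keeps per-user crontabs in var/spool/cron,
# Debian in var/spool/cron/crontabs, and os.walk covers both.
CRON_DIRS = ("etc/crontab", "etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
             "etc/cron.weekly", "etc/cron.monthly", "var/spool/cron")


def find_authorized_keys(root):
    """Return (relative path, key type, comment) for every entry in any
    authorized_keys file below root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ("authorized_keys", "authorized_keys2"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for line in fh:
                    line = line.strip()
                    if not line or line.startswith("#"):
                        continue
                    m = KEY_RE.search(line)
                    if m:
                        found.append((os.path.relpath(path, root), m["type"],
                                      (m["comment"] or "").strip()))
    return found


def find_user_references(root, user):
    """Return (relative path, line number, line) for cron lines naming user."""
    pat = re.compile(r"\b" + re.escape(user) + r"\b")
    hits = []
    for rel in CRON_DIRS:
        base = os.path.join(root, rel)
        if os.path.isfile(base):
            candidates = [base]
        elif os.path.isdir(base):
            candidates = [os.path.join(d, f) for d, _, fs in os.walk(base) for f in fs]
        else:
            continue
        for path in sorted(candidates):
            with open(path, errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    if pat.search(line):
                        hits.append((os.path.relpath(path, root), n, line.rstrip()))
    return hits


def scan_tree(root, user):
    """Combine both checks into one report for the given account name."""
    keys = find_authorized_keys(root)
    return {
        "all_keys": keys,
        "keys_naming_user": [k for k in keys if user in k[2]],
        "cron_hits": find_user_references(root, user),
    }


if __name__ == "__main__":
    report = scan_tree(build_sample_tree(), "ron")
    for path, ktype, comment in report["keys_naming_user"]:
        print(f"authorized key naming ron: {path} ({ktype}, comment '{comment}')")
    for path, n, line in report["cron_hits"]:
        print(f"cron reference: {path}:{n}: {line}")
```

Two things to keep in mind when running this for real: a key comment is free text, so a key without "ron" in its comment can still be his, and the report of every authorized_keys entry is there so each key can be matched to a known owner rather than to a name; and the cron scan only answers "is a job on this host connecting out as ron", which is the pattern TB0ne describes, while the thread's log lines show the reverse (something elsewhere on the subnet connecting in), so the same scan belongs on the 143.83.x.x host once whois identifies it.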
 
  


Tags: ssh, sshd, sshd_config, user account

All times are GMT -5.