Old 07-13-2013, 01:25 AM   #1
l0pht
Member
 
Registered: Sep 2008
Posts: 76

Secure log & user in ssh


Hi Experts,
Last night I received an alert from OSSEC with this description:
Quote:
Jul 12 14:46:22 uitn sshd[8212]: Accepted password for USER from 85.9.93.88 port 4044 ssh2
Jul 12 14:47:18 uitn sshd[8314]: Accepted password for USER from 85.9.93.88 port 4049 ssh2
Jul 12 14:49:14 uitn sshd[8385]: Accepted password for USER from 85.9.93.88 port 4052 ssh2
Jul 12 14:49:48 uitn sshd[8395]: Bad protocol version identification 'user' from 85.9.93.88
but the user in passwd does not have any permission for a login shell:
user:x:10082:505::/var/www/vhosts/user.com:/bin/false

Any idea?
Thanks
 
Old 07-13-2013, 02:01 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,114

Any idea about what?

A user without a valid login shell can still be authenticated by sshd. The session will of course be terminated immediately afterwards, since /bin/false just returns an error and exits, but the log will still show that the user was successfully authenticated.
 
1 members found this post helpful.
Old 07-13-2013, 02:24 AM   #3
l0pht
Member
 
Registered: Sep 2008
Posts: 76

Original Poster
Thanks Ser Olmy.
Your explanation means this user wants to log in via SSH and it was blocked? But the log shows he successfully authenticated?
 
Old 07-13-2013, 02:42 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,114

Yes, the log shows the user was successfully authenticated, so he or she (or it if it was a bot) must have entered the correct password.

sshd does not "block" a user from authenticating based on the shell setting, simply because it does not care in the slightest what the user's shell is. Neither does /bin/login, for that matter. The shell is invoked after you've successfully authenticated, and if your shell happens to be /bin/false, your session will end rather abruptly.
 
2 members found this post helpful.
Old 07-13-2013, 03:12 AM   #5
l0pht
Member
 
Registered: Sep 2008
Posts: 76

Original Poster
Thanks Sir.
 
Old 07-13-2013, 05:19 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Quote:
Originally Posted by Ser Olmy View Post
(..) if your shell happens to be /bin/false, your session will end rather abruptly.
How about SCP / SFTP?..
 
Old 07-13-2013, 07:47 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

unSpawn, the zen of your response is admirable, but it is likely too subtle for the OP.

l0pht, you obviously have a vulnerable SSH server and a would-be intruder has managed to password-authenticate against a user in your database. They should not have been allowed to get this far. Please see the sticky post on failed SSH authentication and switch to a more secure method, such as keys.
 
1 members found this post helpful.
Old 07-15-2013, 02:07 AM   #8
l0pht
Member
 
Registered: Sep 2008
Posts: 76

Original Poster
Quote:
you obviously have a vulnerable SSH server and a would-be intruder has managed to password-authenticate against a user in your database. They should not have been allowed to get this far.
Noway2, can you explain more? Thanks.

Quote:
Originally Posted by Ser Olmy View Post
Yes, the log shows the user was successfully authenticated, so he or she (or it if it was a bot) must have entered the correct password.

sshd does not "block" a user from authenticating based on the shell setting, simply because it does not care in the slightest what the user's shell is. Neither does /bin/login, for that matter. The shell is invoked after you've successfully authenticated, and if your shell happens to be /bin/false, your session will end rather abruptly.
Sorry, I checked this: logging in with the user via SSH, it accepts the user name, but since I do not know the password, /var/log/secure printed:
Code:
Jul 15 10:25:05 uitn sshd[23542]: Failed password for user from 85.9.79.249 port 30913 ssh2
Jul 15 10:25:08 uitn sshd[23542]: Failed password for user from 85.9.79.249 port 30913 ssh2
Jul 15 10:25:12 uitn sshd[23542]: Failed password for user from 85.9.79.249 port 30913 ssh2
Not accepted!! But I have these lines in my logs:
Code:
Jul 12 14:46:22 uitn sshd[8212]: Accepted password for USER from 85.9.93.88 port 4044 ssh2
Jul 12 14:47:18 uitn sshd[8314]: Accepted password for USER from 85.9.93.88 port 4049 ssh2
Jul 12 14:49:14 uitn sshd[8385]: Accepted password for USER from 85.9.93.88 port 4052 ssh2
How can I be sure?

Last edited by l0pht; 07-15-2013 at 02:13 AM.
 
Old 07-15-2013, 09:26 AM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

As Ser Olmy pointed out above, USER apparently has a password associated with the account and attempts have been made to gain an SSH shell using the (guessed ?) password for this account. The authentication takes place prior to the granting of a shell, and while the user was able to authenticate, having a /bin/false or similar shell declaration should have terminated the connection. The combination of Failed and Accepted password for "USER" from similar IP addresses suggests that someone is trying to run a dictionary script against your SSH system.

Quote:
can you explain more?
You appear to be allowing password authentication against your SSH server. This is not a good idea. A much better approach would be key-based authentication with passwords turned off. This is an easy thing to achieve. Here are a couple of tutorials on this subject: https://help.ubuntu.com/community/SSH/OpenSSH/Keys and http://www.cyberciti.biz/tips/ssh-pu...on-how-to.html

In essence, you need to create the key pair, which consists of a public and private key that are mathematically related. The public key gets put on the server and the private key stays with the client. With a good password on the key pair, you now have two-factor authentication, which is much more secure. The term "two factor" comes from the point that it now requires both something you have (the key) and something you know (the password) in order to authenticate against your system.
 
1 members found this post helpful.
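The two points made in this thread, that sshd logs "Accepted password" before it ever consults the login shell (Ser Olmy, #2 and #4) and that failed and accepted password attempts for the same account from nearby addresses look like password guessing (Noway2, #9), can be checked mechanically against the log. The script below is an added example, not code from the thread or from OSSEC; it assumes the standard OpenSSH syslog line format quoted above, and the log lines and passwd entries are constructed for the example (the thread's redacted "USER" is written as "user" here).

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure format quoted in the thread.
SAMPLE_LOG = """\
Jul 12 14:46:22 uitn sshd[8212]: Accepted password for user from 85.9.93.88 port 4044 ssh2
Jul 12 14:47:18 uitn sshd[8314]: Accepted password for user from 85.9.93.88 port 4049 ssh2
Jul 15 10:25:05 uitn sshd[23542]: Failed password for user from 85.9.79.249 port 30913 ssh2
Jul 15 10:25:08 uitn sshd[23542]: Failed password for user from 85.9.79.249 port 30913 ssh2
Jul 15 11:00:00 uitn sshd[23600]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""
# Constructed passwd-style entries; the login shell is the last field.
SAMPLE_PASSWD = """\
user:x:10082:505::/var/www/vhosts/user.com:/bin/false
admin:x:1000:1000::/home/admin:/bin/bash
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_events(log_text):
    """One dict (result, method, user, ip) per sshd authentication line."""
    return [m.groupdict() for m in map(AUTH_RE.search, log_text.splitlines()) if m]

def shells_from_passwd(passwd_text):
    """Map user name -> login shell from passwd-style lines."""
    fields = (line.split(":") for line in passwd_text.splitlines())
    return {f[0]: f[6] for f in fields if len(f) == 7}

def accepted_for_nologin_accounts(events, shells):
    """Accepted logins for accounts whose shell cannot start a session.
    sshd checks the password before it ever looks at the shell, so a correct
    password for a /bin/false account is still logged as 'Accepted'."""
    return [e for e in events
            if e["result"] == "Accepted" and shells.get(e["user"]) in NOLOGIN_SHELLS]

def password_summary(events):
    """Per user: failed/accepted password counts and the source IPs involved;
    failures followed by an acceptance is the guessing pattern described above."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "ips": set()})
    for e in events:
        if e["method"] != "password":
            continue
        summary[e["user"]][e["result"].lower()] += 1
        summary[e["user"]]["ips"].add(e["ip"])
    return dict(summary)
```

On the constructed sample, both "Accepted password" lines for the /bin/false account are flagged, and the per-user summary shows two failures and two acceptances for "user" from two addresses, while the key-based admin login is left out of the password summary.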
Old 07-15-2013, 09:33 AM   #10
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Debian, OS X (bsd)
Posts: 156

Did you have your user change their password between July 12th and 15th? And is neither address yours?

If it is practical to do so, you might consider turning off password authentication in sshd and allowing only key-based authentication to occur. If you do that, you'll also have to remind your users to work with strong passphrases.
 
1 members found this post helpful.
Old 07-15-2013, 11:58 PM   #11
l0pht
Member
 
Registered: Sep 2008
Posts: 76

Original Poster
Thanks all for the really perfect answers.