LinuxQuestions.org
Help understanding auth.log entries: someone trying root access?

#1 jimdaworm (Member, Ubuntu, Spain), 12-15-2008, 04:48 AM

Hi everyone,

I have recently setup ssh so I can access my computer from work. I will use keys and disable password based access but have not done so yet. I thought that I had disabled root access but I guess not:
Quote:
Dec 15 08:07:18 debby sshd[9244]: Did not receive identification string from 200.232.53.58
Dec 15 08:10:45 debby sshd[9251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.teleeventos.com.br user=root
Dec 15 08:10:47 debby sshd[9251]: Failed password for root from 200.232.53.58 port 46974 ssh2
Dec 15 08:10:56 debby sshd[9253]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.teleeventos.com.br user=root
Dec 15 08:10:58 debby sshd[9253]: Failed password for root from 200.232.53.58 port 47109 ssh2
Now I have just tested it after turning off root access:
Quote:
Dec 15 11:42:14 debby sshd[9802]: reverse mapping checking getaddrinfo for 4.red [88.27.185.4] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 15 11:42:23 debby sshd[9802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=88.27.185.4 user=root
Dec 15 11:42:25 debby sshd[9802]: Failed password for root from 88.27.185.4 port 13941 ssh2
So it still lets you think you can log in as root (from a separate internet connection) and just says access denied?
Also is there anything I can do about this person at 200.232.53.58 trying to access my computer or should I just ignore them?
 
#2 unSpawn (Moderator), 12-15-2008, 06:25 AM

Quote:
Originally Posted by jimdaworm View Post
I will use keys and disable password based access but have not done so yet. I thought that I had disabled root access but I guess not
That's a bad thing to do. Luckily you've corrected things. Even if there is no sign of breach, verifying installed package contents and checking logs wouldn't hurt.


Quote:
Originally Posted by jimdaworm View Post
So it still lets you think you can log in as root (from a separate internet connection) and just says access denied?
Great isn't it?


Quote:
Originally Posted by jimdaworm View Post
Also is there anything I can do about this person at 200.232.53.58 trying to access my computer or should I just ignore them?
If you fancy it you could contact teleeventos.com.br and tell 'em their nameserver might be worth a look at but as usual you shouldn't expect a reply or even thanks. For blocking methods you might want to see http://www.linuxquestions.org/questi...tempts-340366/.
 
#3 jimdaworm (original poster), 12-15-2008, 11:10 AM

Hi unSpawn

Thanks for your comments/info, I will check out that link you have sent me.
 
#4 sundialsvcs (LQ Guru, Gentoo/LFS, SE Tennessee, USA), 12-15-2008, 06:35 PM

You should configure your ssh so that it requires digital certificates for authentication and does not allow the use of passwords.

(Be aware that ssh will, by default, "fall back" to less-and-less secure options, allowing access using the least secure strategy available! So you must enable the certificate authentication and disable passwords.)

A digital certificate is like an individually-revocable, un-forgeable identification badge. (You can further encrypt the certificate so that a password must be entered to use it.) "Either you have a badge, or you don't." Users who attempt to penetrate your system are turned away without even being offered a password-prompt. You do not need to pay money to get a certificate.

Last edited by sundialsvcs; 12-15-2008 at 06:44 PM.
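The two settings this reply asks for (key-only authentication, passwords off) live in sshd_config, and a common mistake is to turn off PasswordAuthentication while leaving the keyboard-interactive path through PAM open. The script below is an added example, not code from this thread or from OpenSSH: it parses a sshd_config fragment and reports which of the relevant keywords differ from a hardened target. It assumes the sshd_config syntax (one keyword and value per line, `#` comments, case-insensitive keywords, the first value found for a keyword wins, global section ends at the first Match block) and the defaults OpenSSH shipped with around the time of this thread; the WEAK_CONFIG and HARDENED_CONFIG strings are constructed samples.

```python
# Added example, not from the thread or from OpenSSH: audit sshd_config settings
# that decide whether a password guesser ever gets a prompt.

# Effective values when the keyword is absent (assumed OpenSSH defaults of the era).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Hardened target value for each keyword, with the reason it matters.
WANTED = {
    "permitrootlogin": ("no", "root must not be reachable over ssh at all"),
    "passwordauthentication": ("no", "keys only, so guessing gets no password prompt"),
    "pubkeyauthentication": ("yes", "key auth must stay on or nobody can log in"),
    "challengeresponseauthentication": ("no", "keyboard-interactive via PAM is another way to reach a password prompt"),
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Honours sshd's first-value-wins rule for repeated keywords and stops at the
    first Match block, whose settings apply only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective_value, wanted_value, reason)] for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, reason) in WANTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted, reason))
    return findings


WEAK_CONFIG = """\
# constructed sample: roughly the state the original poster described
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: the state the replies recommend
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} weak setting(s)")
        for key, got, want, why in findings:
            print(f"  {key} is '{got}', want '{want}': {why}")
```

The weak sample produces three findings, not two: ChallengeResponseAuthentication is absent, so it keeps its default of yes and a password can still be typed through the keyboard-interactive method. On OpenSSH 5.1 and later, `sshd -T` prints the effective configuration, which is a more reliable input for a check like this than reading the file by hand.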
 
#5 jimdaworm (original poster), 12-16-2008, 03:27 AM

@sundialsvcs

I am going to try and set this up today; I was already planning on doing it but first had to get all the rest going.

I also found this:
http://centoshacker.com/kabir/securi...denyhosts.html

It's quite interesting, as there is a script/program that can automatically blacklist repeated access attempts and, if you choose to enable it, even share your blacklist and use a global one; it also lets you use a white-list so, for example, your work IP doesn't accidentally get blacklisted.
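The auth.log lines in the first post and the blacklist-with-whitelist behaviour described in this post are two halves of the same job, so one added example covers both. The script below is not from this thread and not DenyHosts' own code: it parses the three sshd message formats quoted above (`Failed password`, `Did not receive identification string`, `reverse mapping checking ... failed`), counts failures per source address, and decides which sources to deny unless they are whitelisted. The regexes match the OpenSSH wording shown on the page; the thresholds, the whitelisted address 192.0.2.10 (a documentation address) and the last three log lines are constructed; the `/etc/hosts.deny` output format is the tcp_wrappers syntax DenyHosts writes to.

```python
# Added example, not from the thread or from DenyHosts: count ssh failures per
# source in auth.log and pick sources to deny, honouring a whitelist.
import re
from collections import Counter, defaultdict

# Constructed sample: the lines quoted in the thread, rejoined onto single lines,
# plus three constructed lines for a legitimate user at a whitelisted address.
SAMPLE_AUTH_LOG = """\
Dec 15 08:07:18 debby sshd[9244]: Did not receive identification string from 200.232.53.58
Dec 15 08:10:45 debby sshd[9251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.teleeventos.com.br user=root
Dec 15 08:10:47 debby sshd[9251]: Failed password for root from 200.232.53.58 port 46974 ssh2
Dec 15 08:10:56 debby sshd[9253]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.teleeventos.com.br user=root
Dec 15 08:10:58 debby sshd[9253]: Failed password for root from 200.232.53.58 port 47109 ssh2
Dec 15 11:42:14 debby sshd[9802]: reverse mapping checking getaddrinfo for 4.red [88.27.185.4] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 15 11:42:23 debby sshd[9802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=88.27.185.4 user=root
Dec 15 11:42:25 debby sshd[9802]: Failed password for root from 88.27.185.4 port 13941 ssh2
Dec 15 11:50:02 debby sshd[9810]: Failed password for jim from 192.0.2.10 port 50123 ssh2
Dec 15 11:50:09 debby sshd[9810]: Failed password for jim from 192.0.2.10 port 50123 ssh2
Dec 15 11:50:15 debby sshd[9810]: Accepted publickey for jim from 192.0.2.10 port 50123 ssh2
"""

# Only the sshd "Failed password" line is counted; the pam_unix line for the same
# attempt carries a hostname rather than an address and would double-count.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Connection closed before an SSH banner was sent: typical of a port scan or banner grab.
NO_IDENT_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
# Source whose PTR record does not resolve back to the same address.
REVMAP_RE = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed")


def parse_auth_log(text):
    """Return (failures, probes, revmap_failed).

    failures: ip -> Counter(user -> failed password attempts)
    probes:   ip -> connections that never sent an identification string
    revmap_failed: set of ips flagged by sshd's reverse-mapping check
    """
    failures = defaultdict(Counter)
    probes = Counter()
    revmap_failed = set()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)][m.group(1)] += 1
            continue
        m = NO_IDENT_RE.search(line)
        if m:
            probes[m.group(1)] += 1
            continue
        m = REVMAP_RE.search(line)
        if m:
            revmap_failed.add(m.group(1))
    return failures, probes, revmap_failed


def hosts_to_deny(failures, threshold=2, root_threshold=1, whitelist=frozenset()):
    """Deny a source once its failures reach `threshold` (or `root_threshold`
    for the root account), unless it is whitelisted. Thresholds are assumptions."""
    deny = set()
    for ip, per_user in failures.items():
        if ip in whitelist:
            continue
        if per_user.get("root", 0) >= root_threshold or sum(per_user.values()) >= threshold:
            deny.add(ip)
    return deny


def hosts_deny_lines(deny):
    """Render the deny list in /etc/hosts.deny (tcp_wrappers) syntax for sshd."""
    return [f"sshd: {ip}" for ip in sorted(deny)]


if __name__ == "__main__":
    failures, probes, revmap = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, per_user in failures.items():
        flags = []
        if ip in revmap:
            flags.append("reverse-DNS mismatch")
        if probes[ip]:
            flags.append(f"{probes[ip]} banner-less probe(s)")
        print(ip, dict(per_user), ", ".join(flags))
    for line in hosts_deny_lines(hosts_to_deny(failures, whitelist={"192.0.2.10"})):
        print(line)
```

With the whitelist applied, the two sources that tried root are denied and 192.0.2.10 is not, even though its two typos would otherwise meet the threshold; that is exactly the "your work IP doesn't accidentally get blacklisted" case. Without the whitelist it would be denied as well, which is why a whitelist belongs in any automatic blocker that reads the same log an admin's own mistakes land in.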