ssh authentication log

Xerop · 06-09-2009, 10:52 AM

Hello,

I recently logged in to my server machine and found a login record I cannot account for. I have the logs of the login, but they seem strange to me.
I see an authentication failure that says failed password and then it comes up with a accepted password and session opened.
Does this essentially mean that someone connected, typed in the wrong password and then on the second attempt got it right - without reconnecting?

I did a quick look up of the remote host. Seattle seems to have been the origin and not being in Seattle makes me think that I wasn't the one to log in - I don't remember loging in on that day at all.

I have already changed my passwords for my system and moved my ssh port. Any other suggestions?

(I have been planning to do an upgrade to my system recently - so potentially I will be reinstalling the whole system.)

Log:

Code:

Jun  4 23:48:10 Server sshd[9659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx6d0.tmxxxx.net  user=xxxxxxxx
Jun  4 23:48:12 Server sshd[9659]: Failed password for xxxxxxxx from 208.54.14.91 port 41459 ssh2
Jun  4 23:48:16 Server sshd[9659]: Accepted password for xxxxxxxx from 208.54.14.91 port 41459 ssh2
Jun  4 23:48:16 Server sshd[9663]: pam_unix(sshd:session): session opened for user xxxxxxxx by (uid=0)
Jun  4 23:49:44 Server sshd[9663]: pam_unix(sshd:session): session closed for user xxxxxxxx

Thank you for any responses,
Yevgeniy

Xerop · 06-09-2009, 12:18 PM

I did understand the Log fine correctly - the first password attempt was a failure and the second attempt worked.
As far as additional measures - I found I should disable passwords for SSH and just use key files.

Checked processes, crontabs and ports on the machine - nothing outside of what was expected.

links - used to obtain info:
http://www.hackinglinuxexposed.com/a.../20030515.html
http://web.archive.org/web/200801092...checklist.html

Google search to get port info:
"port #### auditmypc"

Awesome idea for security:

Quote:

Originally Posted by rweaver

If you have iptables available you can do something like this...

Code:

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 360 --hitcount 3 --name SSHATTEMPTS --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSHATTEMPTS --rsource

Basically that means if someone attempts to connect more than 3 times in six minutes to ssh, drop their ip until there is 6 minutes of quiet time.

It'll get rid of most of your attempts on ssh. A strong password if your ssh is using passwords is more important... not using passwords, port knocking, etc is even better yet.

Maybe someone will find this useful.

Moderator: Sorry, this might fit with "Failed SSH login attempts"