02-27-2006, 02:29 AM, #1
Member; Registered: Aug 2004; Location: Canada; Distribution: Archlabs; Posts: 65
ssh scare? "sshd: unknown [priv]"
Hello,
I logged into my remote server just now and I saw something I have never seen before in all the times I have logged in:
root 1599 0.2 0.2 6900 2052 ? S 02:31 0:00 sshd: admin [priv]
root 1604 0.6 0.1 5684 2000 ? S 02:31 0:00 sshd: unknown [priv]
root 1606 0.3 0.1 5684 2000 ? S 02:31 0:00 sshd: unknown [priv]
sshd 1607 0.6 0.1 5048 1736 ? S 02:31 0:00 sshd: unknown [net]
sshd 1608 0.6 0.1 5048 1736 ? S 02:31 0:00 sshd: unknown [net]
admin 1609 0.0 0.2 6916 2256 ? S 02:31 0:00 sshd: admin@pts/3
admin 1610 1.0 0.1 5128 1348 pts/3 S 02:31 0:00 -bash
root 1649 0.0 0.1 5048 1656 ? S 02:31 0:00 /usr/sbin/sshd
admin 1650 0.0 0.0 2868 868 pts/3 R 02:31 0:00 ps aux
sshd 1651 0.0 0.1 5048 1680 ? S 02:31 0:00 sshd: [net]
I have never seen the sshd: unknown [priv] syntax before, not even when regularly logging in as any user. It scared the crap out of me, so I shut down ssh right away. The w command shows that only I am logged into the machine. And the weird thing is it's talking about root, and root shouldn't even be logged in!
Is this something completely normal? What does it mean? I tried to google it but the results that seemed relevant didn't turn out to be so. Is there a reason why it would show this now and not before?
Your insight is appreciated, thank you.
-Chi
Added:
I also just downloaded/ran rootkithunter (the one mentioned in this forum) and it didn't detect anything wrong, and w wasn't tampered with or anything. So I feel a lot better about this now because I've been compromised on another machine before and it wasn't pretty :P
Last edited by chibi; 02-27-2006 at 03:18 AM.
02-27-2006, 04:26 AM, #2
LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733
http://www.enterprisenetworkingplane...le.php/3553111
One of the current Linux magazines has an article on securing SSH. Unfortunately, I left it at work and can't tell you which one it is. It dealt with not allowing logins by system users, changing the default port and only allowing certain IP addresses. Changing the default port isn't a lot of protection, but it does eliminate the lion's share of attacks from script kiddies who start out scanning different IP addresses for port 22.
From the sshd_config manpage:
Quote:
DenyGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. Login is disallowed for users whose primary
group or supplementary group list matches one of the patterns.
‘*’ and ‘?’ can be used as wildcards in the patterns. Only group
names are valid; a numerical group ID is not recognized. By
default, login is allowed for all groups.
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. ‘*’ and ‘?’ can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.
What is the log that you are looking at?
02-27-2006, 04:26 PM, #3
Member (Original Poster); Registered: Aug 2004; Location: Canada; Distribution: Archlabs; Posts: 65
It was just a ps aux. When I think about it, I have seen the sshd: myusername [priv] but never an unknown or a [net]. What would [net] signify?
03-02-2006, 12:46 PM, #4
Moderator; Registered: May 2001; Posts: 29,415
Quote:
What would [net] signify?
It's set in sshd.c: "setproctitle("%s", "[net]");". Sshd sets up an unprivileged child process to deal with network data as part of the pre-auth stage, AFAIK.
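A small audit script, added here to illustrate the privilege-separation model this reply describes against a listing like the one in the first post; it is not code from the thread. It classifies sshd entries in ps aux output by role ([priv] monitor, [net] pre-auth child, user@pts session, listener), counts connections still in pre-auth (the "unknown" entries, where no user name has been presented yet), and flags processes whose owner does not match what the model expects. The ps lines are constructed samples, and the privsep account name `sshd` is an assumption (some distributions use a different account).

```python
import re
from collections import Counter

# Constructed sample in `ps aux` format, modelled on the thread's listing.
SAMPLE_PS = """\
root 1599 0.2 0.2 6900 2052 ? S 02:31 0:00 sshd: admin [priv]
root 1604 0.6 0.1 5684 2000 ? S 02:31 0:00 sshd: unknown [priv]
sshd 1607 0.6 0.1 5048 1736 ? S 02:31 0:00 sshd: unknown [net]
admin 1609 0.0 0.2 6916 2256 ? S 02:31 0:00 sshd: admin@pts/3
admin 1610 1.0 0.1 5128 1348 pts/3 S 02:31 0:00 -bash
root 1649 0.0 0.1 5048 1656 ? S 02:31 0:00 /usr/sbin/sshd
sshd 1651 0.0 0.1 5048 1680 ? S 02:31 0:00 sshd: [net]
"""

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(r"^(\S+)\s+(\d+)(?:\s+\S+){8}\s+(.*)$")

def classify(cmd):
    """Map an sshd process title to its role in OpenSSH privilege separation."""
    if cmd.endswith("/sshd") or cmd == "sshd":
        return "listener"        # master daemon accepting new connections
    if cmd.startswith("sshd: "):
        title = cmd[len("sshd: "):]
        if title.endswith("[priv]"):
            return "monitor"     # root-owned monitor, one per connection; root is
                                 # not "logged in", it is supervising the child
        if title.endswith("[net]"):
            return "net-child"   # unprivileged child handling pre-auth network I/O
        if "@" in title:
            return "session"     # child running as the authenticated user
    return None

def audit(ps_text, privsep_user="sshd"):  # privsep account name is an assumption
    counts, findings = Counter(), []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        user, pid, cmd = m.group(1), int(m.group(2)), m.group(3)
        role = classify(cmd)
        if role is None:
            continue
        counts[role] += 1
        if role == "monitor" and "unknown" in cmd:
            counts["pre-auth"] += 1   # no user name presented yet
        if role in ("listener", "monitor") and user != "root":
            findings.append(f"pid {pid}: {role} not running as root ({user})")
        if role == "net-child" and user != privsep_user:
            findings.append(f"pid {pid}: net child not running as {privsep_user} ({user})")
    return counts, findings
```

A steady stream of "pre-auth" entries with no matching session is the pattern to watch, since it is what repeated connection attempts look like in the process list.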