LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SSH Server Connection Question (https://www.linuxquestions.org/questions/linux-security-4/ssh-server-connection-question-669005/)

kaplan71 09-10-2008 03:14 PM

SSH Server Connection Question
 
Hi there --

We have an SSH server that is periodically used for remote connections to our network. The following incident occurred earlier today, and I wanted to get feedback.

A visiting scholar is on-site and has a connection to the server. A routine check of the server indicated the user account had connected to the server from a remote location.

I am concerned this could be a case of either a compromised or shared user account and password. Am I being overly paranoid about this? What steps should I take to get to the bottom of the mystery? Thanks.

anomie 09-10-2008 03:19 PM

There are various options depending on the specifics:
  • Can sshd access be limited to only certain subnets (thereby denying all others)? That's an effective way to lock things down.
  • Is "visiting scholar" finished with his work? Make use of the AllowUsers and/or DenyUsers directives (see the manpages for sshd_config(5)), and lock out his account.
  • Will "visiting scholar" need to make ongoing visits and access the account on-site again in the future? Again, the AllowUsers directive can contain an entry that only allows him to log in via ssh from certain subnets using the form user@host.

No, you're not being overly paranoid about this. Take shell access to your servers very seriously.

CRC123 09-10-2008 03:20 PM

There is a '.bash_history' file in every user's home directory. If they didn't know to delete its contents, you can see the commands that they have been running. I hope you catch them RED HANDED, lol

chort 09-10-2008 03:22 PM

You're not overly paranoid.

Take some steps to verify the source of the "external" connection, though. It's possible the visitor logged in from "outside" by using a VPN to get back to their "home" network (thus all their traffic was showing up as coming from wherever they usually reside, even if they were connected to your network), or by using a mobile wireless card (the kind that use cellular networks).

chort 09-10-2008 03:23 PM

Quote:

Originally Posted by CRC123 (Post 3276246)
There is a '.bash_history' file in every user's home directory. If they didn't know to delete its contents, you can see the commands that they have been running. I hope you catch them RED HANDED, lol

Not necessarily. If they aren't using the bash shell, it doesn't exist. Not all shells create a history file by default, and of course the history settings can be overridden.

kaplan71 09-10-2008 04:22 PM

Hi there --

Thanks for the replies from everyone. Going by the following suggestion:

Quote:

Take some steps to verify the source of the "external" connection, though. It's possible the visitor logged in from "outside" by using a VPN to get back to their "home" network (thus all their traffic was showing up as coming from wherever they usually reside, even if they were connected to your network), or by using a mobile wireless card (the kind that use cellular networks).
I have already checked the secure log files as well as run a whois check on the address. Additionally, I have checked the user's history file for anything suspicious. Beyond that, is there anything else or any utilities that can come into play here? Thanks.

chort 09-10-2008 04:28 PM

Code:

$ dig -x <ip address connection came from>
Gets the reverse DNS entry, might give more clues to the origin than whois information.

Code:

$ traceroute <ip address connection came from>
Shows the network path back to them. Router names usually have abbreviations for the service provider and/or locality, so this gives you a geographical idea of where the connection was from. If that seems to match where the visitor comes from, then they were probably just using a VPN. If it matches a mobile carrier, then they were probably using a wireless data card. If it doesn't match at all, then it's possible an unauthorized party accessed their account.

Have you tried the simple step of just asking the visitor how/when they accessed the system in question, and if they may have given their login information to anyone else?
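Tying anomie's AllowUsers user@host suggestion to kaplan71's check of the secure log: the script below is an added example, not code from the thread or from OpenSSH. It reads constructed /var/log/secure-style "Accepted" lines, extracts the user and source address of each successful login, and flags those that an AllowUsers list written in sshd_config's user@host form would not have permitted. The host part is matched either as a CIDR block (a form newer OpenSSH releases accept) or as a wildcard pattern against the address string; this only approximates sshd's own matching (it does not consult reverse DNS), so sshd_config(5) remains the authority. A flagged line is where the dig -x and traceroute checks above start, not a verdict: as chort notes, a VPN or a cellular data card can make a legitimate on-site user appear remote.

```python
"""Check sshd "Accepted" log lines against an AllowUsers-style policy.

Added example for this thread, not OpenSSH code. Log lines and the policy
below are constructed; matching approximates sshd_config(5) semantics.
"""
import fnmatch
import ipaddress
import re

# Constructed sample log lines in the style of /var/log/secure (not real data).
SAMPLE_LOG = """\
Sep 10 09:12:01 gw sshd[2201]: Accepted password for scholar from 10.20.30.41 port 50122 ssh2
Sep 10 13:47:55 gw sshd[2419]: Accepted publickey for admin from 10.20.30.5 port 41020 ssh2
Sep 10 14:02:13 gw sshd[2502]: Accepted password for scholar from 198.51.100.77 port 60011 ssh2
Sep 10 14:05:40 gw sshd[2510]: Failed password for scholar from 198.51.100.77 port 60012 ssh2
"""

# Constructed policy in AllowUsers form: the visitor only from the local
# subnet, the admin account from anywhere.
ALLOW_USERS = ["scholar@10.20.30.0/24", "admin"]

# Matches the "Accepted <method> for <user> from <src> port <port>" message.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_accepted(log_text):
    """Return (user, source, method) tuples for every accepted login."""
    out = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("src"), m.group("method")))
    return out


def host_matches(src, host_pattern):
    """True if the source address satisfies the HOST part of user@host.

    A pattern containing '/' is treated as CIDR; anything else is matched as
    a wildcard pattern against the address string. sshd can also match the
    reverse DNS name when UseDNS is on; this offline check does not.
    """
    if "/" in host_pattern:
        try:
            return ipaddress.ip_address(src) in ipaddress.ip_network(host_pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(src, host_pattern)


def allowed(user, src, allow_users):
    """Apply the AllowUsers list: the login is permitted if any entry matches."""
    for entry in allow_users:
        u, _, h = entry.partition("@")
        if fnmatch.fnmatchcase(user, u) and (not h or host_matches(src, h)):
            return True
    return False


def flag_logins(log_text, allow_users):
    """Return the accepted logins that the policy would have refused."""
    return [(u, s, m) for u, s, m in parse_accepted(log_text)
            if not allowed(u, s, allow_users)]


if __name__ == "__main__":
    for user, src, method in flag_logins(SAMPLE_LOG, ALLOW_USERS):
        print(f"REVIEW: {user} logged in via {method} from {src}, outside policy")
```

Run against a real log by reading the file into `flag_logins` in place of SAMPLE_LOG; each flagged source address is then a candidate for `dig -x` and `traceroute`, and for the conversation with the visitor.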

kaplan71 09-10-2008 05:05 PM

Hi there --

Going on somewhat of a tangent here: Is there software that would bring up a world map that could be used in conjunction with dig and traceroute? Thanks.

rosv 09-11-2008 07:20 AM

You could try http://whatismyipaddress.com/staticp...ual-traceroute

mlnutt 09-11-2008 11:32 AM

Perhaps the easiest thing to do would be to ask your user if they have given their logon info to anyone else; if not, explain that the account info may have been "stolen." Explain vaguely that their account had logged on remotely. Explain your policy. Change the password. If it happens again disable the account.
