LinuxQuestions.org - Linux - Security

ssh_exchange_identification connection reset by peer (https://www.linuxquestions.org/questions/linux-security-4/ssh_exchange_identification-connection-reset-by-peer-4175591176/)

c0wb0y 10-11-2016 04:00 PM

You might need to check the contents of /etc/hosts.{deny,allow} and make sure that none of your IPs are blacklisted there. Also, check the contents of ~/.ssh/config just in case you have any custom configs there (i.e. ssh keys).

Turbocapitalist 10-11-2016 11:29 PM

The ~/.ssh/config file on your server account might have important info, so I second the suggestion. So would grabbing a copy of the sshd configuration file, which should be in /etc/ssh/sshd_config unless you've changed it. As for the logs, the names depend somewhat on your distro. Which distro do you have on the server and which one on the laptop? You'll want the authentication logs and the system logs for sure. If they fit, grab everything in /var/log/ so you can look around.

Though new versions of OpenSSH ignore tcpd completely and rely on iptables instead. But along those lines, checking the firewall rules would be a good idea.

nibraz 10-12-2016 03:25 AM

This is my sshd_config

Code:

#        $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile        .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem        sftp        /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#        X11Forwarding no
#        AllowTcpForwarding no
#        ForceCommand cvs server

This is what I have in my hosts.deny file (this was recommended by a Linux expert to protect from unknown hackers):

Code:

#
# hosts.deny        This file contains access rules which are used to
#                deny connections to network services that either use
#                the tcp_wrappers library or that have been
#                started through a tcp_wrappers-enabled xinetd.
#
#                The rules in this file can also be set up in
#                /etc/hosts.allow with a 'deny' option instead.
#
#                See 'man 5 hosts_options' and 'man 5 hosts_access'
#                for information on rule syntax.
#                See 'man tcpd' for information on tcp_wrappers
#
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com, .pl, .com, .ar, .tw
sshd: UNKNOWN


Turbocapitalist 10-12-2016 03:31 AM

Quote:

Originally Posted by nibraz (Post 5616881)
This is my sshd_config

Code:

PermitRootLogin yes
...
PasswordAuthentication yes


Ok. These two items are problematic, though not nearly as much as the news that FTP is allowed.

About the tcpwrappers (hosts.deny / hosts.allow), new versions of OpenSSH server ignore it completely starting with version 6.7 actually.

Which distro are you using on the server and which version of OpenSSH server does it run?

nibraz 10-12-2016 04:29 AM

Quote:

Originally Posted by Turbocapitalist (Post 5616885)
Ok. These two items are problematic, though not nearly as much as the news that FTP is allowed.

About the tcpwrappers (hosts.deny / hosts.allow), new versions of OpenSSH server ignore it completely starting with version 6.7 actually.

Which distro are you using on the server and which version of OpenSSH server does it run?

This is what I got: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

OS:
CentOS release 6.5 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)

Turbocapitalist 10-12-2016 05:05 AM

Ok, you're running CentOS 6.5 which is good until November 2020. Running CentOS 6.5 means that you've got a very old version of OpenSSH, but that it will support tcpd. Really, with the advent of "ipchains", and later "iptables", "tcpd" became mostly irrelevant. According to the configuration you posted for "tcpd" you are using the most basic features and those are better done with the firewall. That would be "iptables" or whatever CentOS 6 has for a front-end for "iptables". With SSH you have a reasonable lock on the front door, but the back porch is open except for an unlatched screen door (FTP).

But back to SSH, your login failures should be showing up in /var/log/secure

What does that log say when you try to connect but fail?

nibraz 10-12-2016 05:50 AM

Quote:

Originally Posted by Turbocapitalist (Post 5616916)
Ok, you're running CentOS 6.5 which is good until November 2020. Running CentOS 6.5 means that you've got a very old version of OpenSSH, but that it will support tcpd. Really, with the advent of "ipchains", and later "iptables", "tcpd" became mostly irrelevant. According to the configuration you posted for "tcpd" you are using the most basic features and those are better done with the firewall. That would be "iptables" or whatever CentOS 6 has for a front-end for "iptables". With SSH you have a reasonable lock on the front door, but the back porch is open except for an unlatched screen door (FTP).

But back to SSH, your login failures should be showing up in /var/log/secure

What does that log say when you try to connect but fail?

Hi Turbo

Is it worth updating the CentOS system itself?

Would it cause any problems for my website running backend DB as mysql?

/var/log/secure got this:

Code:

Oct 11 17:17:34 www sshd[20187]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:17:34 www sshd[20187]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:18:07 www sshd[20203]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:18:07 www sshd[20203]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:18:34 www sshd[20206]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:18:34 www sshd[20206]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:18:49 www sshd[20209]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:18:49 www sshd[20209]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:20:27 www sshd[20291]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:20:27 www sshd[20291]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:22:41 www sshd[20332]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:22:41 www sshd[20332]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:24:08 www sshd[20371]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:24:08 www sshd[20371]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:30:41 www sshd[20586]: Invalid user liam from 50.201.67.38
Oct 11 17:30:41 www sshd[20587]: input_userauth_request: invalid user liam
Oct 11 17:30:41 www sshd[20586]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:30:41 www sshd[20586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net
Oct 11 17:30:41 www sshd[20586]: pam_succeed_if(sshd:auth): error retrieving information about user liam
Oct 11 17:30:43 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:30:43 www sshd[20586]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:30:43 www sshd[20586]: pam_succeed_if(sshd:auth): error retrieving information about user liam
Oct 11 17:30:45 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:30:45 www sshd[20586]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:30:45 www sshd[20586]: pam_succeed_if(sshd:auth): error retrieving information about user liam
Oct 11 17:30:47 www sshd[20589]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:30:47 www sshd[20589]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:30:47 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:30:47 www sshd[20587]: Connection closed by 50.201.67.38
Oct 11 17:30:47 www sshd[20586]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net
Oct 11 17:43:07 www sshd[10291]: pam_unix(sshd:session): session closed for user root
Oct 11 17:45:44 www sshd[21116]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:45:44 www sshd[21116]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:45:46 www sshd[21116]: Invalid user james from 65.242.43.109
Oct 11 17:45:46 www sshd[21117]: input_userauth_request: invalid user james
Oct 11 17:45:46 www sshd[21116]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:45:46 www sshd[21116]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109
Oct 11 17:45:46 www sshd[21116]: pam_succeed_if(sshd:auth): error retrieving information about user james
Oct 11 17:45:47 www sshd[21116]: Failed password for invalid user james from 65.242.43.109 port 38408 ssh2
Oct 11 17:45:48 www sshd[21116]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:45:48 www sshd[21116]: pam_succeed_if(sshd:auth): error retrieving information about user james
Oct 11 17:45:49 www sshd[21116]: Failed password for invalid user james from 65.242.43.109 port 38408 ssh2
Oct 11 17:45:50 www sshd[21116]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:45:50 www sshd[21116]: pam_succeed_if(sshd:auth): error retrieving information about user james
Oct 11 17:45:52 www sshd[21116]: Failed password for invalid user james from 65.242.43.109 port 38408 ssh2
Oct 11 17:45:52 www sshd[21117]: Connection closed by 65.242.43.109
Oct 11 17:45:52 www sshd[21116]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109
Oct 11 17:46:27 www sshd[21135]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:46:27 www sshd[21135]: warning: /etc/hosts.deny, line 14: host name/address mismatch: 89.107.124.244 != nisipp3.canmos.ru
Oct 11 17:46:27 www sshd[21135]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:46:27 www sshd[21135]: Did not receive identification string from 89.107.124.244
Oct 11 17:46:27 www sshd[21136]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:46:27 www sshd[21136]: warning: /etc/hosts.deny, line 14: host name/address mismatch: 89.107.124.244 != nisipp3.canmos.ru
Oct 11 17:46:27 www sshd[21136]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:46:30 www sshd[21136]: Address 89.107.124.244 maps to nisipp3.canmos.ru, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 11 17:46:30 www sshd[21136]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.107.124.244  user=root
Oct 11 17:46:32 www sshd[21136]: Failed password for root from 89.107.124.244 port 59373 ssh2
Oct 11 17:46:32 www sshd[21137]: Received disconnect from 89.107.124.244: 11: Bye Bye
Oct 11 18:16:29 www sshd[21942]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:29 www sshd[21942]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:29 www sshd[21942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:31 www sshd[21942]: Failed password for root from 163.172.16.102 port 37657 ssh2
Oct 11 18:16:31 www sshd[21943]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:31 www sshd[21944]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:31 www sshd[21944]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:32 www sshd[21944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:33 www sshd[21944]: Failed password for root from 163.172.16.102 port 51357 ssh2
Oct 11 18:16:33 www sshd[21945]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:33 www sshd[21946]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:33 www sshd[21946]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:33 www sshd[21946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:35 www sshd[21946]: Failed password for root from 163.172.16.102 port 33535 ssh2
Oct 11 18:16:35 www sshd[21947]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:35 www sshd[21948]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:35 www sshd[21948]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:35 www sshd[21948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:37 www sshd[21948]: Failed password for root from 163.172.16.102 port 45033 ssh2
Oct 11 18:16:37 www sshd[21949]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:37 www sshd[21950]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:37 www sshd[21950]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:38 www sshd[21950]: Invalid user pi from 163.172.16.102
Oct 11 18:16:38 www sshd[21951]: input_userauth_request: invalid user pi
Oct 11 18:16:38 www sshd[21950]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:16:38 www sshd[21950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu
Oct 11 18:16:38 www sshd[21950]: pam_succeed_if(sshd:auth): error retrieving information about user pi
Oct 11 18:16:39 www sshd[21950]: Failed password for invalid user pi from 163.172.16.102 port 57511 ssh2
Oct 11 18:16:39 www sshd[21951]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:19:10 www sshd[22018]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:19:10 www sshd[22018]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:19:40 www sshd[22021]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:19:40 www sshd[22021]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:21:09 www sshd[22103]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:21:09 www sshd[22103]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:21:10 www sshd[22103]: Invalid user help from 50.201.67.38
Oct 11 18:21:10 www sshd[22104]: input_userauth_request: invalid user help
Oct 11 18:21:10 www sshd[22103]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:21:10 www sshd[22103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net
Oct 11 18:21:10 www sshd[22103]: pam_succeed_if(sshd:auth): error retrieving information about user help
Oct 11 18:21:12 www sshd[22103]: Failed password for invalid user help from 50.201.67.38 port 1777 ssh2
Oct 11 18:21:12 www sshd[22103]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:21:12 www sshd[22103]: pam_succeed_if(sshd:auth): error retrieving information about user help
Oct 11 18:21:14 www sshd[22103]: Failed password for invalid user help from 50.201.67.38 port 1777 ssh2
Oct 11 18:21:14 www sshd[22103]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:21:14 www sshd[22103]: pam_succeed_if(sshd:auth): error retrieving information about user help
Oct 11 18:21:15 www sshd[22103]: Failed password for invalid user help from 50.201.67.38 port 1777 ssh2
Oct 11 18:21:15 www sshd[22104]: Connection closed by 50.201.67.38
Oct 11 18:21:15 www sshd[22103]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net
Oct 11 18:29:34 www sshd[22288]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:29:34 www sshd[22288]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:29:42 www sshd[22289]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:29:42 www sshd[22289]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:34:09 www sshd[22429]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:34:09 www sshd[22429]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:37:34 www sshd[22525]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:37:34 www sshd[22525]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:37:35 www sshd[22525]: Invalid user odoo from 65.242.43.109
Oct 11 18:37:35 www sshd[22526]: input_userauth_request: invalid user odoo
Oct 11 18:37:35 www sshd[22525]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:37:35 www sshd[22525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109
Oct 11 18:37:35 www sshd[22525]: pam_succeed_if(sshd:auth): error retrieving information about user odoo
Oct 11 18:37:37 www sshd[22525]: Failed password for invalid user odoo from 65.242.43.109 port 38408 ssh2
Oct 11 18:37:37 www sshd[22525]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:37:37 www sshd[22525]: pam_succeed_if(sshd:auth): error retrieving information about user odoo
Oct 11 18:37:39 www sshd[22525]: Failed password for invalid user odoo from 65.242.43.109 port 38408 ssh2
Oct 11 18:37:39 www sshd[22525]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:37:39 www sshd[22525]: pam_succeed_if(sshd:auth): error retrieving information about user odoo
Oct 11 18:37:41 www sshd[22525]: Failed password for invalid user odoo from 65.242.43.109 port 38408 ssh2
Oct 11 18:37:41 www sshd[22526]: Connection closed by 65.242.43.109
Oct 11 18:37:41 www sshd[22525]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109
Oct 11 18:57:18 www sshd[23047]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:57:18 www sshd[23047]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:58:12 www sshd[23064]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:58:12 www sshd[23064]: warning: /etc/hosts.deny, line 14: host name/address mismatch: 222.138.139.252 != hn.kd.ny.adsl
Oct 11 18:58:12 www sshd[23064]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:58:14 www sshd[23064]: Address 222.138.139.252 maps to hn.kd.ny.adsl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 11 18:58:14 www sshd[23064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.138.139.252  user=root
Oct 11 18:58:15 www sshd[23064]: Failed password for root from 222.138.139.252 port 54792 ssh2
Oct 11 18:58:16 www sshd[23066]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:58:16 www sshd[23066]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:58:17 www sshd[23064]: Failed password for root from 222.138.139.252 port 54792 ssh2
Oct 11 18:58:19 www sshd[23064]: Failed password for root from 222.138.139.252 port 54792 ssh2
Oct 11 18:58:19 www sshd[23065]: Connection closed by 222.138.139.252
Oct 11 18:58:19 www sshd[23064]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.138.139.252  user=root
Oct 11 18:59:15 www sshd[23086]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:59:15 www sshd[23086]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:59:15 www sshd[23086]: Invalid user test1 from 46.32.53.44


Turbocapitalist 10-12-2016 06:01 AM

You have errors in your "tcpd" configuration, both in /etc/hosts.allow and /etc/hosts.deny. Do you see them there in the log?

I'd make copies of both files and then clear them and see if you can log in after that. Then if you need to block, use the firewall aka "iptables".

CentOS 6 is fine. They do security updates and patch things until November 2020. Whether you remember to apply them is another matter. There is some new functionality in more recent versions of OpenSSH, but that's not important. There are some improvements with removing old, insecure encryption though, so you might check the patch history to see what was done by the CentOS team. But if you have FTP on your machine, your submarine already has a screen door.
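An added example (not code from the thread) that triages a /var/log/secure excerpt the way the reply above reads it: it separates tcp_wrappers configuration warnings and outright "refused connect" events (the poster's own failed logins) from the password-guessing noise that reached authentication, and checks the text of a hosts.allow/hosts.deny file for the two conditions the warning names. The sample log lines are constructed from the excerpt posted in the thread, and the max_len bound is an illustrative assumption, not the library's exact buffer size.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/secure lines posted in the thread
SAMPLE_LOG = """\
Oct 11 17:17:34 www sshd[20187]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:17:34 www sshd[20187]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:30:41 www sshd[20586]: Invalid user liam from 50.201.67.38
Oct 11 17:30:43 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:46:32 www sshd[21136]: Failed password for root from 89.107.124.244 port 59373 ssh2
Oct 11 18:16:31 www sshd[21942]: Failed password for root from 163.172.16.102 port 37657 ssh2
"""

# tcpd complaining about a specific file and line of its own configuration
WARN_RE = re.compile(
    r"sshd\[\d+\]: warning: (?P<file>/etc/hosts\.(?:allow|deny)), line (?P<line>\d+): (?P<msg>.+)$"
)
# tcpd dropped the connection before any SSH exchange; the client sees
# "ssh_exchange_identification: Connection closed/reset by peer"
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (?P<host>\S+) \((?P<ip>[^)]+)\)")
# the connection got past tcpd and failed at password authentication
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def triage_secure_log(text):
    """Return counters for tcpd config warnings, tcpd refusals and password failures."""
    warnings = Counter()
    refused = Counter()
    failed = Counter()
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if m:
            warnings[(m["file"], int(m["line"]), m["msg"])] += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m["ip"]] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
    return {"warnings": warnings, "refused": refused, "failed": failed}


def check_tcpd_file(content, max_len=2048):
    """Flag the two conditions named by 'missing newline or line too long':
    a final line with no terminating newline, and any line longer than max_len
    (max_len is an assumed illustrative bound, not tcp_wrappers' real buffer size)."""
    issues = []
    if content and not content.endswith("\n"):
        issues.append("last line has no trailing newline")
    for n, line in enumerate(content.split("\n"), 1):
        if len(line) > max_len:
            issues.append(f"line {n} exceeds {max_len} characters")
    return issues


if __name__ == "__main__":
    report = triage_secure_log(SAMPLE_LOG)
    for (path, lineno, msg), count in sorted(report["warnings"].items()):
        print(f"config problem: {path} line {lineno}: {msg} ({count}x)")
    for ip, count in report["refused"].most_common():
        print(f"refused by tcpd before SSH handshake: {ip} ({count}x)")
    for (user, ip), count in report["failed"].most_common():
        print(f"password failure for {user!r} from {ip} ({count}x)")
    # hosts.deny text as posted, with the final newline missing (constructed)
    print(check_tcpd_file("sshd: UNKNOWN"))
```

Running it against a real /var/log/secure shows whether a "refused connect" entry matches your own address, which is the case to fix in hosts.allow/hosts.deny (or the firewall) rather than the background noise of failed passwords from elsewhere.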

nibraz 10-12-2016 06:07 AM

Quote:

Originally Posted by Turbocapitalist (Post 5616937)
You have errors in your "tcpd" configuration, both in /etc/hosts.allow and /etc/hosts.deny. Do you see them there in the log?

I'd make copies of both files and then clear them and see if you can log in after that. Then if you need to block, use the firewall aka "iptables".

CentOS 6 is fine. They do security updates and patch things until November 2020. Whether you remember to apply them is another matter. There is some new functionality in more recent versions of OpenSSH, but that's not important. There are some improvements with removing old, insecure encryption though, so you might check the patch history to see what was done by the CentOS team. But if you have FTP on your machine, your submarine already has a screen door.

Thanks Turbo.

Do I install security updates via the "yum update" command? How do I disallow FTP? Is there any option?

Thanks

Turbocapitalist 10-12-2016 07:21 AM

If you are the only user of FTP, then you can just uninstall it. If you have other users or have scripts that are unfortunate enough to use it, then it requires transition to SFTP first.

nibraz 10-14-2016 07:39 AM

Thanks for all the help, Turbo. All resolved: SSH is working after removing stuff from the hosts.deny file, and I also uninstalled FTP.

Thanks again
