LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-11-2016, 04:00 PM   #16
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74

You might need to check the contents of /etc/hosts.{deny,allow} and make sure that none of your IPs are blacklisted there. Also, check the contents of ~/.ssh/config just in case you have any custom configs there (i.e. ssh keys).
 
Old 10-11-2016, 11:29 PM   #17
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,058
Blog Entries: 3

Rep: Reputation: 1958
The ~/.ssh/config file on your server account might have important info, so I second the suggestion. So would grabbing a copy of the sshd configuration file, which should be in /etc/ssh/sshd_config unless you've changed it. As for the logs, the names depend somewhat on your distro. Which distro do you have on the server and which one on the laptop? You'll want the authentication logs and the system logs for sure. If they fit, grab everything in /var/log/ so you can look around.

Though new versions of OpenSSH ignore tcpd completely and rely on iptables instead. But along those lines, checking the firewall rules would be a good idea.
 
Old 10-12-2016, 03:25 AM   #18
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
This is my sshd_config

Code:
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
This is what I have in my hosts.deny file (this was recommended by a Linux expert to protect from unknown hackers):

Code:
#
# hosts.deny	This file contains access rules which are used to
#		deny connections to network services that either use
#		the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		The rules in this file can also be set up in
#		/etc/hosts.allow with a 'deny' option instead.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com, .pl, .com, .ar, .tw
sshd: UNKNOWN
 
Old 10-12-2016, 03:31 AM   #19
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,058
Blog Entries: 3

Rep: Reputation: 1958
Quote:
Originally Posted by nibraz
This is my sshd_config

Code:
PermitRootLogin yes
...
PasswordAuthentication yes
Ok. These two items are problematic, though not nearly as much as the news that FTP is allowed.

About the tcpwrappers (hosts.deny / hosts.allow), new versions of OpenSSH server ignore it completely starting with version 6.7 actually.

Which distro are you using on the server and which version of OpenSSH server does it run?
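The two sshd_config lines quoted in this reply can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from OpenSSH: it reads an sshd_config the way sshd(8) does for plain keywords (comments ignored, keywords case-insensitive, and for each keyword the first value obtained wins), then flags the settings discussed in the thread. The config excerpt embedded in it is constructed to mirror the posted file, and the default table assumes OpenSSH 5.x-era defaults (Protocol defaulted to "2,1" before OpenSSH 5.4 disabled protocol 1).

```python
"""Audit an sshd_config for the settings flagged in the thread.

Added example, not code from the thread or from OpenSSH. Parsing follows
sshd_config(5) for plain keywords: comments and blank lines are ignored,
keywords are case-insensitive, and for each keyword the FIRST value
encountered wins (later duplicates are ignored). Match blocks are not
modelled: scanning stops at the first uncommented 'Match' line.
"""
import re

# Constructed excerpt mirroring the posted config; not the real file.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Protocol 2
SyslogFacility AUTHPRIV
#LogLevel INFO
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
#Match User anoncvs
#	X11Forwarding no
"""

# Assumed OpenSSH 5.x-era defaults for keywords that may be absent.
# Protocol defaulted to "2,1" before OpenSSH 5.4; later versions default to 2.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "protocol": "2,1",
    "x11forwarding": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value}, honouring first-value-wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument may be separated by whitespace or '='
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # per-user/host overrides start here; stop the global scan
        effective.setdefault(key, value)
    return effective

def effective_value(cfg, key):
    """Value sshd would use: explicit setting, else the (assumed) default."""
    return cfg.get(key, DEFAULTS.get(key, ""))

def audit(cfg):
    """Return a list of (keyword, value, why) findings for risky settings."""
    findings = []
    prl = effective_value(cfg, "permitrootlogin").lower()
    if prl == "yes":
        findings.append(("PermitRootLogin", prl,
                         "root can log in directly; prefer 'no' (or 'without-password') plus sudo"))
    pa = effective_value(cfg, "passwordauthentication").lower()
    if pa == "yes":
        findings.append(("PasswordAuthentication", pa,
                         "online password guessing is possible; prefer keys and set to 'no'"))
    proto = effective_value(cfg, "protocol")
    if "1" in proto.replace(" ", "").split(","):
        findings.append(("Protocol", proto, "SSH protocol 1 is obsolete and insecure"))
    x11 = effective_value(cfg, "x11forwarding").lower()
    if x11 == "yes":
        findings.append(("X11Forwarding", x11,
                         "only needed for remote GUI programs; widens the attack surface"))
    return findings

if __name__ == "__main__":
    for key, value, why in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{key} {value}: {why}")
```

Because the first value wins, a hardening line appended at the bottom of a file that still says `PermitRootLogin yes` higher up changes nothing; the audit reproduces that behaviour, so run it against the whole file rather than a fragment.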
 
Old 10-12-2016, 04:29 AM   #20
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by Turbocapitalist
Ok. These two items are problematic, though not nearly as much as the news that FTP is allowed.

About the tcpwrappers (hosts.deny / hosts.allow), new versions of OpenSSH server ignore it completely starting with version 6.7 actually.

Which distro are you using on the server and which version of OpenSSH server does it run?
This is what I got: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

OS:
CentOS release 6.5 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
 
Old 10-12-2016, 05:05 AM   #21
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,058
Blog Entries: 3

Rep: Reputation: 1958
Ok, you're running CentOS 6.5 which is good until November 2020. Running CentOS 6.5 means that you've got a very old version of OpenSSH, but that it will support tcpd. Really, with the advent of "ipchains", and later "iptables", "tcpd" became mostly irrelevant. According to the configuration you posted for "tcpd" you are using the most basic features and those are better done with the firewall. That would be "iptables" or whatever CentOS 6 has for a front-end for "iptables". With SSH you have a reasonable lock on the front door, but the back porch is open except for an unlatched screen door (FTP).

But back to SSH, your login failures should be showing up in /var/log/secure

What does that log say when you try to connect but fail?
 
Old 10-12-2016, 05:50 AM   #22
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by Turbocapitalist
Ok, you're running CentOS 6.5 which is good until November 2020. Running CentOS 6.5 means that you've got a very old version of OpenSSH, but that it will support tcpd. Really, with the advent of "ipchains", and later "iptables", "tcpd" became mostly irrelevant. According to the configuration you posted for "tcpd" you are using the most basic features and those are better done with the firewall. That would be "iptables" or whatever CentOS 6 has for a front-end for "iptables". With SSH you have a reasonable lock on the front door, but the back porch is open except for an unlatched screen door (FTP).

But back to SSH, your login failures should be showing up in /var/log/secure

What does that log say when you try to connect but fail?
Hi Turbo

Is it worth updating the CentOS system itself?

Would it cause any problems for my website running backend DB as mysql?

/var/log/secure got this:

Code:
Oct 11 17:17:34 www sshd[20187]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:17:34 www sshd[20187]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:18:07 www sshd[20203]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:18:07 www sshd[20203]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:18:34 www sshd[20206]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:18:34 www sshd[20206]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:18:49 www sshd[20209]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:18:49 www sshd[20209]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:20:27 www sshd[20291]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:20:27 www sshd[20291]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:22:41 www sshd[20332]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:22:41 www sshd[20332]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:24:08 www sshd[20371]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:24:08 www sshd[20371]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:30:41 www sshd[20586]: Invalid user liam from 50.201.67.38
Oct 11 17:30:41 www sshd[20587]: input_userauth_request: invalid user liam
Oct 11 17:30:41 www sshd[20586]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:30:41 www sshd[20586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net 
Oct 11 17:30:41 www sshd[20586]: pam_succeed_if(sshd:auth): error retrieving information about user liam
Oct 11 17:30:43 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:30:43 www sshd[20586]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:30:43 www sshd[20586]: pam_succeed_if(sshd:auth): error retrieving information about user liam
Oct 11 17:30:45 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:30:45 www sshd[20586]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:30:45 www sshd[20586]: pam_succeed_if(sshd:auth): error retrieving information about user liam
Oct 11 17:30:47 www sshd[20589]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:30:47 www sshd[20589]: refused connect from host109-148-103-166.range109-148.btcentralplus.com (109.148.103.166)
Oct 11 17:30:47 www sshd[20586]: Failed password for invalid user liam from 50.201.67.38 port 19697 ssh2
Oct 11 17:30:47 www sshd[20587]: Connection closed by 50.201.67.38
Oct 11 17:30:47 www sshd[20586]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net 
Oct 11 17:43:07 www sshd[10291]: pam_unix(sshd:session): session closed for user root
Oct 11 17:45:44 www sshd[21116]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:45:44 www sshd[21116]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:45:46 www sshd[21116]: Invalid user james from 65.242.43.109
Oct 11 17:45:46 www sshd[21117]: input_userauth_request: invalid user james
Oct 11 17:45:46 www sshd[21116]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:45:46 www sshd[21116]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109 
Oct 11 17:45:46 www sshd[21116]: pam_succeed_if(sshd:auth): error retrieving information about user james
Oct 11 17:45:47 www sshd[21116]: Failed password for invalid user james from 65.242.43.109 port 38408 ssh2
Oct 11 17:45:48 www sshd[21116]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:45:48 www sshd[21116]: pam_succeed_if(sshd:auth): error retrieving information about user james
Oct 11 17:45:49 www sshd[21116]: Failed password for invalid user james from 65.242.43.109 port 38408 ssh2
Oct 11 17:45:50 www sshd[21116]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 17:45:50 www sshd[21116]: pam_succeed_if(sshd:auth): error retrieving information about user james
Oct 11 17:45:52 www sshd[21116]: Failed password for invalid user james from 65.242.43.109 port 38408 ssh2
Oct 11 17:45:52 www sshd[21117]: Connection closed by 65.242.43.109
Oct 11 17:45:52 www sshd[21116]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109 
Oct 11 17:46:27 www sshd[21135]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:46:27 www sshd[21135]: warning: /etc/hosts.deny, line 14: host name/address mismatch: 89.107.124.244 != nisipp3.canmos.ru
Oct 11 17:46:27 www sshd[21135]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:46:27 www sshd[21135]: Did not receive identification string from 89.107.124.244
Oct 11 17:46:27 www sshd[21136]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:46:27 www sshd[21136]: warning: /etc/hosts.deny, line 14: host name/address mismatch: 89.107.124.244 != nisipp3.canmos.ru
Oct 11 17:46:27 www sshd[21136]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:46:30 www sshd[21136]: Address 89.107.124.244 maps to nisipp3.canmos.ru, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 11 17:46:30 www sshd[21136]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.107.124.244  user=root
Oct 11 17:46:32 www sshd[21136]: Failed password for root from 89.107.124.244 port 59373 ssh2
Oct 11 17:46:32 www sshd[21137]: Received disconnect from 89.107.124.244: 11: Bye Bye
Oct 11 18:16:29 www sshd[21942]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:29 www sshd[21942]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:29 www sshd[21942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:31 www sshd[21942]: Failed password for root from 163.172.16.102 port 37657 ssh2
Oct 11 18:16:31 www sshd[21943]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:31 www sshd[21944]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:31 www sshd[21944]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:32 www sshd[21944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:33 www sshd[21944]: Failed password for root from 163.172.16.102 port 51357 ssh2
Oct 11 18:16:33 www sshd[21945]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:33 www sshd[21946]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:33 www sshd[21946]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:33 www sshd[21946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:35 www sshd[21946]: Failed password for root from 163.172.16.102 port 33535 ssh2
Oct 11 18:16:35 www sshd[21947]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:35 www sshd[21948]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:35 www sshd[21948]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:35 www sshd[21948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu  user=root
Oct 11 18:16:37 www sshd[21948]: Failed password for root from 163.172.16.102 port 45033 ssh2
Oct 11 18:16:37 www sshd[21949]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:16:37 www sshd[21950]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:16:37 www sshd[21950]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:16:38 www sshd[21950]: Invalid user pi from 163.172.16.102
Oct 11 18:16:38 www sshd[21951]: input_userauth_request: invalid user pi
Oct 11 18:16:38 www sshd[21950]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:16:38 www sshd[21950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163-172-16-102.rev.poneytelecom.eu 
Oct 11 18:16:38 www sshd[21950]: pam_succeed_if(sshd:auth): error retrieving information about user pi
Oct 11 18:16:39 www sshd[21950]: Failed password for invalid user pi from 163.172.16.102 port 57511 ssh2
Oct 11 18:16:39 www sshd[21951]: Received disconnect from 163.172.16.102: 11: Bye Bye
Oct 11 18:19:10 www sshd[22018]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:19:10 www sshd[22018]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:19:40 www sshd[22021]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:19:40 www sshd[22021]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:21:09 www sshd[22103]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:21:09 www sshd[22103]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:21:10 www sshd[22103]: Invalid user help from 50.201.67.38
Oct 11 18:21:10 www sshd[22104]: input_userauth_request: invalid user help
Oct 11 18:21:10 www sshd[22103]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:21:10 www sshd[22103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net 
Oct 11 18:21:10 www sshd[22103]: pam_succeed_if(sshd:auth): error retrieving information about user help
Oct 11 18:21:12 www sshd[22103]: Failed password for invalid user help from 50.201.67.38 port 1777 ssh2
Oct 11 18:21:12 www sshd[22103]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:21:12 www sshd[22103]: pam_succeed_if(sshd:auth): error retrieving information about user help
Oct 11 18:21:14 www sshd[22103]: Failed password for invalid user help from 50.201.67.38 port 1777 ssh2
Oct 11 18:21:14 www sshd[22103]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:21:14 www sshd[22103]: pam_succeed_if(sshd:auth): error retrieving information about user help
Oct 11 18:21:15 www sshd[22103]: Failed password for invalid user help from 50.201.67.38 port 1777 ssh2
Oct 11 18:21:15 www sshd[22104]: Connection closed by 50.201.67.38
Oct 11 18:21:15 www sshd[22103]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=50-201-67-38-static.hfc.comcastbusiness.net 
Oct 11 18:29:34 www sshd[22288]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:29:34 www sshd[22288]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:29:42 www sshd[22289]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:29:42 www sshd[22289]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:34:09 www sshd[22429]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:34:09 www sshd[22429]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:37:34 www sshd[22525]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:37:34 www sshd[22525]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:37:35 www sshd[22525]: Invalid user odoo from 65.242.43.109
Oct 11 18:37:35 www sshd[22526]: input_userauth_request: invalid user odoo
Oct 11 18:37:35 www sshd[22525]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:37:35 www sshd[22525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109 
Oct 11 18:37:35 www sshd[22525]: pam_succeed_if(sshd:auth): error retrieving information about user odoo
Oct 11 18:37:37 www sshd[22525]: Failed password for invalid user odoo from 65.242.43.109 port 38408 ssh2
Oct 11 18:37:37 www sshd[22525]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:37:37 www sshd[22525]: pam_succeed_if(sshd:auth): error retrieving information about user odoo
Oct 11 18:37:39 www sshd[22525]: Failed password for invalid user odoo from 65.242.43.109 port 38408 ssh2
Oct 11 18:37:39 www sshd[22525]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 18:37:39 www sshd[22525]: pam_succeed_if(sshd:auth): error retrieving information about user odoo
Oct 11 18:37:41 www sshd[22525]: Failed password for invalid user odoo from 65.242.43.109 port 38408 ssh2
Oct 11 18:37:41 www sshd[22526]: Connection closed by 65.242.43.109
Oct 11 18:37:41 www sshd[22525]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.242.43.109 
Oct 11 18:57:18 www sshd[23047]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:57:18 www sshd[23047]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:58:12 www sshd[23064]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:58:12 www sshd[23064]: warning: /etc/hosts.deny, line 14: host name/address mismatch: 222.138.139.252 != hn.kd.ny.adsl
Oct 11 18:58:12 www sshd[23064]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:58:14 www sshd[23064]: Address 222.138.139.252 maps to hn.kd.ny.adsl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 11 18:58:14 www sshd[23064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.138.139.252  user=root
Oct 11 18:58:15 www sshd[23064]: Failed password for root from 222.138.139.252 port 54792 ssh2
Oct 11 18:58:16 www sshd[23066]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:58:16 www sshd[23066]: refused connect from host86-161-198-208.range86-161.btcentralplus.com (xxx.xxx.xx.xx)
Oct 11 18:58:17 www sshd[23064]: Failed password for root from 222.138.139.252 port 54792 ssh2
Oct 11 18:58:19 www sshd[23064]: Failed password for root from 222.138.139.252 port 54792 ssh2
Oct 11 18:58:19 www sshd[23065]: Connection closed by 222.138.139.252
Oct 11 18:58:19 www sshd[23064]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.138.139.252  user=root
Oct 11 18:59:15 www sshd[23086]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 18:59:15 www sshd[23086]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 18:59:15 www sshd[23086]: Invalid user test1 from 46.32.53.44
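The log above mixes three different things: tcp_wrappers warnings about a broken line in hosts.allow/hosts.deny, tcp_wrappers refusing the poster's own client, and routine password guessing against root and non-existent accounts. The following added example (not code from this thread) separates them. The log excerpt inside it is constructed in the same CentOS 6 /var/log/secure format as the posted one, with RFC 5737 documentation addresses and made-up hostnames rather than the real ones.

```python
"""Triage sshd entries from /var/log/secure (CentOS 6 syslog format).

Added example, not from the thread. Buckets: tcp_wrappers configuration
warnings (which name the file and line to fix), tcp_wrappers refusals
(who is being locked out, and how often), and password-guessing sources
with the usernames they tried.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the posted log; addresses are
# RFC 5737 documentation ranges and hostnames are made up.
SAMPLE_SECURE_LOG = """\
Oct 11 17:17:34 www sshd[20187]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:17:34 www sshd[20187]: refused connect from laptop.example.net (198.51.100.7)
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.allow, line 10: missing newline or line too long
Oct 11 17:30:40 www sshd[20586]: warning: /etc/hosts.deny, line 14: missing newline or line too long
Oct 11 17:30:41 www sshd[20586]: Invalid user liam from 203.0.113.5
Oct 11 17:30:43 www sshd[20586]: Failed password for invalid user liam from 203.0.113.5 port 19697 ssh2
Oct 11 17:30:45 www sshd[20586]: Failed password for invalid user liam from 203.0.113.5 port 19697 ssh2
Oct 11 17:46:32 www sshd[21136]: Failed password for root from 203.0.113.9 port 59373 ssh2
Oct 11 18:16:31 www sshd[21942]: Failed password for root from 203.0.113.9 port 37657 ssh2
Oct 11 18:19:10 www sshd[22018]: refused connect from laptop.example.net (198.51.100.7)
Oct 11 17:43:07 www sshd[10291]: pam_unix(sshd:session): session closed for user root
"""

# Message patterns of interest, matched against the text after "sshd[pid]: "
PATTERNS = {
    "tcpd_warning": re.compile(r"warning: (/etc/hosts\.(?:allow|deny)), line (\d+): (.+)$"),
    "tcpd_refused": re.compile(r"refused connect from (\S+) \(([^)]+)\)"),
    "invalid_user": re.compile(r"Invalid user (\S+) from (\S+)"),
    "root_failed":  re.compile(r"Failed password for root from (\S+) port"),
}

SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[(\d+)\]: (.*)$")

def parse_line(line):
    """Classify one syslog line; returns (kind, (pid, *captures)) or None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    pid, msg = m.groups()
    for kind, pat in PATTERNS.items():
        hit = pat.search(msg)
        if hit:
            return kind, (pid,) + hit.groups()
    return None

def triage(text):
    """Summarise a log excerpt into the buckets a defender wants to see."""
    config_errors = set()             # (file, line_no, problem): unique broken lines
    refused = Counter()               # (host, addr) -> times tcpd turned it away
    guessing = defaultdict(Counter)   # source addr -> Counter of usernames tried
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, fields = parsed
        if kind == "tcpd_warning":
            _, path, line_no, problem = fields
            config_errors.add((path, int(line_no), problem))
        elif kind == "tcpd_refused":
            _, host, addr = fields
            refused[(host, addr)] += 1
        elif kind == "invalid_user":
            _, user, addr = fields
            guessing[addr][user] += 1
        elif kind == "root_failed":
            _, addr = fields
            guessing[addr]["root"] += 1
    return {"config_errors": sorted(config_errors), "refused": refused, "guessing": guessing}

if __name__ == "__main__":
    report = triage(SAMPLE_SECURE_LOG)
    for path, line_no, problem in report["config_errors"]:
        print(f"fix {path} line {line_no}: {problem}")
    for (host, addr), n in report["refused"].most_common():
        print(f"tcpd refused {host} ({addr}) {n} times")
    for addr, users in report["guessing"].items():
        print(f"guessing from {addr}: {dict(users)}")
```

The "config_errors" bucket is the actionable one here: the same file and line number repeating on every connection means a single broken rule line, not an attack. The "guessing" bucket is the background noise that `PermitRootLogin no` and `PasswordAuthentication no` make harmless.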
 
Old 10-12-2016, 06:01 AM   #23
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,058
Blog Entries: 3

Rep: Reputation: 1958
You have errors in your "tcpd" configuration, both in /etc/hosts.allow and /etc/hosts.deny. Do you see them there in the log?

I'd make copies of both files and then clear them and see if you can log in after that. Then if you need to block, use the firewall aka "iptables".

CentOS 6 is fine. They do security updates and patch things until November 2020. Whether you remember to apply them is another matter. There is some new functionality in more recent versions of OpenSSH, but that's not important. There are some improvements with removing old, insecure encryption though so you might check the patch history to see what was done by the CentOS team. But if you have FTP on your machine, your submarine already has a screen door.
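The tcpd warning in the log ("missing newline or line too long") comes from tcp_wrappers reading each rule line into a fixed buffer: a line longer than the buffer, or a final line with no trailing newline, is warned about and skipped. The following added example (not code from this thread or from tcp_wrappers) reproduces that check and dry-runs a hosts.deny against a client, using the subset of hosts_access(5) client patterns seen in the posted rules: ALL, UNKNOWN, a leading-dot domain suffix, and an exact host or address. The buffer size used (2048 bytes, BUFLEN in hosts_access.c as I recall it) is an assumption, and the sample file is constructed from the posted rules with a deliberately over-long line and a missing final newline. Note that a suffix pattern such as `.com` matches every client whose reverse DNS name ends in .com, which is consistent with the refusals the posted log shows for a .com hostname.

```python
"""Lint and dry-run /etc/hosts.allow and /etc/hosts.deny rules.

Added example, not from the thread or from tcp_wrappers. tcpd reads each
rule line into a fixed buffer; a line that does not fit, or a last line
without a trailing newline, produces "missing newline or line too long"
and the rule is ignored. The buffer size below is an assumption.
"""

BUFLEN = 2048  # assumed tcp_wrappers line buffer (BUFLEN in hosts_access.c)

# Constructed sample: the posted hosts.deny rules plus two deliberately
# broken lines (one longer than BUFLEN, one without a trailing newline).
SAMPLE_HOSTS_DENY = (
    "# deny rules for sshd\n"
    "sshd: .cn, .cn.net, .cn.com, .jp, .jp.com, .pl, .com, .ar, .tw\n"
    + "sshd: " + ", ".join(f".tld{i}" for i in range(400)) + "\n"   # longer than BUFLEN
    + "sshd: UNKNOWN"                                                # last line, no newline
)

def _lines(text):
    """(line_no, raw line with its ending) so lint and parse see the same view."""
    return enumerate(text.splitlines(keepends=True), start=1)

def line_is_broken(raw, buflen=BUFLEN):
    """True if tcpd would warn about this line and skip it (assumed limit)."""
    return not raw.endswith("\n") or len(raw) >= buflen

def lint_hosts_access(text, path="/etc/hosts.deny", buflen=BUFLEN):
    """Return tcpd-style warnings for lines it would refuse to parse."""
    return [f"{path}, line {n}: missing newline or line too long"
            for n, raw in _lines(text) if line_is_broken(raw, buflen)]

def parse_rules(text, buflen=BUFLEN):
    """Return [(daemons, clients)] for the lines tcpd would actually apply."""
    rules = []
    for _, raw in _lines(text):
        if line_is_broken(raw, buflen):
            continue  # tcpd warns and ignores such a line
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((
            daemons.replace(",", " ").split(),
            clients.replace(",", " ").split(),
        ))
    return rules

def client_matches(pattern, hostname, address):
    """hosts_access(5) client pattern subset. hostname is None when reverse
    DNS fails or does not map back to the address (tcpd calls that UNKNOWN)."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return hostname is None
    if pattern.startswith("."):
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    return pattern == address or (hostname is not None and pattern.lower() == hostname.lower())

def would_deny(text, daemon, hostname, address):
    """Dry-run: would any usable rule in this hosts.deny match the client?"""
    for daemons, clients in parse_rules(text):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, hostname, address) for p in clients):
                return True
    return False

if __name__ == "__main__":
    for w in lint_hosts_access(SAMPLE_HOSTS_DENY):
        print("warning:", w)
    print(would_deny(SAMPLE_HOSTS_DENY, "sshd", "laptop.example.com", "198.51.100.7"))
```

The dry-run shows the other trap in the posted rules: with `.com` in the deny list, any legitimate client whose reverse name ends in .com is refused, while the `UNKNOWN` rule on the unterminated last line never takes effect at all.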
 
Old 10-12-2016, 06:07 AM   #24
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by Turbocapitalist
You have errors in your "tcpd" configuration, both in /etc/hosts.allow and /etc/hosts.deny. Do you see them there in the log?

I'd make copies of both files and then clear them and see if you can log in after that. Then if you need to block, use the firewall aka "iptables".

CentOS 6 is fine. They do security updates and patch things until November 2020. Whether you remember to apply them is another matter. There is some new functionality in more recent versions of OpenSSH, but that's not important. There are some improvements with removing old, insecure encryption though so you might check the patch history to see what was done by the CentOS team. But if you have FTP on your machine, your submarine already has a screen door.
Thanks Turbo.

Do I install security updates via the "yum update" command? How do I disallow FTP? Is there any option?

Thanks
 
Old 10-12-2016, 07:21 AM   #25
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,058
Blog Entries: 3

Rep: Reputation: 1958
If you are the only user of FTP, then you can just uninstall it. If you have other users or have scripts that are unfortunate enough to use it, then it requires transition to SFTP first.
 
Old 10-14-2016, 07:39 AM   #26
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Thanks for all the help, Turbo. All resolved: SSH is working after removing stuff from the hosts.deny file, and I also uninstalled FTP.

Thanks again
Tags: putty