LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-30-2010, 07:16 AM   #1
brownsman
LQ Newbie
Hi

I have recently installed CentOS 5.5 on a couple of servers. I've been getting a lot of unauthorised ssh access attempts and have a few unusual entries in btmp, i.e.:

[root@zzzzzz log]# last -f btmp | grep -v "00\:00"
gecimeci ssh:notty ip65-44-224-10.z Sun Aug 29 19:00 - 23:13 (04:12)
gopher ssh:notty 74-95-79-97-delm Sun Aug 29 07:41 - 19:00 (11:19)
barone ssh:notty 218.90.183.190 Sat Aug 28 23:42 - 07:32 (07:49)
foobar ssh:notty 163.178.170.75 Tue Aug 24 19:07 - 23:06 (4+03:58)
macthom ssh:notty 163.178.170.75 Tue Aug 24 17:45 - 19:04 (01:19)
test ssh:notty 109.226.9.95 Tue Aug 24 08:05 - 17:41 (09:36)
test ssh:notty 109.226.9.95 Tue Aug 24 06:23 - 08:04 (01:41)
test ssh:notty 222.255.236.141 Mon Aug 23 23:58 - 06:23 (06:24)
root ssh:notty 218.240.40.25 Mon Aug 23 07:06 - 23:57 (16:51)
root ssh:notty ip-64-15-159-171 Sun Aug 22 17:37 - 07:05 (13:28)
test ssh:notty 211.154.133.20 Sun Aug 22 08:43 - 17:37 (08:54)
root ssh:notty 119.158.59.18 Sat Aug 21 19:16 - 08:42 (13:25)
shutdown ssh:notty 95.211.130.79 Sat Aug 21 11:25 - 19:15 (07:50)
ritchie ssh:notty 119.188.7.174 Fri Aug 20 17:50 - 11:12 (17:21)
root ssh:notty 119.152.159.137 Fri Aug 20 14:12 - 14:49 (00:37)
root ssh:notty 78.33.208.65 Thu Aug 19 23:39 - 14:12 (14:32)
gopher ssh:notty ms.onpcs.com Thu Aug 19 17:28 - 23:38 (06:10)

If /var/log/btmp registers bad login attempts, how come these "failed" logins lasted so long? Or am I reading this wrong?

I have since changed the port ssh is running on and the attempts have calmed down.

Thanks!

And... How come when I do a lastb, I get a different result:

gecimeci ssh:notty ip65-44-224-10.z Sun Aug 29 19:00 - 19:00 (00:00)
gecimeci ssh:notty ip65-44-224-10.z Sun Aug 29 19:00 - 19:00 (00:00)
PlcmSpIp ssh:notty ip65-44-224-10.z Sun Aug 29 19:00 - 19:00 (00:00)
PlcmSpIp ssh:notty ip65-44-224-10.z Sun Aug 29 19:00 - 19:00 (00:00)
nobody ssh:notty ip65-44-224-10.z Sun Aug 29 19:00 - 19:00 (00:00)
gopher ssh:notty 74-95-79-97-delm Sun Aug 29 07:41 - 07:41 (00:00)
rpc ssh:notty 74-95-79-97-delm Sun Aug 29 07:41 - 07:41 (00:00)
rpcuser ssh:notty 74-95-79-97-delm Sun Aug 29 07:41 - 07:41 (00:00)
nfsnobod ssh:notty 74-95-79-97-delm Sun Aug 29 07:40 - 07:40 (00:00)

?

Last edited by unSpawn; 08-30-2010 at 10:32 AM. Reason: Merged to retain 0-reply status
 
Old 08-31-2010, 08:02 AM   #2
unSpawn
Moderator
Could you return (in BB code tags) the output of: '( grep -v ^# /etc/ssh/sshd_config;grep -v ^# /etc/pam.d/sshd;grep -v ^# /etc/pam.d/system-auth ) | grep .; rpm -qVv openssh-server pam|grep -v '\.\{8\}''?
 
Old 09-01-2010, 05:19 AM   #3
brownsman
LQ Newbie
Hi

I have since rebuilt this server as I was concerned about its integrity. Here is the output on the rebuilt system:

Code:
[root@xxxxxx kexec]# ( grep -v ^# /etc/ssh/sshd_config;grep -v ^# /etc/pam.d/sshd;grep -v ^# /etc/pam.d/system-auth ) | grep .; rpm -qVv openssh-server pam|grep -v '\.\{8\}'
Port xxxx
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
S.5....T  c /etc/ssh/sshd_config
....L...  c /etc/pam.d/system-auth
prelink: /lib64/libpam.so.0.81.5: at least one of file's dependencies has changed since prelinking
S.?.....    /lib64/libpam.so.0.81.5
prelink: /lib64/libpam_misc.so.0.81.2: at least one of file's dependencies has changed since prelinking
S.?.....    /lib64/libpam_misc.so.0.81.2
prelink: /sbin/pam_console_apply: at least one of file's dependencies has changed since prelinking
S.?.....    /sbin/pam_console_apply
prelink: /sbin/pam_tally: at least one of file's dependencies has changed since prelinking
S.?.....    /sbin/pam_tally
prelink: /sbin/pam_tally2: at least one of file's dependencies has changed since prelinking
S.?.....    /sbin/pam_tally2
....L...  c /etc/pam.d/system-auth
[root@xxxxxx kexec]#
There were actually 2 boxes with identical issues. Have rebuilt both. The other box now crashes every time I run a yum update, but this is a separate issue.
 
Old 09-01-2010, 11:34 AM   #4
unSpawn
Moderator
I was wondering if something in your setup could have caused logins to linger, but as you have rebuilt the server there is no reason to go over config changes unless you deployed them exactly like on the "old" system. Even then they look pretty much like stock configs. By default I'm always interested in assessing system integrity, but again, as you have rebuilt the server there is no reason to go over that either...