PAM authentication failure
I've just upgraded a computer to Slackware 15.0. This release includes PAM. I'm having some authentication issue, the first of which is shown below in /var/log/secure:
Code:
Jan 22 00:16:11 mail sshd[1488]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.225 user=root
Any idea why? |
Yeah. Someone in China is trying to break into your system via ssh. If you haven't already then lockdown your sshd configuration as tightly as possible (or better yet, don't run it if you don't need it), and check your log thoroughly for any successful logins.
You could try blocking that source address at the firewall, but it's a game of whack-a-mole. |
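The reply above recommends reading the log for successful logins as well as failures. As an added example (not code from any poster in this thread), the script below parses lines in the two formats sshd and pam_unix write to /var/log/secure, counts PAM failures per source address, and flags any accepted login that came from an address with prior failures or that was a password login as root. The log lines are constructed samples using documentation-range addresses; the only assumed formats are the pam_unix line shown above and sshd's "Accepted <method> for <user> from <addr> port <n>" record.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines in the formats that pam_unix and
# sshd write; not the poster's actual log. Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 22 00:16:11 mail sshd[1488]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jan 22 00:16:20 mail sshd[1490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jan 22 00:17:02 mail sshd[1492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=admin
Jan 22 00:18:40 mail sshd[1495]: Accepted publickey for henrik from 192.168.17.5 port 40022 ssh2
Jan 22 00:19:03 mail sshd[1497]: Accepted password for root from 203.0.113.7 port 51300 ssh2
"""

# pam_unix line as shown in the thread: the fields of interest are rhost= and user=
PAM_FAIL = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S*)"
)
# sshd's own success record: "Accepted <method> for <user> from <addr> port <n> ssh2"
SSHD_ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<rhost>\S+) port \d+"
)


def summarize(log_text, threshold=3):
    """Count PAM failures per source address and flag successful logins that
    deserve a second look: any success from an address that also produced
    failures, and any password (rather than key) login as root."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            failures[m["rhost"]] += 1
            continue
        m = SSHD_ACCEPT.search(line)
        if m:
            accepted.append((m["rhost"], m["user"], m["method"]))
    suspicious = [
        a for a in accepted
        if a[0] in failures or (a[1] == "root" and a[2] == "password")
    ]
    return {
        "failures_by_host": dict(failures),
        # sources at or above the threshold are the ones a blocking script would act on
        "brute_force_sources": sorted(h for h, n in failures.items() if n >= threshold),
        "accepted": accepted,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG, threshold=2), indent=2))
```

Run it against a real file with `summarize(open("/var/log/secure").read())`; the `suspicious` list is the part worth reading first, since a successful login from a source that was guessing passwords minutes earlier is the case the reply warns about.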
Do you run sshd on port 22 (or NAT 22 -> 22)?
If so, avoid this. Change the port, or forward a port between 40000 - 65000 to port 22 on your router. |
Looks like a serial offender conducting a password brute force attack for root.
I am a big fan of
Code:
PermitRootLogin no
If I need root privileges, I am happy to use 'su -'. |
Code:
AllowGroups users
Allowing only pubkey authentication is preferable if your use situation allows for it. |
I do have a whack-a-mole script. This is a new domain controller just installed yesterday and I haven't fired up that script yet. Will do so ASAP. Meanwhile, I have blocked that IP. |
Thanks all! I've turned on my whack-a-mole script. |
Whack-a-mole, honey pot... I remember having so much fun.
It was a special kind of fun, when I was fighting back the latest Internet DDoS. I wrote a simple Bash script to detect and block it. Then I tested it. While I was online. Oooh! It worked, almost too well. :redface: :doh: The web site still ran just fine; all evil testing was blocked off (incl. mine) while the botnets were still waiting to find out if this "victim" was online or not (incl. mine). Like I said, almost too well. After a reboot, I decided to keep the script and use it, until better protections came in for Windows, via Norton and McAfee. And yes, it was fun! |
I log all addresses that fail connecting by ssh to my machine. At the time of this writing, it is 53661 different IP addresses, many of them from China. They do not only attempt the root account. I am not listening on port 22, but the rather easy to use port 2222.
Those 53661 IP addresses have accumulated since 2018. regards Henrik |
I just use simple iptables rules.
Code:
iptables -A INPUT -s 192.168.17.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s xxx.yyy.zzz.abc -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Denied SSH: " --log-level 2
iptables -A INPUT -p tcp --dport 22 -j DROP |
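The four rules above only work because of their order: the two ACCEPTs sit before the LOG and DROP, and LOG is the one target that does not end evaluation. As an added example (not the poster's code), the script below models that first-match walk for a single TCP packet so the behaviour can be checked without touching a live firewall. The ruleset is a hypothetical copy of the poster's; the `xxx.yyy.zzz.abc` placeholder is replaced with a documentation-range address, and the log line format is simplified.

```python
import ipaddress

# Hypothetical ruleset mirroring the four iptables commands above. The poster's
# xxx.yyy.zzz.abc is replaced with a documentation-range placeholder address.
SSH_RULES = [
    {"src": "192.168.17.0/24", "dport": 22, "target": "ACCEPT"},
    {"src": "198.51.100.42/32", "dport": 22, "target": "ACCEPT"},  # stands in for xxx.yyy.zzz.abc
    {"src": None, "dport": 22, "target": "LOG", "prefix": "Denied SSH: "},
    {"src": None, "dport": 22, "target": "DROP"},
]


def evaluate(rules, src, dport, policy="ACCEPT"):
    """Walk an INPUT chain top to bottom the way netfilter does for one TCP
    packet: the first rule whose source and destination port both match decides
    the verdict, except LOG, which records the packet and falls through to the
    next rule. Returns (verdict, [log lines written on the way])."""
    addr = ipaddress.ip_address(src)
    logged = []
    for rule in rules:
        if rule["dport"] != dport:
            continue
        if rule["src"] is not None and addr not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["target"] == "LOG":
            # simplified rendering of the kernel's "Denied SSH: ... SRC=... DPT=..." line
            logged.append(f'{rule["prefix"]}SRC={src} DPT={dport}')
            continue
        return rule["target"], logged
    # no terminating rule matched: the chain's default policy applies
    return policy, logged


def misordered(rules):
    """The same rules with the LOG/DROP pair moved to the top; shows that the
    LAN ACCEPT never gets a chance to fire in that order."""
    return rules[2:] + rules[:2]


if __name__ == "__main__":
    for src in ("192.168.17.10", "198.51.100.42", "203.0.113.5"):
        print(src, evaluate(SSH_RULES, src, 22))
    print("LAN host, misordered chain:", evaluate(misordered(SSH_RULES), "192.168.17.10", 22))
```

The fourth case is the one to keep in mind when editing the real chain with `iptables -A` (append) versus `-I` (insert at top): appending the ACCEPT after a catch-all DROP locks the LAN out exactly as `misordered` shows.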
Rather than making the SSH port vulnerable, IMO it would be best to use a VPN (either OpenVPN or WireGuard). That would give you remote access to the LAN, thereby allowing you to SSH to any machine you want. Running it on a high-numbered UDP port would be ideal. Your machine becomes practically invisible. No whack-a-mole necessary, because the moles stop coming.
|
So what about those gkr-pam messages? I see those in my log too, but no attempts on sshd since I'm not running that.
(Update: removepkging gnome-keyring, maybe that will help.) |
Code:
#-session optional pam_gnome_keyring.so auto_start |
Code:
AllowUsers user1@192.168.0.25 user2@192.168.0.26
Code:
AllowUsers |
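The replies in this thread add up to a short checklist for sshd_config: `PermitRootLogin no`, key-only authentication, an `AllowGroups` or `AllowUsers` whitelist (optionally with the `user@host` form shown above), and a port other than 22. As an added example (not code from any poster), the script below parses an sshd_config fragment the way sshd reads it (first value of a keyword wins, `Key value` or `Key=value`, global section only, stopping at the first `Match`) and reports which items on that list are still open. The two config fragments are constructed, and the defaults assumed for unset keywords are OpenSSH's documented ones (`PermitRootLogin prohibit-password`, `PasswordAuthentication yes`, `PubkeyAuthentication yes`, `Port 22`).

```python
import re

# Constructed sshd_config fragments (not the poster's files): the first leaves
# the thread's weak spots open, the second applies the directives the replies
# recommend.
WEAK_CONFIG = """\
# defaults mostly left alone
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups users
AllowUsers user1@192.168.0.25 user2@192.168.0.26
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: [values]} for global directives. sshd keeps the
    first value it sees for a keyword and accepts 'Key value' or 'Key=value';
    parsing stops at the first Match block, whose lines are conditional."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        values = parts[1].split() if len(parts) > 1 else []
        conf.setdefault(key, values)  # first occurrence wins, as in sshd
    return conf


def audit(text):
    """Return a list of findings; empty when every item from the thread's
    checklist is in place."""
    conf = parse_sshd_config(text)

    def setting(key, default):
        # assumed OpenSSH defaults are supplied by the caller for unset keywords
        return (conf.get(key) or [default])[0].lower()

    findings = []
    if setting("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no': root remains a valid login target")
    if setting("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on: password guessing is possible")
    if setting("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off: no key-based alternative")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt login")
    if setting("port", "22") == "22":
        findings.append("Port 22: default port, the one the scanners in the log are probing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Point it at the live file with `audit(open("/etc/ssh/sshd_config").read())`; anything inside a `Match` block is deliberately ignored, so a config that relaxes settings per host or group still needs a look by eye. After changing the file, `sshd -t` checks the syntax before a restart.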