Re: sshd logs and possible security violation
On Fri, Feb 15, 2002 at 01:17:15PM -0000, Chris Evans wrote:
> What I see in auth.log is (consecutive lines):
> Feb 14 23:19:29 www sshd[438]: Did not receive ident string from
> xxx.yy.zzz.uu (actual number removed in case!)
> I think that's an unsuccessful attempt to log in, am I right?
Not exactly. It means that xxx.yy.zzz.uu attempted to initiate an
ssh connection, but failed to properly identify the user running the
client. A failed login attempt looks like:
Feb 15 09:29:23 altima sshd[13760]: Failed password for esper from 127.0.0.1 port 4256
> Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
> Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
> don't understand why sshd did that then, 30 minutes later
That's normal activity. It protects against the key being compromised
by, essentially, causing the old one to expire.
> then the next lines are me testing what happens if I try to do
> an illegal login:
> Feb 15 07:36:08 www su[1154]: + ??? root-www-data
> Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-data by (uid=0)
> which looks alarming but I was slung out by shell being
> /usr/bin/false or by fact I didn't give right password
It was the shell that did it. If you had given the wrong password,
you would have seen something like:
Feb 15 09:34:19 altima PAM_unix[13778]: authentication failure; esper(uid=1000) -> root for su service
Feb 15 09:34:21 altima su[13778]: pam_authenticate: Authentication failure
Feb 15 09:34:21 altima su[13778]: - pts/3 esper-root
Note the + for successful auth, - for failed.
> Feb 15 07:55:52 www sshd[1375]: Accepted password for xxxxxxx from
> zzz.zzz.zzz.zzz port yyyy
>
> That last line seems to be the logging of a successful login and it's
> very reassuringly different from the one from someone else, from an
> outside IP address.
Yep.
> I'm also under the impression that sshd generates new keys when
> restarted and at intervals, does anyone know if that is right?
Correct. That's what the "RSA key generation" lines you asked about
were from.
--
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss
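As an added example (not part of the original thread or of OpenSSH/PAM), here is a small Python script that parses the kinds of auth.log lines discussed above, classifies each one (missing ident string, failed or accepted password, su success/failure, key regeneration) and counts events per source so that one host repeatedly connecting without identifying itself stands out from a single accepted login. The log lines in SAMPLE_LOG are constructed for this example; the hostnames, IP addresses (TEST-NET ranges), user names and thresholds are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Standard syslog prefix: "Feb 14 23:19:29 www sshd[438]: <message>".
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message patterns for the sshd, su and PAM_unix lines seen in the thread.
# Order matters: the first pattern that matches wins.
PATTERNS = [
    ("ssh_no_ident", re.compile(r"Did not receive ident string from (?P<src>\S+)")),
    ("ssh_failed_password", re.compile(
        r"Failed password for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("ssh_accepted_password", re.compile(
        r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("ssh_key_regen", re.compile(r"Generating new \d+ bit RSA key|RSA key generation complete")),
    # su logs "+ tty from-to" on success and "- tty from-to" on failure.
    ("su_success", re.compile(r"^\+ (?P<tty>\S+) (?P<user>[^-\s]+)-(?P<target>\S+)$")),
    ("su_failed", re.compile(r"^- (?P<tty>\S+) (?P<user>[^-\s]+)-(?P<target>\S+)$")),
    ("pam_auth_failure", re.compile(
        r"authentication failure; (?P<user>\w+)\(uid=(?P<uid>\d+)\) -> (?P<target>\S+) "
        r"for (?P<service>\S+) service")),
    ("pam_session_opened", re.compile(
        r"\((?P<service>\w+)\) session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)")),
]

# Constructed sample log (assumed hosts, addresses and users, not real data).
SAMPLE_LOG = """\
Feb 14 23:19:29 www sshd[438]: Did not receive ident string from 198.51.100.7
Feb 14 23:19:41 www sshd[439]: Did not receive ident string from 198.51.100.7
Feb 14 23:20:02 www sshd[440]: Did not receive ident string from 198.51.100.7
Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
Feb 15 07:36:08 www su[1154]: + ??? root-www-data
Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-data by (uid=0)
Feb 15 09:29:23 www sshd[13760]: Failed password for esper from 127.0.0.1 port 4256
Feb 15 09:34:19 www PAM_unix[13778]: authentication failure; esper(uid=1000) -> root for su service
Feb 15 09:34:21 www su[13778]: pam_authenticate: Authentication failure
Feb 15 09:34:21 www su[13778]: - pts/3 esper-root
Feb 15 07:55:52 www sshd[1375]: Accepted password for alice from 192.0.2.10 port 51022
"""


def parse_auth_line(line):
    """Return a dict describing one auth.log line, or None for lines that
    do not carry the usual syslog prefix. Unknown messages get event="other"."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    head = m.groupdict()
    rec = {"ts": head["ts"], "host": head["host"],
           "prog": head["prog"], "pid": int(head["pid"])}
    for event, pat in PATTERNS:
        hit = pat.search(head["msg"])
        if hit:
            rec.update(event=event, **hit.groupdict())
            return rec
    rec.update(event="other", msg=head["msg"])
    return rec


def summarize(lines):
    """Count events keyed by (event, source). sshd events are keyed by the
    remote address, su/PAM events by 'user->target', the rest by '-'."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        if "src" in rec:
            key = rec["src"]
        elif "target" in rec:
            key = f"{rec['user']}->{rec['target']}"
        else:
            key = "-"
        counts[(rec["event"], key)] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Addresses with at least `threshold` failed passwords or missing ident
    strings, sorted; a single accepted login never lands here."""
    per_src = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["event"] in ("ssh_no_ident", "ssh_failed_password"):
            per_src[rec["src"]] += 1
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (event, key), n in sorted(summarize(lines).items()):
        print(f"{event:22s} {key:20s} {n}")
    print("sources worth a look:", noisy_sources(lines))
```

Run against a real file with `summarize(open("/var/log/auth.log").read().splitlines())`; the "+"/"-" distinction from su and the "Failed"/"Accepted" distinction from sshd are the fields the thread says to read, and the counter makes the difference between one accepted login and a run of unidentified connection attempts visible at a glance.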