Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 12 Sep 2007 08:33:28 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Aldisa Admin <admin@aldisa.ca>, freebsd-questions@freebsd.org
Subject:   Re: Problem with logs
Message-ID:  <6.0.0.22.2.20070912083213.026faac0@mail.computinginnovations.com>
In-Reply-To: <46E7E651.4010708@aldisa.ca>
References:  <46E7E651.4010708@aldisa.ca>

next in thread | previous in thread | raw e-mail | index | archive | help
At 08:14 AM 9/12/2007, Aldisa Admin wrote:
>Hello All,
>
>I am having trouble understanding what is going on and how to solve the 
>problem:
>
>For the last few days, I am getting the following messages (some names 
>removed for privacy) in the daily security run output:
>
>[hostname].ca login failures:
>Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
>
>[hostname].ca login failures:
>Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
>
>
>I got worried because both these instances are times when I am positive 
>that I am not accessing the system.  I am the only user of the system.  I 
>use ssh to access the system.  Root access is disabled in sshd.  I log in 
>using my username (abid) and SU to root when necessary.
>
>So I went to check the auth.log, and here is the concerned section:
>
>Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 1203 ssh2
>Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
>Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 1688 ssh2
>Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
>Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 2032 ssh2
>Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
>Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 4146 ssh2
>Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
>Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 1116 ssh2
>Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for 
>abid from 192.168.1.30 port 2599 ssh2
>Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
>Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for 
>abid from 192.168.1.30 port 1361 ssh2
>Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
>Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for 
>abid from 192.168.1.30 port 2521 ssh2
>Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
>
>
>As you can see, there is no matching incidence in the auth.log.  How can 
>the security run show a BAD SU when there is no matching entry in the 
>auth.log for somebody authenticating successfully under my username.
>
>Some other facts:
>
>The machine is behind a NAT router and only apache and email ports (25, 
>80, 110, 143, 443, 587) are open.  SSH access is restricted to intranet IP 
>ranges.

How are you limiting this ssh access?  Are you using hosts.allow?  If you 
are not using hosts.allow, I would suggest you do so.

         -Derek

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20070912083213.026faac0>