From: Derek Ragona <derek@computinginnovations.com>
To: Aldisa Admin, freebsd-questions@freebsd.org
Date: Wed, 12 Sep 2007 08:33:28 -0500
Subject: Re: Problem with logs
Message-Id: <6.0.0.22.2.20070912083213.026faac0@mail.computinginnovations.com>
In-Reply-To: <46E7E651.4010708@aldisa.ca>

At 08:14 AM 9/12/2007, Aldisa Admin wrote:
>Hello All,
>
>I am having trouble understanding what is going on and how to solve the
>problem:
>
>For the last few days, I am getting the following messages (some names
>removed for privacy) in the daily security run output:
>
>[hostname].ca login failures:
>Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
>
>[hostname].ca login failures:
>Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
>
>I got worried because both these instances are times when I am positive
>that I am not accessing the system. I am the only user of the system. I
>use ssh to access the system. Root access is disabled in sshd. I log in
>using my username (abid) and SU to root when necessary.
>
>So I went to check the auth.log, and here is the concerned section:
>
>Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
>Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
>Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2
>Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
>Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2
>Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
>Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
>Sep 9 13:41:00 server su: abid to root on /dev/ttyp0
>Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
>Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
>Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
>Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
>Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
>Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2
>Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
>
>As you can see, there is no matching incidence in the auth.log. How can
>the security run show a BAD SU when there is no matching entry in the
>auth.log for somebody authenticating successfully under my username?
>
>Some other facts:
>
>The machine is behind a NAT router and only apache and email ports (25,
>80, 110, 143, 443, 587) are open. SSH access is restricted to intranet IP
>ranges.

How are you limiting this ssh access?  Are you using hosts.allow?  If you
are not using hosts.allow, I would suggest you do so.

        -Derek
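Added example, not part of the thread and not FreeBSD's own periodic scripts: a small POSIX shell script covering both points raised above. `audit_su` reads syslog lines in the shape of the quoted auth.log and, for each su(1) event (successful or BAD SU), reports whether the same user had an sshd "Accepted" login earlier that day, so a BAD SU with no ssh session behind it stands out in the way the poster was looking for; `sshd_hosts_allow_rules` emits the hosts.allow(5) lines that restrict sshd to given intranet networks and deny everything else, which is the control Derek suggests. The lines in SAMPLE_LOG are constructed to match the log formats quoted above; the host name "server", the user names and the network addresses are assumptions. The same-day check is deliberately coarse: a legitimate su from a console or serial login, or from an ssh session that spans midnight, is flagged as well, so a FLAG line is something to look into, not proof of compromise.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed syslog lines in the
# shape of the quoted auth.log; host "server", users and addresses are assumptions.
SAMPLE_LOG='Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 11 23:10:02 server su: BAD SU bob to root on /dev/ttyp1'

# audit_su: read syslog lines on stdin. For every su(1) event (good or BAD SU)
# print "ok ..." if the same user had an sshd "Accepted" login earlier that
# day, otherwise "FLAG ...". Same-day matching is a coarse heuristic: a
# console login or a session spanning midnight produces a FLAG too.
audit_su() {
    awk '
    # sshd line: "... sshd[PID]: Accepted <method> for <user> from <ip> port ..."
    $5 ~ /^sshd\[/ && $6 == "Accepted" {
        last_day[$9] = $1 " " $2            # e.g. "Sep 10"
        last_at[$9]  = $3 " from " $11      # e.g. "09:04:41 from 192.168.1.30"
        next
    }
    # su lines: "su: <user> to <target> on <tty>"
    #       or: "su: BAD SU <user> to <target> on <tty>"
    $5 == "su:" {
        if ($6 == "BAD") { kind = "BAD SU"; user = $8; target = $10 }
        else             { kind = "su";     user = $6; target = $8  }
        day = $1 " " $2
        if (!(user in last_day))
            printf "FLAG %s %s %s %s->%s: no ssh login seen for %s\n",
                   day, $3, kind, user, target, user
        else if (last_day[user] != day)
            printf "FLAG %s %s %s %s->%s: no ssh login for %s on %s (last %s %s)\n",
                   day, $3, kind, user, target, user, day, last_day[user], last_at[user]
        else
            printf "ok   %s %s %s %s->%s: ssh login %s\n",
                   day, $3, kind, user, target, last_at[user]
    }'
}

# flagged_count: how many su events in SAMPLE_LOG audit_su could not tie to an ssh login.
flagged_count() {
    printf '%s\n' "$SAMPLE_LOG" | audit_su | grep -c '^FLAG'
}

# sshd_hosts_allow_rules: emit hosts.allow(5) lines that let sshd accept only
# the given networks (net/mask form) and deny everyone else. hosts_access
# stops at the first matching rule, so the deny line must come last.
sshd_hosts_allow_rules() {
    for net in "$@"; do
        printf 'sshd : %s : allow\n' "$net"
    done
    printf 'sshd : ALL : deny\n'
}

# Stand-alone run: audit the sample, then show rules for the two intranet
# ranges that appear in the quoted log (assumed /24 masks).
printf '%s\n' "$SAMPLE_LOG" | audit_su
sshd_hosts_allow_rules 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
```

Against a real system, run `audit_su < /var/log/auth.log` (or against whichever file the security run reads, since the poster's BAD SU lines did not appear in auth.log at all). The rules from `sshd_hosts_allow_rules` belong in /etc/hosts.allow ahead of any broader allow line, such as the `ALL : ALL : allow` that FreeBSD's stock file starts with, because hosts_access(5) stops at the first match; they only take effect if sshd was built with TCP wrappers support, as the base-system sshd of that era was.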