phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
Posted: Wed Oct 13, 2010 3:49 pm Post subject: [SOLVED] Failed ssh authentication creates a user account?
Today I noticed a lot of new entries in /home in one of my boxes. After examining the logs here's the likely cause:
/var/log/auth.log wrote:
Oct 11 03:10:54 hq sshd[27684]: Invalid user xenia from 61.63.11.93
Oct 11 03:10:54 hq sshd[29351]: pam_tally(sshd:auth): pam_get_uid; no such user
Oct 11 03:10:54 hq sshd[29351]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 03:10:54 hq sshd[29351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-63-11-host93.kbtelecom.net.tw
Oct 11 03:10:54 hq useradd[29915]: new group: name=xenia, GID=5856
Oct 11 03:10:54 hq useradd[29915]: new user: name=xenia, UID=5856, GID=5856, home=/home/xenia, shell=/bin/bash
Oct 11 03:10:58 hq sshd[27684]: Failed keyboard-interactive/pam for invalid user xenia from 61.63.11.93 port 58368 ssh2
Oct 11 03:11:04 hq sshd[2636]: Invalid user xochitl from 61.63.11.93
Oct 11 03:11:04 hq sshd[6392]: pam_tally(sshd:auth): pam_get_uid; no such user
Oct 11 03:11:04 hq sshd[6392]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 03:11:04 hq sshd[6392]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-63-11-host93.kbtelecom.net.tw
Oct 11 03:11:04 hq useradd[6708]: new group: name=xochitl, GID=5857
Oct 11 03:11:04 hq useradd[6708]: new user: name=xochitl, UID=5857, GID=5857, home=/home/xochitl, shell=/bin/bash
Oct 11 03:11:08 hq sshd[2636]: Failed keyboard-interactive/pam for invalid user xochitl from 61.63.11.93 port 58894 ssh2
Here are possibly relevant pieces of configuration:
/etc/pam.d/sshd wrote:
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
/etc/pam.d/system-remote-login wrote:
auth include system-login
account include system-login
password include system-login
session include system-login
/etc/pam.d/system-login wrote:
auth required pam_tally.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally.so onerr=succeed
password include system-auth
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
/etc/pam.d/system-auth wrote:
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_smbpass.so migrate
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
It obviously looks very weird, and my first thought was a break-in. However, with so much noise (and all those new users have disabled passwords), I'm not so sure. It might be a configuration issue. What do you think?
_________________
http://phajdan-jr.blogspot.com/
Last edited by phajdan.jr on Sun Oct 17, 2010 4:35 pm; edited 1 time in total
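A small log-correlation check for the pattern shown in this post, added here as an example and not part of the thread: it pairs each sshd "Invalid user" line with a useradd "new user" line for the same account name within a short window, which is exactly the sequence that should never occur on a normal host. The sample lines are taken from the excerpt above plus one constructed, benign useradd line; the 60-second window and the 2010 year used to complete the syslog timestamps are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines from the thread's /var/log/auth.log excerpt,
# plus one unrelated useradd event (deploy) that must not be flagged.
SAMPLE_LOG = """\
Oct 11 03:10:54 hq sshd[27684]: Invalid user xenia from 61.63.11.93
Oct 11 03:10:54 hq sshd[29351]: pam_unix(sshd:auth): check pass; user unknown
Oct 11 03:10:54 hq useradd[29915]: new group: name=xenia, GID=5856
Oct 11 03:10:54 hq useradd[29915]: new user: name=xenia, UID=5856, GID=5856, home=/home/xenia, shell=/bin/bash
Oct 11 03:10:58 hq sshd[27684]: Failed keyboard-interactive/pam for invalid user xenia from 61.63.11.93 port 58368 ssh2
Oct 11 03:11:04 hq sshd[2636]: Invalid user xochitl from 61.63.11.93
Oct 11 03:11:04 hq useradd[6708]: new user: name=xochitl, UID=5857, GID=5857, home=/home/xochitl, shell=/bin/bash
Oct 11 09:30:00 hq useradd[7000]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy, shell=/bin/bash
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")   # case-sensitive on purpose
USERADD_RE = re.compile(r"new user: name=([^,]+),")

def parse_ts(stamp, year=2010):
    """syslog timestamps carry no year; assume one (2010 matches the thread)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_useradd_after_invalid_login(log_text, window_s=60):
    """Return (user, source_ip, seconds_between) for every useradd 'new user'
    event that follows an sshd 'Invalid user' attempt for the same name
    within window_s seconds. On a sane host this list is always empty."""
    pending = {}   # username -> (time of the invalid-user attempt, source ip)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if prog == "sshd":
            inv = INVALID_RE.search(msg)
            if inv:
                pending[inv.group(1)] = (ts, inv.group(2))
        elif prog == "useradd":
            ua = USERADD_RE.search(msg)
            if ua and ua.group(1) in pending:
                t0, ip = pending[ua.group(1)]
                delta = (ts - t0).total_seconds()
                if 0 <= delta <= window_s:
                    hits.append((ua.group(1), ip, delta))
    return hits
```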
nativemad Developer
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
Posted: Wed Oct 13, 2010 4:13 pm Post subject:
Hi Pawel,
I just had a look at my testbox, and the only difference I see in these pam-files is that mine is using pam_tally2.so in system-login.
I could also think of some weird nss failure!?
This is my default /etc/nsswitch.conf, but even with "compat", for example, proftpd could create homedirs (of course for valid users only, via ftp [I use this for LDAP users]).
Maybe it could be worth a try to set it to "files" instead of "compat" to get a little closer!?
Code:
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd: compat
shadow: compat
group: compat
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Or did you get a very screwed sshd_config!?
For the record... The only difference in your log is the invoked useradd command
Code:
Oct 11 03:10:54 hq useradd[29915]: new group: name=xenia, GID=5856
Oct 11 03:10:54 hq useradd[29915]: new user: name=xenia, UID=5856, GID=5856, home=/home/xenia, shell=/bin/bash
...I would suggest rkhunter and maybe AIDE for the future!?
Good luck!
_________________
Power to the people!
avendesora Veteran
Joined: 16 Aug 2002 Posts: 1739 Location: Betelgeuse vicinity
Posted: Wed Oct 13, 2010 6:52 pm Post subject:
I wouldn't be too surprised if this was linked to the pam_smbpass.so module somehow.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20585
Posted: Wed Oct 13, 2010 9:01 pm Post subject:
Wow... if samba is causing accounts to automatically be created, that's a huge security hole. I'd poke at some more logs to see if it looks more like hacking.
_________________
Quis separabit? Quo animo?
phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
Posted: Sun Oct 17, 2010 4:34 pm Post subject:
Okay, I think I know what's going on (maybe not entirely, but to a reasonable degree).
pam_smbpass turned out to be indeed responsible for the mess. I had suspected it since the beginning, but I don't understand why it didn't "break" before. However, I was updating that box shortly before it happened, and I remember some PAM updates, so maybe it was just a weird config file merge, or a change of PAM/samba behavior. Anyway, for the last few days everything has been fine. I have done some other checks on the box, but I'm not going to reinstall because it was really too noisy for a "hack", and I think the explanation and fix I have found sound reasonable (right?).
Here's the change I have made to fix it. "required" doesn't prevent further modules from executing if it fails, but "requisite" does.
/etc/pam.d/system-auth wrote:
auth required pam_env.so
auth requisite pam_unix.so try_first_pass likeauth nullok
auth optional pam_smbpass.so migrate
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
_________________
http://phajdan-jr.blogspot.com/
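To see why "requisite" stops the chain where "required" did not, here is a toy model of the libpam auth-stack control flags, added as an example (it is not libpam and not code from the thread). The known-user set is constructed, and the model only records whether pam_smbpass was reached; in the thread, the account creation was the observable side effect of that module running with "migrate" for a user that pam_unix had already rejected.

```python
"""Toy evaluation of a PAM auth stack (added example, not libpam).

Compares the system-auth "auth" lines before and after the fix above:
with pam_unix "required", a failure is remembered but the stack keeps
going, so pam_smbpass still runs for an unknown user; with "requisite"
the stack stops at pam_unix and pam_smbpass is never reached.
"""
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"

KNOWN_USERS = {"pawel"}   # constructed: accounts that exist in /etc/passwd

def pam_env(user, trace):
    return PAM_SUCCESS

def pam_unix(user, trace):
    return PAM_SUCCESS if user in KNOWN_USERS else PAM_USER_UNKNOWN

def pam_smbpass(user, trace):
    # Only record that the module was reached; reaching it for an unknown
    # user is the condition the thread's fix is meant to rule out.
    trace.append(f"pam_smbpass reached for {user}")
    return PAM_SUCCESS if user in KNOWN_USERS else PAM_AUTH_ERR

def run_auth_stack(stack, user):
    """Walk (control, module) pairs with libpam's auth-type rules:
    required  - remember the first failure, keep running the stack
    requisite - return the failure immediately
    sufficient - success ends the stack unless a required module failed
    optional  - result ignored unless it is the only module (not modelled)"""
    trace, failure = [], None
    for control, module in stack:
        rc = module(user, trace)
        trace.append(f"{module.__name__} -> {rc}")
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc, trace
        if control == "required" and rc != PAM_SUCCESS and failure is None:
            failure = rc
        if control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS, trace
    return (failure or PAM_SUCCESS), trace

# The three "auth" lines of /etc/pam.d/system-auth, before and after the fix.
BEFORE = [("required", pam_env), ("required", pam_unix), ("optional", pam_smbpass)]
AFTER  = [("required", pam_env), ("requisite", pam_unix), ("optional", pam_smbpass)]

def smbpass_reached(stack, user):
    """True if pam_smbpass executed at all for this user on this stack."""
    _, trace = run_auth_stack(stack, user)
    return any(t.startswith("pam_smbpass reached") for t in trace)
```

Both stacks still reject "xenia"; the difference is only that the old stack lets pam_smbpass run before the rejection is returned.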