Gentoo Forums
strange sshd logs entry
Gentoo Forums Forum Index :: Networking & Security
weyhan
Apprentice
Joined: 27 May 2003
Posts: 245

Posted: Wed Oct 13, 2004 4:46 pm    Post subject: strange sshd logs entry

Hi, I have found the following log entries appearing in my syslog even though I have disabled password authentication for my sshd and only allow key-based authentication.
Code:
Oct 13 16:28:51 myhost sshd[20808]: Illegal user admin from 134.174.176.76
Oct 13 16:28:53 myhost sshd[20810]: Illegal user admin from 134.174.176.76
Oct 13 16:28:56 myhost sshd[20812]: Illegal user user from 134.174.176.76
Oct 13 16:29:07 myhost sshd[20820]: Illegal user test from 134.174.176.76

The strange thing is that I cannot reproduce it by trying to log in without a key. Apparently when I try to ssh into my system without the keys, I don't get any log entry at all. All I get is a failed ssh attempt on the client side. So how do these end up in my logs? Should I be concerned?

The following is my sshd_config. Comments and empty lines omitted.
Code:
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Subsystem       sftp    /usr/lib/misc/sftp-server

_________________
Han.
asv
Tux's lil' helper
Joined: 25 Jul 2003
Posts: 138
Location: State College, PA United States

Posted: Wed Oct 13, 2004 4:59 pm    Post subject: Re: strange sshd logs entry

weyhan wrote:
Hi, I have found the following log entries appearing in my syslog even though I have disabled password authentication for my sshd and only allow key-based authentication.
Code:
Oct 13 16:28:51 myhost sshd[20808]: Illegal user admin from 134.174.176.76
Oct 13 16:28:53 myhost sshd[20810]: Illegal user admin from 134.174.176.76
Oct 13 16:28:56 myhost sshd[20812]: Illegal user user from 134.174.176.76
Oct 13 16:29:07 myhost sshd[20820]: Illegal user test from 134.174.176.76

The strange thing is that I cannot reproduce it by trying to log in without a key. Apparently when I try to ssh into my system without the keys, I don't get any log entry at all. All I get is a failed ssh attempt on the client side. So how do these end up in my logs? Should I be concerned?

The following is my sshd_config. Comments and empty lines omitted.
Code:
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Subsystem       sftp    /usr/lib/misc/sftp-server


I guess the first question would be: is
Code:
134.174.176.76
the IP you're logging in from, or is that somebody else? If it's somebody else, it's most likely a bot or someone trying to log in with random usernames/passwords.
weyhan
Apprentice
Joined: 27 May 2003
Posts: 245

Posted: Wed Oct 13, 2004 5:11 pm    Post subject: Re: strange sshd logs entry

asv wrote:

I guess the first question would be: is
Code:
134.174.176.76
the IP you're logging in from, or is that somebody else? If it's somebody else, it's most likely a bot or someone trying to log in with random usernames/passwords.

That IP is someone else's and I know it's either a bot or someone attempting to break in. However, I am interested to find out how that bot or person is able to get that far, because I have disabled password login and only allow key-based logins. I have also seen an entry showing the attempts go as far as trying to launch the shell, which is /dev/null:
Code:
Oct 13 16:28:48 myhost sshd[20806]: User guest not allowed because shell /dev/null is not executable

What is more interesting is that I can't reproduce this type of log entry when I try to log in without the key to force a password login. All that happens is that the ssh client exits with a failed attempt to authenticate without the keys. No entry in the syslog.

So how did the bot or person get so far?
_________________
Han.
weyhan
Apprentice
Joined: 27 May 2003
Posts: 245

Posted: Thu Oct 14, 2004 9:33 am

anyone?
_________________
Han.
asv
Tux's lil' helper
Joined: 25 Jul 2003
Posts: 138
Location: State College, PA United States

Posted: Thu Oct 14, 2004 1:39 pm

weyhan wrote:
anyone?


I don't think they got far; it's just a bot that tried to use a login that didn't exist.
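The point asv makes above (an "Illegal user" line means the username does not exist, so the attempt was rejected before any key or password check, and a valid user who fails key authentication leaves no such line) is easy to turn into a detector. The following is an added example, not code from the thread or from OpenSSH: a small Python script that parses sshd syslog entries of the shapes quoted above, treats both the old "Illegal user" and the newer "Invalid user" wording as username guesses, and flags any source IP that produced several guesses in a short window. The sample log is constructed for the example (modelled on weyhan's lines, with 192.0.2.10 and 198.51.100.7 from documentation address ranges), the year 2004 is an assumption because syslog timestamps carry none, and the threshold and window are illustrative defaults.

```python
"""Spot SSH username-guessing in syslog lines (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Assumption: classic syslog timestamps carry no year, so one is supplied here
# (2004 matches the date of the thread).
ASSUMED_YEAR = 2004

# Constructed sample, modelled on the entries quoted in the thread; the
# 192.0.2.x / 198.51.100.x addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 13 16:28:48 myhost sshd[20806]: User guest not allowed because shell /dev/null is not executable
Oct 13 16:28:51 myhost sshd[20808]: Illegal user admin from 134.174.176.76
Oct 13 16:28:53 myhost sshd[20810]: Illegal user admin from 134.174.176.76
Oct 13 16:28:56 myhost sshd[20812]: Illegal user user from 134.174.176.76
Oct 13 16:29:07 myhost sshd[20820]: Illegal user test from 134.174.176.76
Oct 13 16:40:12 myhost sshd[20901]: Accepted publickey for han from 192.0.2.10 port 51234 ssh2
Oct 13 17:02:44 myhost sshd[21055]: Invalid user oracle from 198.51.100.7
Oct 13 17:02:50 myhost cron[21060]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Old OpenSSH logs "Illegal user", newer releases log "Invalid user"; both mean the
# username does not exist, so the attempt never reached the key or password check.
INVALID_USER_RE = re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")
# Existing account whose login shell is not executable; this message carries no source IP.
BAD_SHELL_RE = re.compile(r"^User (?P<user>\S+) not allowed because shell \S+ is not executable")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


class SshEvent(NamedTuple):
    when: datetime
    kind: str            # "invalid_user", "bad_shell", "accepted" or "other"
    user: Optional[str]
    ip: Optional[str]


def parse_line(line: str) -> Optional[SshEvent]:
    """Return an SshEvent for an sshd syslog line, or None for lines from other daemons."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if (u := INVALID_USER_RE.match(msg)):
        return SshEvent(when, "invalid_user", u["user"], u["ip"])
    if (u := BAD_SHELL_RE.match(msg)):
        return SshEvent(when, "bad_shell", u["user"], None)
    if (u := ACCEPTED_RE.match(msg)):
        return SshEvent(when, "accepted", u["user"], u["ip"])
    return SshEvent(when, "other", None, None)


def parse_log(text: str) -> List[SshEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def find_guessers(events: List[SshEvent], threshold: int = 3,
                  window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Flag source IPs with at least `threshold` invalid-user attempts inside `window`.

    Only invalid-user events count: an accepted login, or a single stray probe
    from an address, is not reported as a scan.
    """
    by_ip: Dict[str, List[SshEvent]] = defaultdict(list)
    for ev in events:
        if ev.kind == "invalid_user" and ev.ip:
            by_ip[ev.ip].append(ev)
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        times = sorted(e.when for e in evs)
        # Sliding window: any run of `threshold` consecutive attempts within `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            flagged[ip] = {
                "attempts": len(evs),
                "users": sorted({e.user for e in evs}),
                "first": times[0],
                "last": times[-1],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_guessers(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts, users {info['users']}, "
              f"{info['first']:%H:%M:%S} to {info['last']:%H:%M:%S}")
```

Run against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents; the "User ... not allowed because shell ..." line is parsed but deliberately not counted toward the per-IP total, because that message names no source address, and the accepted publickey login is kept out of the tally so that a legitimate user is never flagged.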
weyhan
Apprentice
Joined: 27 May 2003
Posts: 245

Posted: Thu Oct 14, 2004 4:17 pm

Quote:
I don't think they got far, its just a bot that tried to use a login that didn't exist.

My bad. :oops:
Should have tried with non-existing username.

Thanks. I feel better now. :)
_________________
Han.