Problem with logs

Derek Ragona derek at computinginnovations.com
Wed Sep 12 06:34:48 PDT 2007


At 08:14 AM 9/12/2007, Aldisa Admin wrote:
>Hello All,
>
>I am having trouble understanding what is going on and how to solve the 
>problem:
>
>For the last few days, I am getting the following messages (some names 
>removed for privacy) in the daily security run output:
>
>[hostname].ca login failures:
>Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
>
>[hostname].ca login failures:
>Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
>
>
>I got worried because both these instances are times when I am positive 
>that I am not accessing the system.  I am the only user of the system.  I 
>use ssh to access the system.  Root access is disabled in sshd.  I log in 
>using my username (abid) and SU to root when necessary.
>
>So I went to check the auth.log, and here is the concerned section:
>
>Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 1203 ssh2
>Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
>Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 1688 ssh2
>Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
>Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 2032 ssh2
>Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
>Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 4146 ssh2
>Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
>Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for 
>abid from 192.168.2.149 port 1116 ssh2
>Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for 
>abid from 192.168.1.30 port 2599 ssh2
>Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
>Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for 
>abid from 192.168.1.30 port 1361 ssh2
>Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
>Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for 
>abid from 192.168.1.30 port 2521 ssh2
>Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
>
>
>As you can see, there is no matching incident in the auth.log.  How can 
>the security run show a BAD SU when there is no matching entry in the 
>auth.log for somebody authenticating successfully under my username?
>
>Some other facts:
>
>The machine is behind a NAT router and only apache and email ports (25, 
>80, 110, 143, 443, 587) are open.  SSH access is restricted to intranet IP 
>ranges.

How are you limiting this ssh access?  Are you using hosts.allow?  If you 
are not using hosts.allow, I would suggest you do so.

         -Derek
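One way to work through a log like the one quoted above, as an added example that is not part of this thread: the script pairs every su attempt with the most recent sshd "Accepted" login for the same user and flags attempts that have no logged login within a chosen window. The sample input is constructed from the lines quoted in the thread (the year is assumed to be 2007, since syslog timestamps carry none), and a flagged line is only a lead, since su can also follow a long-lived session, a console login, or a login the log never recorded.

```python
import re
from datetime import datetime

# Constructed sample: the sshd and su lines quoted in the thread above.
SAMPLE_LOG = """\
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SU_RE = re.compile(TS + r" \S+ su: (BAD SU )?(\S+) to (\S+) on (\S+)")

def parse_ts(stamp, year=2007):
    # Syslog timestamps have no year, so one is assumed (2007 for this thread).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_hours=24, year=2007):
    """Return one record per su attempt, with the gap (seconds) since the most
    recent logged ssh login of that user; 'unexplained' marks attempts with no
    login within window_hours, which is a lead to investigate, not a verdict."""
    logins, findings = [], []          # logins: (time, user, source address)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            logins.append((parse_ts(m.group(1), year), m.group(2), m.group(3)))
            continue
        m = SU_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1), year)
        bad, user, target, tty = bool(m.group(2)), m.group(3), m.group(4), m.group(5)
        prior = [l for l in logins if l[1] == user and l[0] <= ts]
        last = max(prior, key=lambda l: l[0]) if prior else None
        gap = (ts - last[0]).total_seconds() if last else None
        findings.append({"time": ts.isoformat(), "user": user, "target": target,
                         "tty": tty, "bad": bad, "last_login_src": last[2] if last else None,
                         "secs_since_login": gap,
                         "unexplained": gap is None or gap > window_hours * 3600})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        if f["unexplained"]:
            print(f"{f['time']} {'BAD SU' if f['bad'] else 'su'} {f['user']}->{f['target']} "
                  f"on {f['tty']}: no ssh login within window (last from {f['last_login_src']})")
```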




More information about the freebsd-questions mailing list