Gentoo Forums
ssh audit messages in dmesg
evoweiss
Veteran


Joined: 07 Sep 2003
Posts: 1677
Location: Edinburgh, UK

PostPosted: Thu Jan 29, 2015 5:26 pm    Post subject: ssh audit messages in dmesg

Hi all,

For some strange reason I have recently been getting messages in dmesg related to ssh. I haven't changed my configuration in any way and I haven't found any indication of what it might be. Here's what I have so far, though it usually builds up more.

Code:

[ 1366.978630] audit: type=1326 audit(1422551004.132:2): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=2351 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7669aa8 code=0x0
[ 1552.767898] audit: type=1326 audit(1422551189.921:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=4209 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb76e9aa8 code=0x0
[ 1733.752967] audit: type=1326 audit(1422551370.910:4): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=13673 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb765eaa8 code=0x0
[ 1924.744755] audit: type=1326 audit(1422551561.900:5): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=27673 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7621aa8 code=0x0
[ 2114.616020] audit: type=1326 audit(1422551751.773:6): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=1104 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7615aa8 code=0x0
[ 2304.773969] audit: type=1326 audit(1422551941.930:7): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=1830 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb76ebaa8 code=0x0
[ 2497.640622] audit: type=1326 audit(1422552134.799:8): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=10021 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7651aa8 code=0x0


Finally, I use paired ssh keys and not passwords to get into my system. I am using a dynamic dns service, though.

Best,

Alex
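An added example, not code from the thread: a small Python parser for the audit records Alex posted. It relies only on the fixed meaning of the fields the kernel writes in such a record: type=1326 is AUDIT_SECCOMP (a seccomp filter decided on a system call), sig=31 is SIGSYS on x86 Linux, code is the filter's SECCOMP_RET_* action (0x0 is SECCOMP_RET_KILL), and auid/ses of 4294967295 mean "no login session". The syscall number is only meaningful together with the architecture, and these records carry no arch= field, so the table below is keyed by the architecture you supply from `uname -m`. The sample input is the first three records from the post above.

```python
"""Parse and summarise AUDIT_SECCOMP (type=1326) records from dmesg output."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input copied from the dmesg output in the post above (first three records).
SAMPLE_DMESG = """\
[ 1366.978630] audit: type=1326 audit(1422551004.132:2): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=2351 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7669aa8 code=0x0
[ 1552.767898] audit: type=1326 audit(1422551189.921:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=4209 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb76e9aa8 code=0x0
[ 1733.752967] audit: type=1326 audit(1422551370.910:4): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=13673 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb765eaa8 code=0x0
"""

AUDIT_SECCOMP = 1326   # record type the kernel emits for seccomp filter decisions
UNSET = 4294967295     # (uint32)-1: auid/ses "unset", i.e. not tied to a login session

# Action part (upper 16 bits) of the filter return value, from <linux/seccomp.h>.
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL",   # the offending thread is killed
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7ff00000: "SECCOMP_RET_TRACE",
    0x7ffc0000: "SECCOMP_RET_LOG",
    0x7fff0000: "SECCOMP_RET_ALLOW",
}
SIGNALS = {31: "SIGSYS", 9: "SIGKILL", 11: "SIGSEGV"}   # x86 Linux numbering

# The same number names different calls on different architectures; pick the
# table that matches the machine (`uname -m`), the record does not say.
SYSCALL_NAMES = {"i386": {102: "socketcall"}, "x86_64": {102: "getuid"}}

AUDIT_RE = re.compile(r'audit: type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class SeccompEvent:
    timestamp: float   # seconds since the epoch, from audit(<ts>:<serial>)
    serial: int
    pid: int
    uid: int
    auid: int
    comm: str
    exe: str
    sig: int
    syscall: int
    compat: int
    code: int

    @property
    def action(self) -> str:
        return SECCOMP_ACTIONS.get(self.code & 0xFFFF0000, f"unknown(0x{self.code:x})")

    @property
    def signal_name(self) -> str:
        return SIGNALS.get(self.sig, f"signal {self.sig}")

    @property
    def from_login_session(self) -> bool:
        return self.auid != UNSET


def syscall_name(number: int, arch: str) -> str:
    return SYSCALL_NAMES.get(arch, {}).get(number, f"syscall {number}")


def parse_seccomp_events(text: str) -> list:
    """Return one SeccompEvent per type=1326 record; other audit types are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or int(m.group(1)) != AUDIT_SECCOMP:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
        events.append(SeccompEvent(
            timestamp=float(m.group(2)), serial=int(m.group(3)),
            pid=int(fields["pid"]), uid=int(fields["uid"]), auid=int(fields["auid"]),
            comm=fields["comm"], exe=fields["exe"], sig=int(fields["sig"]),
            syscall=int(fields["syscall"]), compat=int(fields["compat"]),
            code=int(fields["code"], 16)))
    return events


def summarize(events: list):
    """Group by (exe, syscall, action) and measure the spacing between records.

    Evenly spaced records point at something periodic and automated rather
    than at interactive sessions, which is the first thing worth knowing.
    """
    counts = Counter((e.exe, e.syscall, e.action) for e in events)
    times = sorted(e.timestamp for e in events)
    gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
    return counts, gaps


if __name__ == "__main__":
    evs = parse_seccomp_events(SAMPLE_DMESG)
    counts, gaps = summarize(evs)
    for (exe, nr, action), n in counts.items():
        print(f"{n}x {exe}: {syscall_name(nr, 'i386')} (nr {nr}) -> {action}")
    print("seconds between records:", gaps)
```

Run it over `dmesg | grep 'type=1326'` output instead of the sample to get the same grouping for a live machine; the `from_login_session` flag separates records produced by daemons (auid unset, as here) from those produced inside a user's session.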
teliot
n00b


Joined: 26 Jan 2015
Posts: 6
Location: USA

PostPosted: Fri Jan 30, 2015 7:58 am

Do you have anything that looks like "connection closed preauth"?

I am guessing it's not sshd login attempts but something else with ssh that isn't actually anything bad (but just a guess). When I have had to open up ssh publicly in the past I would set up PAM with sshd. Then I could block an IP address after x number of failed attempts. Additionally I would change the ssh port to 6022 (the 6xxx ports are Microsoft outgoing traffic ports and seem to never get scanned). The safest thing is to block the port, and then allow incoming traffic from a range of trusted IPs; this does not always allow you access though :(
evoweiss
Veteran


Joined: 07 Sep 2003
Posts: 1677
Location: Edinburgh, UK

PostPosted: Fri Jan 30, 2015 9:07 am

teliot wrote:
Do you have anything that looks like "connection closed preauth"?

I am guessing it's not sshd login attempts but something else with ssh that isn't actually anything bad (but just a guess). When I have had to open up ssh publicly in the past I would set up PAM with sshd. Then I could block an IP address after x number of failed attempts. Additionally I would change the ssh port to 6022 (the 6xxx ports are Microsoft outgoing traffic ports and seem to never get scanned). The safest thing is to block the port, and then allow incoming traffic from a range of trusted IPs; this does not always allow you access though :(


I do have people trying to get into the system, though I lock it down very tight as I'm the only user allowed to access it, I have good passwords, etc. This is new behavior that was not present before, though the break-in attempts were.

I just compared my sshd_config file with a server that didn't appear to have the problem. There were differences and I changed the two to be similar, particularly as I have the same needs in both cases. We'll see whether that takes care of the problem.

Best,

Alex
toralf
Developer


Joined: 01 Feb 2004
Posts: 3724
Location: Hamburg

PostPosted: Fri Jan 30, 2015 10:36 am

evoweiss wrote:
, I have good passwords, etc.
Alex
Pff - best practice IMO is nowadays to disallow ssh password login and just to allow login per ssh key (and even then not for root)
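An added example illustrating toralf's point, not code from the thread or from OpenSSH: a Python checker that reads an sshd_config and reports whether password and root logins are actually off. It applies two rules sshd documents for its own file (keywords are case-insensitive, and for each keyword the first value in the file wins) and treats options inside a Match block as conditional, reporting them separately instead of counting them as global. It also checks ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer releases), because turning off PasswordAuthentication alone still leaves keyboard-interactive password prompts through PAM. Both sample configurations are constructed.

```python
"""Audit an sshd_config for password and root login settings."""
import re

# Constructed samples: a permissive file and a hardened one.
WEAK_CONFIG = """\
# constructed sample: everything left at permissive values
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
# constructed sample: keys only, no root, but with a Match block exception
Port 22
permitrootlogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# a later duplicate is ignored: sshd keeps the first value it reads
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; only lines starting with '#' are comments.
CONF_RE = re.compile(r'^\s*([A-Za-z]\w*)\s*(?:=|\s)\s*(.*?)\s*$')
PASSWORD_KEYS = ("passwordauthentication",)
KBD_KEYS = ("challengeresponseauthentication", "kbdinteractiveauthentication")


def parse_sshd_config(text: str):
    """Return (global options, [(match criteria, options), ...]).

    Keywords are lower-cased; for each keyword only the first value is kept,
    matching sshd's first-value-wins behaviour. Everything after a Match line
    belongs to that block until the next Match line.
    """
    global_opts, blocks, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CONF_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)
    return global_opts, blocks


def first_set(opts: dict, keys) -> tuple:
    """Return (keyword, value) for the first of `keys` present, else (None, None)."""
    for key in keys:
        if key in opts:
            return key, opts[key]
    return None, None


def audit_sshd_config(text: str) -> list:
    """Return a list of findings; an empty list means keys-only, no-root login."""
    global_opts, blocks = parse_sshd_config(text)
    findings = []

    def require(keys, wanted, why):
        key, value = first_set(global_opts, keys)
        if value is None:
            findings.append(f"{keys[0]}: not set, compiled-in default applies ({why})")
        elif value.lower() != wanted:
            findings.append(f"{key}: {value!r}, expected {wanted!r} ({why})")

    require(PASSWORD_KEYS, "no", "password guessing over the network")
    require(KBD_KEYS, "no", "PAM can still prompt for a password")
    require(("permitrootlogin",), "no", "direct root login")
    if global_opts.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("pubkeyauthentication: disabled, key login will not work")
    # Match blocks re-enabling passwords apply only to matching connections,
    # but they are exactly the exceptions an operator tends to forget.
    for criteria, opts in blocks:
        for key in PASSWORD_KEYS + KBD_KEYS:
            if opts.get(key, "").lower() == "yes":
                findings.append(f"Match {criteria}: re-enables {key} for matching connections")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for f in audit_sshd_config(conf) or ["no findings"]:
            print("  -", f)
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real host, then confirm the live daemon agrees with `sshd -T`, which prints the effective values after defaults and Match evaluation.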
evoweiss
Veteran


Joined: 07 Sep 2003
Posts: 1677
Location: Edinburgh, UK

PostPosted: Fri Jan 30, 2015 10:38 am

toralf wrote:
evoweiss wrote:
, I have good passwords, etc.
Alex
Pff - best practice IMO is nowadays to disallow ssh password login and just to allow login per ssh key (and even then not for root)


I meant passwords on my main system. As per ssh, I do that all with keys and disallow passwords. I've always disallowed root logins.

Best,

Alex