lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4E7C78BF.6070401@blackhat.bz> Date: Fri, 23 Sep 2011 20:17:03 +0800 From: BH <lists@...ckhat.bz> To: full-disclosure@...ts.grok.org.uk Subject: Re: sshd logins without a source Hi all, Thank you all for the suggestions. The systems in question are all Debian based. A typical log stanza for a login would be: Sep 23 18:51:26 test sshd[25011]: Accepted publickey for root from 10.0.1.1 port 35398 ssh2 Sep 23 18:51:27 test sshd[25011]: pam_unix(sshd:session): session opened for user root by (uid=0) Or in the case of password authentication: Sep 23 19:37:33 test sshd[30552]: Accepted password for root from 10.0.1.1 port 50102 ssh2 Sep 23 19:37:33 test sshd[30552]: pam_unix(sshd:session): session opened for user root by (uid=0) I am unable to reproduce an event from sshd that shows a login without a corresponding address, in every case I have tested the IP address is logged. I guess this could possibly mean the logs have been altered, from what I can tell only for this event. The b/wtmp files dont have any events relevant. Only a single binary was running on them afterwards which was doing SIP attacks. The file was rm'ed but a copy was taken which I have. The syslog configs match backups along with the sshd binary matching earlier copies. Thanks On 23/09/2011 8:05 PM, paul.szabo@...ney.edu.au wrote: > Dear Laurelai, > >>> I do not think that sshd normally logs its source. ... To produce the >>> desired log, I added to /etc/hosts.allow the line >>> sshd : all : spawn /usr/bin/logger -t"%d[%p]" "Connection source %h port %r" >> >> Don't most modern Linux distros log sshd by default? If for whatever >> reason yours doesn't you can set the log level in the sshd config. > > My Debian sshd comes with "LogLevel INFO" in /etc/ssh/sshd_config. > I never found documentation on what a "LogLevel VERBOSE" would do, > so never changed it; my hosts.allow line does exactly what I want, > and a similar line can do it for telnetd also. (Don't laugh...) > > Cheers, Paul > > Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ > School of Mathematics and Statistics University of Sydney Australia > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists