Ungewöhnliche Einträge in auth.log

P

parkbank

New Member
Hallo,

soeben bin ich auf folgende, für mich ungewöhnliche, Einträge in der auth.log meines Servers gestoßen:
Code: 
Apr  2 16:13:00 debian login[1720]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
Apr  2 16:13:04 debian login[1720]: FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
Apr  2 16:13:41 debian login[11183]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= 
Apr  2 16:13:44 debian login[11183]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
Apr  2 16:16:42 debian login[11185]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= 
Apr  2 16:16:45 debian login[11185]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
Apr  2 16:22:27 debian login[11190]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= 
Apr  2 16:22:30 debian login[11190]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
Apr  2 16:22:44 debian login[11190]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= 
Apr  2 16:22:46 debian login[11190]: FAILED LOGIN (2) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
Was genau hat es denn damit auf sich?

Gruß
parkbank
 
Last edited by a moderator:
Deutet /dev/tty1 nicht darauf hin, dass jemand mit physischem Zugang zum Server versucht hatte sich einzuloggen? Insofern interessiert die sshd_config doch gar nicht, oder irre ich mich jetzt?
 
Nein, ttyn bedeutet nicht zwangsweise physischer Zugriff.
Zeige bitte mal Deine vollständige sshd_config
 
Im konkreten Fall hatte tatsächlich ein Mitarbeiter meines Providers laut Aussage des Supports die KVM am falschen Server angeschlossen.

sshd_config:
Code: 
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# DNS lookup
UseDNS no

# Authentication:
AllowUsers ...
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
 
So sollte eine sshd_config optimalerweise aussehen:
Code: 
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

AllowGroups wheel
#AllowUsers admin

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
 
Danke :)
Eine Frage habe ich gleich zu deiner sshd_config: Warum nutzt du den Default-Wert, also "no", für UsePAM? Ich dachte in Kombination mit
Code: 
ChallengeResponseAuthentication no
PasswordAuthentication no
sei ein aktiviertes UsePAM unbedenklich?
Interessanterweise konnte ich bislang weder hier im Forum noch per Google eindeutige Aussagen finden, welche Einstellung empfehlenswerter ist.
 
parkbank said:
Warum nutzt du den Default-Wert, also "no", für UsePAM?
Click to expand...
Weil ich PAM, insbesondere Linux-PAM, nicht traue und weil PAM in einigen Distros zu unsicher vorkonfiguriert war/ist. Zudem macht PAM nur bei physischen Logins überhaupt Sinn und ist auf Servern somit überflüssig.

Ich sehe auch keinen Nutzwert in PAM, da alle interessanten Features von PAM auch mit Bordmitteln des OS und/oder der Dienste bequemer und sicherer erreicht werden können. Ohne PAM ist einfach eine potentielle Fehlerquelle/Sicherheitslücke weniger im Spiel, was man gerade an den unsicher vorkonfigurierten sshd_configs der diversen Linux-Distros sehr gut aufzeigen kann. Es hat schon einen Grund, warum die OpenSSH-Devs UsePAM per Default deaktivieren, denn wenn es sicher wäre, wäre es per Default aktiviert.
 
You must log in or register to reply here.
Back
Top