Full Disclosure mailing list archives

Re: sshd logins without a source

From: BH <lists () blackhat bz>
Date: Fri, 23 Sep 2011 20:17:03 +0800

Hi all,

Thank you all for the suggestions.

The systems in question are all Debian based. A typical log stanza for a 
login would be:

Sep 23 18:51:26 test sshd[25011]: Accepted publickey for root from 
10.0.1.1 port 35398 ssh2
Sep 23 18:51:27 test sshd[25011]: pam_unix(sshd:session): session opened 
for user root by (uid=0)

Or in the case of password authentication:

Sep 23 19:37:33 test sshd[30552]: Accepted password for root from 
10.0.1.1 port 50102 ssh2
Sep 23 19:37:33 test sshd[30552]: pam_unix(sshd:session): session opened 
for user root by (uid=0)

I am unable to reproduce an event from sshd that shows a login without a 
corresponding address, in every case I have tested the IP address is 
logged. I guess this could possibly mean the logs have been altered, 
from what I can tell only for this event.

The b/wtmp files dont have any events relevant. Only a single binary was 
running on them afterwards which was doing SIP attacks. The file was 
rm'ed but a copy was taken which I have.

The syslog configs match backups along with the sshd binary matching 
earlier copies.

Thanks

On 23/09/2011 8:05 PM, paul.szabo () sydney edu au wrote:

Dear Laurelai,

I do not think that sshd normally logs its source. ... To produce the
desired log, I added to /etc/hosts.allow the line
sshd : all : spawn /usr/bin/logger -t"%d[%p]" "Connection source %h port %r"


Don't most modern Linux distros log sshd by default? If for whatever
reason yours doesn't you can set the log level in the sshd config.


My Debian sshd comes with "LogLevel INFO" in /etc/ssh/sshd_config.
I never found documentation on what a "LogLevel VERBOSE" would do,
so never changed it; my hosts.allow line does exactly what I want,
and a similar line can do it for telnetd also. (Don't laugh...)

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

sshd logins without a source BH (Sep 23)
- Re: sshd logins without a source Guillaume Friloux (Sep 23)
- Re: sshd logins without a source paul . szabo (Sep 23)
  - Re: sshd logins without a source Laurelai (Sep 23)
    - Re: sshd logins without a source paul . szabo (Sep 23)
    - Re: sshd logins without a source BH (Sep 23)
    - Re: sshd logins without a source Laurelai (Sep 23)
    - Re: sshd logins without a source paul . szabo (Sep 23)
    - Re: sshd logins without a source Jason A. Donenfeld (Sep 26)
- Re: sshd logins without a source Bacanu Adrian-Daniel (Sep 23)
  - Re: sshd logins without a source james (Sep 23)
- Re: sshd logins without a source Valdis . Kletnieks (Sep 23)
- Re: sshd logins without a source GloW - XD (Sep 23)
- <Possible follow-ups>
- Re: sshd logins without a source Nikolaos Mitsis (Sep 26)