Security Basics mailing list archives
Suddenly faced with password prompt while ssh'ing; two ip's assigned to adsl ppp0 iface?!?
From: John Doe <security.department () tele2 ch>
Date: Thu, 15 Dec 2005 13:23:18 +0100
Hello dear list members,

Yesterday I faced a strange phenomenon on my workstation, and I don't have an explanation for it. I'm sorry for my English as well as for the lengthy or unclear description. Further, I don't think it's an ssh issue - sorry if I'm wrong with that and hitting an inappropriate list. I never heard/read of something similar, didn't know what to search for on the web, and had no time to start an analysis (I'm not a forensic guy either).

Ok. First, some setup info and what normally happens:

It's an often patched Linux box behind a NAT/firewall with an ADSL connection to the internet. No fancy software installed or used (p2p, telephony, chat etc.). I just work on it with basic tools. No risky websurfing and such. No open ports from outside into the LAN. I have a tool coded to update my dynamic webapps on a server (hosted by a provider) by rsync over ssh with public key auth on a nonstandard remote port. There, I log in as a non-privileged user, and I have ssh-agent running under X (locally, of course). I run the update tool in a root shell (yes, not optimal).

Now what happened:

When the phenomenon occurred, the root shell had already been up for some time; I started the tool and was faced with a "Password: ". I tried the command (/usr/bin/ssh -p <nonstdport> -l <nonprivuser> <remoteserverip>) from another non-root shell: everything ok, as well as from another new su root shell. The phenomenon disappeared when I exited the root shell, su'd again and reran the command.

What I found out by inspecting the remote log:

<Date> linux sshd[<pid>]: reverse mapping checking getaddrinfo for <dxx-xxx-xxx-xxx.cust.tele2.yy failed - POSSIBLE BREAKIN ATTEMPT!

The log entry as such appears from time to time, and I'm 99.9% sure it's not a break-in attempt but a problem with my ADSL provider. BUT: the above IP in the name was not the current IP of my ADSL connection (but another IP of the same ADSL provider). I nmap'ed it from the remote server, and *I* got the packets.

What I found out locally:

- The tcpdump on the NAT/firewall box showed *this* IP only as target, never as source (the latter in the case of outgoing packets).
- ssh tried to use the *root* key, not the unprivileged user's one, and there is no public key for root on the remote box (yes, this reveals a suboptimal remote config).

So, somehow the ADSL connection was assigned two different IPs?!? When running ifconfig ppp0, I just saw the correct ADSL IP.

From all that, I conclude it's most probably an issue with my local box and/or my ADSL provider. Does anybody out there have any idea or any hint what could be the reason for this? (I mean the second IP and the "Password: " prompt in a certain root shell.) It would be much appreciated, because I hate not having the least idea about such things... I may provide more info if needed.

sincerely,
joe
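The post mixes two separate server-side signals: a reverse-DNS mismatch warning (which says nothing about authentication) and an unexpected password prompt (which means the client offered no key the server accepted). The added example below is not part of the original post or of any OpenSSH code; it is a small log triage script that a server operator could run over sshd auth-log lines to keep those signals apart. It assumes the full OpenSSH message shape "reverse mapping checking getaddrinfo for <host> [<ip>] failed", with the connecting IP in brackets (the post quotes the line without it), and a provider-style hostname that embeds an address as dNN-NN-NN-NN. The log lines, hostnames, account name "webuser" and all IPs (documentation ranges) are constructed for the example.

```python
import re

# Constructed sample sshd log lines (not taken from the post). 192.0.2.x and
# 198.51.100.x are documentation ranges; "webuser" is a hypothetical account
# that is supposed to log in with a public key only.
SAMPLE_LOG = """\
Dec 14 22:01:07 linux sshd[4211]: reverse mapping checking getaddrinfo for d192-0-2-10.cust.example.net [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 14 22:01:09 linux sshd[4211]: Accepted publickey for webuser from 192.0.2.10 port 51022 ssh2
Dec 14 22:05:41 linux sshd[4230]: reverse mapping checking getaddrinfo for d192-0-2-10.cust.example.net [192.0.2.77] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 14 22:05:43 linux sshd[4230]: Failed password for webuser from 192.0.2.77 port 51090 ssh2
Dec 14 22:05:49 linux sshd[4230]: Failed password for webuser from 192.0.2.77 port 51090 ssh2
Dec 14 23:10:02 linux sshd[4301]: Failed password for invalid user admin from 198.51.100.5 port 40001 ssh2
"""

# OpenSSH reverse-mapping warning: hostname from PTR lookup, connecting IP in brackets.
REVMAP_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for "
    r"(?P<host>\S+) \[(?P<ip>[\d.]+)\] failed"
)
# OpenSSH auth result lines ("Accepted publickey for ...", "Failed password for ...").
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)
# Assumed provider naming scheme: the customer's address is encoded in the PTR name.
EMBEDDED_IP_RE = re.compile(r"^d(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def ip_from_hostname(host):
    """Recover the address a dNN-NN-NN-NN.* PTR name claims to belong to, or None."""
    m = EMBEDDED_IP_RE.match(host)
    return ".".join(m.groups()) if m else None


def analyze(log_text, pubkey_only_users):
    """Classify each interesting sshd line.

    Returns a list of (category, connecting_ip, detail) tuples:
      revdns-benign       PTR name encodes the same IP that connected (provider DNS is
                          just inconsistent; the forward lookup failed)
      revdns-ip-mismatch  PTR name encodes a different IP than the one connecting
                          (the situation described in the post; worth correlating)
      revdns-unknown      PTR name does not follow the assumed naming scheme
      password-fallback   a password was tried for an account expected to use keys
      invalid-user        password attempt for an account that does not exist
    """
    findings = []
    for line in log_text.splitlines():
        m = REVMAP_RE.search(line)
        if m:
            embedded = ip_from_hostname(m["host"])
            if embedded is None:
                findings.append(("revdns-unknown", m["ip"], m["host"]))
            elif embedded == m["ip"]:
                findings.append(("revdns-benign", m["ip"], embedded))
            else:
                findings.append(("revdns-ip-mismatch", m["ip"], embedded))
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        if m["method"] == "password" and m["user"] in pubkey_only_users:
            findings.append(("password-fallback", m["ip"], m["user"]))
        elif m["result"] == "Failed" and "invalid user" in line:
            findings.append(("invalid-user", m["ip"], m["user"]))
    return findings


def sources_needing_attention(findings):
    """IPs that both triggered a PTR mismatch and fell back to password auth."""
    mismatched = {ip for cat, ip, _ in findings if cat == "revdns-ip-mismatch"}
    fallback = {ip for cat, ip, _ in findings if cat == "password-fallback"}
    return sorted(mismatched & fallback)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, {"webuser"})
    for category, ip, detail in results:
        print(f"{category:20} {ip:16} {detail}")
    print("correlate:", sources_needing_attention(results))
```

On the client side the same symptom is visible with `ssh -v`, which lists every identity offered; a root shell whose environment lacks the agent socket will offer only root's own key files, which is the local half of what the post describes. Denying password authentication for key-only accounts on the server turns an accidental fallback into an immediate, obvious failure instead of a prompt.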
Current thread:
- Suddenly faced with password prompt while ssh'ing; two ip's assigned to adsl ppp0 iface?!? John Doe (Dec 17)