Security Incidents mailing list archives

Re: OpenSSH anomaly


From: Benjamin Franz <snowhare () nihongo org>
Date: Sun, 22 Feb 2004 11:21:27 -0800 (PST)

On Sun, 22 Feb 2004, Paul Schmehl wrote:

> --On Sunday, February 22, 2004 9:45 AM -0800 Benjamin Franz
> <snowhare () nihongo org> wrote:
>
>> I'm running a RedHat Enterprise 3 ES server that has been running fairly
>> reliably for a month. This morning we could not remotely login to the
>> server via SSH because openssh would terminate the connection immediately
>> (no delay) after apparently successfully logging in - without giving a
>> prompt. We are current on patches up to Feb 1 with the exception of the
>> kernel which is RHES 2.4.21-4.0.1.ELsmp. A console reboot succeeded in
>> restoring connectivity. We couldn't find any footprints in any log or any
>> suspicious file activity. No record of the failed logins (we attempted
>> using both pubkey and password) was in the logs. The openssh version is
>> RedHat's 3.6.1p2-18.
>>
>> Has anyone else seen something similar?
>
> Sounds like tcpwrappers was rejecting the login.  Check /var/log/messages
> to see if the reverse lookup on the remote IP was failing.  If it was, you
> might have to add that IP to the /etc/hosts.allow file.

No messages at all in /var/log/messages (or /var/log/secure) related to
sshd at all with the exception of a bad protocol version id complaint in
/var/log/secure caused when I tried a telnet to port 22 during the
not-working period of time.

-- 
Jerry

On that of which one cannot speak, one must remain silent.
                                   ---Wittgenstein


