Fedora Security :: Email On ALL Ssh Login Attempts?
Apr 28, 2009
I know this is probably easy and if I only took a while to figure it out maybe I could but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything daemons/scripts or cron itl works as I am not running a production server (but I might be starting that soon). Oh and just a side how do I get sent an email when I get port scanned
I have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log.From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?
Code: Oct 23 20:01:49 muon sshd: User root from 126.96.36.199 not allowed because not listed in AllowUsers
I am running a ubuntu server 10.10 with SSH, and OpenVPN. I use it mainly for the VPN, but I have seen log in attempts such as:
Mar 22 14:52:53 UbuntuSvr sshd: Invalid user support from 188.8.131.52 Mar 22 14:52:55 UbuntuSvr sshd: Invalid user student from 184.108.40.206 Mar 22 14:52:57 UbuntuSvr sshd: Invalid user transfer from 220.127.116.11 Mar 22 14:52:59 UbuntuSvr sshd: Invalid user user from 18.104.22.168
Is it possible to make it so when some one has tried logging in 5 times with an invalid user/pass that the ip is banned for 10 minutes? I have password auth set to no and am using keys.
I am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user?Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba).So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball.Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap). Configured /etc/openldap/slapd.conf (see below) Configured /etc/openldap/ldap.conf (see below)
How do I limit the max login attempts in the sshd_config file? I found a way to do it on Google some time back but I can't find it now. I have Denyhost already, but I really wanna do the "MAx Login Attempts" what ever it was that I was able to do in the config file.
I'm running the firestarter firewall and its been showing the odd ssh attempt quite often. e.g. I've had 4 attempts today, 3 in the last 40mins. I realize that this may be nothing to serious but it's got me curious, aside from having a secure password (which I have) is there anything that else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.
Somehow an app on this box seems to have disappeared long ago which was configured to start immediatedly with a root login (eg su). Now, whenever upgrading permissions to root or logging (and assuming login as root), an error displays saying "cannot find <application>"
Considering root usually is different than other logins, am not sure where to start looking on an OpenSuSE box. I've tried without success
BASH -v to enable verbose mode before executing a "su." BASH --debugger to enable debugging mode before executing a "su."
Logout, Login as root and inspect /var/log/ hoping to find some logfile that audits the login sequence, but may be looking at a wrong logfile.
My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.
I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea of how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. we aren't even in the USA, so why they are doing this is beyond me.
A TINY sample! [Sun Aug 08 13:29:08 2010] [error] [client 22.214.171.124] File does not exist: /var/www/corp/phpMyAdmin-2.7.2
currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. separate non production box).CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module.So far all's running mostly, logs/auditlogs etc.For simple testing, I made a small php form as following:
Code: <?php $link = mysql_connect("localhost",$user,$pass); //un/pw obfuscated for forum post
On my server I some times login from my home where I have an internet connection which does not have a static IP each time I switch on my modem a dynamic IP isgenerated.I see in auth.log logs of following lines Quote:reverse mapping checking getaddrinfo forkkts-kk-dynamic-01.1.168.192.some_broadband.in [192.168.1.2] failed - POSSIBLE BREAK-IN ATTEMPT Accepted publickey for root from 192.168.1.2 port 22852 ssh2when ever I login to my server from home.In this case I do know that it was me who logged in but still why do I see such a log.What is this complaining about?
Yesterday I applied the su security patch to my openSuSE 11.2 x86_64 system.After applying the patch, any attempt at su failed, and after rebooting the system earlier this morning any login (root, user, otherwise) fails with a "Permission Denied".Is it possible that the su update somehow messed up my (standard) pam settings?
For about a week now I've been seeing mass attempts to relay through postfix and login to dovecot from the same 2 addresses, none are successful due to how postfix/dovecot are configured and I wouldn't be overly worried but my isp have picked up on it and are nagging at me
What ways do people go about just dropping connection attempts from offending addresses/ranges when stuff like that happens? An ideal thing would be something that detects repeated failed attempts from a host or range and subsequently ignore/ban them, perhaps for a specified length of time, something along the lines of denyhosts and fail2ban for ssh would be great Don't know if there's anything out there or just a plain tried and trusted method anyone might use for stuff like this, if not a hint on the most appropriate way to go about it 'manually' would do
Hi I am running a fedora 10 desktop. when i send an email using evolution the message was not sent but returns a error message:"Error while performing operation.DATA command failedError: 550 Viagra SPAM - Hi in Subject" and the message did not have an attachment just plain words. what might have gone wrong for i have been using this for sometime without a problem. or what security measures should be in place to remove this viagra spamAm I infected by virus on this fedora, all my updates are up to date.
Yesterday, I updated my system with the latest security update and other software updates. Following the update, I am not able to log into the system after restart.As usual, I was prompted with the login page which looks as per normal. I chose my login id and entered my password. It brings me briefly to my desktop showing only my wallpaper (without any upper and bottom taskbars/panels). Then the screen went blank and the login page appeared again.I entered the login id and password, was shown the desktop wallpaper, screen went blank and the login page appeared. This continues over and over and over. After multiple tries and with some luck, I am able to log in as per normal.What seems to be the problem?
1. How do I check the system for errors? 2. How do I check which update has been updated? 3. Is there any way for me to restore to its original state (I migrated from FC10 to FC11 via yum update)?
The only other change apart from the security update is that I installed wine - which has been uninstalled the moment I was able to re-logged in.I attach the details of my grub.conf file below which I hope could be of some useful info.
I have had two instances recently where I was unable to log in to my computer with uid 500, but I could log in as root. In the first case, I could log in as user 500 to virtual terminals (ctrl-alt-F2, etc) but I could not log in to X. I found that, in the file /etc/pam.d/password-auth-acthere was an extra line that read"accountrequiredpam.access.so"I did not put that line there. When I removed the line, I could log in fine.In the other case, I could log in as user 500 to X, but could not log in to virtual terminals as user 500 (but could as root). I found that, in the file/etc/pam.d/system-auth-acThere was the same extra line as above. And again, I did not put it there, but when I removed it the problem was solved and I could log in to virtual terminals as user 500.I would like to find out, step by step, what happens when I enter my username and password in either a virtual terminal or in X. The login info must be passed to something that checks some files and then lets me in or not. How does that work?
I'm migrating my file server from Fedora 9 to Fedora 11 (clean install), and I'm having a horrendous time trying to get key based SSH logins working. I've set it up before, and I can't figure out why it won't work now. I copied my public key into ~/.ssh/authorized_keys2 and set the folder permissions for 700 and the file permissions for 600. Then I restarted sshd. Now unless I remember wrong I thought that's all you have to do. It didn't work. So I rebooted just for good measure. Still didn't work. So I made sure that my client was still sane. I can log into my OpenBSD machine just fine. I compared the sshd_config from OpenBSD to the Fedora one, and the options seem pretty close.
At that point I had nothing to lose and just started messing with the Fedora sshd_config. I also noticed in the config that the commented AuthorizedKeys file had dropped the 2 off the end, so I tried changing that as well. Still nothing. Password based logins work, but I really don't want to go that route. Now I can only think of two possibilities. One, some sshd_config setting is wrong and I don't know what it is. Two, there's some package that's required for key based logins that I accidentally unchecked during the install process. That's about all I can come up with. Here's my sshd_config, I tried to just set everything back to default.
Code: #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 .....