Ubuntu Security :: Sshd Logs And Connection Ports ?
Feb 9, 2011
What is happening when I log in to my Ubuntu server machine via ssh and putty. trying to understand everything, primarily securing my server.
I have specified the ssh server to listen on port 5525, and can login without a problem.
When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.
What is happening here and why is the logged connection a different port to the one specified in the config file?
View 1 Replies
ADVERTISEMENT
May 25, 2011
Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this happen by creating a permissive domain for sshd with this command:
Code:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Code:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
View 2 Replies
View Related
Apr 22, 2010
I have my router configured so that it drops outgoing telnet connections (and other protocols I don't use). It's a 2wire gateway. 192.168.1.65 is the internal IP of my ubuntu box.I'm trying to figure out what normal network traffic looks like and whether I should be worried by this log entry. At the time this happened I was testing out TOR (just navigating to a few sites (dell, ubuntu forums, etc.) nothing all that interesting.)
View 2 Replies
View Related
May 17, 2011
How to separate sftp and ssh and run on different ports.
i.e.
a) sftp on port x
b) ssh on port 22
I searched from the web and there are no detailed instructions. They suggested something like separating sshd_config into two files (file A and file B) and run two instances. Each instance points to its configuration file.
However, they didnt write down the detailed procedure of:
a) how to modify file A and file B (i.e. which line should insert specific commands)?
b) how to run two instances?
c) how to point each instance to its config file.
I am using Linux CentOS and the latest open-ssh.
View 4 Replies
View Related
Sep 11, 2010
A portscan reveals that port 39878 is 'open', service: 'unknown. I deny service for this port in Firestarter FW 'policy' Firestarter does not show any active connection. I am not running any apps, so how can I close this port?
View 9 Replies
View Related
Feb 14, 2011
I'm trying to ssh into my Ubuntu box, but the connection is getting denied.
When I look at /var/log/auth.log, I see the following:
Code:
I googled for this, and ran across the following: [url]
Here's the part that I think relates to the problem that I'm having:
Quote:
It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.
View 3 Replies
View Related
Mar 13, 2011
I have been trying for weeks to solve this one and have researched everywhere I know to look. Nothing has helped. I am trying to ssh to my other machine (machine1=galla, machine2=cachin). Both run Maverick Meerkat 10.10. I get the following error when trying to ssh to galla:ssh: connect to host galla port 22: Connection refused
uname -a outputs:Linux galla 2.6.35-27-generic #48-Ubuntu SMP Tue Feb 22 20:25:46 UTC 2011 x86_64 GNU/LinuxAlso, sshd does not stay running. I can start it, but a ps tells me it is never running. I imagine herein lies the problem. But why won't it stay running?I am not running any firewall on galla (iptables -L told me that).P.S. I can sucessfully ssh out of galla to cachin. And, even if I just try to ssh localhost on galla, same thing happens.
View 9 Replies
View Related
Jan 18, 2010
I'm having troubles trying to understand this problem:my homeserver until yesterday had a public IP, staying on network, with sshd running and all was fine;this evening I changed the IP, giving it a local lan address, and what happened if I tried to connect to it by ssh?I got an error about "Connection closed by remote host". Google helped me finding that was regarded to hosts.deny file, that was actually containing a lineALL:ALLthat I commented, and all was fine.My question is: why the hosts.deny (that has never changed) was observed only with the local IP?I tried to switch back to the public IP and leaving ALL:ALL, and it did connect without any problem
View 1 Replies
View Related
Jun 11, 2011
I've been using ssh for a LONG time to connect my laptop to my desktop with no problems. I use a non-standard port (nnnnn) and keys. After a power outage that caused a shutdown and reboot, I can no longer ssh into the desktop. The only changes I've made are updates (laptop and desktop both running ubuntu 10.04).
$ ssh -p nnnnn Desktop
ssh: connect to host Desktop port nnnnn: Connection refused
No messages are generated in any of the logs on Desktop!
$ /usr/sbin/sshd -T
port nnnnn
protocol 2
addressfamily any
listenaddress 0.0.0.0:12023
listenaddress [::]:12023 .....
View 9 Replies
View Related
Jul 19, 2011
I just putup the fedora15 on my PC. there are several msg coming up from selinux saying permission denied, though I am not doing any administrative activity. the PC being a workstation for reaserch. how can I know the denial is for an security intrusion attempt. how can I set conditions to see the logs of all security intrusions. how can I set exclusive msg-ing from selinux that the denial is for a security intrusion attempt.
View 5 Replies
View Related
Aug 8, 2010
I have installed Fedora 13 and updated it. I simply cant use ssh to connect to this Fedora, not even locally. I have enabled port22 in firewall settings and nothing. Tried to disable firewall completely and nothing. I have disabled SELinux (not sure if it has something to do with this, but... ) and nothing. Entered "ALL: ALL" in /etc/hosts.allow and still nothing. Dont know what to do anymore.
Here is what happens when I try to ssh to this machine, even from it:
[flibio@surf ~]$ ssh localhost
warning: Need basic cursor movement capability, using vt100
flibio's password:
Authentication successful.
Disconnected; connection lost (Connection closed.).
Connection to localhost closed.
[flibio@surf ~]$
Looking into Services > sshd and it says "This service is dead."
So I tried:
[root@surf etc]# service sshd restart
Stopping sshd: [FAILED]
Starting sshd: : OpenSSH_5.4p1 on
: FATAL: Creating listener failed: port 22 probably already in use! .....
And still I get disconnected whenever I try to ssh to this machine from anywhere. Services says that sshd is allways dead, even restarting it but I can only restart it by doing a pkill sshd before.
View 7 Replies
View Related
Mar 9, 2011
I want to enable sshd from Internet, but I want to secure it as much as possible.Therefore, despite the fact that the service will run on a tcp port above 2000 to prevent most scans, I would like to :- First, force the use of a client certificate, to avoid brute force attack on my users/passwords- second force the use of a username/password to avoid someone having access to my system just by stealing my key..When I look at the configuration, it's possible to enable both, but one of them is sufficient to login, but I can't find how to make them both mandatory...
View 2 Replies
View Related
Mar 9, 2010
I have a RHEL server with users logging in via ssh. I want to start using public keys instead of passwords with ssh. But public key is as good as a rotten tomato if it is unpassphrased and I cannot guarantee that all users will use passphrases. Therefore I will generate both private and public key on the server and will distribute the private key to the user via user-friendly web interface and thats where I will force them to use passphrase. I know they can change later the passphrase or remove it totally but my users are not so advanced.
So now I am trying to setup a centralized authorized_keys file with to be able to make them only root writable so they cannot put their own public keys on the server , it will be handled by scripts. Now the actual problem. I created /etc/ssh/keys directory instead of ~/.ssh and changed AuthorizedKeysFile to /etc/ssh/keys/%u in sshd_config But when I try to connect with the key I get the following error in the logs (after enabling DEBUG3 in sshd_config)
<CUT>
Mar 8 15:22:28 stagesmpp sshd[12248]: debug3: mm_request_receive entering
Mar 8 15:22:29 stagesmpp sshd[22358]: debug2: channel 0: rcvd adjust 33544
Mar 8 15:22:30 stagesmpp sshd[12248]: debug3: monitor_read: checking request 20
[code]...
View 2 Replies
View Related
Nov 4, 2010
Quick explanation about what this thread is: by way of an article featured on linuxtoday, I learned about what appears to be an actively managed IP blacklist: [URL]
# This is a compiled list of dirty hosts associated with
# bruteforcing attempts, spam, botnets, RBN and the list
# continues to grow. The data is comprised of information
# compiled from Arbor Networks, Project Honeypot, FIRE
# (maliciousnetwork.org), Host Exploit, Shadowserver and
# a variety of other similarly based sites.
Quick explanation about what this thread is not: this is not intended to be a discussion about default deny vs. default allow (i.e. whitelists vs. blacklists), nor is this a call for enumerations of your own sshd hardening strategy. Please try to keep on point. That said, can anyone speak to the quality of the blacklist information noted above? And/or are there any suggestions for a readily available blacklist of "known better" quality? I plan to try including an actively maintained blacklist like this into a multi-layered approach for hardening an sshd bastion host.
View 4 Replies
View Related
May 11, 2011
I am running a fresh installation of RHEL 6 box and it shipped with Openssh 5.3.But, /etc/ssh/moduli file doesn't exist even in this new installation and the SSH log warns as below:PHP Code:WARNING: /etc/ssh/moduli does not exist, using fixed modulusDoes this imply that it is using the same random number for key exchange purpose ? Also, does it impose any security risks
View 2 Replies
View Related
Feb 18, 2011
I have an sshd server up and running (F13 64bit) I'd like to connect to a pc that's behind a firewall using ssh tunnelling, so I have something like
ssh -R 1234:127.0.0.1:22 myuser@mypc
then from mypc I can succesfully login to the remote pc. I have just une question. How can I list the ssh active connections and the forwarded ports ?
I've only got to
netstat -tunva
but this returns only (filtered)
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:172.16.0.XXX:22 ::ffff:172.16.1.XXX:60744 ESTABLISHED
Now I know that the first is the tunnel end but how can I connect the two lines if I don't know the port number (ie: someone else estabilieshes another tunnel)
View 4 Replies
View Related
Mar 6, 2010
I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:
Code:
sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2
If I do a 'setenforce 0' I can login and no error is logged.
View 10 Replies
View Related
Dec 19, 2010
When a user that has rsa public key set in ~/.ssh/authorized_keys file logs in via ssh an sshd process is started to handle the ssh session.Periodically we audit the authorized keys and remove them from the system and authorized_keys file. This means the next log in attempt will fail, which is fine.However we need to terminate current ssh sessions in progress that use the rsa key.I have not been able to determine a way to map sshd processes with authorized_keys entries.
View 11 Replies
View Related
Mar 28, 2010
Quote:
Code:
I've used these commands to generate my new keys and immediately got my sshd server running.
However, I now have the problem where the password is not being recognized and is repeatedly asked for.
View 2 Replies
View Related
Apr 28, 2011
Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts tp login ?
View 1 Replies
View Related
Aug 10, 2010
I have a problem with sshd daemon on a target linux system:The system has only one user (root) without password.The sshd_config looks like:
Code:
Port 22
Protocol 2
[code]...
View 8 Replies
View Related
Mar 18, 2010
I cannot find one single UFW event anywhere. I have researched this and see that others have trouble finding these logs too. I have looked in every /var/log there is and I can't find one event. I have UFW enabled, default deny and logging set to medium from a previous logging low(in hopes this would create more events to be seen). In terminal, UFW is shown as active. I have been using Ubuntu for more than a year now and I recall seeing UFW events with every session in some /var/logs in Ubuntu 9.04 - I'm running 9.10 now. I have also tried looking throughout the system files and have found nothing. Is UFW not working properly or could I just not be experiencing any firewall events(not likely)?
View 9 Replies
View Related
Apr 26, 2011
If anyone knows where does ZEIGEIST put its logs. Is it in my home folder, or is it somewhere else. I have my home folder enrypted and this is really not very secure if someone can see those logs...So. Does ZEITGEIST put logs in my HOME folder or not?
View 7 Replies
View Related
Jun 16, 2010
how to find USB enteries/ logs in linux
View 5 Replies
View Related
Apr 22, 2009
I have connected to my friends machine, for some reason . all the logs are wiped out . ?
CentOS .
There is nothing there? is this a unusual to Linux systems?
View 3 Replies
View Related
Apr 1, 2010
After reading a lot about networking and security I decided to check the security of my own ubuntu box. So I went installing Nmap and discovered that port 139 was "open". Since I 'd read how to use ufw I created a deny rule for port 139. After a second scan with Nmap it still said that port 139 was open as shown below.
[Code]...
View 9 Replies
View Related
Jul 27, 2010
I'm locking down my laptop. I know I can use a firewall to ensure nothing gets through that I didn't catch, and I certainly plan on using one, but in the meantime, I want to know what exactly is running on my system.
nmap localhost returns:
Code:
james@james-linux:~$ nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 994 closed ports
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
However, I know that localhost goes back to the loopback interface, 127.0.0.1. So, to see what was really open, I ran nmap 192.168.0.108, which is my laptop's IP at the moment.
Code:
james@james-linux:~$ nmap 192.168.0.108
Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-26 23:33 CDT
Interesting ports on 192.168.0.108:
Not shown: 996 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Now if I understand correctly, I can attribute 139 and 445 to my Samba share. That I'm okay with. What I don't know is 111 and 2049. Does anyone know what these ports are, what's running on them, and how I could turn them off, supposing that they are a security risk?
View 9 Replies
View Related
Mar 18, 2011
I'm getting heat from the head networking office that ports 21, 110, and 143 are open. I can telnet to those ports from a remote machine (not localhost) and get a prompt. There does not seem to be anything listening on those ports according to netstat. I've tried using iptables to discard all traffic to a from those ports but I can still telnet to them. This is a lucid desktop machine.
View 4 Replies
View Related
Feb 4, 2010
I was just checking some of the generated logs from Samba.
Code:
Quote:
I've looked over my smb.conf and it doesn't look like I even have any printer sharing enabled.
Quote:
How PC1 was refused a connection when it looks like I don't have any printers being shared throught Samba?
This is just on a home LAN.
View 1 Replies
View Related
Jan 8, 2010
These files seem to contain browsing history:
~/.mozilla/firefox/xxxxx.default/cookies.sqlite ~/.mozilla/firefox/xxxxx.default/formhistory.sqlite ~/.mozilla/firefox/xxxxx.default/downloads.sqlite ~/.mozilla/firefox/xxxxx.default/places.sqlite ~/.mozilla/firefox/xxxxx.default/places.sqlite-journal
~/.mozilla/firefox/xxxxx.default/Cache/
Therefore I have cleared these files using an erasing program. I am wondering if there are other locations where such log files are stored for Internet browsing. I have looked in the /var/log directory and cannot see anything - for example doing a grep on http:// after browsing in Firefox does not reveal anything obvious.
View 6 Replies
View Related
