Original message at the bottom.

I got several replies on how to deal with ssh, but we've already covered that ground in previous postings to the list. What I really wanted to know was the significance of that first log line.

Nick Hindley and The Hatter both supplied the answer -- http://www.derkeiler.com/Mailing-Lists/securityfocus/Secure_Shell/2004-12/0007.html:

The ssh client end first attempts to login with authentication method "none". That is not allowed and produces the "Failed none" entry in the logs. It also returns a list of what authentication methods are allowed. The client then uses one of those methods, e.g. keyboard-interactive.

So, there aren't any additional security implications. It's still a brute force distributed ssh attack.

Besides the summary I previously posted on how to deal with those, someone in our group just this morning forwarded this link -- http://lwn.net/Articles/357960/ , which covers a lot of the same ground, but is a nice accessible summary with some interesting discussion at the end.

---------------
Chris Hoogendyk
Systems Administrator
Biology & Geology Departments
140 Morrill Science Center
University of Massachusetts, Amherst
<hoogendyk@bio.umass.edu>
---------------
Erdös 4

-------- Original Message --------
Subject: ongoing ssh attacks
Date: Thu, 29 Oct 2009 13:02:27 -0400
From: Chris Hoogendyk <hoogendyk@bio.umass.edu>
To: Sun Managers List <sunmanagers@sunmanagers.org>

I've blocked upwards of 2000 IP addresses so far. New ones keep appearing. Any IP that attempts a root login is automatically considered bad. They get blocked as soon as they appear. That's in spite of the fact that root logins are simply not allowed based on sshd_config.

However, I'm seeing entries in authlog that look like this:

Oct 28 15:44:01 myserver sshd[17063]: Failed none for root from 125.87.1.243 port 53637 ssh2
Oct 28 15:44:02 myserver sshd[17063]: Failed keyboard-interactive for root from 125.87.1.243 port 53637 ssh2

I thought "Failed none" meant that someone had logged in without failure. But this shows a "Failed none" immediately followed by a "Failed keyboard-interactive".

Can someone tell me what that means? Or what the implication is in terms of the attack and my system security?

My /etc/ssh/sshd_config does have the setting "PermitRootLogin no".

--
---------------
Chris Hoogendyk
Systems Administrator
Biology & Geology Departments
140 Morrill Science Center
University of Massachusetts, Amherst
<hoogendyk@bio.umass.edu>
---------------
Erdös 4

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Oct 29 14:47:47 2009
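
The behaviour explained in the summary above (the client's initial "none" request is logged as a failure before any real method is tried), as an added example that is not part of the original thread: a small Python parser that counts "Failed none" lines as method-list probes and not as credential guesses. The log lines are constructed in the format quoted in the thread, using documentation-range addresses, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the authlog lines quoted in the thread.
# 192.0.2.x and 198.51.100.x are documentation addresses, not observed sources.
SAMPLE_LOG = """\
Oct 28 15:44:01 myserver sshd[17063]: Failed none for root from 192.0.2.10 port 53637 ssh2
Oct 28 15:44:02 myserver sshd[17063]: Failed keyboard-interactive for root from 192.0.2.10 port 53637 ssh2
Oct 28 15:44:09 myserver sshd[17070]: Failed none for admin from 198.51.100.7 port 40112 ssh2
Oct 28 15:44:10 myserver sshd[17070]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Oct 28 15:44:12 myserver sshd[17070]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Oct 28 15:44:20 myserver sshd[17081]: Failed none for root from 192.0.2.10 port 53702 ssh2
"""

# Some sshd builds insert "invalid user" or "illegal user" before the name.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def summarize(log_text):
    """Per source IP: connections seen, 'none' probes, real auth attempts."""
    stats = defaultdict(lambda: {"connections": set(), "probes": 0,
                                 "attempts": 0, "root": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        # One sshd child process and client port identify one connection.
        entry["connections"].add((m["pid"], m["port"]))
        if m["method"] == "none":
            entry["probes"] += 1    # method-list query, not a credential guess
        else:
            entry["attempts"] += 1  # password, keyboard-interactive, ...
        entry["root"] |= m["user"] == "root"
    return {ip: {**e, "connections": len(e["connections"])}
            for ip, e in stats.items()}

def root_offenders(summary):
    """IPs that tried the root account, the blocking rule used in the thread."""
    return sorted(ip for ip, e in summary.items() if e["root"])

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, e)
```

A connection that logs only "Failed none" (the last sample line) still counts as a connection from that address, with zero credential attempts.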