can't prevent root lockout under Tru64/C2 security

• Previous message: rob.ballou_at_gmail.com: "Re: Chroot SSH error"
• Next in thread: Nico Kadel-Garcia: "Re: can't prevent root lockout under Tru64/C2 security"
• Reply: Nico Kadel-Garcia: "Re: can't prevent root lockout under Tru64/C2 security"
• Reply: Darren Tucker: "Re: can't prevent root lockout under Tru64/C2 security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 29 Jan 2005 21:01:58 -0800

I have a couple Tru64 boxes (4.0f and 5.1b) both using C2 security
that have been getting occasional root login attacks via SSH. These
attacks (3000
hits on root last time) cause the root account to get locked. I tried
disabling root logins from SSH with "PerminRootLogins no" (in
sshd_config) but I still see failed attempts logged in the auth db
(u_numunsuclog for root user increments). I then also tried adding
"DenyUsers root" to sshd_config which seems to work on the 4.0f system
but not on
5.1b. I now do see an "invalid user" error in the auth.log on both
systems but on the 5.1b system u_numunsuclog (in auth db) still
increments.

The Tru64 delivered ssh is not beig used, but rather a version of
OpenSSH manually downloaded/built. (The 4.0f system has OpenSSH 3.1p1
and the 5.1b system has 3.7.1p2.) The 5.1b system was just upgraded
from 5.1a to 5.1b and the 4.0f system will be upgraded to 5.1b soon so
the DenyUsers fix on 4.0f only doesn't help much.

Anyone have any idea why adding these two settings to the sshd config
does not stop the login attempt in sshd, before reaching the system
auth db?

                                                       Mike

• Previous message: rob.ballou_at_gmail.com: "Re: Chroot SSH error"
• Next in thread: Nico Kadel-Garcia: "Re: can't prevent root lockout under Tru64/C2 security"
• Reply: Nico Kadel-Garcia: "Re: can't prevent root lockout under Tru64/C2 security"
• Reply: Darren Tucker: "Re: can't prevent root lockout under Tru64/C2 security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Linux hacked ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ... (Security-Basics) Re: Linux hacked ... To find out what kernel version you are running, type "uname -a" without ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ... (Security-Basics) Re: X11Forwarding, ssh -X, and /bin/su ... ]>but I'm not really tunneled using ssh then, ... ]connecting to the X server and have the home directory NFS-mounted ... ](unless you leave root unmapped over NFS, ... ]root-readable place and set the environment $XAUTHORITY variable ... (comp.security.ssh) RE: Linux hacked ... hack the box, pull the drive and save it. ... Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... been unsuccessful in getting root back. ... I found a hidden directory /var/tmp/.tmp that has a bunch of directories ... (Security-Basics) RE: Linux hacked ... Was any of the sites running a php nuke or another portal or system that is vuln ... been able to use that with a locla root exploit to gain root on the machine. ... > hack the box, pull the drive and save it. ... > Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... (Security-Basics)