Re: can't prevent root lockout under Tru64/C2 security

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 01/30/05


Date: Sun, 30 Jan 2005 11:00:50 -0500


"msb" <mikebroderick@gmail.com> wrote in message
news:1107060891.860060.127320@f14g2000cwb.googlegroups.com...
>I have a couple Tru64 boxes (4.0f and 5.1b) both using C2 security
> that have been getting occasional root login attacks via SSH. These
> attacks (3000 hits on root last time) cause the root account to get
> locked. I tried
> disabling root logins from SSH with "PerminRootLogins no" (in
> sshd_config) but I still see failed attempts logged in the auth db
> (u_numunsuclog for root user increments). I then also tried adding
> "DenyUsers root" to sshd_config which seems to work on the 4.0f system
> but not on 5.1b. I now do see an "invalid user" error in the auth.log
> on both
> systems but on the 5.1b system u_numunsuclog (in auth db) still
> increments.
>
> The Tru64 delivered ssh is not being used, but rather a version of
> OpenSSH manually downloaded/built. (The 4.0f system has OpenSSH 3.1p1
> and the 5.1b system has 3.7.1p2.) The 5.1b system was just upgraded
> from 5.1a to 5.1b and the 4.0f system will be upgraded to 5.1b soon so
> the DenyUsers fix on 4.0f only doesn't help much.

Number 1: Tru64 support is basically dead as a doornail. I strongly urge you
to take the money for electricity used powering those older systems and
invest it in a modest modern Opteron box running a decent Linux distro.
There just aren't enough of these systems left alive to constitute an open
source community to keep them going.

Number 2: You're definitely due for OpenSSH updates, version 3.9p1 is out
and available.

> Anyone have any idea why adding these two settings to the sshd config
> does not stop the login attempt in sshd, before reaching the system
> auth db?

This, I don't know, but I do know from harsh experience that it's worth
staying near the leading edge on OpenSSH releases.

It should also be possible to implement a complete block of *all* remote
root logins, and force users to log in as themselves for tracking reasons
and do an "su" to become root. It doesn't solve the root block problem, but
it's usually a better way to handle remote log-ins for machines with
multiple root users.
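
An added example, not part of the original post or of OpenSSH: a small Python check of what the global section of an sshd_config actually says about root, using the two directives discussed in this thread. The sample config is constructed, and the function name `audit_root_login` is hypothetical.

```python
import difflib
from fnmatch import fnmatchcase

KEYWORDS = ("permitrootlogin", "denyusers")  # real sshd_config keywords

SAMPLE = """\
# constructed sshd_config fragment, spelled as quoted in the post
Port 22
PerminRootLogins no
DenyUsers root
"""

def audit_root_login(config_text):
    """Report what the global section of an sshd_config says about root."""
    permit_root = None   # sshd uses the first value it reads for a keyword
    deny_patterns = []   # DenyUsers patterns from every line are combined
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        key = keyword.lower()              # keywords are case-insensitive
        if key == "match":
            break                          # Match blocks are not evaluated here
        if key == "permitrootlogin" and args:
            if permit_root is None:
                permit_root = args[0].lower()
            else:
                findings.append(f"line {lineno}: later PermitRootLogin is ignored")
        elif key == "denyusers":
            deny_patterns.extend(args)
        else:
            near = difflib.get_close_matches(key, KEYWORDS, n=1, cutoff=0.8)
            if near:
                findings.append(f"line {lineno}: '{keyword}' is not a recognised "
                                f"keyword (closest: {near[0]})")
    # A USER@HOST pattern only denies root from that host, so require a bare one.
    root_denied = any("@" not in p and fnmatchcase("root", p) for p in deny_patterns)
    if permit_root is None:
        findings.append("PermitRootLogin is not set; the built-in default applies")
    return {"permit_root": permit_root, "root_denied": root_denied,
            "findings": findings}

if __name__ == "__main__":
    for key, value in audit_root_login(SAMPLE).items():
        print(key, "=", value)
```
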


