Re: strange (?) ssh user

2009-08-21 Thread Paul de Weerd
Hi Uwe, On Fri, Aug 21, 2009 at 01:54:06PM +0800, Uwe Dippel wrote: Ryan Flannery wrote: On Fri, Aug 21, 2009 at 1:19 AM, Uwe Dippel udip...@uniten.edu.my wrote: Recently, I noticed an ssh user on one of my machines, who never logged on, is not visible with 'last', seems to have no

Re: strange (?) ssh user

2009-08-21 Thread Edd Barrett
Hi, On Fri, Aug 21, 2009 at 6:54 AM, Uwe Dippel udip...@uniten.edu.my wrote: Yes. Like Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2 To be clear, the user exists, and logged on the last time three days ago as far as 'last' is concerned. This sounds very fishy. I would start

Re: strange (?) ssh user

2009-08-21 Thread Iñigo Ortiz de Urbina
On Fri, Aug 21, 2009 at 7:19 AM, Uwe Dippel udip...@uniten.edu.my wrote: Recently, I noticed an ssh user on one of my machines, who never logged on, is not visible with 'last', seems to have no terminal active, and is back immediately after a reboot. Hmm. root 13415 0.0 0.9 3280 2420

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Paul de Weerd wrote: Hi Uwe, Yes. Like Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2 And this XXX.XX.XX.XX is the address of a machine you know ? Yes The user is a well known user to you, Yes some system account perhaps ? No To be clear, the user

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Edd Barrett wrote: Hi, On Fri, Aug 21, 2009 at 6:54 AM, Uwe Dippel udip...@uniten.edu.my wrote: Yes. Like Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2 To be clear, the user exists, and logged on the last time three days ago as far as 'last' is concerned. This sounds

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Iñigo Ortiz de Urbina wrote: As its not clear to me if isuser is a user you trust, created or needed for your services, 'Trusted', created by myself, needs a local account. I would say your machine might have been compromised. What kind of traffic is isuser generating? Difficult to find

Re: strange (?) ssh user

2009-08-21 Thread Paul de Weerd
On Fri, Aug 21, 2009 at 06:00:10PM +0800, Uwe Dippel wrote: Paul de Weerd wrote: Hi Uwe, Yes. Like Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2 And this XXX.XX.XX.XX is the address of a machine you know ? Yes Is it under your control ? Can you see what is

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Paul de Weerd wrote: tcpdump(8) will tell you a lot, I suppose ;) I guess the best way to make sure the account is not compromised is talking to your user and asking him if he can explain what is going on. Again, my current guess is TCP forwarding, but it could be a lot of other things too.

Re: strange (?) ssh user

2009-08-21 Thread Paul de Weerd
On Fri, Aug 21, 2009 at 07:51:57PM +0800, Uwe Dippel wrote: Paul de Weerd wrote: tcpdump(8) will tell you a lot, I suppose ;) I guess the best way to make sure the account is not compromised is talking to your user and asking him if he can explain what is going on. Again, my current guess

Re: strange (?) ssh user

2009-08-21 Thread Robert C Wittig
Uwe Dippel wrote: I can't as of now (weekend). But I can see it reoccurring, kind of: Aug 21 18:31:25 mybox sshd[31888]: Accepted password for isuser from XXX.XX.XX.XX port 57519 ssh2 in authlog, reflected pretty well by isuser ttyp0

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Robert C Wittig wrote: Have you considered adding a PF rule that would drop all incoming login requests from this specific user? Yes. But it won't work, because there is a NAT-address-rewrite in between that changes the source address. Also, that user has plenty of machines to log on to.

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Paul de Weerd wrote: You could check for the presence of forwarded TCP sessions with fstat, an example looks like this : weerd sshd 29016 11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 -- 127.0.0.1:3128 If you open an ssh session to a remote machine with a forwarded port,

Re: strange (?) ssh user

2009-08-21 Thread Cian Brennan
On Fri, Aug 21, 2009 at 10:34:05PM +0800, Uwe Dippel wrote: Paul de Weerd wrote: You could check for the presence of forwarded TCP sessions with fstat, an example looks like this : weerd sshd 29016 11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 -- 127.0.0.1:3128 If you

Re: strange (?) ssh user

2009-08-21 Thread Johan Beisser
On Fri, Aug 21, 2009 at 7:34 AM, Uwe Dippel udip...@uniten.edu.my wrote: Now I am pretty sure that this is what we see here. It also makes sense, since all those users sit on a tightly controlled LAN; while that machine is 'further out'. So that restricted services can be accessed through some

Re: strange (?) ssh user

2009-08-21 Thread Paul de Weerd
On Fri, Aug 21, 2009 at 10:34:05PM +0800, Uwe Dippel wrote: Now I am pretty sure that this is what we see here. It also makes sense, since all those users sit on a tightly controlled LAN; while that machine is 'further out'. So that restricted services can be accessed through some

Re: strange (?) ssh user

2009-08-21 Thread Stuart Henderson
On 2009-08-21, Cian Brennan cian.bren...@redbrick.dcu.ie wrote: Turn off ssh forwarding? set AllowTcpForwarding to no, in your sshd_config. you can do this in a Match section too if you need to allow it for some users. Of course, with a bit of effort and some netcat, the user will probably

Re: strange (?) ssh user

2009-08-21 Thread Lars Nooden
Stuart Henderson wrote: On 2009-08-21, Cian Brennan cian.bren...@redbrick.dcu.ie wrote: Turn off ssh forwarding? set AllowTcpForwarding to no, in your sshd_config. you can do this in a Match section too if you need to allow it for some users. Of course, with a bit of effort and some

Re: strange (?) ssh user

2009-08-21 Thread Eric Furman
On Fri, 21 Aug 2009 16:55 +0200, Paul de Weerd we...@weirdnet.nl wrote: On Fri, Aug 21, 2009 at 10:34:05PM +0800, Uwe Dippel wrote: Now I am pretty sure that this is what we see here. It also makes sense, since all those users sit on a tightly controlled LAN; while that machine is

Re: strange (?) ssh user

2009-08-21 Thread Uwe Dippel
Johan Beisser wrote: Read the man page for ssh_config(5) and sshd_config(5), and look at restricting what your users can do. Specifically: AllowTcpForwarding, PermitOpen and PermitTunnel, combined with Match. Thanks everyone for a great number of enlightening and helpful replies to my

strange (?) ssh user

2009-08-20 Thread Uwe Dippel
Recently, I noticed an ssh user on one of my machines, who never logged on, is not visible with 'last', seems to have no terminal active, and is back immediately after a reboot. Hmm. root 13415 0.0 0.9 3280 2420 ?? Ss 12:04PM 0:00.08 sshd: isuser isuser 702 0.0 0.7 3280

Re: strange (?) ssh user

2009-08-20 Thread Ryan Flannery
On Fri, Aug 21, 2009 at 1:19 AM, Uwe Dippel udip...@uniten.edu.my wrote: Recently, I noticed an ssh user on one of my machines, who never logged on, is not visible with 'last', seems to have no terminal active, and is back immediately after a reboot. Hmm. root 13415 0.0 0.9 3280 2420

Re: strange (?) ssh user

2009-08-20 Thread Uwe Dippel
Ryan Flannery wrote: On Fri, Aug 21, 2009 at 1:19 AM, Uwe Dippel udip...@uniten.edu.my wrote: Recently, I noticed an ssh user on one of my machines, who never logged on, is not visible with 'last', seems to have no terminal active, and is back immediately after a reboot. Hmm. root 13415