[SWLUG] Possible SSH Attack

Matthew Willsher matt at monki.org.uk
Thu Jul 14 22:17:16 UTC 2011


On 14 July 2011 22:22, Jon Reynolds <maillist at jcrdevelopments.com> wrote:

>  Hi folks,
>
>  Am a bit naive when it comes to these things, but looking through just
>  the last few days of auth.log I see lots of this:
>  Jul 10 16:17:30 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
>  Jul 10 16:20:04 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
>  Jul 10 16:20:12 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
>  Jul 10 16:20:51 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=www-data
>  Jul 10 16:21:15 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody
>  Jul 10 16:21:22 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
>  Jul 10 16:21:29 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=backup
>  Jul 10 16:22:35 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=news
>  Jul 10 16:22:48 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=games
>  Jul 10 16:23:01 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mail
>  Jul 10 16:24:32 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=sshd
>  Jul 10 16:24:55 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bin
>

These are attacks logged by the Courier POP3 daemon using standard PAM auth
against the passwd/shadow password files. The attacker appears to be
attempting to gain access as a variety of system type accounts.


>  I am of course wondering if this is some sort of brute force attack,
>  where someone is trying to log in with any possible user name....
>

Most likely an automated probe, possibly against a known weakness in Courier or
a typical misconfiguration. Note that authdaemond is running as root (uid=0
euid=0), so a weakness in it could lead to a complete system compromise. If
POP3 is required, consider moving to a different authentication source that
doesn't require root-level privileges.


>  Is there anything I can do? Should I be worried? I use ssh keys to
>  login, but I have left password auth on in case I lose the keys :)
>
>  ...maybe this is just normal?
>

Normal, I'd say. Make sure you keep the software up to date and use
a separate username/password source. Consider moving to POP3 over SSL to
reduce the risk of password sniffing, and consider fail2ban or similar as
Carwyn suggested.
If the service is not required, either disable it or firewall the port off on
the Internet-facing interface.

Hope this helps.

Regards,

Matt
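Added example, not part of the thread: a Python script that parses the pam_unix(pop3:auth) failure lines quoted above (re-joined onto one line each and embedded as constructed sample input), counts which accounts were targeted, and applies fail2ban-style burst detection (maxretry failures within findtime seconds, then reset). It also checks the rhost= field, which is empty in every line above: these pam_unix lines alone carry no client address, so a fail2ban jail built on them would have nothing to ban and would need a log line that records the peer IP. The year 2011 is assumed from the post date, since syslog timestamps carry no year.

```python
"""Burst detection over pam_unix(pop3:auth) failure lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the authdaemond lines quoted in the thread,
# each re-joined onto a single line as syslog writes them.
SAMPLE_LOG = """\
Jul 10 16:17:30 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
Jul 10 16:20:04 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
Jul 10 16:20:12 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
Jul 10 16:20:51 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=www-data
Jul 10 16:21:15 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody
Jul 10 16:21:22 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
Jul 10 16:21:29 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=backup
Jul 10 16:22:35 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=news
Jul 10 16:22:48 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=games
Jul 10 16:23:01 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=mail
Jul 10 16:24:32 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=sshd
Jul 10 16:24:55 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bin
"""

# syslog prefix, process name, then the pam_unix service and the key=value tail.
PAM_FAIL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): '
    r'pam_unix\((?P<svc>[^:]+):auth\): authentication failure; (?P<kv>.*)$'
)


def parse_pam_failures(text, year=2011):
    """Return one dict per pam_unix 'authentication failure' line.

    Syslog timestamps carry no year; 2011 is assumed here from the post date.
    """
    events = []
    for line in text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue
        # "logname= uid=0 ... rhost=  user=root" -> {'logname': '', 'uid': '0', ...}
        fields = dict(tok.split('=', 1) for tok in m.group('kv').split() if '=' in tok)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({'ts': ts, 'host': m.group('host'), 'service': m.group('svc'),
                       'user': fields.get('user', ''), 'rhost': fields.get('rhost', '')})
    return events


def users_targeted(events):
    """Counter of account names tried, per failure line."""
    return Counter(e['user'] for e in events)


def events_without_rhost(events):
    """How many lines carry no client address (nothing fail2ban could ban on)."""
    return sum(1 for e in events if not e['rhost'])


def find_bursts(events, maxretry=5, findtime=600):
    """fail2ban-style rule per PAM service: maxretry failures within findtime
    seconds raise an alert, after which the window resets (as a ban would)."""
    alerts = []
    by_service = defaultdict(list)
    for e in events:
        by_service[e['service']].append(e)
    for svc, evs in by_service.items():
        evs.sort(key=lambda e: e['ts'])
        window = []
        for e in evs:
            window.append(e)
            cutoff = e['ts'] - timedelta(seconds=findtime)
            window = [w for w in window if w['ts'] >= cutoff]   # drop stale failures
            if len(window) >= maxretry:
                alerts.append({'service': svc, 'first': window[0]['ts'], 'last': e['ts'],
                               'count': len(window),
                               'users': sorted({w['user'] for w in window})})
                window = []
    return alerts


if __name__ == '__main__':
    evs = parse_pam_failures(SAMPLE_LOG)
    print(f"{len(evs)} failures, {events_without_rhost(evs)} without rhost")
    print("accounts tried:", users_targeted(evs).most_common())
    for a in find_bursts(evs):
        print(f"{a['service']}: {a['count']} failures {a['first']}..{a['last']} users={a['users']}")
```

The sample above yields two alerts at maxretry=5/findtime=600 and none at findtime=60, which is the trade-off the thresholds encode: a slow scanner that paces attempts a minute apart stays under a tight window, while the burst shown here does not.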