
Please be positive and constructive with your questions and comments.

Seeing lots of invalid user entries in /var/log/auth.log, sh

by bebo on Mon Apr 10, 2017 8:26 am

Here's a sample of my /var/log/auth.log file:
Apr 9 15:32:49 arm sshd[3149]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.207.37.53
Apr 9 15:32:52 arm sshd[3149]: Failed password for invalid user support from 103.207.37.53 port 60558 ssh2
Apr 9 15:32:54 arm sshd[3153]: Did not receive identification string from 123.31.31.90
Apr 9 15:33:11 arm sshd[3154]: Invalid user support from 103.207.37.232
Apr 9 15:33:11 arm sshd[3154]: input_userauth_request: invalid user support [preauth]
Apr 9 15:33:11 arm sshd[3154]: pam_unix(sshd:auth): check pass; user unknown
Apr 9 15:33:11 arm sshd[3154]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.207.37.232
Apr 9 15:33:13 arm sshd[3154]: Failed password for invalid user support from 103.207.37.232 port 57227 ssh2
Apr 9 15:33:13 arm sshd[3154]: fatal: Read from socket failed: Connection reset by peer [preauth]
Apr 9 15:33:15 arm sshd[3160]: Did not receive identification string from 103.207.37.232
Apr 9 15:34:55 arm sshd[3161]: Address 123.31.31.90 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 9 15:34:55 arm sshd[3161]: Invalid user support from 123.31.31.90
Apr 9 15:34:55 arm sshd[3161]: input_userauth_request: invalid user support [preauth]
Apr 9 15:34:55 arm sshd[3161]: pam_unix(sshd:auth): check pass; user unknown

Is this something that needs to be dealt with? Or is it just normal activity?

bebo
 
Posts: 92
Joined: Tue Mar 29, 2011 8:22 am

Re: Seeing lots of invalid user entries in /var/log/auth.log

by drewfustini on Mon Apr 10, 2017 5:50 pm

I've not seen that before. For reference, here is my BeagleBone on my internal network running Debian 8.7. It does accept ssh connections but there should be no way for the public Internet to access it, as my home router does not forward ports to it.
root@beaglebone:~# cat /var/log/auth.log
Apr 9 06:25:09 beaglebone CRON[9790]: pam_unix(cron:session): session closed for user root
Apr 9 06:47:01 beaglebone CRON[10050]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 9 06:47:06 beaglebone CRON[10050]: pam_unix(cron:session): session closed for user root
Apr 9 07:17:01 beaglebone CRON[10060]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 9 07:17:01 beaglebone CRON[10060]: pam_unix(cron:session): session closed for user root
Apr 9 08:17:01 beaglebone CRON[10073]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 9 08:17:01 beaglebone CRON[10073]: pam_unix(cron:session): session closed for user root
Apr 9 09:17:01 beaglebone CRON[10085]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 9 09:17:01 beaglebone CRON[10085]: pam_unix(cron:session): session closed for user root
Apr 9 10:17:01 beaglebone CRON[10094]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 9 10:17:01 beaglebone CRON[10094]: pam_unix(cron:session): session closed for user root
Apr 9 11:17:02 beaglebone CRON[10103]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 9 11:17:02 beaglebone CRON[10103]: pam_unix(cron:session): session closed for user root
Apr 9 12:17:01 beaglebone CRON[10112]: pam_unix(cron:session): session opened for user root by (uid=0)
<snip>


I've asked on the beagleboard.org mailing list if anyone has seen that warning.

drewfustini
 
Posts: 944
Joined: Sat Dec 26, 2015 1:19 pm

Re: Seeing lots of invalid user entries in /var/log/auth.log

by erco on Tue Apr 11, 2017 3:25 pm

Hmm, is your machine on the open internet, or behind a firewall port forwarding SSH to your machine?

If so, yes that's normal, or well, it's "normal" for crackers to constantly be twisting doorknobs on machines exposed to the net. Machines on the open net are bound to have this kind of thing going on all day, every day. Use complex passwords for all accounts that are allowed for SSH, and try to limit the usernames that are allowed to ssh in via the sshd.conf file.

If your machine is behind a firewall, however, and you don't expect there to be ssh connections from the internet, and don't recognize those IPs (103.207.37.232, 123.31.31.90), then it sounds like there's a hole through your firewall, as connection attempts from those IPs are actively being attempted. Look for holes like VPNs or tunnels or some such.

erco
 
Posts: 1
Joined: Tue Apr 11, 2017 3:08 pm
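As an added example (not code from anyone in this thread), a small Python triage script over the kind of auth.log lines bebo posted: it counts failed and invalid-user attempts per source address, flags the reverse-DNS mismatch that sshd warned about, and lists any accepted logins, which is the grep bebo describes later. The sample log is constructed from the post's lines plus one hypothetical accepted key login from a private address so the "accepted" check has something to find.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines from the opening post plus one hypothetical
# successful key login from the LAN (not in the original log).
SAMPLE_LOG = """\
Apr 9 15:32:49 arm sshd[3149]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.207.37.53
Apr 9 15:32:52 arm sshd[3149]: Failed password for invalid user support from 103.207.37.53 port 60558 ssh2
Apr 9 15:32:54 arm sshd[3153]: Did not receive identification string from 123.31.31.90
Apr 9 15:33:11 arm sshd[3154]: Invalid user support from 103.207.37.232
Apr 9 15:33:13 arm sshd[3154]: Failed password for invalid user support from 103.207.37.232 port 57227 ssh2
Apr 9 15:34:55 arm sshd[3161]: Address 123.31.31.90 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 9 15:34:55 arm sshd[3161]: Invalid user support from 123.31.31.90
Apr 9 15:40:02 arm sshd[3170]: Accepted publickey for debian from 192.168.1.20 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
"""

# Patterns for the sshd message formats seen in the thread.
FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")
NOIDENT = re.compile(r"Did not receive identification string from (\S+)")
REVDNS = re.compile(r"Address (\S+) maps to .*POSSIBLE BREAK-IN ATTEMPT")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")

def summarize(log_text):
    """Return (per-IP event counters, tried usernames, accepted logins)."""
    by_ip = defaultdict(Counter)
    usernames = Counter()
    accepted = []          # (user, source ip, auth method)
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            by_ip[m.group(3)]["failed"] += 1
            usernames[m.group(2)] += 1
        elif m := INVALID.search(line):
            by_ip[m.group(2)]["invalid_user"] += 1
        elif m := NOIDENT.search(line):
            by_ip[m.group(1)]["no_ident"] += 1
        elif m := REVDNS.search(line):
            by_ip[m.group(1)]["revdns_mismatch"] += 1
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(2), m.group(3), m.group(1)))
    return by_ip, usernames, accepted

def top_sources(by_ip):
    """Source addresses ordered by total suspicious events, busiest first."""
    return sorted(((ip, sum(c.values())) for ip, c in by_ip.items()),
                  key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    ips, users, ok = summarize(SAMPLE_LOG)
    print("noisiest sources:", top_sources(ips))
    print("usernames tried:", dict(users))
    print("accepted logins (check every one is you):", ok)
```

Any entry in the accepted list that is not your own address or user is the thing worth investigating; the failed attempts from unknown addresses are the background noise erco describes.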

Re: Seeing lots of invalid user entries in /var/log/auth.log

by bebo on Wed Apr 12, 2017 9:01 am

Thanks for the insight. Yes, the machine was exposed over port 22 and 80, as I was testing the dynamic DNS I had set up. I have a firewall set up on the router, and use ssh keys to login, and after a few grep searches of the log, I didn't see anything that said "password Accepted" except for me. I am a welder/fabricator working on a sculpture that requires an Internet connection, so this world of Linux and APIs has me confused and bewildered, but I am making progress.

bebo
 
Posts: 92
Joined: Tue Mar 29, 2011 8:22 am

Re: Seeing lots of invalid user entries in /var/log/auth.log

by drewfustini on Thu Apr 13, 2017 3:22 am

Ah ok, yes, that activity in the logs would make sense for a device exposed to the Internet. As erco mentioned above, it is important to make sure that there are complex passwords for the user accounts on your BeagleBone. By default, there will be a root user account and a debian user account.

Historically, the BeagleBone images have left the system in a pretty insecure state. This was to make the out of box experience easy. However, it was assumed that the BeagleBone would only be connected to an internal network and not exposed to the Internet.

Robert C. Nelson finally changed the Debian images earlier this year to improve security a little bit. It is still important to change the password of the debian user account from the default password to something complex.

drewfustini
 
Posts: 944
Joined: Sat Dec 26, 2015 1:19 pm
