Are these log entries normal?

I noticed high CPU usage and, when I typed top, saw that the user dinko had high CPU usage with the sshd process.

The user dinko was just a random user I had created, with a Ruby application running.

I immediately deleted that user and rebooted the server. It is fine now, but I wonder whether there is anything suspicious in this auth.log?

Feb 22 10:43:07 host1 su[11859]: Successful su for host1 by root
Feb 22 10:43:07 host1 su[11859]: + ??? root:host1
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session closed for user host1
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:44:53 host1 sshd[20291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:01 host1 CRON[21063]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:45:01 host1 su[21144]: Successful su for postgres by root
Feb 22 10:45:01 host1 su[21144]: + ??? root:postgres
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session closed for user postgres
Feb 22 10:45:02 host1 CRON[21063]: pam_unix(cron:session): session closed for user root
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:04 host1 sshd[20291]: error: maximum authentication attempts exceeded for root from 84.209.49.43 port 53108 ssh2 [preauth]
Feb 22 10:45:04 host1 sshd[20291]: Disconnecting: Too many authentication failures for root [preauth]
Feb 22 10:45:04 host1 sshd[20291]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:45:04 host1 sshd[20291]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 22 10:45:06 host1 sshd[16407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:45:13 host1 sshd[16407]: Received disconnect from 116.31.116.49: 11:  [preauth]
Feb 22 10:45:13 host1 sshd[16407]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:46:37 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:46:37 host1 saslauthd[1891]: do_auth         : auth failure: [[email protected]] [service=smtp] [realm=brilliantstonegroup.com] [mech=pam] [reason=PAM auth error]
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:47:38 host1 sshd[32484]: Received disconnect from 221.194.47.249: 11:  [preauth]
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:05 host1 su[3582]: + ??? root:projectslcp
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:48:06 host1 su[3588]: Successful su for host1 by root
Feb 22 10:48:06 host1 su[3588]: + ??? root:host1
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session closed for user host1
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:48:14 host1 saslauthd[1887]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:48:14 host1 saslauthd[1887]: do_auth         : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 CRON[12776]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 su[12875]: Successful su for postgres by root
Feb 22 10:50:01 host1 su[12875]: + ??? root:postgres
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session closed for user postgres
Feb 22 10:50:02 host1 CRON[12776]: pam_unix(cron:session): session closed for user root
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:07 host1 su[27944]: Successful su for projectslcp by root
Feb 22 10:53:07 host1 su[27944]: + ??? root:projectslcp
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:53:07 host1 su[27951]: Successful su for host1 by root
Feb 22 10:53:07 host1 su[27951]: + ??? root:host1
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session closed for user host1
Feb 22 10:53:40 host1 sshd[24692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2
Feb 22 10:53:47 host1 sshd[24692]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 46022 ssh2]
Feb 22 10:53:47 host1 sshd[24692]: Received disconnect from 116.31.116.49: 11:  [preauth]
Feb 22 10:53:47 host1 sshd[24692]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:01 host1 CRON[4705]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:02 host1 su[4849]: Successful su for postgres by root
Feb 22 10:55:02 host1 su[4849]: + ??? root:postgres
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session closed for user postgres
Feb 22 10:55:02 host1 CRON[4705]: pam_unix(cron:session): session closed for user root
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:55:28 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:55:28 host1 saslauthd[1891]: do_auth         : auth failure: [user=float] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:06 host1 su[19730]: Successful su for projectslcp by root
Feb 22 10:58:06 host1 su[19730]: + ??? root:projectslcp
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root
Feb 22 10:58:06 host1 su[19738]: + ??? root:host1
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session closed for user host1
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session closed for user dinko
Feb 22 11:00:01 host1 CRON[28995]: pam_unix(cron:session): session opened for user root by (uid=0)
    
posted by Aleksandar Pavić 23.02.2017 - 09:22

3 answers


su and cron make up 73% of your log. And no successful ssh connection.

The su messages just mean cron jobs being run. And cron is just doing cron jobs. So I think they are normal. If you still think they are suspicious, check the cron jobs.

See:


https://drive.google.com/file/d/0B7ATpknBcvVQZ2tOdmpERUFMeDQ/view?usp=sharing

    
answered 14.03.2017 - 11:16

I don't see anything suggesting a break-in; on every Internet-connected machine there will be entries like this:

Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2

Because there are bots out there that just try predefined user + password combinations.

Entries like this:

Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root

happen every time someone logs in, which includes switching to another user; in this specific case the user "root" becomes the user "host1". You can read more about this type of entry in this question on askubuntu.

The mitigation techniques I posted here are also valid for hardening the SSH server.

    
answered 23.02.2017 - 11:15
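The triage the two answers above do by eye, as an added Python example (not code from the question or from either answer): what share of the log comes from su and CRON, whether any ssh login succeeded, how many failed password attempts each source address made, and which su transitions occurred. It runs on a short sample constructed in the same format as the auth.log in the question; the final "Accepted publickey" line and the address 203.0.113.7 are invented so that the successful-login check has something to report. Syslog's "message repeated N times" lines are unwrapped so the failure counts are not too low.

```python
import re
from collections import Counter

# Constructed sample in the format of the auth.log in the question; only the last
# line (an accepted key login from 203.0.113.7) is invented, to exercise that check.
SAMPLE_LOG = """\
Feb 22 10:43:07 host1 su[11859]: Successful su for host1 by root
Feb 22 10:43:07 host1 su[11859]: + ??? root:host1
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session closed for user host1
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:46:37 host1 saslauthd[1891]: do_auth         : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:05 host1 su[3582]: + ??? root:projectslcp
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:49:30 host1 sshd[8001]: Accepted publickey for dinko from 203.0.113.7 port 51000 ssh2: RSA SHA256:constructed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEATED_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")
SU_RE = re.compile(r"Successful su for (?P<target>\S+) by (?P<src>\S+)")
SASL_RE = re.compile(r"auth failure: \[user=(?P<user>[^\]]*)\]")

def triage(log_text):
    """Summarise an auth.log: which daemons wrote it, who logged in from where, how often ssh/smtp auth failed."""
    programs = Counter()        # daemon name -> number of lines
    ssh_failed = Counter()      # (source ip, target user) -> failed password attempts
    ssh_accepted = []           # (user, source ip, method) per successful ssh login
    su_transitions = Counter()  # (from user, to user) -> number of su calls
    smtp_failed = Counter()     # attempted SMTP AUTH user -> failures
    total = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        total += 1
        prog, msg = m.group("prog"), m.group("msg")
        programs[prog] += 1
        # syslog collapses identical consecutive lines into "message repeated N times: [ ... ]";
        # unwrap them. The "PAM N more authentication failures" lines restate the same attempts and are skipped.
        weight = 1
        rep = REPEATED_RE.search(msg)
        if rep:
            weight, msg = int(rep.group("n")), rep.group("inner")
        if prog == "sshd":
            f = FAILED_RE.search(msg)
            if f:
                ssh_failed[(f.group("ip"), f.group("user"))] += weight
            a = ACCEPTED_RE.search(msg)
            if a:
                ssh_accepted.append((a.group("user"), a.group("ip"), a.group("method")))
        elif prog == "su":
            s = SU_RE.search(msg)
            if s:
                su_transitions[(s.group("src"), s.group("target"))] += 1
        elif prog == "saslauthd":
            s = SASL_RE.search(msg)
            if s:
                smtp_failed[s.group("user")] += 1
    return {
        "lines": total,
        "programs": programs,
        "cron_su_share": (programs["CRON"] + programs["su"]) / total if total else 0.0,
        "ssh_failed": ssh_failed,
        "ssh_accepted": ssh_accepted,
        "su_transitions": su_transitions,
        "smtp_failed": smtp_failed,
    }

def findings(summary, brute_threshold=5):
    """Reduce the summary to the handful of items a human should actually read."""
    out = []
    failing_ips = {ip for (ip, _user) in summary["ssh_failed"]}
    for user, ip, method in summary["ssh_accepted"]:
        note = " (same address failed earlier)" if ip in failing_ips else ""
        out.append(f"ssh login accepted: {user} from {ip} via {method}{note}")
    for (ip, user), n in summary["ssh_failed"].items():
        if n >= brute_threshold:
            out.append(f"brute force: {n} failed password attempts for {user} from {ip}")
    for (src, dst), n in summary["su_transitions"].items():
        if dst == "root" and src != "root":
            out.append(f"su to root by {src} ({n}x): verify this was you")
    return out

if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print("-", item)
```

To use it on a real machine, replace SAMPLE_LOG with the contents of /var/log/auth.log. The same "Failed password" lines are what fail2ban's sshd jail keys on; the point of the findings list is that accepted logins and su calls into root are the lines worth a second look, while the CRON session open/close pairs are noise.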

The non-CRON events show that you are seeing some brute-force login attempts (against SSH and, it seems, SMTP), but the other activity looks "good" and is most likely automated/scheduled.

Most of the su activity is from root to a less privileged account (i.e. postgres, host1) - this doesn't necessarily prove anything, but it would be unusual for an attacker to obtain root and then try to use less privileged accounts. But unusual is not the same as impossible - it just seems an odd way to go about it if you are trying to compromise a host.

You might want (as @Purefan suggested) to harden your configuration a bit (disable root logins, use public key authentication instead of (or in addition to) passwords), and you might want to put some auditd rules in place to try to get more information about the activities you care about. fail2ban can also be a useful addition to your server.

At first glance, apart from hardening the server, I don't think I see anything that warrants serious concern.

That said - if you have the option of re-imaging your host, I wouldn't see any reason not to, if only to try to gain some peace of mind. There could be other log samples that would show something more concerning (and indeed, more concerning things may have happened without leaving too many traces).

    
answered 14.03.2017 - 11:57
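A check for the sshd hardening the answer above recommends, as an added Python example and not code from any of the answers: it audits two constructed sshd_config fragments, a weak one that still allows root password logins and a hardened one. It honours sshd's rule that the first occurrence of a keyword wins (so a hardening line appended after an existing "PermitRootLogin yes" changes nothing), stops at the first Match block because only the global section is audited, and fills in OpenSSH's defaults for keywords that are absent (the defaults assumed are those of OpenSSH 7.0 and later). The MaxAuthTries check follows from the "PAM service(sshd) ignoring max retries; 6 > 3" line in the question's log, where sshd's default of 6 attempts exceeds the PAM retry limit of 3.

```python
import re

# Two constructed sshd_config fragments: one that still allows root password
# logins, and one with the settings the answer above recommends.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
"""

# Values OpenSSH applies when a keyword is absent (OpenSSH 7.0 and later;
# older releases defaulted PermitRootLogin to yes).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

def parse_sshd_config(text):
    """Return the global settings of an sshd_config as {keyword: value}.
    Keywords are case-insensitive, 'Key Value' and 'Key=Value' are both accepted,
    and the FIRST occurrence of a keyword wins, exactly as sshd reads the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after applies only inside that Match block; not audited here
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings

def effective(settings, key):
    """Value sshd will actually use: the configured one, else the built-in default."""
    return settings.get(key, DEFAULTS.get(key))

def audit_sshd_config(text):
    """List the settings that still make password guessing against this host worthwhile."""
    s = parse_sshd_config(text)
    problems = []
    root = effective(s, "permitrootlogin")
    if root != "no":
        problems.append(f"PermitRootLogin is '{root}'; set it to 'no'")
    if effective(s, "passwordauthentication") != "no":
        problems.append("PasswordAuthentication is 'yes'; move to keys and set it to 'no'")
    if effective(s, "pubkeyauthentication") != "yes":
        problems.append("PubkeyAuthentication is off; enable it before disabling passwords")
    tries = int(effective(s, "maxauthtries"))
    if tries > 3:
        problems.append(f"MaxAuthTries is {tries}; lower it to 3")
    return problems

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["ok"])
```

Feed it the text of /etc/ssh/sshd_config to audit a real host; disable password authentication only after confirming a key-based login works from a second session, or the lockout is yours rather than the bots'.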