
01 August 2004

Security Logging

Sometime in July, reports of low-intensity, net-wide SSH scanning began to surface. The scanner attempts to log in to the accounts 'guest' and 'test' once each, using the account name as the password, then moves on. In the few cases where a login succeeded (meaning an account such as 'test' with password 'test' was accepting remote logins on the target machine (!)), the attacker was observed to install a rootkit and/or the scanner itself, to probe yet more machines.

While talking about this, people have been posting snippets from their logs. Here is a sample:

Jul 27 19:06:00 ZZZ sshd[31336]: Illegal user test from xx.xx.xx.xx
Jul 27 19:06:03 ZZZ sshd[31336]: Failed password for illegal user test from xx.xx.xx.xx port 37193 ssh2
Jul 27 19:06:04 ZZZ sshd[31338]: Illegal user guest from xx.xx.xx.xx
Jul 27 19:06:06 ZZZ sshd[31338]: Failed password for illegal user guest from xx.xx.xx.xx port 37400 ssh2

Another example:

Jul 16 02:06:30 ZZZ sshd[13407]: Illegal user test from xx.xx.xx.xx
Jul 16 02:06:30 ZZZ sshd[13407]: error: Could not get shadow information for NOUSER
Jul 16 02:06:30 ZZZ sshd[13407]: Failed password for illegal user test from xx.xx.xx.xx port 51881 ssh2

Here's one more:

Jul 19 14:42:03 ZZZ sshd[30903]: input_userauth_request: illegal user guest
Jul 19 14:42:03 ZZZ sshd[30903]: Failed password for illegal user guest  from xx.xx.xx.xx port 40525 ssh2
Jul 19 14:42:03 ZZZ sshd[30903]: Received disconnect from xx.xx.xx.xx: 11: Bye Bye

I looked at a colocated machine of mine:

Jul 31 16:43:43 ZZZ sshd[38288]: Illegal user test from xx.xx.xx.xx
Jul 31 16:43:45 ZZZ sshd[38290]: Illegal user guest from xx.xx.xx.xx

That's all? Do I have an implementation with an attitude? I tried logging in interactively, to get more of a response:

Aug  1 16:08:08 ZZZ sshd[40594]: Illegal user test from xx.xx.xx.xx
Aug  1 16:08:11 ZZZ sshd[40594]: Failed unknown for illegal user test from xx.xx.xx.xx port 2795 ssh2

The log messages all differ somewhat from each other, even though every one of them records the same probe.

Now I don't think there are that many SSH2 server implementations in wide deployment and I imagine OpenSSH is the market leader. OpenSSH is developed primarily on OpenBSD. From the OpenSSH blurb, "[o]ne team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. [...] The other team then takes the clean version and makes it portable [...]" The portable version is incorporated into the other BSDs and various Linuxen. These days, it is also available as packaged installers on Solaris, AIX, Cygwin, etc.

Ok, maybe people play with logging levels, which affect how much detail the log messages carry. Or maybe there is more than one scanner implementation, and they elicit different responses from the probed servers. Or maybe, in incorporating OpenSSH (portable), the developers of other OSes have modified the log messages to inject, ah, distinctive flavours...
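Whatever the reason for the differing formats, anyone grepping for this scanner across several machines has to normalise them first. The following is an added example, not code from the post: it parses the message variants quoted above into (timestamp, source, user) records, correlating by sshd pid so that the variant that names the user without the address (input_userauth_request) is still attributed to a source once a later line of the same pid reveals it, and then flags sources whose only illegal-user attempts were 'test' and 'guest', once each. The sample log is constructed from the lines quoted in the post, with the masked xx.xx.xx.xx replaced by documentation addresses (192.0.2.x, 198.51.100.x) so they parse, plus one unrelated attempt to show what is not flagged. The parser only knows the variants shown on this page; any other format would need another pattern.

```python
import re
from collections import defaultdict

# Constructed sample: the variants quoted in the post, with the masked
# xx.xx.xx.xx replaced by documentation addresses so the lines parse.
SAMPLE_LOG = """\
Jul 27 19:06:00 ZZZ sshd[31336]: Illegal user test from 192.0.2.10
Jul 27 19:06:03 ZZZ sshd[31336]: Failed password for illegal user test from 192.0.2.10 port 37193 ssh2
Jul 27 19:06:04 ZZZ sshd[31338]: Illegal user guest from 192.0.2.10
Jul 27 19:06:06 ZZZ sshd[31338]: Failed password for illegal user guest from 192.0.2.10 port 37400 ssh2
Jul 16 02:06:30 ZZZ sshd[13407]: Illegal user test from 192.0.2.11
Jul 16 02:06:30 ZZZ sshd[13407]: error: Could not get shadow information for NOUSER
Jul 16 02:06:30 ZZZ sshd[13407]: Failed password for illegal user test from 192.0.2.11 port 51881 ssh2
Jul 19 14:42:03 ZZZ sshd[30903]: input_userauth_request: illegal user guest
Jul 19 14:42:03 ZZZ sshd[30903]: Failed password for illegal user guest  from 192.0.2.12 port 40525 ssh2
Jul 19 14:42:03 ZZZ sshd[30903]: Received disconnect from 192.0.2.12: 11: Bye Bye
Jul 31 16:43:43 ZZZ sshd[38288]: Illegal user test from 198.51.100.7
Jul 31 16:43:45 ZZZ sshd[38290]: Illegal user guest from 198.51.100.7
Aug  1 16:08:08 ZZZ sshd[40594]: Illegal user test from 198.51.100.8
Aug  1 16:08:11 ZZZ sshd[40594]: Failed unknown for illegal user test from 198.51.100.8 port 2795 ssh2
Aug  1 09:00:00 ZZZ sshd[40600]: Illegal user alice from 198.51.100.9
Aug  1 09:00:02 ZZZ sshd[40600]: Failed password for illegal user alice from 198.51.100.9 port 4001 ssh2
"""

# syslog prefix shared by every variant
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message bodies seen in the post. Only the first two carry the source
# address; the third has to be correlated with a later line of the same pid.
# \s+ before "from" absorbs the doubled space in one of the quoted lines.
USER_RES = [
    re.compile(r"^Illegal user (?P<user>\S+) from (?P<src>\S+)$"),
    re.compile(r"^Failed \S+ for illegal user (?P<user>\S+)\s+from (?P<src>\S+) port \d+"),
    re.compile(r"^input_userauth_request: illegal user (?P<user>\S+)$"),
]
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<src>[^:]+):")

SCAN_ACCOUNTS = {"test", "guest"}  # the accounts the July scanner tries


def parse_attempts(text):
    """Normalise the differing message formats into (ts, src, user) tuples,
    one per illegal-user attempt, correlating lines by sshd pid."""
    by_pid = {}
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = by_pid.setdefault(m["pid"], {"ts": m["ts"]})
        for pat in USER_RES:
            mm = pat.match(m["msg"])
            if not mm:
                continue
            if rec.get("done") and rec["user"] != mm["user"]:
                # pid recycled for a new connection: start a fresh record
                rec = by_pid[m["pid"]] = {"ts": m["ts"]}
            rec["user"] = mm["user"]
            if "src" in mm.groupdict():
                rec["src"] = mm["src"]
            break
        else:
            dm = DISCONNECT_RE.match(m["msg"])
            if dm:
                rec["src"] = dm["src"]
        if "user" in rec and "src" in rec and not rec.get("done"):
            attempts.append((rec["ts"], rec["src"], rec["user"]))
            rec["done"] = True
    return attempts


def find_scanners(attempts):
    """Sources that fit the scanner profile: every illegal user they tried is
    in SCAN_ACCOUNTS and none was tried more than once."""
    per_src = defaultdict(list)
    for _ts, src, user in attempts:
        per_src[src].append(user)
    return {
        src: tuple(sorted(users))
        for src, users in per_src.items()
        if set(users) <= SCAN_ACCOUNTS and len(users) == len(set(users))
    }


def full_pattern(profile):
    """Sources that ran the whole sequence (both accounts) rather than a
    fragment of it, e.g. a snippet cut off after the first probe."""
    return [src for src, users in profile.items() if set(users) == SCAN_ACCOUNTS]


if __name__ == "__main__":
    found = find_scanners(parse_attempts(SAMPLE_LOG))
    for src, users in sorted(found.items()):
        kind = "full" if src in full_pattern(found) else "partial"
        print(f"{src:15} {','.join(users):12} {kind}")
```

Correlating by pid is what makes the OpenBSD-style output (two bare "Illegal user" lines and nothing else) and the input_userauth_request variant comparable with the verbose ones; pids are recycled, so over a long log the fresh-record rule above should also be bounded by time.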


Posted by ngps at 17:00 | Comments (2) | Trackbacks (0)
Comments
Re: Security Logging

OpenBSD people methodically program in C in a safer way. They are very conscious of the dangers of C.
Certain exploits that occurred with OpenSSH did not affect OpenBSD's implementation.
I guess it is possible people have tweaked the original code and changed it for the worse, since the overwhelming majority of Linuxen do not adopt safer practices when coding in C.

Posted by: a reader at August 29, 2004 00:36
Re: Security Logging

I looked into this a little bit more since writing this. I think some of the log messages come from PAM. This leads to a couple more questions: Does OpenBSD's OpenSSH use PAM? Is there just one implementation of PAM used by everyone?

Posted by: Ng Pheng Siong at August 29, 2004 15:12