Koozali.org formerly Contribs.org

Unauthorized SSH connections

Unauthorized SSH connections
« on: July 31, 2018, 08:30:08 PM »
I have received an email from sme9admin that i have excessive SSH connections.
The email shows (attached) that the connections were Established.

My question is, how were they able to Establish a connection since I have Clear Passwords disabled?

Is there something else I need to do (besides disabling clear passwords)  to prevent unauthorized SSh connections?
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

Offline warren

  • *
  • 277
Re: Unauthorized SSH connections
« Reply #1 on: August 01, 2018, 11:13:22 AM »
SSH Public-Private Keys
https://wiki.contribs.org/SSH_Public-Private_Keys

But you've got bigger problems if they have established a connection. I would immediately change all passwords and start checking all logs for signs of compromise.

Offline ReetP

  • *
  • 2,486
Re: Unauthorized SSH connections
« Reply #2 on: August 01, 2018, 11:51:05 AM »
Please paste:

Code: [Select]
config show sshd
Definitely sure you only use ssh keys and not passwords ? Could the keys have been compromised at all?

Take a look at:

/var/log/secure
/var/log/sshd/current

What can you see in there?

It may be that they establish a connection that then gets failed (I think that is what happens) but the logs will tell you.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,694
    • Firewall Services, la sécurité des réseaux
Re: Unauthorized SSH connections
« Reply #3 on: August 01, 2018, 12:13:47 PM »
I have received an email from sme9admin that i have excessive SSH connections.
The email shows (attached) that the connections were Established.

sme9admin counts connections at the TCP level. When someone tries to auth against your SSH service, even if the auth failed, the TCP connection itself is established, and accounted by sme9admin. You shouldn't worry too much about that. Check in /var/log/sshd/current that no connection were successful and be done with it :-)
C'est la fin du monde !!! :lol:

Re: Unauthorized SSH connections
« Reply #4 on: August 02, 2018, 12:35:57 AM »
... we want to talk about when an email arrives every 5 minutes from the installation?!?! :D
Smeserver.it -  Soluzioni e supporto su Sme server in Italia

Offline ReetP

  • *
  • 2,486
Re: Unauthorized SSH connections
« Reply #5 on: August 02, 2018, 01:40:48 AM »
... we want to talk about when an email arrives every 5 minutes from the installation?!?! :D

Que?

Go on then... if it is relevant here.

If it is an issue then raise a bug?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Unauthorized SSH connections
« Reply #6 on: August 02, 2018, 04:21:32 AM »
sme9admin counts connections at the TCP level...

And if it does that, it is just wasting your time.

If you don't want ssh TCP connections, don't enable it, or keep it private.

If you have ssh enabled, care about authentication failures, not about TCP connections. But the real threat is authentication successes, not failures ....

Offline JohnG

Re: Unauthorized SSH connections
« Reply #7 on: August 02, 2018, 04:35:21 PM »
Any chance those connections are from legit processes (like affa) that uses ssh pub/priv keys?

Re: Unauthorized SSH connections
« Reply #8 on: August 03, 2018, 12:45:52 AM »
Thank you all for a quick response

.... Check in /var/log/sshd/current that no connection were successful and be done with it :-)

You are correct, no connections were successful.

Quote from: Daniel B. on Yesterday at 03:13:47 AM

    sme9admin counts connections at the TCP level...

And if it does that, it is just wasting your time.
Agreed, if no connectins were actually completed, that notice is just wasting our time
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

Offline Jean-Philippe Pialasse

  • *
  • 1,480
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Unauthorized SSH connections
« Reply #9 on: August 15, 2018, 10:04:35 PM »
Charlie and Daniel are right, this process check for TCP state, not actual successful connection to the service.

Some bots could establish the connection and keep it for minutes without even trying to login. Hence this is false positives.
The contrib need some refresh...