Koozali.org formerly Contribs.org

Contribs.org Forums => SME Server 9.x => Topic started by: calisun on July 31, 2018, 08:30:08 PM

Title: Unauthorized SSH connections
Post by: calisun on July 31, 2018, 08:30:08 PM
I have received an email from sme9admin that I have excessive SSH connections.
The email shows (attached) that the connections were Established.

My question is, how were they able to Establish a connection since I have Clear Passwords disabled?

Is there something else I need to do (besides disabling clear passwords) to prevent unauthorized SSH connections?
Title: Re: Unauthorized SSH connections
Post by: warren on August 01, 2018, 11:13:22 AM
SSH Public-Private Keys
https://wiki.contribs.org/SSH_Public-Private_Keys

But you've got bigger problems if they have established a connection. I would immediately change all passwords and start checking all logs for signs of compromise.
Title: Re: Unauthorized SSH connections
Post by: ReetP on August 01, 2018, 11:51:05 AM
Please paste:

Code:
config show sshd

Definitely sure you only use ssh keys and not passwords? Could the keys have been compromised at all?

Take a look at:

/var/log/secure
/var/log/sshd/current

What can you see in there?

It may be that they establish a connection that then gets failed (I think that is what happens) but the logs will tell you.
Title: Re: Unauthorized SSH connections
Post by: Daniel B. on August 01, 2018, 12:13:47 PM
Quote from: calisun

    I have received an email from sme9admin that I have excessive SSH connections.
    The email shows (attached) that the connections were Established.

sme9admin counts connections at the TCP level. When someone tries to auth against your SSH service, even if the auth failed, the TCP connection itself is established, and counted by sme9admin. You shouldn't worry too much about that. Check in /var/log/sshd/current that no connections were successful and be done with it :-)
Title: Re: Unauthorized SSH connections
Post by: Fumetto on August 02, 2018, 12:35:57 AM
... we want to talk about when an email arrives every 5 minutes from the installation?!?! :D
Title: Re: Unauthorized SSH connections
Post by: ReetP on August 02, 2018, 01:40:48 AM
Quote from: Fumetto

    ... we want to talk about when an email arrives every 5 minutes from the installation?!?! :D

Que?

Go on then... if it is relevant here.

If it is an issue then raise a bug?
Title: Re: Unauthorized SSH connections
Post by: CharlieBrady on August 02, 2018, 04:21:32 AM
Quote from: Daniel B.

    sme9admin counts connections at the TCP level...

And if it does that, it is just wasting your time.

If you don't want ssh TCP connections, don't enable it, or keep it private.

If you have ssh enabled, care about authentication failures, not about TCP connections. But the real threat is authentication successes, not failures ....
Title: Re: Unauthorized SSH connections
Post by: JohnG on August 02, 2018, 04:35:21 PM
Any chance those connections are from legit processes (like affa) that use ssh pub/priv keys?
Title: Re: Unauthorized SSH connections
Post by: calisun on August 03, 2018, 12:45:52 AM
Thank you all for a quick response

Quote from: Daniel B.

    .... Check in /var/log/sshd/current that no connections were successful and be done with it :-)

You are correct, no connections were successful.

Quote from: Daniel B. on Yesterday at 03:13:47 AM

    sme9admin counts connections at the TCP level...

And if it does that, it is just wasting your time.
Agreed, if no connections were actually completed, that notice is just wasting our time.
Title: Re: Unauthorized SSH connections
Post by: Jean-Philippe Pialasse on August 15, 2018, 10:04:35 PM
Charlie and Daniel are right, this process checks for TCP state, not actual successful connection to the service.

Some bots could establish the connection and keep it for minutes without even trying to login. Hence these are false positives.
The contrib needs some refresh...
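
The log check recommended in this thread, as an added example that is not part of any post above: it separates successful logins from failed ones per source address, which is the distinction the TCP-level "Established" report cannot make. The function names and the sample log lines are constructed for illustration; the message wording follows the usual OpenSSH "Accepted/Failed ... for USER from IP port N ssh2" form, and the timestamp prefix is an assumed multilog-style stamp that the parser ignores.

```shell
#!/bin/sh
# Added example: tell authentication outcomes apart from mere TCP connections.

# Constructed sample log (documentation-range addresses, made-up timestamps).
sample_log() {
cat <<'EOF'
@400000005b61a1b20a1b2c3d Did not receive identification string from 198.51.100.7
@400000005b61a1c01122aabb Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
@400000005b61a1c42233bbcc Failed password for root from 203.0.113.5 port 40030 ssh2
@400000005b61a1d03344ccdd Accepted publickey for root from 192.0.2.10 port 51234 ssh2
@400000005b61a1e04455ddee Failed password for root from 203.0.113.9 port 50111 ssh2
EOF
}

# Reads sshd log lines on stdin, prints "<Accepted|Failed> <ip> <count>", sorted.
# Lines with neither verdict (connect-only, no login attempt) are skipped.
ssh_auth_summary() {
  awk '
    {
      verdict = ""
      for (i = 1; i <= NF; i++)
        if ($i == "Accepted" || $i == "Failed") { verdict = $i; break }
      if (verdict == "") next
      # Take the LAST "from <ip> port" in the line: the username is chosen by
      # the remote side and may itself contain the words "from" and "port".
      for (j = NF - 2; j > i; j--)
        if ($j == "from" && $(j + 2) == "port") {
          count[verdict " " $(j + 1)]++
          break
        }
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Number of successful authentications: the figure that actually matters.
ssh_accepted_count() {
  ssh_auth_summary | awk '$1 == "Accepted" { n += $3 } END { print n + 0 }'
}

# Demo on the constructed sample; on a server, feed the real log instead:
#   ssh_auth_summary < /var/log/sshd/current
sample_log | ssh_auth_summary
```

Any "Accepted" line from an address or key you do not recognise is the case to investigate; a pile of "Failed" lines with zero "Accepted" matches what the original poster found.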