From owner-freebsd-questions@FreeBSD.ORG Wed Sep 12 17:55:23 2007
Message-ID: <325305250709121029u32245bf7pb125aee666a1f25c@mail.gmail.com>
Date: Wed, 12 Sep 2007 21:29:52 +0400
From: Denis
To: "Aldisa Admin"
In-Reply-To: <46E7E651.4010708@aldisa.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <46E7E651.4010708@aldisa.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: Problem with logs
X-List-Received-Date: Wed, 12 Sep 2007 17:55:23 -0000

I had such a problem with FreeBSD 4.7, and finally discovered that these records were from the last year. My auth.log was pretty small and contained records for more than one year. And the daily security run included records from the last year. Maybe this could apply to you?

Best regards,
Denis.

On 9/12/07, Aldisa Admin wrote:
> Hello All,
>
> I am having trouble understanding what is going on and how to solve the problem:
>
> For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output:
>
> [hostname].ca login failures:
> Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
>
> [hostname].ca login failures:
> Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
>
>
> I got worried because both these instances are times when I am positive that I am not accessing the system. I am the only user of the system. I use ssh to access the system. Root access is disabled in sshd. I log in using my username (abid) and SU to root when necessary.
>
> So I went to check the auth.log, and here is the concerned section:
>
> Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
> Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
> Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2
> Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
> Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2
> Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
> Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
> Sep 9 13:41:00 server su: abid to root on /dev/ttyp0
> Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
> Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
> Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
> Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
> Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
> Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2
> Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
>
>
> As you can see, there is no matching incident in the auth.log. How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username?
>
> Some other facts:
>
> The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open. SSH access is restricted to intranet IP ranges. The only other opening is a VPN connection between the routers at my office (where the server is) and my home. The subnet in the office is 192.168.1 and at home is 192.168.2
>
> I changed the password on my account after the Sep 8 occurrence.
>
> It seems to me that somebody is hacking in, but I can't figure out how and from where.
>
> ANY AND ALL HELP WILL BE APPRECIATED.
>
> Abid
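Denis's explanation (syslog timestamps carry no year, so a date-prefix match in a never-rotated auth.log also picks up entries from the previous year) can be checked mechanically before treating such a hit as an intrusion. The following Python script is an added example, not code from the thread or from FreeBSD: it models the daily security check as a year-less `%b %e` prefix grep (an assumption about the periodic script, not something the thread states), infers a year for each auth.log line from Dec-to-Jan wrap-arounds, and flags reported BAD SU hits that do not actually fall on yesterday. The log lines, host and run date are constructed.

```python
import re
from datetime import date, timedelta

# Syslog lines look like "Mon dd hh:mm:ss host message": day is space-padded (%e) and there is no year.
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) \d\d:\d\d:\d\d \S+ .*$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
TODAY = date(2007, 9, 12)  # constructed: the morning the daily run reported the "Sep 11" hit

# Constructed, never-rotated auth.log: the BAD SU line sits before a Dec->Jan wrap, so it is a year old.
SAMPLE_AUTH_LOG = [
    "Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0",
    "Dec 30 09:12:01 server sshd[1201]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1044 ssh2",
    "Jan  3 08:55:40 server su: abid to root on /dev/ttyp0",
    "Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2",
    "Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2",
]

def yesterday_prefix(today):
    """Yesterday as '%b %e': the year-less prefix the daily check is assumed to grep for."""
    y = today - timedelta(days=1)
    return f"{y.strftime('%b')} {y.day:2d}"

def periodic_grep(lines, today):
    """Model of the daily security run: prefix-match yesterday's date, report BAD SU lines."""
    p = yesterday_prefix(today)
    return [ln for ln in lines if ln.startswith(p) and "BAD SU" in ln]

def date_lines(lines, today):
    """Infer a full date per line (a backwards month/day step is a year wrap); assumes the last line is in today's year."""
    tagged, wraps, prev = [], 0, None
    for ln in lines:
        m = SYSLOG_RE.match(ln)
        if not m:
            continue  # not syslog-formatted; skip
        md = (MONTHS[m.group(1)], int(m.group(2)))
        wraps += prev is not None and md < prev  # True counts as 1
        prev = md
        tagged.append((wraps, md, ln))
    out = []
    for w, (mon, day), ln in tagged:
        try:
            out.append((date(today.year - (wraps - w), mon, day), ln))
        except ValueError:  # e.g. Feb 29 mapped onto a non-leap year
            pass
    return out

def stale_hits(lines, today):
    """For each reported hit, attach its inferred date and whether it is really not from yesterday."""
    hits = set(periodic_grep(lines, today))
    return [(ln, d, d != today - timedelta(days=1)) for d, ln in date_lines(lines, today) if ln in hits]
```

A hit flagged stale is the artifact Denis describes; rotating auth.log with newsyslog so it never spans more than a year removes the ambiguity, whereas a hit that really dates from yesterday still deserves the investigation Abid started.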