Transition Technology: Ticket #790: Annesley locked out of puffin

hours, totalhours changed

chris — Tue, 23 Sep 2014 14:17:39 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.0 to 0.25

5 ssh password login failures in 300 seconds caused CSF / LDF to use iptables to block Annesley's IP address on PuffinServer.

This is what we have in the logs, first a successful connection to SFTP using publickey authentication:

Sep 23 13:45:46 puffin sshd[5112]: Accepted publickey for tn.ftp from XX.XX.XX.XX port 54326 ssh2
Sep 23 13:45:46 puffin sshd[5112]: pam_unix(sshd:session): session opened for user tn.ftp by (uid=0)
Sep 23 13:45:46 puffin sshd[5185]: subsystem request for sftp by user tn.ftp
Sep 23 13:45:46 puffin sshd[5112]: pam_unix(sshd:session): session closed for user tn.ftp

Then around 50 seconds later failed attempts to login using a password:

Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Disconnecting: Too many authentication failures for tn.ftp [preauth]
Sep 23 13:46:33 puffin sshd[6056]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2

Following the notes at wiki:PuffinServer#Falsepositives I have unblocked Annesley's current IP address:

csf -g XX.XX.XX.XX
  Chain            num   pkts bytes target     prot opt in     out     source               destination
  DENYIN           100    126  5544 DROP       all  --  !lo    *       XX.XX.XX.XX       0.0.0.0/0
  DENYOUT          100      0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            XX.XX.XX.XX
  csf.deny: XX.XX.XX.XX # lfd: (sshd) Failed SSH login from XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu): 5 in the last 300 secs - Tue Sep 23 13:47:01 2014
csf -dr XX.XX.XX.XX
  Removing rule...
  DROP  all opt -- in !lo out *  XX.XX.XX.XX  -> 0.0.0.0/0
  LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> XX.XX.XX.XX

annesley — Wed, 24 Sep 2014 10:39:14 GMT

it's my Dolphin file explorer failing again. could we place the un-encrypted public key on puffin also?

cc, hours, totalhours changed

chris — Wed, 24 Sep 2014 11:14:52 GMT

cc ed added
hours changed from 0.0 to 0.15
totalhours changed from 0.25 to 0.4

Replying to annesley:

it's my Dolphin file explorer failing again.

It works for me -- I just installed Dolphin and can connect to servers without out a problem using a passphrase protected ssh key and ssh-agent -- I think you simply need to start using ssh-agent:

http://mah.everybody.org/docs/ssh

could we place the un-encrypted public key on puffin also?

I'm not sure that is a good idea since it's the production server.

annesley — Wed, 24 Sep 2014 13:51:58 GMT

yep, i agree. just trying my luck ;)

i have to sort out my Dolphin issues. Dolphin does seem to connect ok initially. it's after a few directory navigations that things seem to suddenly go Pete Tong.

just setup ssh-agent. seems good. handled the passphrase for me. that now means that my laptop has password-less access to Parrot of course which kinda defeats the purpose...

thanks :)