Ticket #790 (new maintenance)

Opened 2 years ago

Last modified 2 years ago

Annesley locked out of puffin

Reported by: chris Owned by: chris
Priority: blocker Milestone: Maintenance
Component: Live server Keywords:
Cc: annesley, ed Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.4

Description

Email from lfd:

Time:     Tue Sep 23 13:47:01 2014 +0100
IP:       XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2

Change History

comment:1 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

5 ssh password login failures in 300 seconds caused CSF / LDF to useiptables to block Annesley's IP address on PuffinServer.

This is what we have in the logs, first a successful connection to SFTP using publickey authentication:

Sep 23 13:45:46 puffin sshd[5112]: Accepted publickey for tn.ftp from XX.XX.XX.XX port 54326 ssh2
Sep 23 13:45:46 puffin sshd[5112]: pam_unix(sshd:session): session opened for user tn.ftp by (uid=0)
Sep 23 13:45:46 puffin sshd[5185]: subsystem request for sftp by user tn.ftp
Sep 23 13:45:46 puffin sshd[5112]: pam_unix(sshd:session): session closed for user tn.ftp

Then around 50 seconds later failed attempts to login using a password:

Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Disconnecting: Too many authentication failures for tn.ftp [preauth]
Sep 23 13:46:33 puffin sshd[6056]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2

Following the notes at wiki:PuffinServer#Falsepositives I have unblocked Annesley's current IP address:

csf -g XX.XX.XX.XX

  Chain            num   pkts bytes target     prot opt in     out     source               destination         
  
  DENYIN           100    126  5544 DROP       all  --  !lo    *       XX.XX.XX.XX       0.0.0.0/0
  
  DENYOUT          100      0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            XX.XX.XX.XX
  
  csf.deny: XX.XX.XX.XX # lfd: (sshd) Failed SSH login from XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu): 5 in the last 300 secs - Tue Sep 23 13:47:01 2014

csf -dr XX.XX.XX.XX
  
  Removing rule...
  DROP  all opt -- in !lo out *  XX.XX.XX.XX  -> 0.0.0.0/0  
  LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> XX.XX.XX.XX  
Version 0, edited 2 years ago by chris (next)

comment:2 follow-up: ↓ 3 Changed 2 years ago by annesley

it's my Dolphin file explorer failing again.
could we place the un-encrypted public key on puffin also?

comment:3 in reply to: ↑ 2 Changed 2 years ago by chris

  • Cc ed added
  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.25 to 0.4

Replying to annesley:

it's my Dolphin file explorer failing again.

It works for me -- I just installed Dolphin and can connect to servers without out a problem using a passphrase protected ssh key and ssh-agent -- I think you simply need to start using ssh-agent:

could we place the un-encrypted public key on puffin also?

I'm not sure that is a good idea since it's the production server.

comment:4 Changed 2 years ago by annesley

yep, i agree. just trying my luck ;)

i have to sort out my Dolphin issues. Dolphin does seem to connect ok initially. it's after a few directory navigations that things seem to suddenly go Pete Tong.

just setup ssh-agent. seems good. handled the passphrase for me. that now means that my laptop has password-less access to Parrot of course which kinda defeats the purpose...

thanks :)

Note: See TracTickets for help on using tickets.