topic Re: SSH logging question in Operating System - OpenVMS

SSH logging question

Brian Reeves — Tue, 06 Jul 2004 11:34:07 GMT

I have a question reguarding SSH logging. In the past with telnet whenever a user produced a failed login the audit file would show me what username tried to login. Now with SSH a failed login just shows up as TCPIP$SSH with a process name like TCPIP$SS_BG5198.

Is there anyway I can find out what username the failed login tried to use?

Re: SSH logging question

John Gillings — Tue, 06 Jul 2004 16:17:53 GMT

Brian,
What versions are you running?

When I give a bad password for an attempted SSH login, I get a "remote interative login faulure" audit with provess name "SSH server 1651" and the target username. I also get a SYSUAF record modification, incrementing login failures.

Make sure you have auditing (and alarms?) enabled for AUTHORIZATION and LOGFAIL=ALL.

Also make sure you have the latest version of SSH.

Re: SSH logging question

Brian Reeves — Tue, 06 Jul 2004 16:45:47 GMT

John thank you very much for your reply. We are running OpenVMS 7.32 and the version of SSH that comes with the installation CD's.

Here is what our monitoring looks like
System security audits currently enabled for:

Audit: illformed
Logfailure: batch,dialup,local,remote,network,subprocess,detached

I am not sure exactly why audit: is showing up illformed.

I have also attached the text from a failed login.

Re: SSH logging question

John Gillings — Tue, 06 Jul 2004 18:28:47 GMT

Brian,

I'm using an older version of SSH. It looks like they've changed the way audits work.

I'd suggest you enable a few more events:

$ SET AUDIT/ALARM/ENABLE=(authorization, -
breakin:all,login=all,logout=all)

Note that this will generate ALARMS to OPCOM terminals enabled for SECURITY. If you want messages written to the audit journal as well use:

$ SET AUDIT/AUDIT/ENABLE=

So, with those alarms enabled, please retry your login attempt, and catch the output of both the login itself, and any audit alarms that are generated.

You may not want to leave all those alarms enabled, or audit them all, but you may need to leave some of them turned on to get the exact information you want.

The "Audit: illformed:" means you will generate an audit message if the audit server receives an illformed request. This might indicate an attempt to confuse or crash the audit server, or it may be buggy software sending bad audit messages.

Re: SSH logging question

Eberhard Wacker — Wed, 07 Jul 2004 06:12:29 GMT

VMS V7.3-2, TCP/IP V5.4 Eco 1
no change of the way audits work

$ set audit/audit/enable=logfail=remote
--> login failures of set host and telnet
$ set audit/audit/enable=logfail=network
--> login failures of ssh
$ set audit/audit/enable=author
--> sysuaf modification of login fail count
Having set up this you get 2 audit entries containing all needed information: remote node, remote username, local username. PID/processname are the same in both event entries.

That's the only way to find out what username the failed login tried to use due to the way SSH is implemented on VMS.

Re: SSH logging question

Brian Reeves — Wed, 07 Jul 2004 07:51:13 GMT

I am not totally sure that I follow you.
logfail=remote,network were already enabled. I entered the "enable=author" command too.

However, I am only getting 1 audit entry on failures that I can see and it stills lists the username as tcpip$ssh, remote username as SSH_0A03044B, and the process name as TCPIP$SS_BG3204. I'm not exactly sure how I can use this information to find out the "real username".

Re: SSH logging question

Wim Van den Wyngaert — Wed, 07 Jul 2004 09:16:37 GMT

Brian,

I have ssh version 2.4.1 on VMS 7.3 and have exactly the same result as you have.

You can use accounting to find the remote username (using part of ssh_pid of the remote username).

Bad implementation ?

Do ssh "-V" to get your version.

Wim

Re: SSH logging question

Brian Reeves — Wed, 07 Jul 2004 09:45:28 GMT

I am also running SSH 2.4.1. This time I ran an SSH session in debug mode just out of curiosity. There is one thing that is kind of disturbing, one of the lines in the debug is "Unable to open ssh2/identification" I am not sure if that is part of my problem or not.

I have attached the text from my debug run.

Re: SSH logging question

Wim Van den Wyngaert — Wed, 07 Jul 2004 09:59:47 GMT

I would check the installation notes again.
You are missing some part.

http://h71000.www7.hp.com/openvms/products/ssh/ssh.pdf

I don't get the message but I played with the config at the time (and my memory fails for the details of it).

Wim

Re: SSH logging question

John Gillings — Wed, 07 Jul 2004 16:31:28 GMT

Brian, Wim,

It sounds like something has changed between the version I'm running (old!) and your version. When you eventually log in successfully, are the failed logins counted in the login message "nn login failures since last successful login"?

If the Audit messages aren't giving enough information, please log a case against your service contract and request an elevation to engineering.

Re: SSH logging question

Eberhard Wacker — Fri, 09 Jul 2004 03:49:36 GMT

Brian, 2 events, first due to enable=auth, second due to enable=logfail

W8$
%%%%%%%%%%% OPCOM 7-JUL-2004 11:16:15.07 %%%%%%%%%%%
Message from user AUDIT$SERVER on MYNODE
Security alarm (SECURITY) and security audit (SECURITY) on MYNODE, system id: 15
20
Auditable event: System UAF record modification
Event time: 7-JUL-2004 11:16:15.07
PID: 00000142
Process name: TCPIP$SS_BG4560
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: DSA800:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1
User record: LOCALUSER
Flags: New: DEFCLI,bit_31
Original: DEFCLI,bit_31
Login failures: New: 19
Original: 18
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)

W8$
%%%%%%%%%%% OPCOM 7-JUL-2004 11:16:15.13 %%%%%%%%%%%
Message from user AUDIT$SERVER on MYNODE
Security alarm (SECURITY) and security audit (SECURITY) on MYNODE, system id: 15
20
Auditable event: Network login failure
Event time: 7-JUL-2004 11:16:15.13
PID: 00000142
Process name: TCPIP$SS_BG4560
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:DS012345.DOM.COMPANY.COM
Remote username: REMUSER
Status: %LOGIN-F-NOTVALID, user authorization failure

W8$

it's also ssh 2.4.1

Re: SSH logging question

Brian Reeves — Fri, 09 Jul 2004 07:47:23 GMT

That is pretty much the results that I get. I actually opened a case with HP so, it will be interesting to see what comes of it.

Thanks all for your help