
cannot prevent root login under Tru64/C2 with sshd

Mike Broderick_1
Occasional Contributor

cannot prevent root login under Tru64/C2 with sshd

I have a couple Tru64 boxes (4.0f and 5.1b) both using C2 security that get occasional root login attacks via SSH. These attacks (3000 hits on root last time) cause the root account to get locked. I tried disabling root logins from SSH with "PermitRootLogin no" (in sshd_config) but I still see failed attempts logged in the auth db (u_numunsuclog for root user increments). I then tried adding "DenyUsers root" too, which seems to work on the 4.0f system but not on 5.1b. I now do get an "invalid user" error in the auth.log in both, but on 5.1b u_numunsuclog still increments.

The Tru64 delivered ssh is not being used, but rather a version of OpenSSH manually downloaded/built. (4.0f has OpenSSH 3.1p1 and 5.1b has 3.7.1p2) The 5.1b system was just upgraded from 5.1a to 5.1b.

Anyone have any idea why these sshd config params are not stopping the login in sshd and preventing it from hitting the auth db?

_Mike
4 REPLIES
Kris Smith
Advisor

Re: cannot prevent root login under Tru64/C2 with sshd

Hi Mike,

Take a look at this link. Is it possible that you have UsePAM enabled/set?

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106916990118685&w=2


Good Luck.

Kris
Mike Broderick_1
Occasional Contributor

Re: cannot prevent root login under Tru64/C2 with sshd

Hi Kris,

Thanks for the pointer but I don't have UsePAM set in sshd_config on either system. Any other ideas? :-)

_Mike
Don Nutt
Advisor

Re: cannot prevent root login under Tru64/C2 with sshd

Mike,

I have the exact same Tru64 setups. 4.0f and 5.1b. OpenSSH in both cases is 3.8.1p1. C2 enabled and max login attempts at 100. I get hit pretty hard. This is where I am going.

portsentry-1.1
tcp_wrappers_7.6

either ipchains or iptables.

The only problem I still foresee is that, since I am going to allow port 22 access, portsentry will not kick in until it sees a scan. Now this will catch most attacks, however I have been noticing more and more focused probes on 22 and no other ports.

I have one backdoor access, OpenVMS 7.3-2 with SSH on port 1022 and a TL90 connected to the console port of the Tru64 systems.

Don
Mike Broderick_1
Occasional Contributor

Re: cannot prevent root login under Tru64/C2 with sshd

From my posting of this issue to another forum, I was told that for security reasons, sshd now always calls the underlying auth mechanism first, then will optionally reject based on its own config (PermitRootLogin no, DenyUsers, etc.) afterwards. So it seems there is no way to prevent lockouts with sshd settings.

I'll have to look into firewalling to block unwanted access as Don suggested.

_Mike
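
Added example, not code from the thread or from any poster: a sketch of the blocking approach discussed above, which counts failed root attempts per source address in sshd's log and emits tcp_wrappers `hosts.deny` entries so repeat sources are refused before sshd reaches the auth db. It assumes sshd was built with tcp_wrappers (libwrap) support and logs in the format shown; the log lines, host name, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on common OpenSSH syslog messages;
# exact wording differs between OpenSSH versions (assumption).
SAMPLE_LOG = """\
Mar  3 02:11:01 alpha1 sshd[4101]: Failed password for root from 192.0.2.10 port 4123 ssh2
Mar  3 02:11:03 alpha1 sshd[4102]: Failed password for invalid user root from 192.0.2.10 port 4124 ssh2
Mar  3 02:11:05 alpha1 sshd[4103]: Failed password for illegal user root from 192.0.2.10 port 4125 ssh2
Mar  3 02:11:07 alpha1 sshd[4104]: Failed password for invalid user root from 198.51.100.7 port 22 ssh2 from 192.0.2.10 port 4126 ssh2
Mar  3 02:12:40 alpha1 sshd[4110]: Failed password for mike from 198.51.100.7 port 2201 ssh2
Mar  3 02:13:02 alpha1 sshd[4111]: Failed password for root from 203.0.113.5 port 3301 ssh2
Mar  3 02:14:10 alpha1 sshd[4120]: Accepted password for mike from 198.51.100.7 port 2202 ssh2
"""

# Anchor on the END of the line: the user name is attacker-controlled and may
# itself contain " from <ip> port <n>", so only the trailing address is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?\s*$"
)

def failed_root_sources(log_text, user="root"):
    """Count failed password attempts for `user`, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        # Exact match on the user name: a forged name such as
        # "root from 198.51.100.7 port 22 ssh2" is not "root" and is skipped.
        if m and m.group("user") == user:
            counts[m.group("src")] += 1
    return counts

def hosts_deny_entries(counts, threshold=3, allowlist=()):
    """Return hosts.deny lines for sources at or above `threshold` attempts."""
    return [f"sshd: {src}" for src, n in sorted(counts.items())
            if n >= threshold and src not in allowlist]

if __name__ == "__main__":
    counts = failed_root_sources(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{n:5d} failed root attempts from {src}")
    print("\n".join(hosts_deny_entries(counts, allowlist=("198.51.100.7",))))
```

Keep administrative source addresses in the allowlist so a forged or mistaken entry cannot lock out legitimate access.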