HPE Community
Operating System - OpenVMS
1827633 Members
3731 Online
109966 Solutions
New Discussion

Re: SSH logging question

 
SOLVED
Go to solution
Brian Reeves
New Member

‎07-06-2004 04:34 AM

‎07-06-2004 04:34 AM

SSH logging question

I have a question reguarding SSH logging. In the past with telnet whenever a user produced a failed login the audit file would show me what username tried to login. Now with SSH a failed login just shows up as TCPIP$SSH with a process name like TCPIP$SS_BG5198.

Is there anyway I can find out what username the failed login tried to use?
0 Kudos
Reply
11 REPLIES 11
John Gillings
Honored Contributor

‎07-06-2004 09:17 AM

‎07-06-2004 09:17 AM

Re: SSH logging question

Brian,
What versions are you running?

When I give a bad password for an attempted SSH login, I get a "remote interative login faulure" audit with provess name "SSH server 1651" and the target username. I also get a SYSUAF record modification, incrementing login failures.

Make sure you have auditing (and alarms?) enabled for AUTHORIZATION and LOGFAIL=ALL.

Also make sure you have the latest version of SSH.
A crucible of informative mistakes
Reply
Brian Reeves
New Member

‎07-06-2004 09:45 AM

‎07-06-2004 09:45 AM

Re: SSH logging question

John thank you very much for your reply. We are running OpenVMS 7.32 and the version of SSH that comes with the installation CD's.

Here is what our monitoring looks like
System security audits currently enabled for:

Audit: illformed
Logfailure: batch,dialup,local,remote,network,subprocess,detached

I am not sure exactly why audit: is showing up illformed.

I have also attached the text from a failed login.
0 Kudos
Reply
John Gillings
Honored Contributor

‎07-06-2004 11:28 AM

‎07-06-2004 11:28 AM

Re: SSH logging question

Brian,

I'm using an older version of SSH. It looks like they've changed the way audits work.

I'd suggest you enable a few more events:

$ SET AUDIT/ALARM/ENABLE=(authorization, -
breakin:all,login=all,logout=all)

Note that this will generate ALARMS to OPCOM terminals enabled for SECURITY. If you want messages written to the audit journal as well use:

$ SET AUDIT/AUDIT/ENABLE=

So, with those alarms enabled, please retry your login attempt, and catch the output of both the login itself, and any audit alarms that are generated.

You may not want to leave all those alarms enabled, or audit them all, but you may need to leave some of them turned on to get the exact information you want.

The "Audit: illformed:" means you will generate an audit message if the audit server receives an illformed request. This might indicate an attempt to confuse or crash the audit server, or it may be buggy software sending bad audit messages.
A crucible of informative mistakes
Reply
Eberhard Wacker
Valued Contributor

‎07-06-2004 11:12 PM

‎07-06-2004 11:12 PM

Solution

Re: SSH logging question

VMS V7.3-2, TCP/IP V5.4 Eco 1
no change of the way audits work

$ set audit/audit/enable=logfail=remote
--> login failures of set host and telnet
$ set audit/audit/enable=logfail=network
--> login failures of ssh
$ set audit/audit/enable=author
--> sysuaf modification of login fail count
Having set up this you get 2 audit entries containing all needed information: remote node, remote username, local username. PID/processname are the same in both event entries.

That's the only way to find out what username the failed login tried to use due to the way SSH is implemented on VMS.
Reply
Brian Reeves
New Member

‎07-07-2004 12:51 AM

‎07-07-2004 12:51 AM

Re: SSH logging question

I am not totally sure that I follow you.
logfail=remote,network were already enabled. I entered the "enable=author" command too.

However, I am only getting 1 audit entry on failures that I can see and it stills lists the username as tcpip$ssh, remote username as SSH_0A03044B, and the process name as TCPIP$SS_BG3204. I'm not exactly sure how I can use this information to find out the "real username".


0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎07-07-2004 02:16 AM

‎07-07-2004 02:16 AM

Re: SSH logging question

Brian,

I have ssh version 2.4.1 on VMS 7.3 and have exactly the same result as you have.

You can use accounting to find the remote username (using part of ssh_pid of the remote username).

Bad implementation ?

Do ssh "-V" to get your version.

Wim
Wim
0 Kudos
Reply
Brian Reeves
New Member

‎07-07-2004 02:45 AM

‎07-07-2004 02:45 AM

Re: SSH logging question

I am also running SSH 2.4.1. This time I ran an SSH session in debug mode just out of curiosity. There is one thing that is kind of disturbing, one of the lines in the debug is "Unable to open ssh2/identification" I am not sure if that is part of my problem or not.

I have attached the text from my debug run.
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎07-07-2004 02:59 AM

‎07-07-2004 02:59 AM

Re: SSH logging question

I would check the installation notes again.
You are missing some part.

http://h71000.www7.hp.com/openvms/products/ssh/ssh.pdf

I don't get the message but I played with the config at the time (and my memory fails for the details of it).

Wim
Wim
0 Kudos
Reply
John Gillings
Honored Contributor

‎07-07-2004 09:31 AM

‎07-07-2004 09:31 AM

Re: SSH logging question

Brian, Wim,

It sounds like something has changed between the version I'm running (old!) and your version. When you eventually log in successfully, are the failed logins counted in the login message "nn login failures since last successful login"?

If the Audit messages aren't giving enough information, please log a case against your service contract and request an elevation to engineering.
A crucible of informative mistakes
Reply
Eberhard Wacker
Valued Contributor

‎07-08-2004 08:49 PM

‎07-08-2004 08:49 PM

Re: SSH logging question

Brian, 2 events, first due to enable=auth, second due to enable=logfail

W8$
%%%%%%%%%%% OPCOM 7-JUL-2004 11:16:15.07 %%%%%%%%%%%
Message from user AUDIT$SERVER on MYNODE
Security alarm (SECURITY) and security audit (SECURITY) on MYNODE, system id: 15
20
Auditable event: System UAF record modification
Event time: 7-JUL-2004 11:16:15.07
PID: 00000142
Process name: TCPIP$SS_BG4560
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: DSA800:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1
User record: LOCALUSER
Flags: New: DEFCLI,bit_31
Original: DEFCLI,bit_31
Login failures: New: 19
Original: 18
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)

W8$
%%%%%%%%%%% OPCOM 7-JUL-2004 11:16:15.13 %%%%%%%%%%%
Message from user AUDIT$SERVER on MYNODE
Security alarm (SECURITY) and security audit (SECURITY) on MYNODE, system id: 15
20
Auditable event: Network login failure
Event time: 7-JUL-2004 11:16:15.13
PID: 00000142
Process name: TCPIP$SS_BG4560
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:DS012345.DOM.COMPANY.COM
Remote username: REMUSER
Status: %LOGIN-F-NOTVALID, user authorization failure

W8$

it's also ssh 2.4.1
Reply
Brian Reeves
New Member

‎07-09-2004 12:47 AM

‎07-09-2004 12:47 AM

Re: SSH logging question

That is pretty much the results that I get. I actually opened a case with HP so, it will be interesting to see what comes of it.

Thanks all for your help
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.