Notes on SSH user login log records
November 6, 2020
Symptom
A HIDS audit found that one server had a record of a successful SSH login following brute-force attempts, and the remote IP was a US address, so a successful brute-force login was suspected.
10.122.11.115 weblogic 3 13:21:45 167.71.177.87 United States
Investigation
Logged in to the server for the routine checks: load (top), processes (ps -ef) and listening connections (netstat) all showed nothing abnormal.
Tried switching from root to the weblogic account; the system reported that the account is not available:
[root@hostname log]# su weblogic
This account is currently not available.
Then checked the user's entry in /etc/passwd: the account is not allowed to log in.
[root@hostname log]# cat /etc/passwd | grep weblogic
weblogic:x:1056:1057::/usr/home/weblogic:/sbin/nologin
So how the hell did it log in?
Suspecting a false positive, I went to look at the SSH login logs the HIDS audits (secure, messages, audit). audit had no entries, so I set it aside for the moment and looked at the secure and messages entries for the corresponding time.
secure
Nov 3 13:21:45 hostname sshd[46071]: Accepted password for weblogic from 167.71.177.87 port 54376 ssh2
Nov 3 13:21:45 hostname sshd[46071]: pam_unix(sshd:session): session opened for user weblogic by (uid=0)
Nov 3 13:21:46 hostname sshd[46098]: Received disconnect from 167.71.177.87 port 54376:11: Normal Shutdown, Thank you for playing
Nov 3 13:21:46 hostname sshd[46098]: Disconnected from 167.71.177.87 port 54376
Nov 3 13:21:46 hostname sshd[46071]: pam_unix(sshd:session): session closed for user weblogic
messages
Nov 3 13:20:43 hostname systemd: Started PC/SC Smart Card Daemon.
Nov 3 13:20:43 hostname pcscd: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Nov 3 13:21:45 hostname systemd: Created slice user-1056.slice.
Nov 3 13:21:45 hostname systemd-logind: New session 479305 of user weblogic.
Nov 3 13:21:45 hostname systemd: Started Session 479305 of user weblogic.
Nov 3 13:21:46 hostname systemd-logind: Removed session 479305.
There is indeed an Accepted record, but it looks as if the session is removed immediately after being created. Why would that happen?
A quick test: connecting to the weblogic account from a remote client and entering an arbitrary password, 123456, immediately produced a username/password error dialog, and the secure log showed:
Nov 4 14:07:43 hostname sshd[5082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=39.98.209.85 user=weblogic
Nov 4 14:07:44 hostname sshd[5082]: Failed password for weblogic from 39.98.209.85 port 24904 ssh2
Nov 4 14:08:29 hostname sshd[5082]: error: Received disconnect from 39.98.209.85 port 24904:13: The user canceled authentication. [preauth]
Nov 4 14:08:29 hostname sshd[5082]: Disconnected from 39.98.209.85 port 24904 [preauth]
None of the earlier entries appeared, which was puzzling...
Then I tried the password weblogic (weblogic/weblogic) and the behaviour was different from before:
Last failed login: Wed Nov 4 11:15:01 CST 2020 from 39.98.209.85 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Nov 4 10:54:18 2020
This account is currently not available.
Checking secure again at the same time, the same log entries as in the original alert had appeared.
At this point the issue was confirmed to be a false positive.
Summary
When an SSH login is attempted with the correct password, sshd establishes a session and writes an Accepted record to secure; it then checks whether the user is allowed to log in, and if not (the shell in /etc/passwd is /sbin/nologin), the session just established is torn down immediately.
For comparison, here is the secure log of a normal login: a successful login has no subsequent Received disconnect or Disconnected from entries.
Nov 4 14:23:05 hostname sshd[17312]: Accepted password for root from 39.98.209.85 port 5653 ssh2
Nov 4 14:23:05 hostname sshd[17312]: pam_unix(sshd:session): session opened for user root by (uid=0)
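As an added example (not part of the original post), a small Python script that applies the summary above to a secure log: it pairs each Accepted entry with the session closed entry of the same sshd PID and flags a session torn down within a couple of seconds as the nologin pattern seen here, as opposed to a real interactive login. The sample lines are the ones quoted in this post; the 2-second threshold and the verdict names are my own assumptions.

```python
import re
from datetime import datetime

# Sample input: the secure log lines quoted in this post, plus the normal root login for comparison.
SAMPLE_SECURE = """\
Nov 3 13:21:45 hostname sshd[46071]: Accepted password for weblogic from 167.71.177.87 port 54376 ssh2
Nov 3 13:21:45 hostname sshd[46071]: pam_unix(sshd:session): session opened for user weblogic by (uid=0)
Nov 3 13:21:46 hostname sshd[46098]: Received disconnect from 167.71.177.87 port 54376:11: Normal Shutdown, Thank you for playing
Nov 3 13:21:46 hostname sshd[46098]: Disconnected from 167.71.177.87 port 54376
Nov 3 13:21:46 hostname sshd[46071]: pam_unix(sshd:session): session closed for user weblogic
Nov 4 14:23:05 hostname sshd[17312]: Accepted password for root from 39.98.209.85 port 5653 ssh2
Nov 4 14:23:05 hostname sshd[17312]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPTED = re.compile(SYSLOG_TS + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
CLOSED = re.compile(SYSLOG_TS + r"pam_unix\(sshd:session\): session closed for user \S+")

def parse_ts(text):
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas within one excerpt
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")

def classify_logins(lines, max_session_secs=2):
    """Pair each Accepted entry with the 'session closed' entry of the same sshd PID.
    'nologin-like': password accepted but session torn down within max_session_secs (the
    /sbin/nologin pattern in this post); 'interactive': lasted longer; 'open': no close seen.
    Every verdict means the supplied password was correct; only the shell stopped the login."""
    accepted, closed_at = {}, {}
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            accepted[m["pid"]] = m.groupdict()
            continue
        m = CLOSED.match(line)
        if m:
            closed_at[m["pid"]] = parse_ts(m["ts"])
    results = []
    for pid, a in accepted.items():
        if pid not in closed_at:
            verdict = "open"
        elif (closed_at[pid] - parse_ts(a["ts"])).total_seconds() <= max_session_secs:
            verdict = "nologin-like"
        else:
            verdict = "interactive"
        results.append({"user": a["user"], "ip": a["ip"], "pid": pid, "verdict": verdict})
    return results
```

Calling classify_logins(SAMPLE_SECURE.splitlines()) marks the weblogic login as nologin-like and the root login as open; an alert on nologin-like logins is still worth keeping, because it shows the account's password was guessed correctly even though no shell was obtained.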