I am running a Debian server and I have received a strange email warning about an SSH login.
It says that user mail logged in using SSH from a remote address:
Environment info: USER=mail SSH_CLIENT=22.214.171.124 40814 22 MAIL=/var/mail/mail HOME=/var/mail SSH_TTY=/dev/pts/7 LOGNAME=mail TERM=xterm PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games LANG=en_US.UTF-8 SHELL=/bin/sh KRB5CCNAME=FILE:/tmp/krb5cc_8 PWD=/var/mail SSH_CONNECTION=126.96.36.199 40814 my-ip-here 22
I looked in /etc/shadow and found out that the password for this user is not set.
I found these lines for the login in auth.log:
Jun 3 02:57:09 gw sshd: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 3 02:57:09 gw sshd: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 3 02:57:09 gw sshd: pam_winbind(sshd:auth): user 'mail' granted access
Jun 3 02:57:09 gw sshd: Accepted password for mail from 188.8.131.52 port 45194 ssh2
Jun 3 02:57:09 gw sshd: pam_unix(sshd:session): session opened for user mail by (uid=0)
Jun 3 02:57:10 gw CRON: pam_unix(cron:session): session closed for user root
and lots of auth failures for this user. There are no lines with a COMMAND string for this user.
Nothing was found with rkhunter or with ps aux process inspection; also, no suspicious connections were found with netstat (as far as I can see).
UPD: forgot to mention that the logins were relatively short, 26 seconds for the longest one according to the wtmp log.
Can anyone tell me how it is possible and what else should be done?
Thanks in advance.
So, here is how it was done and why it was possible:
It was a usual brute force attack (and I didn't protect the system from it), but there were several preconditions:
1) The system is joined to AD.
2) winbind is configured and running on the system.
3) The same username exists on the Linux PC and in AD, and it has a normal shell in /etc/passwd (interesting why Debian system users have /bin/sh by default).
4) /etc/pam.d/ssh is configured to use the winbind password and the SSH server is configured to use PAM (they are both configured that way by default).
As a result, any domain user can log in with his credentials if there is a user with the same name on Linux.
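Added example, not part of the original post: a small Python check for the precondition described in the answer, listing system accounts that still have an interactive shell and flagging any successful sshd login for such an account. The passwd and auth.log samples are constructed (with RFC 5737 addresses); on a real host you would feed it /etc/passwd and /var/log/auth.log.

```python
import re
from typing import Dict, List

# Constructed sample data, not taken from the original post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_AUTH_LOG = """\
Jun  3 02:57:09 gw sshd[1234]: pam_winbind(sshd:auth): user 'mail' granted access
Jun  3 02:57:09 gw sshd[1234]: Accepted password for mail from 192.0.2.10 port 45194 ssh2
Jun  3 03:01:12 gw sshd[1240]: Accepted publickey for alice from 192.0.2.11 port 50022 ssh2
Jun  3 03:05:40 gw sshd[1250]: Failed password for mail from 192.0.2.12 port 40111 ssh2
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Tolerates both "sshd[pid]:" and the bare "sshd:" form seen in the post.
ACCEPTED_RE = re.compile(r"sshd(?:\[\d+\])?: Accepted (\S+) for (\S+) from (\S+) port (\d+)")


def system_accounts_with_shell(passwd_text: str, max_system_uid: int = 999) -> Dict[str, str]:
    """Return {user: shell} for non-root system accounts (Debian: UID 1..999)
    whose login shell is interactive rather than a nologin shell."""
    found = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid <= max_system_uid and shell not in NOLOGIN_SHELLS:
            found[user] = shell
    return found


def suspicious_logins(auth_log: str, passwd_text: str) -> List[dict]:
    """Flag every successful sshd login whose account is a system account
    with an interactive shell, the combination that let 'mail' log in."""
    risky = system_accounts_with_shell(passwd_text)
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in risky:
            hits.append({"user": m.group(2), "method": m.group(1), "src": m.group(3),
                         "port": int(m.group(4)), "shell": risky[m.group(2)]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_AUTH_LOG, SAMPLE_PASSWD):
        print(f"ALERT: {hit['user']} ({hit['shell']}) via {hit['method']} from {hit['src']}")
```

Accounts it lists are candidates for a nologin shell, and any login it flags is worth the same investigation the post describes.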