ConfigServer Community Forum

Hi there -

My servers are setup to only allow ssh by root. These alerts work fine with actual root logins but I've also gotten a couple of alerts with no evidence of an actual ssh/root login -

lfd on server.servername.com​: SSH login alert for user root from 62.212.154​.143 (NL/Nether​lands/www.​digiinfo.n​l)

When I parse /var/log/secure for this IP, there are no log entries. When I parse /var/log/secure for "Accepted" to view successful logins, I see nothing other than my own successful root ssh logins and nothing that doesn't belong.

What would be causing the false positives? Which log does CSF parse for ssh login alerts and what specific string is it alerting on?

Thanks.

Mike

Is there someplace else I should be posting or submitting this inquiry?

I don't know, but you really should not be allowing root to ssh in. You should have a different username (one that is slightly less brute-forceable) for SSH access, then you can su once you get to a console. It's called the wheel group technique. If root logins are disabled by SSH, then an attacker has to know both a valid username and your password, which is a harder combination to get.

Some would say that's security through obscurity but I liken it to changing ssh port numbers. As long as you still have a good lock, there's nothing wrong with making it harder to find the door.

Once someone has root, they could conceivably find a way to completely cover their tracks. I'm not saying that's what's happened here, but that's what crosses my mind. Anyway, I'm guessing it would be the LFD component that is alerting on the logins, so you might want to poke around those scripts and you'll probably figure out when/how it is alerting.

I've seen these false positives trigger before. There is no way this was a legit root login. I logged in immediately and there was no other user logged in.

With regard to disallowing "root" for obscurity - I've got the strongest password around, so if I let the entire world know that they could try to login as root, how exactly are they getting in without otherwise having sniffed or stolen all credentials?