Ssh

PAM module causing a large number of SSH sessions

  • August 11, 2012

While tailing /var/log/auth.log, I noticed multiple entries for user "foo" every minute (immediately). I personally had only one connection open, as user "root_bar", while tailing auth.log (log sample below). As you can see, this incoming SSH connection has no IP information. What is the best way to track the IP addresses of incoming SSH connections?

Aug 10 14:30:04 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:04 ps2000 suexec: (pam_unix) session closed for user root_bar
Aug 10 14:30:06 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:06 ps2000 suexec: (pam_unix) session closed for user root_bar
Aug 10 14:30:08 ps2000 CRON[16879]: (pam_unix) session closed for user root_bar
Aug 10 14:30:14 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:14 ps2000 suexec: (pam_unix) session closed for user root_bar
Aug 10 14:30:16 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:16 ps2000 suexec: (pam_unix) session closed for user root_bar
Aug 10 14:30:27 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:27 ps2000 suexec: (pam_unix) session closed for user root_bar
Aug 10 14:30:39 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:39 ps2000 suexec: (pam_unix) session closed for user root_bar

Disclaimer: the server name and all user information have been changed for security reasons.

Correction: the posters below have correctly answered the question of "tracking incoming SSH connections". As @aseq clarified, the suexec (pam_unix) session messages do not necessarily indicate any sshd activity; out of my own ignorance I posted this as an sshd problem. Since the original question and its answers were helpful, I accepted the most helpful answer. I think tracking the suexec: (pam_unix) session messages is a candidate for a separate question.

Final update: I found that the messages above are indeed related to sshd. After some adjustments in /etc/pam.d/common-auth, I started seeing messages such as

Aug 10 16:45:23 candy_bass sshd[427]: (pam_unix) session opened for user summer_flag by (uid=0)
Aug 10 16:45:23 candy_bass sshd[427]: PAM pam_parse: expecting return value; [...sucess=1 default=ignore]
Aug 10 16:45:23 candy_bass sshd[427]: PAM pam_parse: expecting return value; [...sucess=1 default=ignore]
Aug 10 16:45:23 candy_bass sshd[427]: Accepted publickey for summer_flag from xxx.zzz.yyy.abc port 35964 ssh2
Aug 10 16:45:23 candy_bass sshd[427]: (pam_unix) session opened for user summer_flag by (uid=0)
Aug 10 16:45:23 candy_bass pam_limits[427]: setrlimit limit #11 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 10 16:45:23 candy_bass pam_limits[427]: setrlimit limit #12 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 10 16:45:23 candy_bass sshd[427]: (pam_unix) session closed for user summer_flag

So this is sshd related; however, since it is very specific to a token authentication vendor (whose name I am not disclosing for privacy reasons), I think the vendor may be better placed to address it.

What do these log entries look like?

By default, the ssh server should log the IP address in /var/log/auth.log and other log files, e.g.:

Aug 1 12:21:30 example.host sshd[1174]: Failed password for invalid user example from 192.0.2.1 port 9460 ssh2
Aug 1 12:21:32 example.host sshd[1176]: Invalid user root from 192.0.2.10

If the log entries you are asking about do not contain the string "sshd", I doubt they actually come from the ssh server, and you need to look elsewhere. Look at the string after the hostname; it tells you which program is writing to the log.

You can also check /etc/ssh/sshd_config and see whether the log level is correct. The default on squeeze is:

# Logging
SyslogFacility AUTH
LogLevel INFO

Perhaps increasing the verbosity might reveal more information. The log entries you added to the question should have been preceded by log entries like the ones pasted above.
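As an added example (not code from the question or the answer), a small Python triage script that applies the answer's advice: it reads the program field after the hostname to see which process wrote each line, and pulls the peer address out of the sshd lines that carry one. The sample log lines are constructed from the ones on this page, with a documentation address standing in for the redacted one.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the question and answer.
SAMPLE_AUTH_LOG = """\
Aug 10 14:30:04 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999)
Aug 10 14:30:04 ps2000 suexec: (pam_unix) session closed for user root_bar
Aug 10 14:30:08 ps2000 CRON[16879]: (pam_unix) session closed for user root_bar
Aug 10 16:45:23 candy_bass sshd[427]: Accepted publickey for summer_flag from 192.0.2.7 port 35964 ssh2
Aug 1 12:21:30 example.host sshd[1174]: Failed password for invalid user example from 192.0.2.1 port 9460 ssh2
Aug 1 12:21:32 example.host sshd[1176]: Invalid user root from 192.0.2.10
"""

# Traditional syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd messages that name the peer: accepted logins, failed logins, unknown users.
SSHD_PEER_RE = re.compile(
    r"^(?:Accepted \S+ for (?P<ok>\S+)"
    r"|Failed \S+ for (?:invalid user )?(?P<fail>\S+)"
    r"|Invalid user (?P<inv>\S+)) from (?P<ip>\S+)"
)

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def programs_by_count(text):
    """Count which program wrote each line: the field right after the hostname."""
    return Counter(rec["prog"] for rec in map(parse_line, text.splitlines()) if rec)

def sshd_peers(text):
    """Return (user, ip, outcome) for every sshd line that carries a peer address."""
    found = []
    for rec in map(parse_line, text.splitlines()):
        if not rec or rec["prog"] != "sshd":
            continue  # suexec, CRON, pam_limits etc. never carry the SSH peer
        m = SSHD_PEER_RE.match(rec["msg"])
        if not m:
            continue
        if m.group("ok"):
            found.append((m.group("ok"), m.group("ip"), "accepted"))
        elif m.group("fail"):
            found.append((m.group("fail"), m.group("ip"), "failed"))
        else:
            found.append((m.group("inv"), m.group("ip"), "invalid-user"))
    return found

if __name__ == "__main__":
    print(programs_by_count(SAMPLE_AUTH_LOG))
    for user, ip, outcome in sshd_peers(SAMPLE_AUTH_LOG):
        print(f"{outcome:13s} user={user} from={ip}")
```

On the question's original sample the sshd count would be zero and the peer list empty, which is exactly the answer's point: those suexec lines are not where the SSH source address is recorded.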

Source: https://serverfault.com/questions/416441