Security Incidents mailing list archives
Re: OpenSSH anomaly
From: Tavis Paquette <tavis.lists () galaxytelecom net>
Date: Mon, 23 Feb 2004 05:25:10 -0800
Benjamin Franz wrote:
I've encountered behaviour similar to this in an unrelated configuration, it involved the use of PAM and the pam-limits.so module with it you can limit (among other things) the maximum amount of concurrent logins for a specific accountI'm running a RedHat Enterprise 3 ES server that has been running fairly reliably for a month. This morning we could not remotely login to the server via SSH because openssh would terminate the connection immediately (no delay) after apparently successfully logging in - without giving a prompt. We are current on patches up to Feb 1 with the exception of the kernel which is RHES 2.4.21-4.0.1.ELsmp. A console reboot succeeded in restoring connectivity. We couldn't find any footprints in any log or any suspicious file activity. No record of the failed logins (we attempted using both pubkey and password) were in the logs. The openssh version is RedHat's 3.6.1p2-18. Has anyone else seen something similiar?
This is how openssh behaves when the limit has been reached, the assumption here is that the password has been entered correctly.
--- reticent@cynosure| ssh admin () 192 168 xxx xxx Password: Connection to 192.168.xxx.xxx closed by remote host. Connection to 192.168.xxx.xxx closed. ---You may want to look at your pam configuration for sshd if indeed your system uses PAM (i'm not a redhat user so i cannot provide references to config file locations)
tavis --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_incidents_040219 ----------------------------------------------------------------------------
Current thread:
- OpenSSH anomaly Benjamin Franz (Feb 22)
- Re: OpenSSH anomaly Paul Schmehl (Feb 22)
- Re: OpenSSH anomaly Benjamin Franz (Feb 22)
- Re: OpenSSH anomaly Mike Hoskins (Feb 22)
- Re: OpenSSH anomaly Will Tipton (Feb 23)
- Re: OpenSSH anomaly Benjamin Franz (Feb 23)
- Re: OpenSSH anomaly Honza Vlach (Feb 23)
- Re: OpenSSH anomaly Tavis Paquette (Feb 23)
- <Possible follow-ups>
- FW: OpenSSH anomaly AJ Cochenour (Feb 23)
- RE: OpenSSH anomaly GUSAIN,SUBODH (HP-Canada,ex1) (Feb 24)
- Re: OpenSSH anomaly Paul Schmehl (Feb 22)