
I have a server running Debian 6.0 with logcheck installed. Yesterday, I received this message:

Jan 19 19:15:10 hostname sshd[28397]: Authentication tried for root with correct key but not from a permitted host (host=4.red-2-140-77.dynamicip.rima-tde.net, ip=2.140.77.4).

I don't know who this is and I doubt he was there by accident.

Now, what should I do?

First thing I did was to disable ssh password authentication and switch to public/private key. I also checked the authorized_keys file and saw only my public key.

What next?

How can I know what the other guy did on my machine?

Sirex
Ben

2 Answers


I believe this is a bug that has been hanging around for far too long which is fixed in later versions (6.0p1).

It should be fairly easy to verify this by trying to connect to the system yourself from a host that would be restricted, using a different key and seeing what messages you get.

user9517
  • I indeed tried with another machine, could not log in and received the same logcheck message. Guess it's the bug... – Ben Jan 20 '13 at 10:05

This might be a long-standing bug in OpenSSH which was only fixed in 6.0p1. In that case you can safely ignore it. However, if you want to be safe, the original answer (assuming you aren't affected by this bug) is:

Your ssh private keys have likely been compromised, since someone had a valid private key for logging into your root account. The fact that someone didn't log in from a permitted IP address saved you from further compromise. Nevertheless, this is a significant compromise; it suggests that your workstation (or other machine you typically work from) was compromised.

You should treat every workstation and server you touch as potentially compromised. Format and reinstall your workstation(s). Revoke/destroy all of your existing ssh keys and rekey everything. Change all passwords. Strongly consider wiping and reinstalling any servers on which you have access to log in with this key.

Michael Hampton
  • Thanks for your answer, what I find very strange is that there was no failed attempt before this successful connection. Usually, when someone is trying to connect as root on my server, I see several failed attempts. Here, the connection succeeded directly... and the root password is not qwerty: it is a generated password – Ben Jan 20 '13 at 07:58
  • If you're actually using `from` restrictions in your `authorized_keys` as shown in the links, then you are probably affected by this bug. But I would err on the side of caution... – Michael Hampton Jan 20 '13 at 08:00
  • Ben, the complexity of the root password is immaterial to this log entry, because the access was done by key. – MadHatter Jan 20 '13 at 08:04
  • mmmh... Password authentication was enabled so I thought the intruder found that password, not that he used private/public keys. How is that even possible? – Ben Jan 20 '13 at 09:03
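The `from=` restriction in `authorized_keys` that the comments refer to is what sshd is evaluating when it logs "not from a permitted host". As an added example (not code from the question or either answer), the following script re-implements sshd's `from=` pattern-list matching as I understand it (`*`/`?` wildcards tested against both the reverse-resolved hostname and the IP, `!` negation that denies outright, and addr/bits CIDR blocks) and reports which entries of a constructed sample `authorized_keys` would have permitted a login from the host and IP in the logged message; the key blobs and comments in the sample are placeholders.

```python
import fnmatch
import ipaddress
import re

# Constructed sample authorized_keys (placeholder key blobs, not the asker's file).
SAMPLE_AUTHORIZED_KEYS = """\
from="10.0.0.0/24,admin.example.com" ssh-rsa AAAAB3NzaC1yc2EXAMPLE1 ops@laptop
ssh-rsa AAAAB3NzaC1yc2EXAMPLE2 ben@workstation
from="!bad.example.net,*.example.net",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE3 dev@build
"""
# One key line: optional options, key type, key blob, optional comment.
KEY_RE = re.compile(r'^(?:(?P<opts>\S.*?)\s+)?(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)'
                    r'\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$')

def _pattern_matches(pattern, hostname, ip):
    """One from= pattern: '*'/'?' wildcard on hostname or IP, or an addr/bits CIDR block."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    pat = pattern.lower()
    return fnmatch.fnmatchcase(hostname.lower(), pat) or fnmatch.fnmatchcase(ip, pat)

def host_permitted(pattern_list, hostname, ip):
    """sshd pattern-list rule: a matching '!' entry denies outright, otherwise any match permits."""
    allowed = False
    for raw in pattern_list.split(","):
        if _pattern_matches(raw.lstrip("!"), hostname, ip):
            if raw.startswith("!"):
                return False
            allowed = True
    return allowed

def audit_authorized_keys(text, hostname, ip):
    """Return [(comment, from_list_or_None, permitted)] for each key line."""
    results = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        from_opt = re.search(r'from="([^"]*)"', m.group("opts") or "")
        pats = from_opt.group(1) if from_opt else None
        results.append((m.group("comment"), pats, host_permitted(pats, hostname, ip) if pats else True))
    return results

if __name__ == "__main__":
    # Client host and IP exactly as they appear in the logcheck message in the question.
    for c, p, ok in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, "4.red-2-140-77.dynamicip.rima-tde.net", "2.140.77.4"):
        print(f"{c:16} {p or '(unrestricted)':40} {'permitted' if ok else 'denied'}")
```

Run against the real `/root/.ssh/authorized_keys`, this tells you which keys carry a `from=` list at all and which would have let the logged client in; any key that lists the logged host as permitted deserves the treatment in the second answer.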