1

I am getting these errors:

Jan 15 15:05:00 APPLES sshd[32305]: User root from not allowed because not listed in AllowUsers

Jan 15 15:05:00 APPLES sshd[32305]: input_userauth_request: invalid user root [preauth]

Jan 15 15:05:00 APPLES sshd(pam_google_authenticator)[32307]: Failed to read "/root/.google_authenticator"

Jan 15 15:05:00 APPLES sshd[32305]: error: PAM: Cannot make/remove an entry for the specified session for illegal user root from

Jan 15 15:05:00 APPLES sshd[32305]: Failed keyboard-interactive/pam for invalid user root from port 53287 ssh2

Jan 15 15:05:11 APPLES sshd(pam_google_authenticator)[32305]: Failed to read "/root/.google_authenticator"

Jan 15 15:05:11 APPLES sshd[32305]: Failed password for invalid user root from port 53287 ssh2

Jan 15 15:05:11 APPLES sshd[32305]: Disconnecting: Too many authentication failures for root [preauth]

JFlow
  • Those error messages sound pretty straightforward. – ceejayoz Jan 15 '16 at 20:13
  • I am really only paying attention to the failed to read file for google... I was being brute forced last night, I woke up to my accounts locked up, and this in the log. They didn't get in and I blocked their IPs. Is that a normal error to be treated as info? – JFlow Jan 15 '16 at 20:18
  • One could assume, no pass no code no permission; so; for it was unable to update? – JFlow Jan 15 '16 at 20:22
  • I wrote the answer but it fails from mobile. Wait for a few minutes. I will use a laptop – kgimpel Jan 15 '16 at 23:01

1 Answer

-1

You have two ways:

  • The first one:

Remove google authentication

 sudo apt-get remove libpam-google-authenticator

in file /etc/pam.d/sshd remove

auth required pam_google_authenticator.so

in file /etc/ssh/sshd_config change to No

ChallengeResponseAuthentication yes
  • Second way:

Reinstall google authentication

sudo apt-get install libpam-google-authenticator
google-authenticator

Follow the instructions on the screen. You will need a mobile phone to read the QR code (it will be generated in the console) and to install the Google Authenticator app from the market. Use the google-authenticator command for the current user or copy the result to other users from /home/USERNAME/.google_authenticator

After the changes, do not forget to restart SSHD

/etc/init.d/ssh restart
kgimpel
  • Well, yeah I have done that, initial install and for reinstall purposes; however my access is fine and I can get in normally. This is a hacker trying to get in; the error on file read makes me think that he maybe was attacking that file, but failed? – JFlow Jan 17 '16 at 06:31
  • This will not help as the google authenticator is not in error but he is bruteforced. google authenticator helps in this case to make the attack more difficult. Deinstalling google authenticator weakens the system. – Uwe Plonus Feb 20 '17 at 13:15
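
One way to check whether a pam_google_authenticator "Failed to read" line accompanies a login that sshd had already rejected, as discussed in the comments above. This is an added example, not part of the original posts; the sample log is constructed from the lines in the question, with the documentation address 203.0.113.5 and a hypothetical user "alice" as assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's log. 203.0.113.5 is a
# documentation placeholder; the "alice" line is invented for contrast.
SAMPLE_LOG = """\
Jan 15 15:05:00 APPLES sshd[32305]: User root from 203.0.113.5 not allowed because not listed in AllowUsers
Jan 15 15:05:00 APPLES sshd[32305]: input_userauth_request: invalid user root [preauth]
Jan 15 15:05:00 APPLES sshd(pam_google_authenticator)[32307]: Failed to read "/root/.google_authenticator"
Jan 15 15:05:11 APPLES sshd(pam_google_authenticator)[32305]: Failed to read "/root/.google_authenticator"
Jan 15 15:05:11 APPLES sshd[32305]: Failed password for invalid user root from 203.0.113.5 port 53287 ssh2
Jan 15 15:05:11 APPLES sshd[32305]: Disconnecting: Too many authentication failures for root [preauth]
Jan 16 09:12:40 APPLES sshd(pam_google_authenticator)[4410]: Failed to read "/home/alice/.google_authenticator"
"""

DENIED = re.compile(r"sshd\[\d+\]: User (\S+) from \S+ not allowed because")
INVALID = re.compile(r"sshd\[\d+\]: .*\binvalid user (\S+)")
GA_READ = re.compile(r'pam_google_authenticator\)\[\d+\]: Failed to read "([^"]+)"')

def owner_of(path):
    """Map a secret-file path to the account it belongs to (None if unknown)."""
    if path.startswith("/root/"):
        return "root"
    m = re.match(r"/home/([^/]+)/", path)
    return m.group(1) if m else None

def classify(log_text):
    """Return {user: (read_failures, verdict)} for each Google Authenticator read failure.

    "expected"    -> sshd rejected this account somewhere in the same log
                     (AllowUsers / invalid user), so no secret file is needed.
    "investigate" -> no rejection logged; a permitted account may lack a
                     readable secret file.
    The match is by user name only, not by time window or PID.
    """
    rejected, failures = set(), Counter()
    for line in log_text.splitlines():
        for pattern in (DENIED, INVALID):
            m = pattern.search(line)
            if m:
                rejected.add(m.group(1))
        m = GA_READ.search(line)
        if m:
            failures[owner_of(m.group(1))] += 1
    return {user: (n, "expected" if user in rejected else "investigate")
            for user, n in failures.items()}

if __name__ == "__main__":
    for user, (n, verdict) in classify(SAMPLE_LOG).items():
        print(f"{user}: {n} read failure(s), {verdict}")
```
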