# Understanding periodic's "daily security run output"



## molofishy (Oct 10, 2016)

I receive scheduled emails from periodic with the subject line "daily security run output". I cannot find documentation to help interpret each section of the email, e.g. "checking negative group permissions", "checking for uids of 0" (root and toor are listed). Most important to me however, is to understand the details of each entry under "hostname login failures" (which of these should catch my eye more than the other?). E.g. what is the exact meaning of, and distinction between the following (I guess specifically in terms of how the attacker attempted to access the server):


```
Oct  9 01:06:00 hostname sshd[44813]: error: PAM: authentication error for server1 from 66.66.66.666
```
Then there's this whole block from one IP address (I'm seeing a lot of these blocks that are logged within one second). I'm looking for specific (but not necessarily detailed) information for each line (for e.g. what's the difference between "Postponed keyboard-interactive" and "Failed keyboard-interactive").

```
Oct  9 03:49:42 hostname sshd[45520]: Invalid user admin from 77.777.777.777
Oct  9 03:49:42 hostname sshd[45520]: input_userauth_request: invalid user admin [preauth]
Oct  9 03:49:42 hostname sshd[45520]: Postponed keyboard-interactive for invalid user admin from 77.777.777.777 port 54195 ssh2 [preauth]
Oct  9 03:49:42 hostname sshd[45520]: error: PAM: authentication error for illegal user admin from ec2-54-148-255-249.us-west-2.compute.amazonaws.com
Oct  9 03:49:42 hostname sshd[45520]: Failed keyboard-interactive/pam for invalid user admin from 77.777.777.777 port 54195 ssh2
```
Then someone's trying to login as root? How is this possible given that I have 

```
PermitRootLogin no
```
 in /etc/ssh/sshd_config

```
Oct  9 04:54:05 pangasius sshd[45676]: error: PAM: authentication error for root from 88.888.888.888
```
There are a few other possibilities that I have not listed here. Also, there is a lot more of this login-/failed-login-type information in /var/log/auth.log. How are those entries filtered to be part of the periodic emails?

Easiest might be to point me to some documentation / webpage with this info (if such a thing exists). I run sshguard if that's helpful to know...


----------



## SirDice (Oct 10, 2016)

molofishy said:


> Then someone's trying to login as root?


Yes. You're on the receiving end of a brute-force attack, welcome to the internet.


> How is this possible given that I have
> 
> ```
> PermitRootLogin no
> ```
> ...


That won't stop them from _trying_. They'll never succeed though, because you turned off root logins (as you should). Whatever settings you use locally will never prevent someone on the outside from having a go at it. It'll only prevent it actually succeeding.


----------



## fossette (Oct 16, 2016)

Maybe the root authentication error shouldn't be issued when PermitRootLogin no is used.  It seems pointless to me.

Dominique  <- just thinking out loud


----------



## SirDice (Oct 17, 2016)

From the outside it will always show the same username/password cycle. If there were any changes in that somebody might be able to figure out how your system is configured. Even if they're trying to login with a non-existent user you'd still see a password prompt. This is to prevent attackers from finding which accounts exist and which don't.


----------



## FzZzT (Feb 8, 2017)

fossette said:


> Maybe the root authentication error shouldn't be issued when PermitRootLogin no is used.  It seems pointless to me.



Not at all, there is some useful information in there: the time at which the client attempted login and the IP address of the client. Implicitly, the fact that the client attempted to log in using an unauthorized account. All of these are useful for, at least, blocking IP addresses at the firewall, potentially for a range of hosts.
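As an added example (not code from the thread or from FreeBSD's periodic scripts), the following parses the sshd lines quoted in the question, groups the several lines one connection produces under its sshd pid so a single attempt is not counted five times, and pulls out exactly the fields FzZzT points to: time, source address and the account tried. The log sample is constructed from the question's own lines; the event names are this example's labels, not sshd's.

```python
import re

# Constructed sample: the sshd lines quoted in the question above.
SAMPLE_LOG = """\
Oct  9 01:06:00 hostname sshd[44813]: error: PAM: authentication error for server1 from 66.66.66.666
Oct  9 03:49:42 hostname sshd[45520]: Invalid user admin from 77.777.777.777
Oct  9 03:49:42 hostname sshd[45520]: input_userauth_request: invalid user admin [preauth]
Oct  9 03:49:42 hostname sshd[45520]: Postponed keyboard-interactive for invalid user admin from 77.777.777.777 port 54195 ssh2 [preauth]
Oct  9 03:49:42 hostname sshd[45520]: error: PAM: authentication error for illegal user admin from ec2-54-148-255-249.us-west-2.compute.amazonaws.com
Oct  9 03:49:42 hostname sshd[45520]: Failed keyboard-interactive/pam for invalid user admin from 77.777.777.777 port 54195 ssh2
Oct  9 04:54:05 pangasius sshd[45676]: error: PAM: authentication error for root from 88.888.888.888
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$", re.M)
# "Postponed" lines are only progress notes; these three carry the outcome.
PATTERNS = {
    "invalid_user": re.compile(r"Invalid user (\S+) from (\S+)"),
    "failed": re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+) port"),
    "pam_error": re.compile(r"PAM: authentication error for (?:illegal user )?(\S+) from (\S+)"),
}

def parse_sshd_log(text):
    """One record per sshd pid, so the five lines of one attempt are not counted five times."""
    attempts = {}
    for m in LINE.finditer(text):
        ts, pid, msg = m.groups()
        rec = attempts.setdefault(pid, {"time": ts, "user": None, "source": None, "events": [], "failed": False})
        for kind, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                user, src = hit.groups()
                rec["events"].append(kind)
                rec["user"] = rec["user"] or user
                # The PAM line may show a reverse-DNS name; prefer the IP from the other lines.
                if kind != "pam_error" or rec["source"] is None:
                    rec["source"] = src
                rec["failed"] |= kind in ("failed", "pam_error")
    return list(attempts.values())

def summarize_by_source(attempts):
    """Per source: failed attempts, accounts tried, and whether root was among them."""
    out = {}
    for a in attempts:
        if a["failed"]:
            s = out.setdefault(a["source"], {"failed": 0, "users": set(), "root": False})
            s["failed"] += 1
            s["users"].add(a["user"])
            s["root"] = s["root"] or a["user"] == "root"
    return out
```

On the sample, the per-source summary is what a firewall block list or sshguard-style rule would be keyed on; the "events" list per pid shows which of the five line types actually carried the outcome for the question's admin attempt.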


----------

