Failed password for invalid user in /var/log/auth.log ?

drew-fustini-bborg · April 10, 2017, 10:33pm

Has anyone seen ssh warnings similar to this in /var/log/auth.log on
their BeagleBone?

pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=103.207.37.232
Failed password for invalid user support from 103.207.37.232 port 57227 ssh2
fatal: Read from socket failed: Connection reset by peer [preauth]
Did not receive identification string from 103.207.37.232
Address 123.31.31.90 maps to localhost, but this does not map back to
the address - POSSIBLE BREAK-IN ATTEMPT!
Invalid user support from 123.31.31.90
input_userauth_request: invalid user support [preauth]
pam_unix(sshd:auth): check pass; user unknown

A BeagleBone user is trying to determine if this is a problem:
https://forums.adafruit.com/viewtopic.php?f=49&t=115295&p=575972

I've not see this behavior. The BeagleBone on my internal network
running Debian 8.7 does accept accept ssh connections. I don't see
any activity like the above but my home router does not forward any
ports to the BeagleBone.

thanks,
drew

William_Hermans · April 11, 2017, 12:16am

If that person is trying to log in with root from one of the latest image, they’re going to get an error, which is possibly a PAM error. Robert changed the root account so one can not by default log in over ssh as root. It can be fixed, but it’s probably nto a good idea for anyone to “fix” this. Instead keep security in mind when logging into their board.

RobertCNelson · April 11, 2017, 12:30am

So the beagle with an address of 123.31.31.90, had a host trying to
connect, and it blocked it:

beagle:
http://ipaddress.is/123.31.31.90

host trying to connect:
http://ipaddress.is/103.207.37.232

This either occurred from two ways:

1: his upstream provider gave him a new ip address

2: he connected the Beagle directly to the web.

I'm going to guess #2, and his board is either a bot now, or probally
will be shortly..

aka, get a firewall, port forward, don't use port 22, etc...

Regards,

William_Hermans · April 11, 2017, 1:04am

In that case yeah I did not pay attention to the IPs. It may be best to disable ssh login passwd’s all together, and use ssh certificates / key login’s only Something like this: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

But depending on the users experience level with Llinux. It may be a bit over his / her head.

Brian_Yates · April 11, 2017, 3:15am

Mr. Nelson was correct on guess #2. And yes, it’s all a bit over my head, but I’m trying…thanks for the help.