Need help figuring out potential security issue


dtemp

Dabbler
Joined
Apr 16, 2014
Messages
41
The following has been going on for about 2 months.

Some days at 3am, I get an email from my FreeNAS box telling me about some failed SSH logins. It's from an IP address on my network that nothing uses as far as I know (it's outside the DHCP range, and I have nothing statically assigned there). On a separate server, I run a cron job every minute to log instances of when that IP address either pings or has an ARP resolution, and after running a month, that has never logged an entry.

It's making me wonder if my network has been intruded upon. Is there a log of successful SSH connections?
 

dtemp

Dabbler
Joined
Apr 16, 2014
Messages
41
Thanks. So it looks like I'm getting security messages regarding logins from a YEAR AGO!!

So the top of the auth.log file shows my logins from April 2014 when I first set up this server. Towards the end of the file are more recent entries, including the login from a minute earlier to read the file. There are no year numbers in the file, but you can tell that new logins are towards the end.

I get the following line in an email this morning:

FreeNAS.local login failures:
Jul 13 12:14:16 FreeNAS sshd[52782]: Failed password for root from 192.168.1.50 port 52271 ssh2

Looking at auth.log, there is a valid login at Jul 13 12:14:19 when I typed the password correctly... towards the top of the file, a year ago. I didn't touch my server yesterday so there are no valid logins yesterday.

Is this a problem anyone else is having, getting security messages a year or more old because there are no years in the auth log? Does anyone think I'm wrong and that this really happened yesterday?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Dumb question here. You don't happen to have an open network wireless access point....do you?
 

dtemp

Dabbler
Joined
Apr 16, 2014
Messages
41
Dumb question here. You don't happen to have an open network wireless access point....do you?

Definitely not.

Has anyone else heard of year-old security messages getting emailed?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Yeah, I've not heard of this. I feel like this is the kind of thing I would have heard of if it were widespread. I don't have any ideas.

When you receive these emails, is it always the same date/time of the alleged bad pw login?

Also, your sig says you are not on 9.3. Do you have a reason for not upgrading?
 

dtemp

Dabbler
Joined
Apr 16, 2014
Messages
41
Also, your sig says you are not on 9.3. Do you have a reason for not upgrading?

Just an abundance of caution. I know it's possible that 9.3.x fixes the issue.

The issue seems to be that the alerting system sends you reports of bad logins based on the month and day, not the year. So if I typed my password wrong on 7/15/14 or 7/15/15 (today), I'd get an email tomorrow morning.

I'm getting emails about a bad login at, say, Jul 13 12:14:16, and I'll look at auth.log and find a successful login Jul 13 12:14:19 last year. So I typed the password wrong, and typed it correctly three seconds later, but last year. This is the pattern for several emails I've gotten. Seems like too much of a coincidence.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
The log files roll over, so it would be unusual for a single file to contain over a year's worth of log data. That being said, it is strange that the year isn't included in the timestamp.
 

dtemp

Dabbler
Joined
Apr 16, 2014
Messages
41
The log files roll over, so it would be unusual for a single file to contain over a year's worth of log data.

I guess I don't log in very often! There's only maybe a couple hundred lines in the file. I'm at work so I can't do a line count at the moment. I also think it's weird that years aren't in auth.log. I know I first installed this server with 9.2.1.5, then upgraded to 9.2.1.9.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
I guess I don't log in very often! There's only maybe a couple hundred lines in the file. I'm at work so I can't do a line count at the moment. I also think it's weird that years aren't in auth.log. I know I first installed this server with 9.2.1.5, then upgraded to 9.2.1.9.

This has been solved in a FreeNAS 9.3 update by rotating logs at least yearly. See bug number 8532. Not logging the year seems to be a FreeBSD feature.
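An added example (not code from the thread or from FreeNAS) showing the two things discussed above: why a month/day-only match on yearless BSD syslog stamps surfaces a year-old failure, and one defensive alternative when logs are not rotated yearly, recovering each line's year from the file's chronological order and its modification time. The log excerpt, the mtime and the "now" value are constructed; only the first line is the thread's own sample.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log excerpt (first line copied from the thread, the rest invented).
# BSD syslog stamps carry no year, so the 2014 and 2015 lines look identical.
SAMPLE_AUTH_LOG = """\
Jul 13 12:14:16 FreeNAS sshd[52782]: Failed password for root from 192.168.1.50 port 52271 ssh2
Jul 13 12:14:19 FreeNAS sshd[52782]: Accepted password for root from 192.168.1.50 port 52271 ssh2
Mar  5 21:30:10 FreeNAS sshd[2002]: Accepted password for root from 192.168.1.20 port 50001 ssh2
Jul 13 22:10:05 FreeNAS sshd[3003]: Failed password for root from 192.168.1.20 port 50002 ssh2
"""
MTIME = datetime(2015, 7, 13, 22, 10, 6)  # constructed: os.path.getmtime() of the file
NOW = datetime(2015, 7, 14, 3, 0, 0)      # constructed: when the 3am report runs
STAMP_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_stamp(line):
    """Yearless syslog stamp -> datetime in year 2000 (a leap year, so Feb 29 parses)."""
    m = STAMP_RE.match(line)
    return datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S") if m else None

def naive_failures(log_text, today):
    """The flawed check the thread describes: compare month and day only,
    so a failure on 'yesterday' from any earlier year is reported as well."""
    y = today - timedelta(days=1)
    hits = []
    for line in log_text.splitlines():
        stamp = parse_stamp(line)
        if stamp and "Failed password" in line and (stamp.month, stamp.day) == (y.month, y.day):
            hits.append(line)
    return hits

def with_year(stamp, year):
    try:
        return stamp.replace(year=year)
    except ValueError:  # Feb 29 cannot fall in a non-leap year
        return None

def date_entries(log_text, mtime):
    """Recover years from ordering: auth.log is append-only and chronological, so
    walking it backwards from the file mtime, a stamp that would land after its
    successor must belong to an earlier year."""
    year, prev, dated = mtime.year, mtime, []
    for line in reversed(log_text.splitlines()):
        stamp = parse_stamp(line)
        if stamp is None:
            continue
        when = with_year(stamp, year)
        while when is None or when > prev:
            year -= 1
            when = with_year(stamp, year)
        dated.append((when, line))
        prev = when
    dated.reverse()
    return dated

def recent_failures(log_text, mtime, now, window=timedelta(days=1)):
    """Report only failures inside the window, judged by recovered full dates."""
    return [line for when, line in date_entries(log_text, mtime)
            if "Failed password" in line and now - when <= window]
```

With the sample above, `naive_failures` reports both Jul 13 failures (2014 and 2015), while `recent_failures` reports only the one that actually happened the night before.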
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
It seems obvious now, in hindsight, that this was the problem.

Good catch, guys.
 