PDA

View Full Version : "SSH login alert for user" - user login, why while he has no rights, Shell disabled



Fli
03-10-2015, 11:23 AM
Config Server Firewall may report SSH logins to a server via email to server administrator

Email subject: "SSH login alert for user USERNAMEHERE from IPHERE" and in the content is "Method: keyboard-interactive/pam authentication"

so what to do? best to check SSH/authentication logs which are located usually in /var/log/secure

(tail -n 50 /var/log/secure)

One may see something like:


Mar 10 10:43:28 hostname sshd[1633]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:43:53 hostname sshd[6789]: Accepted keyboard-interactive/pam for USERNAME from IPHERE port 50383 ssh2
Mar 10 10:43:53 hostname sshd[6789]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
Mar 10 10:43:53 hostname sshd[6822]: subsystem request for sftp
Mar 10 10:44:55 hostname sshd[6789]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:46:00 hostname sshd[8189]: Accepted keyboard-interactive/pam for USERNAME from IPHERE port 46570 ssh2
Mar 10 10:46:00 hostname sshd[8189]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
Mar 10 10:46:01 hostname sshd[8210]: subsystem request for sftp
Mar 10 10:47:03 hostname sshd[8189]: pam_unix(sshd:session): session closed for user bfzagjtm


Check rights for that user, rights are maybe in /etc/passwd

(cat /etc/passwd | grep USERNAME)

One may see something like:


USERNAME:x:849:858::/home/USERNAME:/usr/local/cpanel/bin/noshell

someone said that noshell allows user to login but dont allow doing anything, log out him and that one can change it to "nologin"

(usermod -s /sbin/nologin bfzagjtm)

than result of (cat /etc/passwd | grep USERNAME) would be:


USERNAME:x:849:858::/home/USERNAME:/sbin/nologin