Author Topic: sshd Accepted root password? False positive? Help!


« on: February 07, 2024, 05:54:43 PM »
Hi there...

I had a problem today and I was scared!

I received this email from CSF alert (I changed some info to XXX for security reasons in this post):
Subject: lfd on srvXX.XXXXX.com: SSH login alert for user root from 45.XXX.XXX.XXX (EE/Estonia/XXXX-vds-XXXXXX.pp.ua)

Time:    Wed Feb  7 14:00:17 2024 -0300
IP:      45.XXX.XXX.XXX (EE/Estonia/XXXX-vds-XXXXXX.pp.ua)
Account: root
Method:  password authentication

Log line:

Feb  7 14:00:15 srvXX sshd[18293]: Accepted password for root from 45.XXX.XXX.XXX port 47024 ssh2

BUT my /var/log/secure shows only these lines:
Feb  7 14:00:20 srvXX sshd[18293]: Received disconnect from 45.XXX.XXX.XXX port 47024:11:
Feb  7 14:00:20 srvXX sshd[18293]: Disconnected from 45.XXX.XXX.XXX port 47024
Feb  7 14:00:20 srvXX sshd[18293]: pam_unix(sshd:session): session closed for user root

Other logs, when I log in, show lines like:
Feb  7 14:07:41 srvXX sshd[18651]: Accepted password for root from 187.XX.XX.XXX port 38198 ssh2
Feb  7 14:07:41 srvXX sshd[18651]: pam_unix(sshd:session): session opened for user root by (uid=0)

There are no log lines like "Accepted password" for this IP 45.XXX.XXX.XXX.

Is CSF sending wrong alert emails?

I can't say for sure, but I was very scared when I received this email!

Take a look at the email body; it says LOG LINE:
Feb  7 14:00:15 srv01 sshd[18293]: Accepted password for root from 45.XXX.XXX.XXX port 47024 ssh2

I don't have this line in my /var/log/secure.

WTF? Did the user who logged in delete the line at 14:00:15 from /var/log/secure, or what?
I'm still scared!
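As an added example that is not part of the original post or of CSF/lfd, here is a small checker that correlates sshd lines in /var/log/secure by sshd PID and reports sessions that have a "session closed" line but no matching "Accepted ..." and "session opened" lines. That is exactly the gap the post describes for PID 18293: a close with no open. The sample log lines are constructed to mirror the shape of the excerpts above (IPs and hostnames are placeholders); the regexes assume the standard syslog-style format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample input, shaped like the post's /var/log/secure excerpts.
# Addresses and host names are placeholders, not real data.
SAMPLE_LOG = """\
Feb  7 14:00:20 srvXX sshd[18293]: Received disconnect from 45.0.0.1 port 47024:11:
Feb  7 14:00:20 srvXX sshd[18293]: Disconnected from 45.0.0.1 port 47024
Feb  7 14:00:20 srvXX sshd[18293]: pam_unix(sshd:session): session closed for user root
Feb  7 14:07:41 srvXX sshd[18651]: Accepted password for root from 187.0.0.2 port 38198 ssh2
Feb  7 14:07:41 srvXX sshd[18651]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb  7 14:30:02 srvXX sshd[18651]: pam_unix(sshd:session): session closed for user root
"""

# Outer syslog line: timestamp, host, "sshd[PID]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ACCEPT_RE = re.compile(
    r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
OPEN_RE = re.compile(r'session opened for user (?P<user>\S+)')
CLOSE_RE = re.compile(r'session closed for user (?P<user>\S+)')
DISC_RE = re.compile(
    r'^(?:Received disconnect|Disconnected) from (?P<ip>\S+) port (?P<port>\d+)')


def parse_sessions(text):
    """Group sshd lines by PID and record which lifecycle events each PID logged."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        pid, msg = m['pid'], m['msg']
        s = sessions[pid]
        s.setdefault('first_seen', m['ts'])
        s['last_seen'] = m['ts']
        if (a := ACCEPT_RE.match(msg)):
            s.update(accepted=True, user=a['user'], ip=a['ip'],
                     port=a['port'], method=a['method'])
        elif (o := OPEN_RE.search(msg)):
            s['opened'] = True
            s.setdefault('user', o['user'])
        elif (c := CLOSE_RE.search(msg)):
            s['closed'] = True
            s.setdefault('user', c['user'])
        elif (d := DISC_RE.match(msg)):
            # Disconnect lines still carry the peer address even if the
            # "Accepted" line is absent, so we can attribute the session.
            s.setdefault('ip', d['ip'])
            s.setdefault('port', d['port'])
    return dict(sessions)


def find_inconsistent(sessions):
    """PIDs whose session was closed but never logged as accepted and opened."""
    return sorted(pid for pid, s in sessions.items()
                  if s.get('closed') and not (s.get('accepted') and s.get('opened')))


def report(text):
    """Human-readable lines for each inconsistent session."""
    sessions = parse_sessions(text)
    return [
        f"pid {pid}: '{s.get('user', '?')}' from {s.get('ip', '?')}:{s.get('port', '?')} "
        f"closed at {s['last_seen']} with no Accepted/session-opened lines"
        for pid in find_inconsistent(sessions) for s in [sessions[pid]]
    ]


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real file with `report(open('/var/log/secure').read())`; a PID that shows up only with close and disconnect lines is worth comparing against whatever the alerting tool saw at the time, because the close line alone proves a session for that PID existed.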