Hi there...
I had a problem today and I was scared!
I received this email from CSF alert: (changed some info to XXX for security reasons in this post)
Subject: lfd on srvXX.XXXXX.com: SSH login alert for user root from 45.XXX.XXX.XXX (EE/Estonia/XXXX-vds-XXXXXX.pp.ua)
Time: Wed Feb 7 14:00:17 2024 -0300
IP: 45.XXX.XXX.XXX (EE/Estonia/XXXX-vds-XXXXXX.pp.ua)
Account: root
Method: password authentication
Log line:
Feb 7 14:00:15 srvXX sshd[18293]: Accepted password for root from 45.XXX.XXX.XXX port 47024 ssh2
BUT my /var/log/secure shows only these lines:
Feb 7 14:00:20 srvXX sshd[18293]: Received disconnect from 45.XXX.XXX.XXX port 47024:11:
Feb 7 14:00:20 srvXX sshd[18293]: Disconnected from 45.XXX.XXX.XXX port 47024
Feb 7 14:00:20 srvXX sshd[18293]: pam_unix(sshd:session): session closed for user root
Other logs, when I log in, show lines like:
Feb 7 14:07:41 srvXX sshd[18651]: Accepted password for root from 187.XX.XX.XXX port 38198 ssh2
Feb 7 14:07:41 srvXX sshd[18651]: pam_unix(sshd:session): session opened for user root by (uid=0)
There are no log lines like "Accepted password" for this IP 45.XXX.XXX.XXX.
Is CSF sending wrong alert emails?
I can't say for sure, but I was very scared when I received this email!
Take a look at the email body; it says LOG LINE:
Feb 7 14:00:15 srv01 sshd[18293]: Accepted password for root from 45.XXX.XXX.XXX port 47024 ssh2
I don't have this line in my /var/log/secure.
WTF? Did the user who logged in delete the line at 14:00:15 from /var/log/secure, or what?
I'm still scared!
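One way to check this situation mechanically, as an added example that is not part of the original post: group the sshd lines by process id and flag any session that was closed without a matching "Accepted" or "session opened" record, then test whether the exact line quoted in the lfd alert exists in the file. The log text and IP addresses below are constructed placeholders modelled on the post, not real data.

```python
import re
from collections import defaultdict

# Constructed sample: the lines the poster saw in /var/log/secure (IPs are placeholders),
# and the "Accepted password" line that only appeared in the lfd alert e-mail.
SECURE_LOG = """\
Feb 7 14:00:20 srvXX sshd[18293]: Received disconnect from 45.0.0.1 port 47024:11:
Feb 7 14:00:20 srvXX sshd[18293]: Disconnected from 45.0.0.1 port 47024
Feb 7 14:00:20 srvXX sshd[18293]: pam_unix(sshd:session): session closed for user root
Feb 7 14:07:41 srvXX sshd[18651]: Accepted password for root from 187.0.0.1 port 38198 ssh2
Feb 7 14:07:41 srvXX sshd[18651]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""
ALERT_LINE = "Feb 7 14:00:15 srvXX sshd[18293]: Accepted password for root from 45.0.0.1 port 47024 ssh2"

# syslog-style sshd line: timestamp, host, "sshd[<pid>]:", message
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def parse(log_text):
    """Group sshd messages by process id, keeping file order."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m["pid"]].append((m["ts"], m["msg"]))
    return by_pid


def orphaned_sessions(log_text):
    """PIDs whose session was closed but never recorded as opened.

    A close with no matching 'Accepted ...' / 'session opened' line means the
    earlier lines were lost, rotated or removed; either way it deserves a look."""
    orphans = []
    for pid, events in parse(log_text).items():
        msgs = [msg for _, msg in events]
        closed = any("session closed" in m for m in msgs)
        opened = any(m.startswith("Accepted ") or "session opened" in m for m in msgs)
        if closed and not opened:
            orphans.append(pid)
    return orphans


def alert_line_present(log_text, alert_line):
    """True if the exact log line quoted in the lfd alert is in the log file."""
    return alert_line.strip() in {l.strip() for l in log_text.splitlines()}


if __name__ == "__main__":
    print("orphaned sessions:", orphaned_sessions(SECURE_LOG))
    print("alert line in file:", alert_line_present(SECURE_LOG, ALERT_LINE))
```

Run the same check against /var/log/secure and the rotated copies next to it; if the alert line is in none of them while the close lines are, the gap is in the file, not in the alert.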