[SOLVED] Permission Denied on SSH Admin Access

Hello,

Lately, my SSH login attempts to FBX have been resulting in “Permission Denied.” My password works (as I can log in to Cockpit and Plinth) and I haven’t done anything unusual. My account is an admin account.

FBX Version: Debian GNU/Linux 12 (bookworm) and FreedomBox version 24.4. I’m on a Raspi 4B with image downloaded from freedombox.org.

When trying to log on with another admin account, everything works fine. To get things back to normal I revert to a recent snapshot and the problem seems solved, only to reappear within the day.

Using sudo journalctl | tail -200 | grep my_user, I’m sharing the output below. I have a feeling something is wrong with either PAM or sshd. Any help appreciated.

Feb 27 10:27:50 freedombox sshd[7790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd:1234:efgh::i55  user=my_user
Feb 27 10:27:50 freedombox sshd[7790]: Accepted password for my_user from abcd:1234:efgh::i55 port 60918 ssh2
Feb 27 10:27:50 freedombox sshd[7790]: pam_unix(sshd:session): session opened for user my_user(uid=10000) by (uid=0)
Feb 27 10:27:50 freedombox systemd-logind[546]: New session 19 of user my_user.
Feb 27 10:27:50 freedombox systemd[1]: Started session-19.scope - Session 19 of User my_user.
Feb 27 10:28:19 freedombox sudo[7998]: pam_unix(sudo:auth): authentication failure; logname=my_user uid=10000 euid=0 tty=/dev/pts/1 ruser=my_user rhost=  user=my_user
Feb 27 10:28:19 freedombox sudo[7998]:    my_user : TTY=pts/1 ; PWD=/home/my_user ; USER=root ; COMMAND=/usr/bin/journalctl
Feb 27 10:28:19 freedombox sudo[7998]: pam_unix(sudo:session): session opened for user root(uid=0) by my_user(uid=10000)
Feb 27 10:29:48 freedombox sudo[8015]:    my_user : TTY=pts/1 ; PWD=/home/my_user ; USER=root ; COMMAND=/usr/bin/journalctl
Feb 27 10:29:48 freedombox sudo[8015]: pam_unix(sudo:session): session opened for user root(uid=0) by my_user(uid=10000)

Was there an update that it is applying between the snapshot and the failure of ssh?

Hi @timmy,

No update… When the problem occurs, just reverting to a snapshot from 1 or 2 hours before solves the issue… Then it comes back again (not knowing when or why yet).

I feel like I’ve heard this issue before on here but I don’t recall resolution.

I take it you already tried searching the forums?

I’ll try to dig through my previous posts and see if I commented on one of these that looks the same after I get off work.


Yeah… I did look through but didn’t find anything relevant.
To further try and see, I created a backup admin account and successfully logged in from there. Then I switched to my user account with sudo -i -u my_user and could log in. My sudo privileges and all work; I just can’t SSH into FBX.

A fresh new journal output is below. pam-abl is definitely blocking me. I have a hunch it’s also related to LDAP but am not sure…

Feb 28 08:17:44 freedombox sudo[43420]:     root : TTY=pts/1 ; PWD=/home/my_user ; USER=my_user ; COMMAND=/bin/bash
Feb 28 08:17:44 freedombox sudo[43420]: pam_unix(sudo-i:session): session opened for user my_user(uid=10000) by backup_account(uid=0)
Feb 28 08:17:58 freedombox sudo[43427]: pam_unix(sudo:auth): authentication failure; logname=root uid=10000 euid=0 tty=/dev/pts/2 ruser=my_user rhost=  user=my_user
Feb 28 08:17:58 freedombox sudo[43427]:    my_user : TTY=pts/2 ; PWD=/home/my_user ; USER=root ; COMMAND=/usr/bin/ls
Feb 28 08:18:17 freedombox pam-abl[43439]: Blocking access from abcd:1234:efgh::i55 to service sshd, user my_user
Feb 28 08:18:17 freedombox sshd[43439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd:1234:efgh::i55  user=my_user
Feb 28 08:18:19 freedombox sshd[43439]: Failed password for my_user from abcd:1234:efgh::i55 port 58720 ssh2
Feb 28 08:18:22 freedombox sshd[43439]: Connection closed by authenticating user my_user abcd:1234:efgh::i55 port 58720 [preauth]
Feb 28 08:18:27 freedombox sudo[43443]:    my_user : TTY=pts/2 ; PWD=/home/my_user ; USER=root ; COMMAND=/usr/bin/journalctl

Only post I was able to find - rather ironic

Weird that it accepts the password, then turns around and fails the password after an hour or so.

Is the system getting borked? Losing permissions to /sbin/unix_chkpwd or in /etc/passwd /etc/shadow /etc/group?
Is your user removed from shadow?


Yes it is :) I don’t seem to have any DB errors, so not much use unfortunately.

My user isn’t in passwd or shadow or group (which should be how it’s supposed to be if I’m not mistaken - LDAP?)

Ownership and mode for unix_chkpwd is 755 root:shadow.
Other ownerships look OK - I can share a directory list if you wish.

Strangely, now I can log on (not sure if this is permanent). Despite the pam_unix(sshd:auth): authentication failure in the journal, I’m also getting a freedombox sshd[65244]: Accepted password for my_user. I’m still wondering why the authentication failure…

PAM can be local, LDAP, and other auth methods; I don’t recall if FBX LDAP’s the users.

Isn’t LDAP the auth method used in FBX? That’s what I thought it was; my mistake if I’m wrong.
Anyhow, 2 days now and I can successfully log in via SSH. I don’t know why it’s working and why it broke in the first place… I have done nothing to correct anything and I am still seeing the authentication failure in the logs - but why, I have no clue…

My issue isn’t persistent and my FBX is working at the moment, though I’m not closing the issue as I haven’t figured out what happened… If any ideas, feel free to comment…

Isn’t LDAP the auth method used in FBX? That’s what I thought it was; my mistake if I’m wrong.

It would make sense to have LDAP, since all these users for all the services would be easier to set up.

But hey, glad it’s working - kinda. Are the failure entries in time with your SSH access, or perhaps are we looking at something else causing the logging?

Thanks @timmy

I believe the failure entries are in time. I tried sudo journalctl --since "19:02:30" --until "19:02:35", which corresponded to my login time. The output was as below. It looks like it’s just SSH access (not sure about the slapd).

P.S. Don’t mind hackers trying to brute force my postfix :)

Feb 29 19:02:31 freedombox postfix/smtpd[124315]: warning: unknown[45.129.14.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=azureuser
Feb 29 19:02:31 freedombox rspamd[85893]: <52fff7>; milter; rspamd_milter_process_command: got connection from 45.129.14.179:1580
Feb 29 19:02:31 freedombox rspamd[85893]: <52fff7>; proxy; proxy_milter_finish_handler: finished milter connection
Feb 29 19:02:31 freedombox postfix/smtpd[124315]: disconnect from unknown[45.129.14.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 29 19:02:32 freedombox update.php[124621]: PHP Warning:  Undefined array key 8 in /usr/share/tt-rss/www/classes/pluginhost.php on line 143
Feb 29 19:02:32 freedombox update.php[124621]: PHP Warning:  Undefined array key 50 in /usr/share/tt-rss/www/classes/pluginhost.php on line 147
Feb 29 19:02:32 freedombox update.php[124621]: PHP Warning:  Undefined array key 1 in /usr/share/tt-rss/www/classes/pluginhost.php on line 143
Feb 29 19:02:32 freedombox update.php[124621]: PHP Warning:  Undefined array key 50 in /usr/share/tt-rss/www/classes/pluginhost.php on line 147
Feb 29 19:02:32 freedombox php[124621]: [tt-rss] E_WARNING (2) (update.php:287) Undefined variable $op
Feb 29 19:02:32 freedombox php[124621]: [tt-rss] E_DEPRECATED (8192) (classes/debug.php:41) Function strftime() is deprecated
Feb 29 19:02:33 freedombox pam-abl[124048]: Blocking access from 45.129.14.128 to service dovecot, user training
Feb 29 19:02:33 freedombox auth[124048]: pam_unix(dovecot:auth): check pass; user unknown
Feb 29 19:02:33 freedombox auth[124048]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=training rhost=45.129.14.128
Feb 29 19:02:33 freedombox sshd[124614]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd:1234:efgh::i55  user=my_user
Feb 29 19:02:33 freedombox slapd[1223]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Feb 29 19:02:33 freedombox sshd[124614]: Accepted password for my_user from abcd:1234:efgh::i55 port 50976 ssh2
Feb 29 19:02:33 freedombox sshd[124614]: pam_unix(sshd:session): session opened for user my_user(uid=10000) by (uid=0)
Feb 29 19:02:33 freedombox systemd-logind[547]: New session 665 of user my_user.
Feb 29 19:02:33 freedombox systemd[1]: Started session-665.scope - Session 665 of User my_user.
Feb 29 19:02:33 freedombox sshd[124614]: pam_env(sshd:session): deprecated reading of user environment enabled
Feb 29 19:02:33 freedombox fail2ban-server[675]: fail2ban.filter         [675]: INFO    [dovecot] Found 45.129.14.128 - 2024-02-29 19:02:33

huh… I dunno. Almost looks like the PAM - sshd integration ain’t playing nice but the sshd server is getting the credentials and going through anyway.

Yep… seems to work for now. Hope to find the culprit, but let’s see how it goes…

I believe I may have found the problem…

My mail server’s being brute-force attacked by the notorious UGFzc3dvcmQ6. One way or another, it’s discovered my username my_user. After 15 tries at logging in to postfix, I believe PAM blacklists my user… Below I’m sharing logs for both instances.

Mar 02 06:42:52 freedombox postfix/smtpd[41955]: warning: unknown[103.184.107.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:43:01 freedombox postfix/smtpd[42831]: warning: unknown[94.131.211.168]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:43:14 freedombox postfix/smtpd[41955]: warning: unknown[58.16.201.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:43:25 freedombox postfix/smtpd[42034]: warning: unknown[41.207.248.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:43:37 freedombox postfix/smtpd[42813]: warning: unknown[221.10.230.228]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:43:48 freedombox postfix/smtpd[42813]: warning: unknown[119.145.190.102]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:44:02 freedombox postfix/smtpd[41955]: warning: unknown[60.223.255.130]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:44:14 freedombox postfix/smtpd[42831]: warning: unknown[59.15.251.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 06:44:26 freedombox postfix/smtpd[42813]: warning: unknown[221.224.159.218]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 07:59:10 freedombox postfix/smtpd[45315]: warning: unknown[80.184.200.96]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 07:59:20 freedombox postfix/smtpd[45315]: warning: unknown[102.90.34.90]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 07:59:43 freedombox postfix/smtpd[46208]: warning: unknown[175.202.52.89]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 07:59:59 freedombox postfix/smtpd[45942]: warning: unknown[189.53.85.222]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 08:00:08 freedombox postfix/smtpd[46174]: warning: unknown[178.64.123.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user
Mar 02 08:00:19 freedombox postfix/smtpd[45942]: warning: an045206.f.east.v6connect.net[61.87.45.206]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user

and

Mar 02 06:42:49 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=103.184.107.37  user=my_user
Mar 02 06:42:57 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=94.131.211.168  user=my_user
Mar 02 06:43:11 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=58.16.201.52  user=my_user
Mar 02 06:43:21 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=41.207.248.204  user=my_user
Mar 02 06:43:33 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=221.10.230.228  user=my_user
Mar 02 06:43:44 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=119.145.190.102  user=my_user
Mar 02 06:43:57 freedombox auth[43014]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=60.223.255.130  user=my_user
Mar 02 06:44:10 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=59.15.251.33  user=my_user
Mar 02 06:44:22 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=221.224.159.218  user=my_user
Mar 02 07:59:06 freedombox auth[45370]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=80.184.200.96  user=my_user
Mar 02 07:59:15 freedombox auth[45370]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=102.90.34.90  user=my_user
Mar 02 07:59:39 freedombox auth[46149]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=175.202.52.89  user=my_user
Mar 02 07:59:55 freedombox auth[45370]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=189.53.85.222  user=my_user
Mar 02 08:00:04 freedombox auth[45370]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=178.64.123.67  user=my_user
Mar 02 08:00:16 freedombox auth[45370]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=my_user rhost=61.87.45.206  user=my_user

I’m not too worried about my password as I have a strong one in place, but dear forum, what do you suggest I do from here?

  • Is my SSH login failing because of these attacks?
  • Do I have to worry that my user name is out there somewhere?

I really do not want to give up my user name as it’s what I use for both my mail and my XMPP accounts. Are there any alternative routes to take?

Thanks in advance.

I would post a new issue about using fail2ban with dovecot if that is not configured by FreedomBox today. If you want to try that yourself here is a link from dovecot with instructions. That is where I would start.
https://doc.dovecot.org/configuration_manual/howto/fail2ban/

  • confirm whether fail2ban is working with dovecot now.
  • see if you have a dovecot file in /etc/fail2ban/filter.d. I believe you will.
  • see if you have a dovecot file in /etc/fail2ban/jail.d. I don’t, but also do not have dovecot installed.
  • the default jail configuration does not enable all jails.

If the dovecot jail is not enabled, you could try to enable that for some relief.
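A fail2ban drop-in for the steps above, added here as an example; it is not taken from timmy’s post or from FreedomBox’s own configuration. It assumes the stock Debian jail.conf, which defines the [dovecot] and [postfix-sasl] jails but leaves them disabled, and that /etc/fail2ban/jail.d/ is read as usual (the file name and the retry/time values are assumptions):

```ini
# /etc/fail2ban/jail.d/mail-auth.local  (file name is an assumption)
# Enables jails that the stock jail.conf defines but does not enable.

[dovecot]
enabled  = true
maxretry = 5
findtime = 10m
bantime  = 1h

# Optional: also ban hosts that fail SMTP AUTH at the postfix layer.
[postfix-sasl]
enabled = true
```

Apply it with sudo fail2ban-client reload and confirm with sudo fail2ban-client status dovecot, which lists the matched lines and the currently banned addresses. One caveat that the logs further down the thread make plain: fail2ban bans source addresses, so an attacker that uses a different host for every attempt stays under any per-IP maxretry while each failure still counts against the targeted username.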

There’s this, so I assume it’s in order.
When I sudo fail2ban-client banned, I get the following jails:

[{'sshd': []}, {'apache-auth': []}, {'roundcube-auth': []}, {'dovecot': ['45.129.14.128']}]

Fingers crossed for now but it makes me think… even if my account is safe (not yet hacked), why am I getting locked out from SSH from time to time? Still looking, but thank you!

Sounds tricky. Your link sounds to me like the ban applies only to the IP/Service combination, so I can’t explain the overlap with ssh either.

Looking further back in the thread you’re also getting login attempts on postfix/smtpd, which is not included in your fail2ban-client output. I wonder if fail2ban is not set up for that.

I recall seeing a post somewhat recently where a user had ssh connectivity problems which were related to an attack swamping their FreedomBox resources. Does your device have the capacity to defeat the intrusion attempt and provide your services simultaneously?


I’m not sure, but as far as I can tell, once blocked by PAM, the block applies to all configured services (incl. sshd). While blocked, sudo pam-abl throws my_user the below:

Blocked based on rule [*/sshd]

Now, my FBX is connected to a router which does not accept SSH. The only way to SSH to my FBX is via VPN (or internally) and an admin account. While an SSH attempt doesn’t seem possible, my journal also does not show any sign of SSH attempts (only dovecot/postfix). So why does PAM block my user account based on an sshd rule?

I’ve had it confirmed that just filtering dovecot is sufficient and additionally filtering postfix wasn’t found necessary. That’s why it doesn’t have a jail.

I’ve had no bottleneck; all my services are running just fine. I just can’t log in via SSH when I’m blocked (which lasts for about 10 mins until my username is released again).


This really is driving me nuts :)

I think the diagnosis is that dovecot is being brute-force attacked with my user name. This in turn gets pam_abl blocking my username, so I can’t access SSH.

Now normally, the only way I access SSH is from the internal network (or through ovpn, which is again internal). So, would anyone have any idea how to have PAM block my user as it sees fit, except when used from a local IP?
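The lockout behaviour diagnosed in this post, as an added example that is not part of the thread and is not pam_abl’s code: a Python script that parses journal lines of the kind shown above, pools pam_unix failures per username across dovecot and sshd, and applies a per-username block with the local/VPN exemption the post asks about. The sample journal, the 15-failures-per-hour threshold, the class and function names and the 10.8.0.0/24 VPN range are all assumptions made for the example; whether pam_abl’s own configuration can express the same exemption is not something this thread settles.

```python
"""Pool PAM authentication failures per username across services and
simulate a lockout with a trusted-network exemption.

Added illustration for this thread; not pam_abl's code, and every name
below is invented.  It models what the thread observed: failures are
counted per username no matter which service produced them, so a
brute-force against dovecot/postfix with 'my_user' locks that user out
of sshd too.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

JOURNAL_YEAR = 2024  # journalctl's short format omits the year; assumed here

# Constructed sample journal modelled on the thread's lines (addresses are
# documentation ranges, not the real attackers): fifteen dovecot failures for
# my_user, one from each source, inside three minutes, plus noise lines that
# must not be counted.
_ATTACK_LINES = [
    f"Mar 02 06:{42 + (i * 11) // 60:02d}:{(i * 11) % 60:02d} freedombox auth[42980]: "
    f"pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 "
    f"tty=dovecot ruser=my_user rhost=198.51.100.{i + 1}  user=my_user"
    for i in range(15)
]
_NOISE_LINES = [
    "Mar 02 06:43:01 freedombox postfix/smtpd[42831]: warning: unknown[198.51.100.2]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=my_user",
    "Mar 02 06:43:05 freedombox auth[42980]: pam_unix(dovecot:auth): check pass; user unknown",
    "Mar 02 06:43:05 freedombox auth[42980]: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=training rhost=203.0.113.7",
    "Mar 02 06:45:10 freedombox sshd[43439]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.6  user=backup_account",
]
SAMPLE_JOURNAL = "\n".join(_ATTACK_LINES + _NOISE_LINES)

PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"pam_unix\((?P<service>[\w-]+):auth\): authentication failure; "
    r".*\brhost=(?P<rhost>\S*) +user=(?P<user>\S+)"
)


def journal_time(stamp):
    """Parse a short-format journal timestamp (year assumed, see JOURNAL_YEAR)."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=JOURNAL_YEAR)


def parse_pam_failures(text):
    """Return (time, service, rhost, user) for each pam_unix auth failure.
    Postfix SASL warnings, session lines and failures that carry no user=
    field are skipped: only PAM-level failures against a username count."""
    events = []
    for line in text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if m:
            events.append((journal_time(m["ts"]), m["service"], m["rhost"], m["user"]))
    return events


def failures_by_service(text):
    """Counter of (user, service) -> failures: the first thing to look at."""
    return Counter((user, svc) for _, svc, _, user in parse_pam_failures(text))


class UsernameLockout:
    """Per-username lockout: failures from every service are pooled (the
    cross-service effect the thread saw), but a login from a trusted network
    is never blocked.  Names and semantics are this example's own."""

    def __init__(self, threshold=15, window=timedelta(hours=1), trusted_nets=()):
        self.threshold = threshold
        self.window = window
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.failures = defaultdict(list)  # user -> [(time, service, rhost)]

    def record(self, when, service, rhost, user):
        self.failures[user].append((when, service, rhost))

    def recent_failures(self, user, at):
        return [f for f in self.failures[user] if at - self.window < f[0] <= at]

    def is_trusted(self, rhost):
        try:
            addr = ipaddress.ip_address(rhost)
        except ValueError:  # empty rhost or a hostname: treat as untrusted
            return False
        return any(addr in net for net in self.trusted_nets)

    def check(self, user, service, rhost, at):
        """'allow' or 'block' for `user` logging in to `service` from `rhost`.
        `service` is informational: the count pools failures from all
        services, which is why a dovecot brute-force surfaces as an sshd block."""
        if self.is_trusted(rhost):
            return "allow"
        if len(self.recent_failures(user, at)) >= self.threshold:
            return "block"
        return "allow"


def load_policy(text, **kwargs):
    policy = UsernameLockout(**kwargs)
    for event in parse_pam_failures(text):
        policy.record(*event)
    return policy


if __name__ == "__main__":
    for (user, svc), n in sorted(failures_by_service(SAMPLE_JOURNAL).items()):
        print(f"{user:16s} {svc:8s} {n:3d} failures")
    at = journal_time("Mar 02 06:50:00")
    plain = load_policy(SAMPLE_JOURNAL)
    exempt = load_policy(SAMPLE_JOURNAL, trusted_nets=["10.8.0.0/24", "192.168.1.0/24"])
    print("ssh from VPN 10.8.0.6, no exemption:", plain.check("my_user", "sshd", "10.8.0.6", at))
    print("ssh from VPN 10.8.0.6, exempt:      ", exempt.check("my_user", "sshd", "10.8.0.6", at))
    print("imap from 203.0.113.9, exempt:      ", exempt.check("my_user", "dovecot", "203.0.113.9", at))
```

Running the script prints the per-(user, service) failure counts, then the three decisions. It also makes visible the limit of an address-based ban: each of the fifteen failures comes from a different host, as in the logs above, so a jail that bans a source after a handful of failures never fires, while a per-username counter reaches its threshold regardless. Exempting the internal and VPN networks is what keeps the admin’s own SSH logins working while the username stays blocked for everyone outside.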

Just to report that I see repeated attempts to access postfix and dovecot but with a username that is different every time, and for each username I have one attempt with postfix and one with dovecot.

Did you try configuring an SSH key and see if access is also blocked that way?
If the backup account solution works, isn’t it good enough?