# ssh login uid=0?

## mansonmuni

I'm looking at my log and it says I'm logging in as uid=0. I thought that was the root uid. I'm logging in as a regular user whose primary group is 'users'. When I su, it shows my uid as 500, which is correct. Why does it show uid=0 when I log in through ssh? Is this normal?

Also, my box is under constant attack, shortly after I open up services for ssh.  I notice that they are targeting various ports, but I thought ssh used port 22.  I'm very much a novice in networking, so could someone please explain to me why sshd is accepting connections on other ports.  Or is it?  It is allowing attackers to attempt logins, so I'm assuming that they would be allowed if they provided the correct info.  Is that correct, and if so, then why on the other ports if ssh is using port 22?

----------

## bunder

hello...

where does it say that you're logging in as uid 0?  you mean this?

*Quote:*

> Dec 10 22:23:12 shell sshd[23180]: pam_unix(sshd:session): session opened for user chris by (uid=0)

or perhaps this?

*Quote:*

> $ id
> uid=1001(chris) gid=100(users) groups=10(wheel),16(cron),18(audio),19(cdrom),27(video),80(cdrw),85(usb),100(users),250(portage),1003(vmware),1005(wireshark)

both are fine.

as to your question about network attacks, you're probably getting the random traffic associated with plugging a host into the internet (but there are ssh bots who want to make you join their botnet).  ssh should only be using one port, and if you didn't change it, that should be tcp/22.  as for them being able to authenticate, yes, if they have the correct info they will log in.  there are ways around that, by using /etc/security/access.conf or key-based logins, or limiting access to the ssh port by firewall acl.

i hope this helps a little...

cheers

----------

## Hu

If you are concerned about the incoming connection requests, please post the output of netstat -npl.  This will show us what ports are listening and what processes own the listening sockets.  You may wish to obscure your IP address if it is shown in the output.  We only need to see the ports to diagnose whether you have inappropriate listeners.

Only root can list the owners of sockets owned by other users, so if you run it as your normal user, expect less complete output.  netstat will warn about this limitation.

----------

## mansonmuni

I don't know whether to be concerned or not.  I get an attempt every 5 minutes or so.  My passwords are strong, and they don't even come close to my resident user names, so it seems unlikely that they will have any success.  I have firewalled the system according to the home router howto, which allows incoming packets for ssh, but I notice the rule doesn't specify a port.  Should it?

Yes, the output of 'tail /var/log/messages' is consistent with your recommendation, so I guess that's fine, even though I don't understand it.

Any recommendations would be appreciated.  I'm also wondering if posting this info is dangerous.

Here's my output from netstat -nlp

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      5110/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5507/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5692/cupsd
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN      5882/lisa
tcp6       0      0 :::80                   :::*                    LISTEN      23858/apache2
tcp6       0      0 :::53                   :::*                    LISTEN      5110/dnsmasq
tcp6       0      0 :::443                  :::*                    LISTEN      23858/apache2
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5110/dnsmasq
udp        0      0 0.0.0.0:7741            0.0.0.0:*                           5882/lisa
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5110/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6381/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           5692/cupsd
udp6       0      0 :::53                   :::*                                5110/dnsmasq
raw   122520      0 0.0.0.0:1               0.0.0.0:*               7           5882/lisa
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     43785    21713/gpg-agent     /tmp/gpg-57Gw60/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     56201    26338/kdm           /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     49494    23860/apache2       /var/run/cgisock.23858
unix  2      [ ACC ]     STREAM     LISTENING     10120    5692/cupsd          /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     8574     4844/acpid          /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     9062     5171/hald           @/var/run/hald/dbus-B0MIEKaEHp
unix  2      [ ACC ]     STREAM     LISTENING     8720     4954/dbus-daemon    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     9065     5171/hald           @/var/run/hald/dbus-2tBGglk8vq
unix  2      [ ACC ]     STREAM     LISTENING     8439     4783/syslog-ng      /dev/log
```

----------

## defenderBG

*mansonmuni wrote:*

> Also, my box is under constant attack, shortly after I open up services for ssh.  I notice that they are targeting various ports, but I thought ssh used port 22.

welcome to the internet. there are constantly bots who try to log in to a system using common usernames/passwords.

*mansonmuni wrote:*

> I'm very much a novice in networking, so could someone please explain to me why sshd is accepting connections on other ports.  Or is it?  It is allowing attackers to attempt logins, so I'm assuming that they would be allowed if they provided the correct info.  Is that correct, and if so, then why on the other ports if ssh is using port 22?

there are other vulnerabilities that can be used to compromise a host. so the bots are scanning your system so that when they find a problem, they can hack you.

Which ports are being scanned? 80 (http), 23 (ahhhhhh telnet.......), etc...

----------

## bunder

*Quote:*

> I have firewalled the system according to the home router howto, which allows incoming packets for ssh, but I notice the rule doesn't specify a port.

source or destination?  the source port will always be random.  the destination port (on your side) will always be tcp/22, or your alternatively-chosen port.

cheers

----------

## krinn

emerge -s denyhosts fail2ban

and

echo "ALL: ALL" >> /etc/hosts.deny

echo "cupsd: LOCAL (yourlocalnetwork as 192.168.1.*)" >> /etc/hosts.allow (limit cupsd usage to your local network)

portmap: LOCAL 192.168.1.* except 192.168.1.10 (allow local network to use portmap, but not 192.168.1.10)

...

root is weak imo because the account is already known, but as bots suppose root has a strong password, they prefer to try to find a valid user and then find its password (with in mind, of course, that a user might have a weak password).

On a big server, the chances of finding "cat" as the root password are small (lol yes this might exist), but the chances that on that server you'll find a user called "fred" with a password as weak as "cat" seem better.
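To show how the hosts.allow/hosts.deny pair suggested above is actually evaluated, here is an added example (not krinn's code, and not taken from the thread) that simulates libwrap's lookup order from hosts_access(5): hosts.allow is searched first, then hosts.deny, and a client matching neither file is let in. The rule files embedded in it are constructed to mirror the lines above; the `192.168.1.*` glob form is accepted as written in the post, alongside the trailing-dot address-prefix form the manual documents.

```python
import fnmatch

# Constructed rule files mirroring the thread's suggestion (not the poster's real files).
HOSTS_ALLOW = """
sshd:    LOCAL, 192.168.1.
cupsd:   192.168.1.*
portmap: 192.168.1. EXCEPT 192.168.1.10
"""
HOSTS_DENY = "ALL: ALL\n"


def _match_token(pattern, value):
    """Match one pattern token the way hosts_access(5) describes."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # any client name without a dot
        return "." not in value
    if pattern.endswith("."):              # address prefix, e.g. "192.168.1."
        return value.startswith(pattern)
    if pattern.startswith("."):            # hostname suffix, e.g. ".example.org"
        return value.endswith(pattern)
    if "*" in pattern or "?" in pattern:   # glob form as written in the post above
        return fnmatch.fnmatchcase(value, pattern)
    return pattern == value


def _match_list(spec, value):
    """'a, b EXCEPT c' matches when value matches a or b and does not match c."""
    head, _, exc = spec.partition(" EXCEPT ")
    hit = any(_match_token(p.strip(), value) for p in head.split(","))
    return hit and not (exc and _match_list(exc.strip(), value))


def _rules(text):
    """Yield (daemon_list, client_list) for each non-comment 'daemons : clients' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, _, clients = line.partition(":")
            yield daemons.strip(), clients.strip()


def allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; matching neither means allow."""
    for daemons, clients in _rules(allow):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return True
    for daemons, clients in _rules(deny):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return False
    return True
```

A client matched by neither file is let in, which is why the `ALL: ALL` line in hosts.deny is what turns the allow list into a real whitelist; only daemons linked against libwrap (or started through tcpd) consult these files at all.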

----------

## bunder

fail2ban doesn't work anymore as most of these ssh/ftp bots are now using distributed methods, a la botnets.

----------

## outermeasure

Well, use public key authentication and stop allowing password authentication.  Then the only trouble those attackers can cause using ssh is possibly (D)DoS'ing your machine by trying so hard at attempting password logins that won't be accepted...
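As an added illustration of that advice (example code, not from the thread or from any poster), the following checks an sshd_config text for the settings involved: it applies sshd's own rule that the first occurrence of a keyword wins, and compares a constructed permissive configuration with its hardened form. The defaults assumed for absent keywords are those of classic OpenSSH, and ChallengeResponseAuthentication is the older spelling of what current releases call KbdInteractiveAuthentication, so check sshd_config(5) for your version.

```python
import re

# Constructed sshd_config fragments (not the poster's file): a permissive one and its hardened form.
WEAK_CONFIG = """
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

# Values assumed to apply when a keyword is absent (classic OpenSSH defaults; verify for your version).
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "permitrootlogin": "yes"}


def parse_sshd_config(text):
    """Effective keyword values: comments dropped, keywords lowercased, first occurrence wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Keyword value" or "Keyword=value"
        key = parts[0].lower()
        if key == "match":
            break            # lines after Match are conditional; out of scope for this check
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit(text):
    """Findings on the password/root settings discussed above; an empty list means hardened."""
    parsed = parse_sshd_config(text)
    cfg = {k: parsed.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication must be yes before passwords are turned off")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication should be no")
    if cfg["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication should be no (PAM can still ask for a password)")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin should be no (root is a username every bot tries)")
    return findings
```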

----------

## cach0rr0

IMHO any host attempting an ssh login as root should be blocked 

the bot activity has been nuts as of late, so this is unfortunately something I've had to implement myself, and would suggest here as well.
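To show what that rule looks like as detection logic over sshd's log lines, here is an added example in Python (not cach0rr0's script; nothing from the thread is reused). The log sample is constructed in OpenSSH's usual syslog message format, with the `pam_unix ... by (uid=0)` line from earlier in the thread included to show it is just a session record, not a failed or root login.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format (not the poster's /var/log/messages).
SAMPLE_LOG = """\
Dec 10 22:23:12 shell sshd[23180]: Accepted publickey for chris from 192.168.1.20 port 51234 ssh2
Dec 10 22:23:12 shell sshd[23180]: pam_unix(sshd:session): session opened for user chris by (uid=0)
Dec 10 22:27:41 shell sshd[23301]: Failed password for root from 203.0.113.5 port 4312 ssh2
Dec 10 22:27:44 shell sshd[23301]: Failed password for root from 203.0.113.5 port 4312 ssh2
Dec 10 22:31:02 shell sshd[23355]: Invalid user fred from 198.51.100.9
Dec 10 22:31:02 shell sshd[23355]: Failed password for invalid user fred from 198.51.100.9 port 2201 ssh2
Dec 10 22:35:17 shell sshd[23402]: Failed password for chris from 192.168.1.20 port 51300 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Count failed password attempts per (source, username) and collect accepted logins."""
    failures = Counter()   # (src_ip, user) -> attempts
    accepted = []          # (method, user, src_ip)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2), m.group(3)))
    return failures, accepted


def root_attempt_sources(failures):
    """Sources that tried 'root' even once: the hosts the post above says to block outright."""
    return sorted({ip for (ip, user) in failures if user == "root"})


def brute_force_sources(failures, threshold=3):
    """Sources whose failures across all usernames reach the threshold (a fail2ban-style rule)."""
    per_ip = Counter()
    for (ip, _user), n in failures.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

In the sample, 203.0.113.5 is caught by the root rule on its first attempt, while the threshold rule only notices an address once it has failed three times from that same address; that gap is what bunder's remark about distributed bots refers to, since they spread attempts across many addresses.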

----------

