
For the last two days I've been seeing lots of lines in my /var/log/auth.log that look like:

sshd[xxxxx]: error: connect_to 0.gravatar.com port 80: failed
sshd[xxxxx]: error: connect_to 1.gravatar.com port 80: failed
sshd[xxxxx]: error: connect_to 2.gravatar.com port 80: failed

I don't think anything on my server uses gravatar, and even if it did I don't see why sshd should be involved. Further, the reports showed up "randomly" and there's been around 100 failed attempts for each gravatar address per day.

I've tried doing a bit of diagnostics myself, but I'm not an expert. I tried looking for scripts which use gravatar (with grep on my web directory) and haven't found anything (which is extra suspicious).

While digging I found two directories that I'm concerned about:

/tmp/.X11-unix
/tmp/.ICE-unix

I thought I disabled X11 on my server since I don't use it, and I have nothing to do with the IRC or anything else that I can imagine would be in .ICE-unix. There's nothing in either directory, but their very existence is suspicious to me (possibly due to my own ignorance).

I can't find any other evidence that I've been hacked, and I thought I ran a pretty tight ship, but I'm obviously concerned about this. I run a Debian server and I make sure every single package is updated every week. I'm new to this site and to investigating a hack, so I appreciate your patience and if there's anything I can do to help you help me, please let me know (I'll let you know that I've read tons of articles and tried as hard on my own as I could before asking here, because I value all of your time).

Beau

1 Answer


My guess is you (or someone else on your server) is doing SSH proxy tunneling and connecting to stackexchange or another site using gravatar, and for some reason those connections to gravatar were timing out. I do not think my home server is hacked and I see similar messages in my auth.log, but only on days when I was using the SSH proxy. The messages are on my_home_computer when I'm using a proxy from a different computer that was set up by ssh -fND localhost:12346 my_home_computer -- granted my entries are logging IP addresses like:

Mar  6 14:33:57 my_home_computer sshd[17500]: error: connect_to 173.192.82.196 port 80: failed.

My guess is these messages correspond to the lines in the side using the proxy that say:

channel 6: open failed: connect failed: Connection timed out
channel 4: open failed: connect failed: No route to host
channel 2: open failed: connect failed: Connection timed out

EDIT: Further testing confirmed this suspicion. Starting the ssh tunnel with the verbose flag set (-v):

ssh -vfND localhost:12346 my_home_computer

and trying to connect to a bad IP address (10.11.12.13) that eventually times out: on the timeout (visible in the web browser with a "The connection has timed out" message), the output of the terminal that started the ssh tunnel will show:

channel 2: open failed: connect failed: Connection timed out
debug1: channel 2: free: direct-tcpip: listening port 12346 for 10.11.12.13 port 80, connect from 127.0.0.1 port 34199, nchannels 10

Meanwhile, watching the output of auth.log at the same time with sudo tail -f /var/log/auth.log the following log entry will pop up:

Apr  7 17:38:03 my_home_computer sshd[23789]: error: connect_to 10.11.12.13 port 80: failed.

TL;DR: Just harmless web browsing and ssh warning you that while browsing some HTTP requests timed out or had no route to host at various points in the day.

dr jimbob
  • What a relief! I (and others) do use SSH proxy tunneling on my server. I bet (hope) you're right! – Beau Apr 07 '14 at 20:32
  • @Beau - Updated my answer with follow-up testing with verbose flag on the ssh tunnel while monitoring both the ssh client and ssh server's output in `auth.log`, and confirmed this suspicion. If you note the sshd was trying to `connect_to` on port 80 (well-known port for HTTP) which led to this suspicion that it was something benign. – dr jimbob Apr 07 '14 at 21:48
  • I haven't been SSH tunneling myself lately, so the reports are probably coming from another user, unless VPN might also cause those logs, because I have VPN'd lately. Do you know if there's a way to check to see if the reports are coming from a different SSH/VPN user? – Beau Apr 08 '14 at 19:28
  • @Beau, you can tell who is using ssh by doing `ps aux | grep sshd` (or use htop). There'll be two processes for every ssh connection on the server; one as root, and the other as the user account who logged in. Interactive sessions will have as the user something like `sshd: username@pts/13` (pointing to the terminal -- also try linux command `w` to see who is on the system). Non-interactive sessions will just say `sshd: username` for me, but if you note the PID (second column; for my session PID=1342) you will see that PID show up in the auth.log: `sshd[1342]: error: connect_to 10.0.0.0`. – dr jimbob Apr 08 '14 at 19:56
  • Thanks. Since they're not logged in most of the time, is there any way I can check logs, rather than hoping to catch them when they're on? – Beau Apr 08 '14 at 20:19
  • I can't easily decipher it from ordinary SSH logs. You could set up a cron job to log this if you wanted, or you could bump up the verbosity level on sshd though. (E.g., edit /etc/ssh/sshd_config and change LOG_LEVEL from INFO to VERBOSE or DEBUG and restart sshd). – dr jimbob Apr 08 '14 at 20:58
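The PID-matching procedure from the comments above (read the `sshd[PID]` from each `connect_to ... failed` line, look that PID up in `ps` output to find the logged-in user, and note which ports the tunnel was trying to reach) can be scripted so it can run from a cron job, as the answer suggests, instead of being done by hand. The following is an added example and not code from the question or answer. It assumes `ps` is run as `ps -o pid=,user=,args= -C sshd` (PID, user, command line per row), that the PID in the auth.log line is the user-owned session process as the comment states, and that the sample log and `ps` text embedded below are constructed for illustration; the IPs and hostnames in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log in the format shown on the page.
SAMPLE_AUTH_LOG = """\
Apr  7 17:38:03 my_home_computer sshd[23789]: error: connect_to 10.11.12.13 port 80: failed.
Apr  7 17:38:09 my_home_computer sshd[23789]: error: connect_to 0.gravatar.com port 80: failed.
Apr  7 17:39:12 my_home_computer sshd[1342]: error: connect_to 1.gravatar.com port 80: failed.
Apr  7 17:40:00 my_home_computer sshd[1342]: error: connect_to 1.gravatar.com port 80: failed.
Apr  7 17:41:00 my_home_computer sshd[23789]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Apr  7 17:42:00 my_home_computer sshd[9999]: error: connect_to 203.0.113.5 port 25: failed.
"""

# Constructed sample of `ps -o pid=,user=,args= -C sshd` output (assumed layout):
# each SSH login shows a root-owned "[priv]" parent and a user-owned session process.
SAMPLE_PS = """\
 1341 root     sshd: beau [priv]
 1342 beau     sshd: beau@pts/13
23788 root     sshd: alice [priv]
23789 alice    sshd: alice
"""

# "Apr  7 17:38:03 host sshd[23789]: error: connect_to 10.11.12.13 port 80: failed."
CONNECT_TO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<dest>\S+) port (?P<port>\d+): failed\.?$"
)
# " 1342 beau     sshd: beau@pts/13"
PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+sshd: ")

# Ports one expects a browser behind a -D SOCKS tunnel to hit; anything else is
# worth a second look rather than being written off as web browsing.
WEB_PORTS = {80, 443}


def parse_connect_failures(text):
    """Return one dict per `connect_to ... failed` line; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CONNECT_TO_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "pid": int(m["pid"]),
                           "dest": m["dest"], "port": int(m["port"])})
    return events


def parse_sshd_sessions(text):
    """Map sshd PID -> login user from ps output, skipping the root-owned
    privilege-separation parents so that each PID resolves to the real user."""
    sessions = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m and m["user"] != "root":
            sessions[int(m["pid"])] = m["user"]
    return sessions


def attribute_failures(events, sessions):
    """Join log events to users by PID; PIDs no longer in ps (session already
    gone, the situation the asker worried about) are reported as 'unknown'."""
    by_user_dest = Counter()
    by_user = Counter()
    non_web = []
    for ev in events:
        user = sessions.get(ev["pid"], "unknown")
        by_user_dest[(user, ev["dest"], ev["port"])] += 1
        by_user[user] += 1
        if ev["port"] not in WEB_PORTS:
            non_web.append((user, ev["pid"], ev["dest"], ev["port"]))
    return {"by_user_dest": by_user_dest, "by_user": by_user, "non_web": non_web}


if __name__ == "__main__":
    # In a cron job you would read /var/log/auth.log and run ps here instead.
    report = attribute_failures(parse_connect_failures(SAMPLE_AUTH_LOG),
                                parse_sshd_sessions(SAMPLE_PS))
    for (user, dest, port), n in sorted(report["by_user_dest"].items()):
        print(f"{user:10} {dest:20} port {port:<5} failures={n}")
    for item in report["non_web"]:
        print("non-web destination:", item)
```

Because the PID lookup only works while the session process is still alive, a snapshot taken every few minutes from cron (log the `ps` output with a timestamp) gives you the PID-to-user mapping to join against auth.log later; raising sshd's log level, as the last comment suggests, is the alternative that records the mapping on the server side.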