Access not granted for user '...'.

[nader]

Hi,

In Bubba 2, I can login as Admin and setup users, but I can not log into the web interface with the user credentials. It gives me this error message: "Access not granted for user 'me'.". I did reset the user password a few times, but still get the same message.

Please help,

- Nader

[Cheeseboy]

Hi Nader,

If you are familiar with the GNU/Linux command prompt, please have a look in /var/log/auth.log and see if you can find anything that might give a clue to what is wrong.

If you are not familiar with it, you can check the log using the web interface.
Log in as admin, then click the "Settings" header, then the "Logs sub-header, then change the dropdown control to "auth.log" and click the "Show" button.

Please don't paste the entire contents of the log file to the forum, be aware that it contains sensitive information that might expose your system to attacks.

Best regards,

Cheeseboy

[RandomUsername]

What are you clicking on to log in? If you're clicking on the cog in the top right that message is expected as only the admin account can access it. Normal users should click on the door icon (the left most of the icons on the top row) or one of the icons in the centre (mail, file browser etc).

[nader]

Hi,

I know how to SSHD into the server, but it's refusing remote connection now. I was able to log into web interface as admin and get this log (I thought I shouldn't be able to log in as admin remotely).

This is really making me worry. Here are parts of the auth.log. I changed my user name to [MyUsername] and my 2nd username to [My2ndUsername]. xyz.xyz.xyz.xyz (my remote IP address) is my remote IP address; I do not recognize the other addresses, there are many more.

Please help,

Thanks,

- Nader

Mar 27 11:20:02 MyServerName CRON[11026]: (pam_unix) session opened for user root by (uid=0)
Mar 27 11:20:08 MyServerName CRON[11025]: (pam_unix) session closed for user root

Mar 27 11:22:59 MyServerName sshd[11032]: Invalid user troot from 122.224.86.99
Mar 27 11:30:02 MyServerName sshd[11187]: refused connect from ::ffff:122.224.86.99 (::ffff:122.224.86.99)
Mar 28 04:04:37 MyServerName sshd[13064]: Address 200.62.142.142 maps to plazanet.magdalenaperu.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Mar 28 06:25:05 MyServerName su[13616]: (pam_unix) session opened for user nobody by (uid=0)
Mar 28 06:25:08 MyServerName CRON[13574]: (pam_unix) session closed for user root
Mar 28 06:25:15 MyServerName su[13616]: (pam_unix) session closed for user nobody

Mar 28 08:37:51 MyServerName sshd[14010]: refused connect from ::ffff:xyz.xyz.xyz.xyz (my remote IP address)

Mar 28 13:21:45 MyServerName sshd[14574]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.62 user=[MyUsername]

Mar 28 13:21:47 MyServerName sshd[14572]: error: PAM: Authentication failure for [MyUsername] from 192.168.10.xyz
Mar 28 13:21:55 MyServerName sshd[14572]: Accepted keyboard-interactive/pam for [MyUsername] from 192.168.10.xyz port 4788 ssh2
Mar 28 13:21:55 MyServerName sshd[14576]: (pam_unix) session opened for user [MyUsername] by (uid=0)
Mar 28 13:21:55 MyServerName sshd[14576]: subsystem request for sftp
Mar 28 13:27:06 MyServerName usermod[14595]: change user `[My2ndUsername]' password
Mar 28 13:27:06 MyServerName usermod[14601]: change user `[My2ndUsername]' shell from `/bin/bash' to `/bin/bash'

Mar 29 06:25:04 MyServerName su[16631]: (pam_unix) session opened for user nobody by (uid=0)
Mar 29 06:25:05 MyServerName su[16631]: (pam_unix) session closed for user nobody
Mar 29 06:25:05 MyServerName su[16633]: Successful su for nobody by root
Mar 29 06:25:05 MyServerName su[16633]: + ??? root:nobody

[nader]

By the way, I did change su password and it is long and complex. I had a router till last week and B2 was behind firewall; I switched it to Router + Firewall + Server since.

[nader]

What are you clicking on to log in? If you're clicking on the cog in the top right that message is expected as only the admin account can access it. Normal users should click on the door icon (the left most of the icons on the top row) or one of the icons in the centre (mail, file browser etc).

Thank you RandomUsername, that solved the login problem on the web interface, but still remote SSH access is denied and I'm worried about someone hacking into my system.

[Cheeseboy]

Hi again,

You shouldn't worry about these, they are just system tasks performing:

Code: Select all

Mar 27 11:20:02 MyServerName CRON[11026]: (pam_unix) session opened for user root by (uid=0)
Mar 27 11:20:08 MyServerName CRON[11025]: (pam_unix) session closed for user root

Now this looks like someone is actually trying to access your system.
Either yourself or someone else, but using the username "troot".
I guess it is a typo, and meant to be "root", which will not work. You can not login as root, you have to login as a proper non-admin user and then become root if you so desire:

Code: Select all

Mar 27 11:22:59 MyServerName sshd[11032]: Invalid user troot from 122.224.86.99
Mar 27 11:30:02 MyServerName sshd[11187]: refused connect from ::ffff:122.224.86.99 (::ffff:122.224.86.99)

This looks like perhaps the remote IP address is in the /etc/hosts.deny or something:

Code: Select all

Mar 28 08:37:51 MyServerName sshd[14010]: refused connect from ::ffff:xyz.xyz.xyz.xyz (my remote IP address)

This looks like a successful change of the account from the web interface:

Code: Select all

Mar 28 13:21:55 MyServerName sshd[14572]: Accepted keyboard-interactive/pam for [MyUsername] from 192.168.10.xyz port 4788 ssh2
Mar 28 13:21:55 MyServerName sshd[14576]: (pam_unix) session opened for user [MyUsername] by (uid=0)
Mar 28 13:21:55 MyServerName sshd[14576]: subsystem request for sftp
Mar 28 13:27:06 MyServerName usermod[14595]: change user `[My2ndUsername]' password
Mar 28 13:27:06 MyServerName usermod[14601]: change user `[My2ndUsername]' shell from `/bin/bash' to `/bin/bash'

The only thing I have not seen and that would worry me slightly is this:

Code: Select all

Mar 29 06:25:05 MyServerName su[16633]: + ??? root:nobody

Eh, actually, I have never seen it in the B3 log, but just found several each day from bubba2 logs.

Best regards,

Cheeseboy

EDIT:
Changed qoute tags to code tags, and added a few lines.
EDIT 2:
/etc/hosts.deny
bloody hell, my fingers must be drunk....

[Cheeseboy]

Might even be more complicated (but I doubt it):
http://www.freebsddiary.org/ssh_refused.php

[nader]

The only thing I have not seen and that would worry me slightly is this:

Code: Select all

Mar 29 06:25:05 MyServerName su[16633]: + ??? root:nobody

Eh, actually, I have never seen it in the B3 log, but just found several each day from bubba2 logs.

Hi,

What worries me is "su" in the log, I did not use it today or in the past few days; can the system automatically login as su?

About the troot, that's not the only unsuccessful usernames listed in the log, there are many more attempts with different usernames and from different IP addresses that I don't recognize.

I'll check /etc/hosts.deny once I'm home and can SSH.

Thanks,

- Nader

[Cheeseboy]

Hi again,

can the system automatically login as su?

No, but it can issue the "su" command to become root.
There might be a script using it. I find it interesting tough that I didn't find any such things in the B3 logs. It might be some cron script specific to the Bubba 2. If you are really concerned, try to figure out what the process is (I guess it is the pid number in the square brackets).

About the troot, that's not the only unsuccessful usernames listed in the log, there are many more attempts with different usernames and from different IP addresses that I don't recognize.

Ah. That is something you will have to get used to if your server is exposed to the internet.
I strongly recommend that you install denyhosts:

Code: Select all

# apt-get install denyhosts

It will periodically read auth.log and detect lines like the troot one above, and if the same IP address or host name appears several times (configurable) in failed sshd login attempts, it will add the IP address to /etc/hosts.deny.

Since I registered my domain a few years ago it has banned this many hosts (I have set up denyhosts to ban an IP after 3 attempts):

Code: Select all

$ wc -l /etc/hosts.deny
3526 /etc/hosts.deny

Come to think about it:
My remark about /etc/hosts.deny in my previous post is rubbish. If your remote IP was in /etc/hosts.deny you would not see anything about it in the log. The incoming packet would have been be dropped before it even got to the sshd...

Sorry about that,

Cheeseboy

[Binkem]

I tried installing denyhosts, but I get the following error message:

Starting DenyHosts: denyhosts.
Traceback (most recent call last):
File "/usr/bin/pycentral", line 1373, in ?
main()
File "/usr/bin/pycentral", line 1367, in main
rv = action.run(global_options)
File "/usr/bin/pycentral", line 889, in run
self.options.exclude, byte_compile_default=True)
File "/usr/bin/pycentral", line 672, in install
self.default_runtime.byte_compile(self.private_files,
AttributeError: 'NoneType' object has no attribute 'byte_compile'
dpkg: error processing denyhosts (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
denyhosts
E: Sub-process /usr/bin/dpkg returned an error code (1)

Any ideas?

[Cheeseboy]

Hi Martijn,

I have had it installed on my Bubba2 for years, but as it has not been exposed to the internet since I got my B3 and I'm no longer scrutinizing the Bubba2 log files, I'm not sure if it is actually still working.

I un-installed it on my Bubba2, and tried to reinstall to test it and I got this:

Code: Select all

~$ sudo apt-get install denyhosts
Reading package lists... Done
Building dependency tree... Done
Package denyhosts is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package denyhosts has no installation candidate

I have no idea why. But I just updated, and perhaps you haven't yet? Perhaps there is a compatibility issue with python and it was removed from the repository?

Cheers,

Niklas

[Binkem]

I installed this morning. I did enable the Etch archives so that it is possible to install Debian packages, perghaps you didn't?
It is probably a python problem. I installed Python 2.5 because that was nessecary to install SABNZBd and since then there have been some small Python problems with python not knowing what version it is using.

Martijn

[Cheeseboy]

I did enable the Etch archives so that it is possible to install Debian packages, perghaps you didn't?

Nope I did not. The Bubba2 has pretty much been untouched by me since October 2010.

There is obviously something wrong. I can't even install it. You get errors.
There must be others out there on the interwebs having faced it before...

[nader]

Hi, I still have problem with connecting to B2 through SSH from WAN; LAN works fine. When I use putty to connect, it comes back with this message: "server unexpectedly closed network connection".

Here is the part from auth.log (000.000.000.000 is my remote IP address):

Jun 24 09:32:09 bubba sshd[2263]: refused connect from ::ffff:000.000.000.000 (::ffff:000.000.000.000)

I just ran the update/upgrade both on web interface and command line. The software version is 2.0.5.

Thanks, - Nader