For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jozef_Hamar's avatar
Jozef_Hamar
Icon for Altostratus rankAltostratus
Jan 27, 2015

LTM time discrepancy in logs during terminated SSH connection attempt

Hi guys,

I am running BIG-IP Virtual Edition 11.6.0. Today, while troubleshooting completely different issue, I noticed following in the logs:

[root@hostname:Active:Standalone] log  tail -f ltm
Jan 27 21:44:30 hostname info sshd[13792]: Accepted publickey for root from 10.100.0.1 port 48930 ssh2
Jan 27 21:45:25 hostname info sshd[13792]: Received disconnect from 10.100.0.1: 11: disconnected by user
Jan 27 12:56:27 hostname info sshd[14220]: Connection closed by 10.0.20.2
Jan 27 21:56:36 hostname err sshd[14221]: error: PAM: User not known to the underlying authentication module for jozef from 10.0.20.2
Jan 27 12:56:42 hostname info sshd[14224]: Connection closed by 10.0.20.2
Jan 27 21:56:57 hostname info sshd[14227]: Accepted keyboard-interactive/pam for root from 10.0.20.2 port 45904 ssh2
Jan 27 21:57:04 hostname info sshd[14227]: Received disconnect from 10.0.20.2: 11: disconnected by user
Jan 27 12:59:57 hostname info sshd[14269]: Connection closed by 10.0.20.2

Note the time column. It happens only if I try to open a SSH connection, but then Ctrl-C it in the password prompt:

jojoii@linux:~$ ssh user@10.100.0.20
Password: 
^C
jojoii@linux:~$

Did not noticed similar behavior in any other case. Am I missing something here, please? Or is this some minor bug? Can somebody try to simulate this, please?

Thanks in advance.

Jozef

application delivery
BIG-IP Access Policy Manager (APM)
deployment
LTM
security

4 Replies

  • NikhilB's avatar
    NikhilB
    Icon for Employee rankEmployee
    Jan 28, 2015

    Do you have ntp servers configured on the LTM?

     

    Can you run the command and print the output fronm "ntpq -pn" ?

     

  • Jozef_Hamar's avatar
    Jozef_Hamar
    Icon for Altostratus rankAltostratus
    Jan 28, 2015

    Yes I do. I'm using debian public NTP servers.

    [root@hostname:Active:Standalone] config  ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+213.160.185.89  5.9.80.114       3 u  874 1024  335   14.958    0.574   8.851
-91.212.112.71   194.160.23.2     2 u  901 1024  377    4.116   50.223   8.492
+62.168.65.36    10.0.0.1         3 u  735 1024  377    2.502    3.223   3.673
*93.184.71.155   194.160.23.2     2 u  719 1024  377    2.446   -1.976   4.695

    The system time is fine.

    Jozef

    • NikhilB's avatar
      NikhilB
      Icon for Employee rankEmployee
      Jan 28, 2015
      Is only ssh being affected by this? what do the logs on other services state? What does "/var/log/audit" show?
  • Jozef_Hamar's avatar
    Jozef_Hamar
    Icon for Altostratus rankAltostratus
    Jan 28, 2015

    Yes, seems SSH is the only service. It's a testing machine used for my cert preparation, so not really heavily used, but did not find it anywhere else. The audit log has no record of those interrupted SSH sessions. Only regular ones, which have been established.

     

    Jozef