I’m scanning bunch of servers by the mask (like 192.168.0.0/16) and getting a report. On the column “Auth” some servers has a mark of successful ssh authentication, some hasn’t, but not a mark of unsuccessful auth (I saw this mark before, so there are 3 states of auth status: yes, no and nothing).
I’ve checked /var/log/auth.log on my servers, and they looks similar, I see that scanner was connected by ssh.
So why the difference in auth status?
So, nobody know? Anyone?
“Yes” or “no” should be shown in the “Auth” column of the scan, if it is correctly configured to include SSH authentication and if SSH is available on the target host.
You will need to check the scan results for details. First, when viewing the report, update the filter and include “Log” level results. Then, for each host for which you have confirmed that a SSH server is running and reachable, check for the following results:
- Services (on port 22/tcp)
- SSH Authorization Check
- SSH Login Successful For Authenticated Checks
- SSH Login Failed For Authenticated Checks
If these are not included for the hosts in question, double check whether SSH is actually available for these hosts, check whether a non-standard port is configured for SSH and not included in the scan config, check whether a firewall or other network infrastructure is interfering with the scan and check whether errors are shown in either the scan report or the system log.
3 Likes
We checked “Log” level results for servers without SSH confirmation.
- Services (on port 22/tcp) - included
- SSH Authorization Check - no
- SSH Login Successful For Authenticated Checks - no
- SSH Login Failed For Authenticated Checks - no
SSH is available, port is standard (22), firewall isn’t interfering.
Here is a part of /var/log/auth.log on the server:
Feb 29 13:12:55 myhost sshd[2527881]: Accepted publickey for greenbone from 10.0.0.22 port 34197 ssh2: ED25519 #############################
Feb 29 13:12:55 myhost sshd[2527881]: pam_unix(sshd:session): session opened for user greenbone(uid=996) by (uid=0)
Feb 29 13:12:55 myhost systemd-logind[646]: New session 6776 of user greenbone.
Feb 29 13:12:55 myhost sshd[2527959]: Received disconnect from 10.0.0.22 port 34197:11: Bye Bye
Feb 29 13:12:55 myhost sshd[2527959]: Disconnected from user greenbone 10.0.0.22 port 34197
Feb 29 13:12:55 myhost sshd[2527881]: pam_unix(sshd:session): session closed for user greenbone
Feb 29 13:12:55 myhost systemd-logind[646]: Session 6776 logged out. Waiting for processes to exit.
Feb 29 13:12:55 myhost systemd-logind[646]: Removed session 6776.