Date: Tue, 19 Nov 2013 09:14:59 +0100
From: Marko Cupać
To: freebsd-stable@freebsd.org
Subject: login failures
Message-Id: <20131119091459.3084ad63d079615a0ce31d18@mimar.rs>

I am getting e-mail with security run output from one of my 9.2-RELEASE servers whose primary role is mysql server:

sql1.kappastar.com login failures:
Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22

However, I do not see anything in auth.log. Also, this should not happen at all as this host is in a DMZ behind the firewall which does not allow ssh connections to it.

How should I start troubleshooting this?

-- 
Marko Cupać