From: "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>
To: darek@nyi.net (Darek M)
Cc: freebsd-questions@freebsd.org
Date: Tue, 18 Jul 2006 22:34:55 -0400 (EDT)
Subject: Re: nologin: Attempted login by root on UNKNOWN
Message-Id: <200607190234.k6J2YtN0004985@himinbjorg.tucs-beachin-obx-house.com>
In-Reply-To: <44BD822B.4030207@nyi.net>

> >> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
> >> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin:
> >> Attempted login by root on UNKNOWN
> >>
> >> I'm not sure who/what/where to start looking. Ideas?
>
Hey Darek,

Good to hear from NYI. :)

> I believe that I've seen this before. If I remember correctly, the
> UNKNOWN part happens because the connection was closed before sshd or
> the system got info on the client's host. This is probably not very
> accurate, but the overall result was that it was not cause for concern.
>
> The only thing that this shows is that ssh is open to anyone, so you
> might want to close it with a firewall, or within /etc/ssh/sshd_config
> with the AllowUsers directive. Also within that file, you probably
> should have PermitRootLogin set to "no".
>
SSH is TCPWrapper'd, and only *1* machine in the entire datacenter can
access it (typical "jump box" configuration).

> Also look at the output of 'last' and 'last -f /var/log/wtmp.0 ...
> wtmp.N' just to make sure root didn't log in.
>
Nope, root didn't. It's just really weird that all of a sudden it started
@1:30 today and hasn't stopped since.

Tuc/TBOH
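Added example (not part of the thread): a small POSIX sh helper that summarises the "nologin: Attempted login by ..." lines from a syslog file by user and tty, skipping the duplicate copy that arrives through the kernel console logger, and reports the effective value of the sshd_config directives the reply mentions. The sample log and config fragment are constructed for illustration; the hostname asgard is taken from the thread.

```shell
#!/bin/sh
# Print "count user tty" for each distinct (user, tty) pair found on stdin.
# Lines tagged "kernel:" repeat the same nologin message via the console
# log buffer, so they are skipped to avoid counting every event twice.
summarize_nologin() {
    awk '/kernel:/ { next }
         /nologin: Attempted login by/ { n[$(NF-2) " " $NF]++ }
         END { for (k in n) print n[k], k }' \
    | sort -rn
}

# Print the effective value of an sshd_config keyword. OpenSSH uses the
# first uncommented occurrence, and a Match line ends the global section,
# so later duplicates and Match-scoped settings are ignored. Prints "unset"
# when the file leaves the keyword at its compiled-in default.
sshd_directive() {  # usage: sshd_directive KEYWORD FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*Match[ \t]/ { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# Constructed sample log: the two lines quoted in the thread plus a few more.
SAMPLE_LOG='Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:25:40 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:25:40 asgard kernel: Jul 18 14:25:40 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 15:02:11 asgard nologin: Attempted login by backup on ttyp3'

# Constructed sshd_config fragment (hypothetical values, not a real host's).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
AllowUsers admin@10.0.0.5
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF

printf '%s\n' "$SAMPLE_LOG" | summarize_nologin
for k in PermitRootLogin AllowUsers PasswordAuthentication; do
    printf '%s=%s\n' "$k" "$(sshd_directive "$k" "$SAMPLE_CFG")"
done
```

On a live host, replace the sample with `summarize_nologin < /var/log/messages` and point sshd_directive at /etc/ssh/sshd_config.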