Date:      Tue, 18 Jul 2006 22:52:52 -0400
From:      Darek M <darek@nyi.net>
To:        "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: nologin: Attempted login by root on UNKNOWN
Message-ID:  <44BD9E84.1030905@nyi.net>
In-Reply-To: <200607190234.k6J2YtN0004985@himinbjorg.tucs-beachin-obx-house.com>
References:  <200607190234.k6J2YtN0004985@himinbjorg.tucs-beachin-obx-house.com>

Tuc at T-B-O-H.NET wrote:
>>>> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
>>>> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: 
>>>> Attempted login by root on UNKNOWN
>>>>
>>>>      I'm not sure who/what/where to start looking.  Ideas?
>>>>         
> Hey Darek,
>
> 	Good to hear from NYI. :)
>   

Heh, are you a customer, or just familiar with the company?

> 	SSH is TCPWrapper'd, and only *1* machine in the entire
> datacenter can access it (Typical "jump box" configuration). 
>   

http://lists.debian.org/debian-wnpp/2006/05/msg00092.html

Does root have /bin/nologin for the shell?  If it does, then the UNKNOWN 
would refer to the terminal, just the way the 'nologin' binary is set 
to log to syslog.  Basically means that someone tried to log in as root, 
but before they could even provide a password, the nologin binary kicked 
them off.  That's why the terminal type is set to UNKNOWN because it 
hadn't been set yet.

You'll have to figure out how that person is getting access as 
apparently they are reaching the box.

- Darek
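
An added example, not part of the original message: a small Python triage script that pulls the `nologin: Attempted login by ... on ...` events out of a syslog excerpt, collapses the console echo of the same event, and checks each account's shell in a passwd excerpt. The sample log, the passwd entries, the shell paths and the function names are constructed for illustration.

```python
import re

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:25:40 asgard sshd[812]: Accepted publickey for tuc from 192.0.2.10 port 50122 ssh2
Jul 18 15:02:11 asgard nologin: Attempted login by backup on ttyp1
"""

# Constructed passwd(5) excerpt; accounts and shell paths are assumptions.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/sbin/nologin
backup:*:1001:1001:Backup:/home/backup:/usr/sbin/nologin
tuc:*:1002:1002:Tuc:/home/tuc:/bin/tcsh
"""

ATTEMPT = re.compile(
    r"(\w{3}\s+\d+ [\d:]{8}) (\S+) nologin: Attempted login by (\S+) on (\S+)\s*$")

def nologin_accounts(passwd_text):
    """Return the accounts whose login shell is a nologin binary."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].rsplit("/", 1)[-1] == "nologin":
            users.add(fields[0])
    return users

def parse_attempts(log_text):
    """Return unique (time, host, user, tty) tuples in log order.

    The console echo ("kernel: Jul 18 ... nologin: ...") repeats the same
    event, so identical tuples are collapsed; two real attempts by one
    user within the same second would also collapse.
    """
    seen, events = set(), []
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m and m.groups() not in seen:
            seen.add(m.groups())
            events.append(m.groups())
    return events

def report(log_text, passwd_text):
    """Pair each attempt with whether the account's shell is nologin."""
    locked = nologin_accounts(passwd_text)
    return [{"time": t, "host": h, "user": u, "tty": tty,
             "shell_is_nologin": u in locked, "tty_unknown": tty == "UNKNOWN"}
            for t, h, u, tty in parse_attempts(log_text)]
```
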


