From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 00:37:52 2004
Date: Tue, 29 Jun 2004 17:50:21 -0700 (PDT)
From: Dave
To: Igor Roshchin
Cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?
Message-ID: <20040629174641.N47396@metafocus.net>
In-Reply-To: <200406282221.i5SMLMA06797@giganda.komkon.org>

console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv2   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv3   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv4   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv6   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv7   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure

---

I don't really see a problem here.

My mystery logins are actually still continuing. I'm going to see if I can
code a mousetrap to find out who is doing it. I did a fresh source compile
of world from the latest cvsup for 5.2.1 REL, and ran mergemaster to look
for differing startup scripts... No luck yet.

I wrote down the byte-sizes of sockstat, ps, and getty on a piece of paper.
I'm going to watch them over the next couple of days.

On Mon, 28 Jun 2004, Igor Roshchin wrote:

> You might want to check your /etc/ttys file,
> if it still shows ttyv* as for the console logins or for network logins.
>
> Igor
>
> Igor Roshchin
> System Administrator
> KomKon Sites
>
> > From igor@giganda.komkon.org Mon Jun 28 18:19:49 2004
> > Date: Mon, 28 Jun 2004 14:13:25 -0700 (PDT)
> > From: Dave
> > To: Neo-Vortex
> > Cc: freebsd-security@freebsd.org
> > Subject: Re: ttyv for local only?
> >
> > Hmm, I think I am in some kind of trouble. I have been getting login
> > errors on ttyv that definitely couldn't be me. The only other person who
> > lives with me is my wife, and it isn't her either.
> >
> > qmail, popa3d, etc.. I am even getting them on my ftp too.
> >
> > If someone had root access, they should be able to know what I am running
> > on my system rather than trying these idiotic logins. In fact, they could
> > telnet to my mail port and look for the Sendmail greeting to know that I
> > don't run qmail, or portping 125 to see if I am running any kind of POP3
> > server. A piece of me feels it is just some internet sweeper that
> > mindlessly tries logging in or ftping to certain things, and moves to the
> > next IP address. I am also wondering if it is just a syslogd thing that
> > the login failures were simply reported on ttyv2 rather than actually
> > happening there, but then why not ttyv0, which is the 'main' thing it
> > prints to?
> >
> > I recently just backed up my system so I'm not feeling that bad but....
> > but... how? There is no sense in making the same mistake twice. I could
> > run cvsup, compile a fresh binary of sockstat and ps to see if anything is
> > running...
> >
> > I'll consider turning snp off and recompiling my kernel. But that would
> > just get rid of the messages, not help me get to the heart of it.
> >
> > On Sun, 27 Jun 2004, Neo-Vortex wrote:
> >
> > > Hmmm, ttyv* is for local consoles only (normally anyway) and ttyp* is for
> > > remote (ssh, screen, telnet, etc), are you sure some idiot didn't try to
> > > logon as qmaild in the third console when you weren't looking?
> > >
> > > On Sat, 26 Jun 2004, Dave wrote:
> > >
> > > > I get this in my security postings.
> > > >
> > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2
> > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2, qmaild
> > > >
> > > > As it turns out, I'm not running qmail :) And if I did, it would
> > > > definitely have a nologin shell. But that's beside the point-
> > > >
> > > > I have had a perception that ttyv was for local/console logins, and that
> > > > just "tty" was for remote logins.
> > > >
> > > > Is my understanding wrong here?
> > > >
> > > > _______________________________________________
> > > > freebsd-security@freebsd.org mailing list
> > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> > >
> >
>
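An added example, written for this archive page and not posted by anyone in the thread: it applies the check Igor and Neo-Vortex describe in code, parsing the /etc/ttys excerpt Dave posted and classifying FreeBSD "LOGIN FAILURES ON <tty>" report lines by whether the tty is a ttyv* console with a getty running on it or a ttyp* pseudo-terminal. The log lines, hostname "gw" and timestamps are constructed; FAILURE_RE follows the two message shapes quoted in the thread.

```python
"""Added example (not from the thread): parse Dave's /etc/ttys excerpt and
classify FreeBSD 'LOGIN FAILURES ON <tty>' report lines by tty type."""
import re, shlex

# Constructed sample: the /etc/ttys excerpt posted in the thread, one entry per line.
TTYS_EXCERPT = """\
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
# Virtual terminals
ttyv2   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure
"""

# Constructed log lines modelled on the thread's report (time and host were redacted there).
LOG_LINES = [
    "Jun 26 03:12:01 gw login: 2 LOGIN FAILURES ON ttyv2",
    "Jun 26 03:12:05 gw login: 2 LOGIN FAILURES ON ttyv2, qmaild",
    "Jun 26 03:13:40 gw login: 3 LOGIN FAILURES ON ttyp1, root",
]

FAILURE_RE = re.compile(r"login: (\d+) LOGIN FAILURES ON (\S+?)(?:, (\S+))?$")

def parse_ttys(text):
    """Map tty name -> {command, type, on, secure}; comments and blank lines skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, command, term_type, status, *flags = shlex.split(line)
            entries[name] = {"command": command, "type": term_type,
                             "on": status == "on", "secure": "secure" in flags}
    return entries

def tty_kind(tty):
    """ttyv* is a local virtual console; ttyp* is a pseudo-terminal (ssh, screen, telnet)."""
    return {"ttyv": "local console", "ttyp": "pseudo-terminal"}.get(tty[:4], "unknown")

def classify_failures(log_lines, ttys):
    """Extract each failure report; note the tty kind and whether a getty runs there."""
    out = []
    for m in filter(None, map(FAILURE_RE.search, log_lines)):
        count, tty, user = int(m.group(1)), m.group(2), m.group(3)
        entry = ttys.get(tty)
        state = ("not in excerpt" if entry is None else
                 "getty on" if entry["on"] and "getty" in entry["command"] else
                 "off or not getty")   # only "getty on" ttys offer a real login prompt
        out.append({"count": count, "tty": tty, "user": user,
                    "kind": tty_kind(tty), "state": state})
    return out
```

A failure recorded against a ttyv* entry whose getty is "on" means the prompt was answered at the keyboard or by something feeding that console, which is the distinction the thread turns on.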