Date:      Tue, 18 Jul 2006 20:51:55 -0400
From:      Darek M <darek@nyi.net>
To:        Tuc at T-B-O-H <ml@t-b-o-h.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: nologin: Attempted login by root on UNKNOWN
Message-ID:  <44BD822B.4030207@nyi.net>
In-Reply-To: <20060718195841.B54217@fledge.watson.org>
References:  <200607182256.k6IMuleF051373@vjofn.tucs-beachin-obx-house.com> <20060718195841.B54217@fledge.watson.org>

doug wrote:
> On Tue, 18 Jul 2006, Tuc at T-B-O-H wrote:
>
>> Hi,
>>
>>     All of a sudden today I'm getting :
>>
>> nologin: Attempted login by root on UNKNOWN
>>
>>
>>     on a server... It's happening QUITE a bit :
>>
>> Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:16:01 asgard kernel: Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:18:23 asgard kernel: Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:19:25 asgard kernel: Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:21:27 asgard kernel: Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:55:11 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 13:55:11 asgard kernel: Jul 18 13:55:11 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 14:08:47 asgard kernel: Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
>> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
>>
>>      I'm not sure who/what/where to start looking.  Ideas?

I believe that I've seen this before.  If I remember correctly, the 
UNKNOWN part happens because the connection was closed before sshd or 
the system got info on the client's host.  This is probably not very 
accurate, but the overall result was that it was not cause for concern.

The only thing that this shows is that ssh is open to anyone, so you 
might want to close it with a firewall, or within /etc/ssh/sshd_config 
with the AllowUsers directive.  Also within that file, you probably 
should have PermitRootLogin set to "no".

Also look at the output of 'last' and 'last -f /var/log/wtmp.0 ... 
wtmp.N' just to make sure root didn't log in.

- Darek
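
[Added example, not part of the original message or of FreeBSD/OpenSSH: a small sh audit for the two sshd_config settings suggested above. The function names `sshd_effective` and `audit_sshd` and the sample config are constructed for illustration; it assumes whitespace-separated `Keyword value` lines and reads only the global section.]

```sh
#!/bin/sh
# sshd_effective FILE KEYWORD
# Prints the value sshd would take for KEYWORD from the global section.
# sshd_config keywords are case-insensitive and the first value obtained is
# used; lines after the first "Match" are conditional, so they are ignored.
# Prints "unset" when the keyword is absent (the built-in default applies).
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, "")
            val = $0; exit
        }
        END { print val }
    ' "$1"
}

# audit_sshd FILE
# Returns 0 only if PermitRootLogin is "no" and an AllowUsers list exists.
# For AllowUsers only its presence is checked, not who is on the list.
audit_sshd() {
    rc=0
    prl=$(sshd_effective "$1" PermitRootLogin)
    au=$(sshd_effective "$1" AllowUsers)
    if [ "$prl" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin is '$prl'"; rc=1; fi
    if [ "$au" != "unset" ]; then echo "OK   AllowUsers $au"
    else echo "WARN AllowUsers is not set in the global section"; rc=1; fi
    return $rc
}

# Constructed sample: a commented-out line, a later duplicate that loses to
# the first occurrence, and an AllowUsers that only applies inside a Match.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    AllowUsers alice
EOF
audit_sshd "$sample" || echo "=> config needs attention"
rm -f "$sample"
```

On a live host, point `audit_sshd` at /etc/ssh/sshd_config; a commented-out `#PermitRootLogin no` counts as unset, which is the case the sample is built to catch.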



