Date:      Wed, 19 Jul 2006 02:09:45 -0400 (EDT)
From:      "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>
To:        darek@nyi.net (Darek M)
Cc:        freebsd-questions@freebsd.org
Subject:   Re: nologin: Attempted login by root on UNKNOWN
Message-ID:  <200607190609.k6J69jG8003863@himinbjorg.tucs-beachin-obx-house.com>
In-Reply-To: <44BD9E84.1030905@nyi.net>

> 
> Tuc at T-B-O-H.NET wrote:
> >>>> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
> >>>> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: 
> >>>> Attempted login by root on UNKNOWN
> >>>>
> >>>>      I'm not sure who/what/where to start looking.  Ideas?
> >>>>         
> > Hey Darek,
> >
> > 	Good to hear from NYI. :)
> 
> Heh, are you a customer, or just familiar with the company?
>
	NYIIX peer and 25B compatriot.
> 
> > 	SSH is TCPWrapper'd, and only *1* machine in the entire
> > datacenter can access it (Typical "jump box" configuration). 
> >   
> 
> http://lists.debian.org/debian-wnpp/2006/05/msg00092.html
>
	Confused a bit by this reference, but it's been a long
day.
>
> Does root have /bin/nologin for the shell?
>
	No.
>
> If it does, then the UNKNOWN
> would refer to the terminal, just the way the 'nologin' binary is set
> to log to syslog.  Basically means that someone tried to log in as root,
> but before they could even provide a password, the nologin binary kicked
> them off.  That's why the terminal type is set to UNKNOWN because it
> hadn't been set yet.
>
	Are you sure? If I ssh to the machine as "tuc", then su to root
I see:

$ id
uid=1001(tuc) gid=1001(tuc) groups=1001(tuc), 0(wheel)
$ su - spamd
Password:
su: Sorry
$ su -
Password:
asgard# su - spamd
This account is currently not available.

asgard# grep nologin /var/log/spool
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0

	In my example, shouldn't it be saying "spamd" since that's who I
tried to log on as?
> 
> You'll have to figure out how that person is getting access as 
> apparently they are reaching the box.
> 
	I'm just not seeing it. "netstat" isn't showing any TCP
connections out of the ordinary...

		Tuc



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607190609.k6J69jG8003863>
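As an added example (not part of the thread or of FreeBSD's own tools), here is a small Python triage script for the nologin syslog lines discussed above. It assumes the message format shown in the thread, `nologin: Attempted login by USER on TTY`, and interprets it the way the thread's own evidence suggests: USER is the login name of the session that invoked the shell (Tuc's test logs `tuc`, not `spamd`), and TTY is `UNKNOWN` when the caller has no controlling terminal, which is what a defender would expect from a cron job, a daemon, or a remote command run without a pty. The sample log is constructed from the two events quoted in the thread plus one made-up line; the second copy of each event with the `kernel:` prefix is treated as a console echo of the same event and collapsed.

```python
import re
from collections import Counter

# Constructed sample: the two events quoted in the thread, each with its
# "kernel:" echo, plus one invented root/UNKNOWN event at a cron-like time.
SAMPLE_LOG = """\
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 03:00:01 asgard nologin: Attempted login by root on UNKNOWN
"""

# Matches both the plain nologin line and the "kernel:" echo, which repeats
# the same timestamp and hostname before the original message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:kernel: (?P=ts) (?P=host) )?"
    r"nologin: Attempted login by (?P<user>\S+) on (?P<tty>\S+)$"
)


def parse_nologin_events(text):
    """Return (timestamp, host, user, tty) tuples with the kernel echo removed."""
    seen = set()
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = (m["ts"], m["host"], m["user"], m["tty"])
        if event in seen:          # drop the console echo of an event already seen
            continue
        seen.add(event)
        events.append(event)
    return events


def classify(event):
    """Label an event by whether the caller had a controlling terminal.

    Assumption (matches Darek's explanation in the thread): nologin reports
    UNKNOWN for the tty when there is none, so the caller was not an
    interactive session but something like cron, a daemon, or ssh without -t.
    """
    _ts, _host, _user, tty = event
    return "no-tty" if tty == "UNKNOWN" else "interactive"


def summarize(text):
    """Count events per (user, class); root/no-tty is the pattern worth chasing."""
    events = parse_nologin_events(text)
    counts = Counter((user, classify(ev)) for (_ts, _host, user, _tty) in events
                     for ev in [(_ts, _host, user, _tty)])
    return events, dict(counts)


if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LOG)
    for ev in events:
        print(ev, "->", classify(ev))
    print(counts)
```

Running it against a real `/var/log/auth.log` (or whatever file syslog.conf routes `auth.crit` to) gives a quick answer to the question raised in the thread: a `root`/`no-tty` cluster at fixed times points at a scheduled job or daemon on the box itself running `su` into a nologin account, whereas a `/dev/ttyp*` entry is an interactive session whose login name is the person to ask.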