Date: Wed, 19 Jul 2006 02:09:45 -0400 (EDT)
From: "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>
To: darek@nyi.net (Darek M)
Cc: freebsd-questions@freebsd.org
Subject: Re: nologin: Attempted login by root on UNKNOWN
Message-ID: <200607190609.k6J69jG8003863@himinbjorg.tucs-beachin-obx-house.com>
In-Reply-To: <44BD9E84.1030905@nyi.net>
> > Tuc at T-B-O-H.NET wrote:
> >>>> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
> >>>> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin:
> >>>> Attempted login by root on UNKNOWN
> >>>>
> >>>> I'm not sure who/what/where to start looking. Ideas?
> >>>>
> > Hey Darek,
> >
> > Good to hear from NYI. :)
> Heh, are you a customer, or just familiar with the company?

        NYIIX peer and 25B compatriot.

> > SSH is TCPWrapper'd, and only *1* machine in the entire
> > datacenter can access it (Typical "jump box" configuration).
> >
> > http://lists.debian.org/debian-wnpp/2006/05/msg00092.html

        Confused a bit by this reference, but it's been a long day.

> Does root have /bin/nologin for the shell?

        No.

> If it does, then the UNKNOWN
> would refer to the terminal, just the way the 'nologin' binary is set
> to log to syslog. Basically means that someone tried to log in as root,
> but before they could even provide a password, the nologin binary kicked
> them off. That's why the terminal type is set to UNKNOWN because it
> hadn't been set yet.

        Are you sure? If I ssh to the machine as "tuc", then su to root I see:

$ id
uid=1001(tuc) gid=1001(tuc) groups=1001(tuc), 0(wheel)
$ su - spamd
Password:
su: Sorry
$ su -
Password:
asgard# su - spamd
This account is currently not available.
asgard# grep nologin /var/log/spool
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0

        In my example, shouldn't it be saying "spamd" since that's who I tried to log on as?

> > You'll have to figure out how that person is getting access as
> > apparently they are reaching the box.

        I'm just not seeing it. "netstat" isn't showing any TCP connections out of the ordinary...

                                Tuc
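Added example (not part of the thread, and not FreeBSD's own code): a small parser for the "Attempted login by X on Y" lines that the thread is about. In FreeBSD's nologin the first field is the login name of the session that invoked it (getlogin(3)) and the second is the terminal on its standard input (ttyname(3)), each falling back to the string UNKNOWN; that is why Tuc's test logs "tuc", the caller, rather than "spamd", the target account. The script unwraps the duplicate copy that arrives prefixed with "kernel:", counts attempts per (caller, tty), and flags entries with no terminal, which is the case worth chasing when the caller is root. The log lines below are constructed from the ones quoted in the thread, plus one unrelated sshd line the parser must ignore.

```python
import re

# Constructed sample modelled on the lines quoted in the thread (not a real capture):
# two nologin events, each followed by its "kernel:" re-logged copy, and an
# unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:53:10 asgard sshd[1234]: Accepted publickey for tuc from 10.0.0.5 port 51234 ssh2
"""

TS = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d"
# The "kernel:" copy wraps the complete original line; capture the inner part.
KERNEL_COPY = re.compile(rf"^{TS} \S+ kernel: (?P<inner>{TS} \S+ nologin: .*)$")
NOLOGIN = re.compile(
    rf"^(?P<ts>{TS}) (?P<host>\S+) nologin: "
    r"Attempted login by (?P<user>\S+) on (?P<tty>\S+)$"
)


def parse_nologin_events(text):
    """Return one dict per nologin event, collapsing the 'kernel:' duplicates.

    Two genuine attempts by the same caller on the same tty within the same
    second would also collapse into one; acceptable for triage, not for counting.
    """
    events = []
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        m = KERNEL_COPY.match(line)
        if m:
            line = m.group("inner")      # unwrap the relayed copy
        m = NOLOGIN.match(line)
        if not m:
            continue
        key = (m["ts"], m["host"], m["user"], m["tty"])
        if key in seen:
            continue
        seen.add(key)
        events.append({
            "ts": m["ts"],
            "host": m["host"],
            "user": m["user"],            # caller's login session, not the target account
            "tty": m["tty"],              # terminal on nologin's stdin, or UNKNOWN
            "no_tty": m["tty"] == "UNKNOWN",
        })
    return events


def summarize(events):
    """Count attempts per (caller, tty) and list the ones with no terminal."""
    counts = {}
    for e in events:
        k = (e["user"], e["tty"])
        counts[k] = counts.get(k, 0) + 1
    flagged = [e for e in events if e["no_tty"]]
    return counts, flagged


if __name__ == "__main__":
    evs = parse_nologin_events(SAMPLE_LOG)
    counts, flagged = summarize(evs)
    for (user, tty), n in sorted(counts.items()):
        print(f"{user:<8} {tty:<12} {n}")
    for e in flagged:
        print("no tty:", e["ts"], e["host"], "caller", e["user"])
```

Run it against /var/log/messages (or wherever auth.* is routed) instead of the sample; a root entry with no tty means something that already ran as root, with no terminal attached, executed a shell of nologin, which is a different question from "who is logging in as root".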