Date: Fri, 12 Feb 2010 11:48:30 -0800 (PST)
From: Dino Vliet <dino_vliet@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: sshd: did this one get a password prompt?
Message-ID: <319226.90868.qm@web51106.mail.re2.yahoo.com>

Hi freebsd people,

My sshd_config file doesn't have root listed in the AllowUsers directive. So every time I see entries like the following in my logs:

Feb 12 01:23:54 dual sshd[11016]: User root from 208.75.83.30 not allowed because not listed in AllowUsers
Feb 12 04:07:43 dual sshd[11775]: Did not receive identification string from 218.65.110.180
Feb 12 04:11:05 dual sshd[11790]: User root from 218.65.110.180 not allowed because not listed in AllowUsers

That looks "normal".

However, today I saw the following entries in my log:

Did not receive identification string from 202.98.244.20
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2

That "scared" me because I didn't think a root session would get a password prompt, because of the fact that I have configured my sshd_config file where AllowUsers doesn't contain root!

The other thing that "scared" me was that I have this section in my pf file for ssh traffic:

(max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global)

It seems to me that this 202.98.244 violated that long ago but still it lasted a few times before this address was added to the bruteforce table.

What do you think?

Thanks in advance.
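
An added example, not part of the original message: a small Python parser that groups the timestamped sshd lines quoted above by source address and sshd PID, so the number of connections can be compared with the number of failed authentication attempts. It assumes one sshd PID per TCP connection, takes the year from the message date, and models the 2/30 rate check as a simple sliding window (an assumption, not pf's own counter); the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Timestamped lines copied from the message above (soft line breaks repaired).
LOG = """\
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
SRC = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def summarize(log, year=2010):
    """Per source IP: first-seen time of each sshd PID, failed auths, AllowUsers denials."""
    stats = defaultdict(lambda: {"conns": {}, "failed": 0, "denied": 0})
    for raw in log.splitlines():
        m, src = LINE.match(raw), SRC.search(raw)
        if not (m and src):
            continue  # lines without a timestamp or source address are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        s = stats[src.group(1)]
        s["conns"].setdefault(m.group(2), ts)  # assumption: one PID == one connection
        if m.group(3).startswith("Failed "):
            s["failed"] += 1
        elif "not allowed because not listed in AllowUsers" in m.group(3):
            s["denied"] += 1
    return stats

def exceeds_rate(conn_times, limit=2, window=30):
    """Simplified model: True if more than `limit` connections start within `window` seconds."""
    t = sorted(conn_times)
    return any((t[i + limit] - t[i]).total_seconds() <= window for i in range(len(t) - limit))

if __name__ == "__main__":
    for ip, s in summarize(LOG).items():
        print(ip, len(s["conns"]), "connections,", s["failed"], "failed auths,",
              "over 2/30:", exceeds_rate(s["conns"].values()))
```

For the quoted lines this reports two connections carrying four failed attempts from 202.98.244.20. The line without a timestamp is not counted.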