From owner-freebsd-questions@FreeBSD.ORG Fri Feb 12 19:48:31 2010
From: Dino Vliet
To: freebsd-questions@freebsd.org
Date: Fri, 12 Feb 2010 11:48:30 -0800 (PST)
Subject: sshd: did this one get a password prompt?

Hi freebsd people,

My sshd_config file doesn't have root listed in the AllowUsers directive. So every time I see entries like the following in my logs:

Feb 12 01:23:54 dual sshd[11016]: User root from 208.75.83.30 not allowed because not listed in AllowUsers
Feb 12 04:07:43 dual sshd[11775]: Did not receive identification string from 218.65.110.180
Feb 12 04:11:05 dual sshd[11790]: User root from 218.65.110.180 not allowed because not listed in AllowUsers

That looks "normal". However, today I saw the following entries in my log:

Did not receive identification string from 202.98.244.20
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2

That "scared" me because I didn't think a root session would get a password prompt, because of the fact that I have configured my sshd_config file where AllowUsers doesn't contain root!

The other thing that "scared" me was that I have this section in my pf file for ssh traffic: (max-src-conn 3, max-src-conn-rate 2/30, overload flush global)

It seems to me that this 202.98.244 violated that long ago but still it lasted a few times before this address was added to the bruteforce table.

What do you think?

Thanks in advance.
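The two questions in the post are easier to answer with the log lines grouped the way sshd and pf actually see them: sshd logs one pid per TCP connection, and "not allowed because not listed in AllowUsers" marks the user as invalid while the keyboard-interactive exchange still runs to completion (every attempt then fails, as the "Failed keyboard-interactive/pam for invalid user" lines show); pf's max-src-conn-rate counts new connections from a source, not authentication attempts inside one connection. The script below is an added example, not code from the post or from FreeBSD: it parses the lines quoted above, groups them per source address and per sshd pid, counts how many connections were denied by AllowUsers and how many PAM attempts followed anyway, and estimates at which connection a "more than N new connections in S seconds" rule would trip. Assumptions: the year 2010 (syslog timestamps carry none), the untimestamped "Did not receive identification string" line from the post is omitted because it cannot be placed in time, the rate check is a simple sliding-window approximation of pf's moving average, and the burst sample using 203.0.113.7 is constructed.

```python
"""Group sshd log lines per source and per connection, and estimate when a
pf-style max-src-conn-rate limit would trip.

Added example; not code from the mailing-list post or from FreeBSD.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2010  # assumed: syslog timestamps carry no year

# One sshd pid == one TCP connection; the message after the pid tells us what happened.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
DENIED_RE = re.compile(
    r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because not listed in AllowUsers"
)
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
NOIDENT_RE = re.compile(r"Did not receive identification string from (?P<ip>\S+)")

# Lines quoted in the post (timestamped ones only).
SAMPLE = """\
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 04:07:43 dual sshd[11775]: Did not receive identification string from 218.65.110.180
Feb 12 04:11:05 dual sshd[11790]: User root from 218.65.110.180 not allowed because not listed in AllowUsers
"""

# Constructed burst (RFC 5737 documentation address): three connections in 13 s.
BURST_SAMPLE = """\
Feb 12 14:06:12 dual sshd[20001]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Feb 12 14:06:18 dual sshd[20002]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Feb 12 14:06:25 dual sshd[20003]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
"""


def parse_line(line):
    """Return an event dict (kind, ts, pid, ip, ...) or None for lines we do not classify."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, rx in (("denied", DENIED_RE), ("failed", FAILED_RE), ("noident", NOIDENT_RE)):
        mm = rx.search(m["msg"])
        if mm:
            ev = mm.groupdict()
            ev.update(kind=kind, ts=ts, pid=int(m["pid"]))
            return ev
    return None  # e.g. the "error: PAM: ..." lines; the pid is still seen via other lines


def first_rate_violation(times, number, seconds):
    """Index of the first connection at which more than `number` connections fall
    inside a trailing `seconds` window; None if never.  Simplified model of pf's
    max-src-conn-rate number/seconds (pf uses a moving average, so approximate)."""
    times = sorted(times)
    for i, t in enumerate(times):
        window_start = t - timedelta(seconds=seconds)
        if sum(1 for u in times[: i + 1] if u > window_start) > number:
            return i
    return None


def summarize(lines, number=2, seconds=30):
    """Per source IP: connections seen, how many were denied by AllowUsers, how many
    PAM attempts still happened, and where a number/seconds rate rule would trip."""
    per_ip = defaultdict(lambda: {"pids": {}, "denied": set(), "failed": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_ip[ev["ip"]]
        rec["pids"].setdefault(ev["pid"], ev["ts"])  # first sighting == connection time
        if ev["kind"] == "denied":
            rec["denied"].add(ev["pid"])
        elif ev["kind"] == "failed":
            rec["failed"] += 1
    return {
        ip: {
            "connections": len(rec["pids"]),
            "denied_connections": len(rec["denied"]),
            "failed_attempts": rec["failed"],
            "rate_trip": first_rate_violation(list(rec["pids"].values()), number, seconds),
        }
        for ip, rec in per_ip.items()
    }


if __name__ == "__main__":
    for label, text in (("post", SAMPLE), ("constructed burst", BURST_SAMPLE)):
        for ip, s in summarize(text.splitlines()).items():
            print(label, ip, s)
```

For the quoted lines the script reports two connections from 202.98.244.20 (pids 12837 and 12841), both denied by AllowUsers, with four failed keyboard-interactive attempts spread across them and no trip of a 2/30 rate rule, which matches the post: the prompts were served inside two connections, the denials were final, and only new connections count toward the pf limit. The constructed burst trips at its third connection.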