From owner-freebsd-security Tue Nov 28 2:53:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (pool52-tch-1.Sofia.0rbitel.net [212.95.170.52])
	by hub.freebsd.org (Postfix) with SMTP id D984837B400
	for ; Tue, 28 Nov 2000 02:53:52 -0800 (PST)
Received: (qmail 10284 invoked by uid 1000); 28 Nov 2000 10:53:15 -0000
Date: Tue, 28 Nov 2000 12:53:14 +0200
From: Peter Pentchev
To: Richard Ward
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: *login
Message-ID: <20001128125314.A9810@ringworld.oblivion.bg>
Mail-Followup-To: Richard Ward , freebsd-security@FreeBSD.ORG
References: <028e01c0586d$fb1c7680$0101a8c0@pavilion> <20001127144953.C420@ringworld.oblivion.bg> <000b01c0588d$0138b320$0101a8c0@pavilion>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000b01c0588d$0138b320$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Nov 27, 2000 at 11:13:38AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 27, 2000 at 11:13:38AM -0500, Richard Ward wrote:
> I saw the login running with the -h option for long periods of time on
> numerous ip addresses, but not with "high risk" host names (dialup, aol,
> etc) None of which I can recognize as a regular user's host name, maybe
> someone who is trying to login with telnet/ssh unsuccessfully?

If you are seeing something like (from a ps axwww | fgrep login)

  root 10261 0.0 1.0 1044 612 p0 Ss+ 12:50PM 0:00.01 login -h pool52-tch-1.Sofia.0rbitel.net -p

then yes, this is a still unauthenticated incoming connection, spawned
by either telnetd or sshd (if compiled with the --with-login option
to finish incoming connections with login(1)).

This is truly normal, and may only be worked around by
1. using tcp-wrappers, or
2. using a firewall :)

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.
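Added example, not part of the original message: one way to summarise the "login -h <host>" processes described above, counting the pending (not yet authenticated) login(1) processes per remote host from ps output. The function names pending_logins and sample_ps are hypothetical, and every sample line except the first (which is the one quoted in the message) is constructed.

```shell
#!/bin/sh
# pending_logins [MIN]
# Read ps(1) output on stdin and print "<count> <host>" for each remote host
# that has at least MIN (default 1) processes of the form "login -h <host> ...".
pending_logins() {
    awk -v min="${1:-1}" '
    {
        for (i = 1; i <= NF - 2; i++) {
            # The command word itself ("login" or a path ending in /login)
            # followed by -h and the remote host name. A line such as
            # "fgrep login" has no -h after it and is skipped.
            if (($i == "login" || $i ~ /\/login$/) && $(i + 1) == "-h") {
                count[$(i + 2)]++
                break
            }
        }
    }
    END {
        for (h in count)
            if (count[h] >= min) printf "%d %s\n", count[h], h
    }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Sample input. First line is from the message; the rest is constructed.
sample_ps() {
    cat <<'EOF'
root 10261 0.0 1.0 1044 612 p0 Ss+ 12:50PM 0:00.01 login -h pool52-tch-1.Sofia.0rbitel.net -p
root 10262 0.0 1.0 1044 612 p1 Ss+ 12:51PM 0:00.01 login -h host-a.example.net -p
root 10263 0.0 1.0 1044 612 p2 Ss+ 12:51PM 0:00.01 login -h host-a.example.net -p
root 10240 0.0 0.9 2240 580 ?? Is 12:31PM 0:00.02 /usr/sbin/sshd
user 10290 0.0 0.3 872 240 p3 S+ 12:52PM 0:00.00 fgrep login
EOF
}

# Demonstration on the sample; on a live host use: ps axwww | pending_logins
sample_ps | pending_logins
```

A host that keeps a high count across repeated runs is a candidate for the tcp-wrappers or firewall rule the message mentions.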