Date: Tue, 28 Nov 2000 12:53:14 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Richard Ward <mh@neonsky.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: *login
Message-ID: <20001128125314.A9810@ringworld.oblivion.bg>
In-Reply-To: <000b01c0588d$0138b320$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Nov 27, 2000 at 11:13:38AM -0500
References: <028e01c0586d$fb1c7680$0101a8c0@pavilion> <20001127144953.C420@ringworld.oblivion.bg> <000b01c0588d$0138b320$0101a8c0@pavilion>

On Mon, Nov 27, 2000 at 11:13:38AM -0500, Richard Ward wrote:
> I saw the login running with the -h option for long periods of time on
> numerous ip addresses, but not with "high risk" host names (dialup, aol,
> etc) None of which I can recognize as a regular user's host name, maybe
> someone who is trying to login with telnet/ssh unsuccessfully?

If you are seeing something like (from a ps axwww | fgrep login)

root 10261 0.0 1.0 1044 612 p0 Ss+ 12:50PM 0:00.01 login -h pool52-tch-1.Sofia.0rbitel.net -p

then yes, this is a still unauthenticated incoming connection, spawned
by either telnetd or sshd (if compiled with the --with-login option
to finish incoming connections with login(1)).

This is truly normal, and may only be worked around by
1. using tcp-wrappers, or
2. using a firewall :)

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.
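
Added example, not part of the original message: a shell filter that pulls the `login -h <host>` entries out of ps output and counts them per remote host, so the hosts worth a tcp-wrappers or firewall rule stand out. It assumes the `ps auxwww` column layout of the sample line in the message (command word in field 11); the function names and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `ps auxwww` layout (assumption: command starts at field 11).
# Host names are documentation placeholders, not taken from the message.
SAMPLE='root 10261 0.0 1.0 1044 612 p0 Ss+ 12:50PM 0:00.01 login -h host-a.example.net -p
root 10270 0.0 1.0 1044 612 p1 Ss+ 12:51PM 0:00.01 login -h host-b.example.net -p
root 10302 0.0 1.0 1044 612 p2 Ss+ 12:58PM 0:00.01 login -h host-a.example.net -p
alice 10310 0.0 0.4 1320 820 p3 Ss 1:02PM 0:00.05 -sh (sh)
root 10333 0.0 0.1 300 200 p4 S+ 1:03PM 0:00.00 fgrep login'

# Read ps output on stdin; print "pid start-time remote-host" for every
# process whose command word is login (with or without a path) followed by -h.
# Matching on field 11 only keeps the "fgrep login" line itself out of the result.
pending_logins() {
    awk 'NF >= 13 && ($11 == "login" || $11 ~ /\/login$/) && $12 == "-h" {
        print $2, $9, $13
    }'
}

# Read ps output on stdin; print "count host", busiest host first.
hosts_by_count() {
    pending_logins |
        awk '{ n[$3]++ } END { for (h in n) print n[h], h }' |
        sort -k1,1nr -k2,2
}

# Read ps output on stdin; print hosts holding at least $1 pending logins.
noisy_hosts() {
    hosts_by_count | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demonstration on the constructed sample.
# On a live system the input would be:  ps auxwww | hosts_by_count
printf '%s\n' "$SAMPLE" | hosts_by_count
```
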