From owner-freebsd-security@FreeBSD.ORG Mon Jun 28 21:00:50 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EAC616A4CE for ; Mon, 28 Jun 2004 21:00:50 +0000 (GMT) Received: from metafocus.net (cbshost-12-155-142-123.sbcox.net [12.155.142.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FFCB43D48 for ; Mon, 28 Jun 2004 21:00:50 +0000 (GMT) (envelope-from mudman@metafocus.net) Received: from metafocus.net (localhost [127.0.0.1]) by metafocus.net (8.12.10/8.12.10) with ESMTP id i5SLDPFN008267; Mon, 28 Jun 2004 14:13:25 -0700 (PDT) (envelope-from mudman@metafocus.net) Received: from localhost (mudman@localhost)i5SLDPAX008264; Mon, 28 Jun 2004 14:13:25 -0700 (PDT) (envelope-from mudman@metafocus.net) Date: Mon, 28 Jun 2004 14:13:25 -0700 (PDT) From: Dave To: Neo-Vortex In-Reply-To: <20040627111832.D59990@Neo-Vortex.Ath.Cx> Message-ID: <20040628140305.F8244@metafocus.net> References: <20040626131219.T1249@metafocus.net> <20040627111832.D59990@Neo-Vortex.Ath.Cx> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: ttyv for local only? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2004 21:00:50 -0000 Hmm, I think I am in some kind of trouble. I have been getting login errors on ttyv that definitely couldn't be me. The only other person who lives with me is my wife, and it isn't her either. qmail, popa3d, etc.. I am even getting them on my ftp too. If someone had root access, they should be able to know what I am running on my system rather than trying these idiotic logins. In fact, they could telnet to my mail port and look for the Sendmail greeting to know that I don't run qmail, or portping 125 to see if I am running any kind of POP3 server. A piece of me feels it is just some internet sweeper that mindlessly tries logging in or ftping to certain things, and moves to the next IP address. I am also wondering if it is just a syslogd thing that the login failures were simply reported on ttyv2 rather than actually happening there, but then why not ttyv0, which is the 'main' thing it prints to? I recently just backed up my system so I'm not feeling that bad but.... but... how? There is no sense in making the same mistake twice. I could run cvsup, compile a fresh binary of sockstat and ps to see if anything is running... I'll consider turning snp off and recompiling my kernel. But that would just get rid of the messages, not help me get to the heart of it. On Sun, 27 Jun 2004, Neo-Vortex wrote: > Hmmm, ttyv* is for local console's only (normally anyway) and ttyp* is for > remote (ssh, screen, telnet, etc), are you sure some idiot didnt try to > logon as qmaild in the third console when you wernt looking? > > On Sat, 26 Jun 2004, Dave wrote: > > > > > I get this in my security postings. > > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2 > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2, qmaild > > > > As it turns out, I'm not running qmail :) And if I did, it would > > definitely have a nologin shell. But that's beside the point- > > > > I have had a perception that ttyv was for local/console logins, and that > > just "tty" was for remote logins. > > > > Is my understanding wrong here? > > > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > >