From owner-freebsd-questions@FreeBSD.ORG Wed Jul 19 02:52:56 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F151F16A4DD
	for ; Wed, 19 Jul 2006 02:52:56 +0000 (UTC)
	(envelope-from darek@nyi.net)
Received: from m.kolocation.com (m.nyi.net [66.111.12.250])
	by mx1.FreeBSD.org (Postfix) with SMTP id 6BF5C43D46
	for ; Wed, 19 Jul 2006 02:52:56 +0000 (GMT)
	(envelope-from darek@nyi.net)
Received: (qmail 56879 invoked by uid 89); 19 Jul 2006 02:52:53 -0000
Received: from unknown (HELO ?192.168.0.50?) (24.184.49.86)
	by 0 with SMTP; 19 Jul 2006 02:52:53 -0000
Message-ID: <44BD9E84.1030905@nyi.net>
Date: Tue, 18 Jul 2006 22:52:52 -0400
From: Darek M
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: "Tuc at T-B-O-H.NET"
References: <200607190234.k6J2YtN0004985@himinbjorg.tucs-beachin-obx-house.com>
In-Reply-To: <200607190234.k6J2YtN0004985@himinbjorg.tucs-beachin-obx-house.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: nologin: Attempted login by root on UNKNOWN
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 19 Jul 2006 02:52:57 -0000

Tuc at T-B-O-H.NET wrote:
>>>> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
>>>> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin:
>>>> Attempted login by root on UNKNOWN
>>>>
>>>> I'm not sure who/what/where to start looking. Ideas?
>>>>
> Hey Darek,
>
> Good to hear from NYI. :)
>

Heh, are you a customer, or just familiar with the company?

> SSH is TCPWrapper'd, and only *1* machine in the entire
> datacenter can access it (Typical "jump box" configuration).
> http://lists.debian.org/debian-wnpp/2006/05/msg00092.html

Does root have /bin/nologin for the shell?

If it does, then the UNKNOWN would refer to the terminal. Just the way the 'nologin' binary is set to log to syslog.

Basically means that someone tried to log in as root, but before they could even provide a password, the nologin binary kicked them off. That's why the terminal type is set to UNKNOWN because it hadn't been set yet.

You'll have to figure out how that person is getting access as apparently they are reaching the box.

- Darek
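
Added example, not part of the original message: a small triage script for the log lines discussed in this thread. It tallies nologin refusals per user and terminal, counting a record relayed through `kernel:` once with its original, and lists accounts whose shell is a nologin binary. The function names and both samples are constructed for illustration, and it assumes that any shell path ending in `/nologin` is a nologin binary.

```shell
#!/bin/sh
# Added example: summarise nologin refusals in syslog text and list the
# accounts whose login shell is a nologin binary.

# Constructed log sample; the first two lines mirror the pair quoted above.
sample_log() {
cat <<'EOF'
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:07 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:25:10 asgard nologin: Attempted login by operator on ttyp0
Jul 18 14:30:41 asgard sshd[812]: Accepted publickey for alice from 192.0.2.10 port 4022 ssh2
EOF
}

# Constructed passwd(5)-style sample (shell is the last colon field).
sample_passwd() {
cat <<'EOF'
# comment line, as found in /etc/passwd on FreeBSD
root:*:0:0:Charlie &:/root:/bin/nologin
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
EOF
}

# stdin: syslog text. stdout: "<count> <user> <tty>" per user/tty pair.
# A record relayed through "kernel:" is counted once with its original.
nologin_events() {
    awk '
    { relayed = sub(/^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ kernel: /, "") }
    $5 ~ /^nologin(\[[0-9]+\])?:$/ && $6 == "Attempted" && $8 == "by" {
        if (relayed) relay[$0]++; else direct[$0]++
        pair[$0] = $9 " " $11
    }
    END {
        for (r in pair) {
            d = direct[r] + 0; k = relay[r] + 0
            total[pair[r]] += (d > k) ? d : k
        }
        for (p in total) print total[p], p
    }' | sort -k2
}

# stdin: passwd-format text. stdout: "<user> <shell>" for nologin shells.
nologin_accounts() {
    awk -F: '!/^#/ && $NF ~ /\/nologin$/ { print $1, $NF }'
}

sample_log | nologin_events
sample_passwd | nologin_accounts
```

On a real host, pipe the relevant syslog file into `nologin_events` and `/etc/passwd` into `nologin_accounts`; a user that appears in both outputs is an account whose refusals come from its shell setting rather than from a failed password.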