nologin: Attempted login by root on UNKNOWN
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Wed Jul 19 02:34:58 UTC 2006
> >> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
> >> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin:
> >> Attempted login by root on UNKNOWN
> >>
> >> I'm not sure who/what/where to start looking. Ideas?
>
Hey Darek,
Good to hear from NYI. :)
> I believe that I've seen this before. If I remember correctly, the
> UNKNOWN part happens because the connection was closed before sshd or
> the system got info on the client's host. This is probably not very
> accurate, but the overall result was that it was not cause for concern.
>
> The only thing that this shows is that ssh is open to anyone, so you
> might want to close it with a firewall, or within /etc/ssh/sshd_config
> with the AllowUsers directive. Also within that file, you probably
> should have PermitRootLogin set to "no".
>
SSH is TCPWrapper'd, and only *1* machine in the entire
datacenter can access it (Typical "jump box" configuration).
>
> Also look at the output of 'last' and 'last -f /var/log/wtmp.0 ...
> wtmp.N' just to make sure root didn't log in.
>
Nope, root didn't.
It's just really weird that all of a sudden it started @1:30
today and hasn't stopped since.
Tuc/TBOH
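
An added example, not part of the original message: a Python triage of the nologin syslog entries quoted above, collapsing the console copy logged under `kernel:` and reporting when the entries began and how many arrive per hour. The sample lines, the `year` argument and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format quoted in the thread (not real logs).
SAMPLE = """\
Jul 18 13:30:11 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:11 asgard kernel: Jul 18 13:30:11 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:45:40 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:22:10 asgard sshd[411]: unrelated constructed line
"""

# One nologin record; search() also finds it inside the "kernel:" console echo.
EVENT = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) nologin: "
    r"Attempted login by (?P<user>\S+) on (?P<where>\S+)\s*$"
)

def parse(text, year):
    """Return sorted unique (time, host, user, where) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    The set drops the echoed copy; it also merges real repeats within one second.
    """
    seen = set()
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            when = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            seen.add((when, m["host"], m["user"], m["where"]))
    return sorted(seen)

def summarize(events):
    """First/last sighting, total, per-hour counts and per-(user, where) counts."""
    return {
        "first": events[0][0] if events else None,
        "last": events[-1][0] if events else None,
        "count": len(events),
        "per_hour": Counter(e[0].strftime("%Y-%m-%d %H") for e in events),
        "by_account": Counter((e[2], e[3]) for e in events),
    }

if __name__ == "__main__":
    s = summarize(parse(SAMPLE, 2006))
    print("first:", s["first"], "last:", s["last"], "total:", s["count"])
    for hour, n in sorted(s["per_hour"].items()):
        print(hour, n)
```

The first timestamp and the hourly counts can then be lined up against cron schedules and the jump box's own connection logs for the same window.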