nologin: Attempted login by root on UNKNOWN
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Wed Jul 19 06:09:48 UTC 2006
>
> Tuc at T-B-O-H.NET wrote:
> >>>> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
> >>>> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin:
> >>>> Attempted login by root on UNKNOWN
> >>>>
> >>>> I'm not sure who/what/where to start looking. Ideas?
> >>>>
> > Hey Darek,
> >
> > Good to hear from NYI. :)
>
> Heh, are you a customer, or just familiar with the company?
>
NYIIX peer and 25B compatriot.
>
> > SSH is TCPWrapper'd, and only *1* machine in the entire
> > datacenter can access it (Typical "jump box" configuration).
> >
>
> http://lists.debian.org/debian-wnpp/2006/05/msg00092.html
>
Confused a bit by this reference, but it's been a long
day.
>
> Does root have /bin/nologin for the shell?
>
No.
>
> If it does, then the UNKNOWN
> would refer to the terminal, Just the way the 'nologin' binary is set
> to log to syslog. Basically means that someone tried to log in as root,
> but before they could even provide a password, the nologin binary kicked
> them off. That's why the terminal type is set to UNKNOWN because it
> hadn't been set yet.
>
Are you sure? If I ssh to the machine as "tuc", then su to root
I see:
$ id
uid=1001(tuc) gid=1001(tuc) groups=1001(tuc), 0(wheel)
$ su - spamd
Password:
su: Sorry
$ su -
Password:
asgard# su - spamd
This account is currently not available.
asgard# grep nologin /var/log/spool
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
In my example, shouldn't it be saying "spamd" since that's who I
tried to log on as?
>
> You'll have to figure out how that person is getting access as
> apparently they are reaching the box.
>
I'm just not seeing it. "netstat" isn't showing any TCP
connections out of the ordinary...
Tuc
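As an added illustration (not code from this thread and not FreeBSD's own nologin(8) source), here is a simplified reconstruction of how a nologin-style shell composes the syslog line quoted above. It assumes the usual shape of such a program: the name it logs comes from getlogin(3) of the session that invoked it (falling back to the real uid), not from the account whose shell it is, and the terminal falls back to the literal string UNKNOWN when stdin is not a tty. That explains why the session above logged "tuc" rather than "spamd", and why a caller with no controlling terminal (a script, cron, or an ssh session without a pty) would show "UNKNOWN". The function names are my own.

```c
/*
 * Added example, not FreeBSD's nologin(8): a simplified reconstruction
 * of how a nologin-style login shell builds its syslog message.
 *   - the user logged is the caller's login name (getlogin(3)), which
 *     su(1) does not change, so "su - spamd" from tuc logs "tuc";
 *   - the tty is "UNKNOWN" when stdin is not a terminal.
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define UNKNOWN_NAME "UNKNOWN"

/* Name of the user who invoked us: session login name first, then real uid. */
const char *caller_name(char *buf, size_t n)
{
    const char *name = getlogin();
    if (name == NULL) {
        struct passwd *pw = getpwuid(getuid());
        name = pw ? pw->pw_name : UNKNOWN_NAME;
    }
    snprintf(buf, n, "%s", name);
    return buf;
}

/* Terminal attached to fd, or "UNKNOWN" when fd is not a tty. */
const char *tty_or_unknown(int fd)
{
    const char *tty = ttyname(fd);
    return tty ? tty : UNKNOWN_NAME;
}

/* Compose the exact message shape seen in the log lines in this thread. */
int format_nologin_message(const char *user, const char *tty,
                           char *buf, size_t n)
{
    return snprintf(buf, n, "Attempted login by %s on %s", user, tty);
}

int main(void)
{
    char who[64], msg[256];

    caller_name(who, sizeof who);
    format_nologin_message(who, tty_or_unknown(STDIN_FILENO), msg, sizeof msg);

    /* Log via the auth facility, as the "nologin:" prefix in syslog shows. */
    openlog("nologin", LOG_CONS, LOG_AUTH);
    syslog(LOG_CRIT, "%s", msg);
    closelog();

    printf("This account is currently not available.\n");
    return 1;
}
```

Run it as a normal user with stdin attached to a terminal and the syslog line names that user and tty; run it with stdin redirected from a pipe (or from cron) and the tty field becomes UNKNOWN. When hunting the source of a "root on UNKNOWN" entry, that points at something running as root without a terminal, such as a cron job or startup script invoking an account whose shell is nologin, rather than at an interactive login.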