sshd: did this one get a password prompt?

Dino Vliet dino_vliet at yahoo.com
Fri Feb 12 19:48:31 UTC 2010


Hi freebsd people,
My sshd_config file doesn't have root listed in the AllowUsers directive. So every time I see entries like the following in my logs:
Feb 12 01:23:54 dual sshd[11016]: User root from 208.75.83.30 not allowed because not listed in AllowUsers
Feb 12 04:07:43 dual sshd[11775]: Did not receive identification string from 218.65.110.180
Feb 12 04:11:05 dual sshd[11790]: User root from 218.65.110.180 not allowed because not listed in AllowUsers

That looks "normal".
However, today I saw the following entries in my log:
Did not receive identification string from 202.98.244.20
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2


That "scared" me because I didn't think a root session would get a password prompt, because of the fact that I have configured my sshd_config file where AllowUsers doesn't contain root!
The other thing that "scared" me was that I have this section in my pf file for ssh traffic: (max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global)
It seems to me that this 202.98.244 violated that long ago, but still it lasted a few times before this address was added to the bruteforce table.
What do you think?
Thanks in advance.
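The two things the post asks about can both be checked mechanically from the log: whether an sshd child that logged an AllowUsers denial went on to log keyboard-interactive/PAM failures for the same source, and how many separate connections a source opened inside the 30-second window that the quoted pf rule uses. The following parser is an added example written for this page, not code from the post or from FreeBSD; it reuses the log lines quoted above as constructed sample input. It assumes the message wording of the OpenSSH version shown in the post, assumes the year 2010 (syslog lines carry none), and treats each distinct `sshd[pid]` as one accepted TCP connection, since OpenSSH forks one child per connection. The function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the sshd lines quoted in the post. The "Did not receive
# identification string" line for 202.98.244.20 was posted without its syslog
# prefix and is kept that way to show how an unparseable line is handled.
SAMPLE_LOG = """\
Feb 12 01:23:54 dual sshd[11016]: User root from 208.75.83.30 not allowed because not listed in AllowUsers
Feb 12 04:07:43 dual sshd[11775]: Did not receive identification string from 218.65.110.180
Feb 12 04:11:05 dual sshd[11790]: User root from 218.65.110.180 not allowed because not listed in AllowUsers
Did not receive identification string from 202.98.244.20
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message bodies as quoted in the post (assumption: other OpenSSH versions
# may word some of these differently), each mapped to an event kind.
MESSAGE_RES = [
    ("allowusers_deny", re.compile(r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because not listed in AllowUsers$")),
    ("pam_error", re.compile(r"^error: PAM: authentication error for illegal user (?P<user>\S+) from (?P<src>\S+)$")),
    ("pam_fail", re.compile(r"^Failed keyboard-interactive/pam for invalid user (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$")),
    ("no_ident", re.compile(r"^Did not receive identification string from (?P<src>\S+)$")),
]


def parse_log(text, year=2010):
    """Parse syslog text into event dicts; the year is supplied by the caller
    (assumed 2010, the date of the post). Lines without the prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, msg_re in MESSAGE_RES:
            mm = msg_re.match(m["msg"])
            if mm:
                events.append({"ts": ts, "pid": int(m["pid"]), "kind": kind, **mm.groupdict()})
                break
    return events


def prompted_after_deny(events):
    """{pid: (src, user, pam_fail_count)} for every sshd child that logged an
    AllowUsers denial and then still logged keyboard-interactive/PAM failures.
    This is exactly the pattern the post is worried about; every attempt fails."""
    denied = {}
    fails = defaultdict(int)
    for ev in events:
        if ev["kind"] == "allowusers_deny":
            denied[ev["pid"]] = (ev["src"], ev["user"])
        elif ev["kind"] == "pam_fail" and ev["pid"] in denied:
            fails[ev["pid"]] += 1
    return {pid: (*denied[pid], n) for pid, n in fails.items()}


def peak_connections_per_window(events, window_seconds=30):
    """Per source: the most distinct sshd children (one per accepted TCP
    connection) whose first log line falls inside any window_seconds span.
    Compare with pf's max-src-conn-rate N/window; pf counts at the TCP level,
    so what reaches the log is a lower bound."""
    first_seen = {}
    for ev in events:
        first_seen.setdefault((ev["src"], ev["pid"]), ev["ts"])
    per_src = defaultdict(list)
    for (src, _pid), ts in first_seen.items():
        per_src[src].append(ts)
    peaks = {}
    for src, times in per_src.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):  # sliding window over sorted start times
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pid, (src, user, n) in sorted(prompted_after_deny(evs).items()):
        print(f"sshd[{pid}]: {user}@{src} denied by AllowUsers, then {n} PAM failures logged")
    for src, peak in sorted(peak_connections_per_window(evs).items()):
        print(f"{src}: at most {peak} new connection(s) in any 30 s window")
```

On the sample, both children 12837 and 12841 are flagged with two failed keyboard-interactive attempts each, and 202.98.244.20 shows two connections in one 30-second window from the lines that reached the log; the un-prefixed "Did not receive identification string" line is dropped by the parser, so a third connection in the same window would only be visible at the firewall, which is why the log-derived count is a lower bound for what pf's `max-src-conn-rate` sees.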