ttyv for local only?

Andrew Johns ajohns at firstpointglobal.com
Tue Jun 29 17:57:46 PDT 2004 

Is your syslogd allowing remote access from the 'net?  In light of the
fact that no one should be able to physically stand at the console, it
sounds as though someone is sending spurious entries to it... or else your
box has been compromised and they're using other methods for fun, although
why they would do this if it's already compromised is a good question...

HTH
dm


> console none                            unknown off secure
> ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
> # Virtual terminals
> ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv2   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv3   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv4   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv6   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv7   "/usr/libexec/getty Pc"         cons25  on  secure
> ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure
> ---
>
> I don't really see a problem here.  My mystery logins are actually still
> continuing.  I'm going to see if I can code a mousetrap to find out who is
> doing it.  I did a fresh source compile of world from the latest cvsup for
> 5.2.1 REL, and ran mergemaster to look for differing startup scripts...
>
> No luck yet.  I wrote down the byte-sizes of sockstat, ps, and getty on a
> piece of paper.  I'm going to watch them over the next couple of days.
>
> On Mon, 28 Jun 2004, Igor Roshchin wrote:
>
>> You might want to check your /etc/ttys file,
>> if it still shows ttyv* as for the console logins or for network logins.
>>
>> Igor
>>
>>
>> Igor Roshchin
>> System Administrator
>> KomKon Sites
>>
>>
>> > From igor at giganda.komkon.org Mon Jun 28 18:19:49 2004
>> > Date: Mon, 28 Jun 2004 14:13:25 -0700 (PDT)
>> > From: Dave <mudman at metafocus.net>
>> > To: Neo-Vortex <root at Neo-Vortex.Ath.Cx>
>> > Cc: freebsd-security at freebsd.org
>> > Subject: Re: ttyv for local only?
>> >
>> >
>> >
>> > Hmm, I think I am in some kind of trouble.  I have been getting login
>> > errors on ttyv that definitely couldn't be me.  The only other person
>> who
>> > lives with me is my wife, and it isn't her either.
>> >
>> > qmail, popa3d, etc..   I am even getting them on my ftp too.
>> >
>> > If someone had root access, they should be able to know what I am
>> running
>> > on my system rather than trying these idiotic logins.  In fact, they
>> could
>> > telnet to my mail port and look for the Sendmail greeting to know that
>> I
>> > don't run qmail, or portping 125 to see if I am running any kind of
>> POP3
>> > server.  A piece of me feels it is just some internet sweeper that
>> > mindlessly tries logging in or ftping to certain things, and moves to
>> the
>> > next IP address.  I am also wondering if it is just a syslogd thing
>> that
>> > the login failures were simply reported on ttyv2 rather than actually
>> > happening there, but then why not ttyv0, which is the 'main' thing it
>> > prints to?
>> >
>> > I recently just backed up my system so I'm not feeling that bad
>> but....
>> > but...  how?  There is no sense in making the same mistake twice.  I
>> could
>> > run cvsup, compile a fresh binary of sockstat and ps to see if
>> anything is
>> > running...
>> >
>> > I'll consider turning snp off and recompiling my kernel.  But that
>> would
>> > just get rid of the messages, not help me get to the heart of it.
>> >
>> >
>> > On Sun, 27 Jun 2004, Neo-Vortex wrote:
>> >
>> > > Hmmm, ttyv* is for local console's only (normally anyway) and ttyp*
>> is for
>> > > remote (ssh, screen, telnet, etc), are you sure some idiot didnt try
>> to
>> > > logon as qmaild in the third console when you wernt looking?
>> > >
>> > > On Sat, 26 Jun 2004, Dave wrote:
>> > >
>> > > >
>> > > > I get this in my security postings.
>> > > >
>> > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2
>> > > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON
>> ttyv2, qmaild
>> > > >
>> > > > As it turns out, I'm not running qmail :)  And if I did, it would
>> > > > definitely have a nologin shell.  But that's beside the point-
>> > > >
>> > > > I have had a perception that ttyv was for local/console logins,
>> and that
>> > > > just "tty" was for remote logins.
>> > > >
>> > > > Is my understanding wrong here?
>> > > >
>> > > >
>> > > > _______________________________________________
>> > > > freebsd-security at freebsd.org mailing list
>> > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> > > > To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe at freebsd.org"
>> > > >
>> > >
>> > _______________________________________________
>> > freebsd-security at freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> > To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe at freebsd.org"
>> >
>>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
>

More information about the freebsd-security mailing list