Often when we see odd login attempts using root, it is a bot looking for insecure root accounts. Stick a linux box on the internet and in 5 minutes it will get scanned.
However, that's a loopback address. Do you have that IP still in your config? Do you have any other 127 addresses in your config? I suppose it could be spoofed, which is a cause for concern. You shouldn't be getting a ssh login attempt from a loopback address. Stephen ----- Original Message ----- From: "Andre Keller ( OTLG )" <[email protected]> To: "Enterasys Customer Mailing List" <[email protected]> Sent: Thursday, June 16, 2011 7:11:47 AM Subject: [enterasys] "root" login on N7 Hi there, does anyone know if this message should be cause for concern: CLI[6]User: root failed login from 127.128.0.4(ssh) We had this coming up on one of our N7 for a couple of times yesterday. The IP 127.128.0.4 is related to OSPF afaik which we don´t use at all anywhere. Also, we don´t have a "root" user on our N7s. Any input is appreciated! Cheers, i.A. André Keller Informationssysteme Lokaler Betrieb und Support Volkswagen Original Teile Logistik GmbH und Co. KG Vertriebszentrum Nord Am Stammgleis 6 22844 Norderstedt Tel.: +49 (40) 52200-3211 Fax: +49 40 52200-3209 <http://www.volkswagen-otlg.de> --- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected] --- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
