> >> Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN > >> Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: > >> Attempted login by root on UNKNOWN > >> > >> I'm not sure who/what/where to start looking. Ideas? > Hey Darek,
Good to hear from NYI. :) > I believe that I've seen this before. If I remember correctly, the > UNKNOWN part happens because the connection was closed before sshd or > the system got info on the client's host. This is probably not very > accurate, but the overall result was that it was not cause for concern. > > The only thing that this shows is that ssh is open to anyone, so you > might want to close it with a firewall, or within /etc/ssh/sshd_config > with the AllowUsers directive. Also within that file, you probably > should have PermitRootLogin set to "no". > SSH is TCPWrapper'd, and only *1* machine in the entire datacenter can access it (Typical "jump box" configuration). > > Also look at the output of 'last' and 'last -f /var/log/wtmp.0 ... > wtmp.N' just to make sure root didn't log in. > Nope, root didn't. Its just really weird that all of a sudden it started @1:30 today and hasn't stopped since. Tuc/TBOH _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"