On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:

> 8226 ? Ss 0:00 sshd: unknown [priv]
> 8227 ? S 0:00 sshd: unknown [net]
> Just before that I only saw "sshd [accept]" and "sshd [net]".
> Shutdown sshd and made new password and restarted sshd. Now it's the same.
> Can I easily check where it's coming from and what it's doing. I don't see
> anything besides those two lines. No other strange processes.

Someone is trying an ssh login - usually from the former east block - and
probably trying a list of user names and passwords. Do (as root)

    tail -50 /var/log/secure

to see the show. It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger is limited, and
closing your network connection for a minute usually makes them go away.
Configuring sshd to allow only dsa authentication is better of course.

Last summer I watched one of them and whois told me this was coming from
a Canadian university. Called their security, and it turned out this was
a 'live' user (very often it's done by malware doing its job without the
system owner being aware). That one won't try it again I guess...

Ciao,

-- 
FA

Laboratorio di Acustica ed Elettroacustica
Parma, Italia

O you, what do you bring, running so?
War and death!

Linux-audio-dev mailing list
http://lists.linuxaudio.org/mailman/listinfo/linux-audio-dev
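
An added example, not part of the original message: a shell function that tallies failed password attempts per source address from sshd lines like those in /var/log/secure, which is what the `tail` above shows by eye. The log lines are constructed samples, the function names are hypothetical, and the parser assumes the OpenSSH line tail "from <ip> port <n> ssh2".

```shell
# Constructed sample of sshd lines in the syslog format found in
# /var/log/secure (addresses are from the RFC 5737 documentation ranges).
sample_log() {
cat <<'EOF'
Feb 14 23:50:01 box sshd[8226]: Invalid user admin from 203.0.113.7
Feb 14 23:50:03 box sshd[8226]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Feb 14 23:50:09 box sshd[8301]: Failed password for root from 203.0.113.7 port 41240 ssh2
Feb 14 23:50:15 box sshd[8310]: Failed password for invalid user test from 203.0.113.7 port 41251 ssh2
Feb 14 23:50:20 box sshd[8322]: Failed password for root from 203.0.113.7 port 41260 ssh2
Feb 14 23:52:41 box sshd[8390]: Failed password for julien from 198.51.100.23 port 50510 ssh2
Feb 14 23:53:02 box sshd[8401]: Accepted publickey for julien from 192.0.2.10 port 50022 ssh2
EOF
}

# Read sshd log lines on stdin and print, busiest source first:
#   <failed-attempts> <source-ip> <distinct-user-names-tried>
summarize_failed_ssh() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
        # The user name is supplied by the remote side, so read the fixed
        # tail of the line ("from <ip> port <n> ssh2") from the right
        # instead of trusting the first "from" that appears.
        ip = $(NF-3); user = $(NF-5)
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in fails) print fails[ip], ip, users[ip] }
    ' | sort -k1,1nr -k2,2
}

# Sources at or above a failure threshold (default 3), one address per line.
noisy_sources() {
    summarize_failed_ssh | awk -v min="${1:-3}" '$1 >= min { print $2 }'
}
```

On a live system, run it as root with `summarize_failed_ssh < /var/log/secure`; a source with many failures spread over many user names matches the password-list guessing described in the reply.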
