I noticed this in my logwatch:

--------------------- SSHD Begin ------------------------ 

 
 **Unmatched Entries**
 User root from d33.z1.infracom.it not allowed because not listed in
AllowUsers : 86 time(s)

But nothing appeared out of OSSEC.

Any suggestions? This was on version 1.3; I've now upgraded to 1.4.

Looking through the auth.log, I see:
Nov 23 08:32:56 thecla2 sshd[14850]: Invalid user staff from
202.106.62.52
Nov 23 08:32:59 thecla2 sshd[14858]: Invalid user sales from
202.106.62.52
Nov 23 08:33:02 thecla2 sshd[14866]: Invalid user recruit from
202.106.62.52
Nov 23 08:33:06 thecla2 sshd[14874]: User alias not allowed because
shell /sbin/nologin does not exist
Nov 23 08:33:09 thecla2 sshd[14882]: Invalid user office from
202.106.62.52
Nov 23 08:33:12 thecla2 sshd[14890]: Invalid user samba from
202.106.62.52
Nov 23 08:33:16 thecla2 sshd[14900]: Invalid user tomcat from
202.106.62.52
Nov 23 08:33:19 thecla2 sshd[14908]: Invalid user webadmin from
202.106.62.52
Nov 23 08:33:22 thecla2 sshd[14916]: Invalid user spam from
202.106.62.52
Nov 23 08:33:23 thecla2 sshd[14939]: refused connect
from ::ffff:202.106.62.52 (::ffff:202.106.62.52)

This one was detected, but not the "User alias not allowed".

This is a portion of the log for the missed one:

Nov 21 21:48:40 thecla2 sshd[20612]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:48:42 thecla2 sshd[20616]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:48:43 thecla2 sshd[20622]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:48:45 thecla2 sshd[20628]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:48:49 thecla2 sshd[20638]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:48:51 thecla2 sshd[20642]: Invalid user admin from
82.193.15.51
Nov 21 21:48:53 thecla2 sshd[20648]: Invalid user admin from
82.193.15.51
Nov 21 21:48:54 thecla2 sshd[20654]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:02 thecla2 sshd[20660]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:04 thecla2 sshd[20676]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:05 thecla2 sshd[20682]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:07 thecla2 sshd[20686]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:09 thecla2 sshd[20692]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:10 thecla2 sshd[20698]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:12 thecla2 sshd[20702]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:13 thecla2 sshd[20708]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:16 thecla2 sshd[20712]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:17 thecla2 sshd[20718]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:19 thecla2 sshd[20724]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:20 thecla2 sshd[20728]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:22 thecla2 sshd[20734]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:23 thecla2 sshd[20738]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:25 thecla2 sshd[20744]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:29 thecla2 sshd[20754]: Invalid user admin from
82.193.15.51
Nov 21 21:49:31 thecla2 sshd[20758]: Invalid user miquelfi from
82.193.15.51
Nov 21 21:49:33 thecla2 sshd[20764]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:34 thecla2 sshd[20770]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:36 thecla2 sshd[20774]: Invalid user admin from
82.193.15.51
Nov 21 21:49:37 thecla2 sshd[20780]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:43 thecla2 sshd[20790]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:44 thecla2 sshd[20798]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:52 thecla2 sshd[20802]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:54 thecla2 sshd[20820]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:56 thecla2 sshd[20826]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:57 thecla2 sshd[20832]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:49:59 thecla2 sshd[20836]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:50:00 thecla2 sshd[20842]: Invalid user sadmin from
82.193.15.51
Nov 21 21:50:01 thecla2 CRON[20847]: (pam_unix) session opened for user
www-data by (uid=0)
Nov 21 21:50:01 thecla2 CRON[20847]: (pam_unix) session closed for user
www-data
Nov 21 21:50:02 thecla2 sshd[20846]: User root from d33.z1.infracom.it
not allowed because not listed in AllowUsers
Nov 21 21:50:04 thecla2 sshd[20854]: Invalid user mythtv from
82.193.15.51

Thanks as usual for a great product.
-- 

Regards Martin West
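
An added example, not part of the original post and not OSSEC's own code: a small Python check that classifies the three sshd message forms quoted above and flags per-source bursts, so that `not listed in AllowUsers` denials are counted the same way as `Invalid user` attempts. The sample lines, host and source names, the year used for parsing, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE = [  # constructed lines in the auth.log format quoted above (unwrapped)
    f"Nov 21 21:48:{s:02d} host1 sshd[{2000 + s}]: User root from scanner.example.net "
    "not allowed because not listed in AllowUsers"
    for s in range(40, 52, 2)
] + [
    "Nov 21 21:48:51 host1 sshd[3001]: Invalid user admin from 192.0.2.10",
    "Nov 21 21:48:53 host1 sshd[3002]: Invalid user admin from 192.0.2.10",
    "Nov 21 21:49:06 host1 sshd[3003]: User alias not allowed because shell /sbin/nologin does not exist",
    "Nov 21 21:50:01 host1 CRON[3004]: (pam_unix) session opened for user www-data by (uid=0)",
]
SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")
PATTERNS = [  # tried in order; the last form carries no source address
    ("denied_user", re.compile(r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because .+$")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)$")),
    ("denied_no_source", re.compile(r"^User (?P<user>\S+) not allowed because .+$")),
]

def parse(line):
    """Return (time, kind, user, source) for a recognised sshd line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed one is assumed for ordering only
    when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
    for kind, rx in PATTERNS:
        if (hit := rx.match(m.group(2))):
            d = hit.groupdict()
            return when, kind, d["user"], d.get("src", "-")
    return None

def bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map (source, kind) to the largest event count seen inside one window."""
    seen = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        seen[(ev[3], ev[1])].append(ev[0])
    out = {}
    for key, times in seen.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            out[key] = best
    return out
```

Wrapped log lines, as they appear in the mail above, need to be rejoined before they are passed to `bursts`.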
