Re: nologin: Attempted login by root on UNKNOWN

2006-07-19 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
  Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
 
   I'm not sure who/what/where to start looking.  Ideas?
  
  Hey Darek,
 
  Good to hear from NYI. :)
 
 Heh, are you a customer, or just familiar with the company?

NYIIX peer and 25B compatriot.
 
  SSH is TCPWrapper'd, and only *1* machine in the entire
  datacenter can access it (Typical jump box configuration). 

 
 http://lists.debian.org/debian-wnpp/2006/05/msg00092.html

Confused a bit by this reference, but it's been a long
day.

 Does root have /bin/nologin for the shell?

No.

 If it does, then the UNKNOWN 
 would refer to the terminal, just the way the 'nologin' binary is set 
 to log to syslog.  Basically means that someone tried to log in as root, 
 but before they could even provide a password, the nologin binary kicked 
 them off.  That's why the terminal type is set to UNKNOWN: because it 
 hadn't been set yet.

Are you sure? If I ssh to the machine as tuc, then su to root
I see :

$ id
uid=1001(tuc) gid=1001(tuc) groups=1001(tuc), 0(wheel)
$ su - spamd
Password:
su: Sorry
$ su -
Password:
asgard# su - spamd
This account is currently not available.

asgard# grep nologin /var/log/spool
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0

In my example, shouldn't it be saying spamd since that's who I 
tried to log on as?
 
 You'll have to figure out how that person is getting access as 
 apparently they are reaching the box.
 
I'm just not seeing it. netstat isn't showing any TCP
connections out of the ordinary...

Tuc
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: nologin: Attempted login by root on UNKNOWN

2006-07-19 Thread Alex Zbyslaw

Tuc at T-B-O-H.NET wrote:


Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
 

Something running *as* root is trying to su to an account which has 
/bin/nologin as a shell


e.g. # su avahi

cartman nologin: Attempted login by alex on /dev/ttyp7

avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin


If it were running detached from a terminal (in the background; started 
from an rc script) then it would have no terminal to report, hence UNKNOWN.


Tracking down what, is another matter.  ps uagx and kill processes one 
by one until the message stops!  Or try ktracing suspects for a less 
drastic approach.


--Alex
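The two explanations above (a nologin-shell account being the su target, and UNKNOWN meaning the caller had no controlling terminal) can be checked mechanically against the log. The following is an added example, not code from the thread or from FreeBSD: a small Python parser for the nologin(8) syslog lines, which unwraps the duplicate copies the kernel re-logs (visible in the posts as "kernel: Jul 18 ... nologin: ..."), groups the real events by the user and tty fields, and reports how often they recur. The sample log is constructed from the shape of the lines posted, with a made-up sshd line mixed in; the hostname and times are illustrative only.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the lines posted in this thread: syslogd also
# hands each nologin message to the kernel log, so most events appear twice,
# and an unrelated sshd record (made up here) is mixed in.
SAMPLE_LOG = """\
Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:16:01 asgard kernel: Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:18:23 asgard kernel: Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 01:52:47 asgard kernel: Jul 19 01:52:47 asgard nologin: Attempted login by tuc on /dev/ttyp0
Jul 19 02:00:00 asgard sshd[812]: Accepted publickey for tuc from 192.0.2.10 port 51022 ssh2
"""

# One BSD syslog record: "<Mon> <day> <HH:MM:SS> <host> <program>: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)
NOLOGIN_RE = re.compile(r"^Attempted login by (?P<user>\S+) on (?P<tty>\S+)$")


def parse_line(line):
    """Return a dict for a nologin(8) event, or None for any other line.

    A copy re-logged by the kernel ("... kernel: <original record>") is
    unwrapped and flagged as an echo so it is not counted as a second event.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    echo = False
    if m.group("prog") == "kernel":
        inner = SYSLOG_RE.match(m.group("msg"))
        if not inner:
            return None          # some other kernel message, not an echo
        m, echo = inner, True
    if m.group("prog") != "nologin":
        return None
    n = NOLOGIN_RE.match(m.group("msg"))
    if not n:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for computing gaps as long as the file does not span a year boundary.
    when = datetime.strptime(
        f"{m.group('mon')} {int(m.group('day')):02d} {m.group('time')}",
        "%b %d %H:%M:%S",
    )
    return {"when": when, "host": m.group("host"), "user": n.group("user"),
            "tty": n.group("tty"), "echo": echo}


def classify(tty):
    """What the tty field says about the caller, following the thread's reasoning."""
    if tty == "UNKNOWN":
        return ("no controlling terminal: the su/login was run by a detached "
                "process (rc script, cron job or daemon such as an MTA), not by "
                "an interactive session")
    return f"interactive session on {tty}: check who was logged in there (last/w)"


def summarize(text):
    """Group real nologin events by (user, tty): count, echoes, span, shortest gap."""
    groups = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["user"], ev["tty"]),
                              {"count": 0, "echoes": 0, "times": []})
        if ev["echo"]:
            g["echoes"] += 1
            continue
        g["count"] += 1
        g["times"].append(ev["when"])
    for g in groups.values():
        times = sorted(g.pop("times"))
        g["first"] = times[0] if times else None
        g["last"] = times[-1] if times else None
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        g["min_gap_s"] = min(gaps) if gaps else None   # 0 means twice in one second
    return groups


def report(text):
    """Human-readable summary, one group per (user, tty) plus its classification."""
    out = []
    for (user, tty), g in sorted(summarize(text).items()):
        span = (f"{g['first']:%b %d %H:%M:%S} .. {g['last']:%b %d %H:%M:%S}"
                if g["first"] else "kernel echoes only")
        gap = f", shortest gap {g['min_gap_s']:.0f}s" if g["min_gap_s"] is not None else ""
        out.append(f"{user} on {tty}: {g['count']} event(s), {g['echoes']} kernel echo(es), {span}{gap}")
        out.append("  -> " + classify(tty))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real file with `report(open("/var/log/spool").read())`. The user field is the caller (the account doing the su), not the nologin-shell target, which is why the thread's root/UNKNOWN pattern points at a root-owned background process rather than at an SSH login; a shortest gap of 0 seconds means two attempts landed in the same second, as in the posted 13:30:56 pair.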




Re: nologin: Attempted login by root on UNKNOWN

2006-07-19 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
 
 Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
   
 
 Something running *as* root is trying to su to an account which has 
 /bin/nologin as a shell
 
 e.g. # su avahi
 
 cartman nologin: Attempted login by alex on /dev/ttyp7
 
 avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin

That's what I was thinking...
 
 If it were running detached from a terminal (in the background; started 
 from an rc script) then it would have no terminal to report, hence UNKNOWN.

Makes sense. :)
 
 Tracking down what, is another matter.  ps uagx and kill processes one 
 by one until the message stops!  Or try ktracing suspects for a less 
 drastic approach.
 
I'm pretty sure it has to do with my sendmail. Why all of a sudden
it's done this I'm not sure. I shut down sendmail for an hour and the messages
stopped. When I started it back up, it started again. I'm running :

sendmail / procmail / SpamAssassin

If I was to ktrace sendmail, what would I be looking for? What
options do I pass to it to get all the sub processes?

Thanks, Tuc


Re: nologin: Attempted login by root on UNKNOWN

2006-07-18 Thread doug

On Tue, 18 Jul 2006, Tuc at T-B-O-H wrote:


Hi,

All of a sudden today I'm getting :

nologin: Attempted login by root on UNKNOWN


on a server... It's happening QUITE a bit :

Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:16:01 asgard kernel: Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:18:23 asgard kernel: Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:19:25 asgard kernel: Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:21:27 asgard kernel: Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:55:11 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:55:11 asgard kernel: Jul 18 13:55:11 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:08:47 asgard kernel: Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN

 I'm not sure who/what/where to start looking.  Ideas?


What does /var/log/auth.log show?


Thanks, Tuc




Re: nologin: Attempted login by root on UNKNOWN

2006-07-18 Thread Darek M

doug wrote:

On Tue, 18 Jul 2006, Tuc at T-B-O-H wrote:


Hi,

All of a sudden today I'm getting :

nologin: Attempted login by root on UNKNOWN


on a server... It's happening QUITE a bit :

Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:16:01 asgard kernel: Jul 18 13:16:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:18:23 asgard kernel: Jul 18 13:18:23 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:19:25 asgard kernel: Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:21:27 asgard kernel: Jul 18 13:19:25 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:30:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:55:11 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 13:55:11 asgard kernel: Jul 18 13:55:11 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:08:47 asgard kernel: Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN

 I'm not sure who/what/where to start looking.  Ideas?


I believe that I've seen this before.  If I remember correctly, the 
UNKNOWN part happens because the connection was closed before sshd or 
the system got info on the client's host.  This is probably not very 
accurate, but the overall result was that it was not cause for concern.


The only thing that this shows is that ssh is open to anyone, so you 
might want to close it with a firewall, or within /etc/ssh/sshd_config 
with the AllowUsers directive.  Also within that file, you probably 
should have PermitRootLogin set to no.


Also look at the output of 'last' and 'last -f /var/log/wtmp.0 ... 
wtmp.N' just to make sure root didn't log in.


- Darek



Re: nologin: Attempted login by root on UNKNOWN

2006-07-18 Thread Tuc at T-B-O-H.NET
  Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
  Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
 
   I'm not sure who/what/where to start looking.  Ideas?

Hey Darek,

Good to hear from NYI. :)
 
 I believe that I've seen this before.  If I remember correctly, the 
 UNKNOWN part happens because the connection was closed before sshd or 
 the system got info on the client's host.  This is probably not very 
 accurate, but the overall result was that it was not cause for concern.
 
 The only thing that this shows is that ssh is open to anyone, so you 
 might want to close it with a firewall, or within /etc/ssh/sshd_config 
 with the AllowUsers directive.  Also within that file, you probably 
 should have PermitRootLogin set to no.

SSH is TCPWrapper'd, and only *1* machine in the entire
datacenter can access it (Typical jump box configuration). 

 Also look at the output of 'last' and 'last -f /var/log/wtmp.0 ... 
 wtmp.N' just to make sure root didn't log in.
 
Nope, root didn't.

It's just really weird that all of a sudden it started @1:30
today and hasn't stopped since.

Tuc/TBOH


Re: nologin: Attempted login by root on UNKNOWN

2006-07-18 Thread Tuc at T-B-O-H.NET
  Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
  Jul 18 14:08:47 asgard kernel: Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
  Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
  Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
 
   I'm not sure who/what/where to start looking.  Ideas?
 
 What does /var/log/auth.log show?
 
Nothing since I send everything to a single file and
a syslog server.

*.debug /var/log/spool
*.debug @syslog.t-b-o-h.net
*.err;kern.debug;auth.notice;mail.crit  /dev/console
*.emerg *


Tuc/TBOH


Re: nologin: Attempted login by root on UNKNOWN

2006-07-18 Thread Darek M

Tuc at T-B-O-H.NET wrote:

Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:21:02 asgard kernel: Jul 18 14:21:02 asgard nologin: Attempted login by root on UNKNOWN


 I'm not sure who/what/where to start looking.  Ideas?


Hey Darek,

Good to hear from NYI. :)
  


Heh, are you a customer, or just familiar with the company?


SSH is TCPWrapper'd, and only *1* machine in the entire
datacenter can access it (Typical jump box configuration). 
  


http://lists.debian.org/debian-wnpp/2006/05/msg00092.html

Does root have /bin/nologin for the shell?  If it does, then the UNKNOWN 
would refer to the terminal, just the way the 'nologin' binary is set 
to log to syslog.  Basically means that someone tried to log in as root, 
but before they could even provide a password, the nologin binary kicked 
them off.  That's why the terminal type is set to UNKNOWN: because it 
hadn't been set yet.


You'll have to figure out how that person is getting access as 
apparently they are reaching the box.


- Darek