guys, here is the output from 20 mins ago from auth.log. i saw this last
night. any clues what i'm doing wrong? eg., what is auxpropfunc?
i've done about as much as i can. spamassassin was not running, etc.
i did a reboot so everything should be reinitialized correctly.
Sep 26 12:00:34
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for
michael from 89.123.165.3 port 55185 ssh2
There is a user michael on the system, but whoever was doing this was not
him.
I am assuming someone tried to break in using a valid username (michael) but
with an incorrect
Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been
there. I got rid of the michael account (it wasn't used anyway), and
downloaded a new copy of chkrootkit, installed it and ran it along with
chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough
Hello,
I personally use key authentication along with DenyUsers and AllowUsers directives
from sshd. One more thing I do regarding ssh brute force is to make use of the
max-src-conn and max-src-conn-rate from pf firewall.
My auth logs look like:
Nov 14 11:15:36 xxx sshd[3570]: User root from
On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
been there. I got rid of the michael account (it wasn't used anyway), and
downloaded a new
Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).
But in this case there are other messages about scp, not sure if in auth.log
or others. I use single file
--- On Sat, 11/15/08, Jeremy Chadwick [EMAIL PROTECTED] wrote:
From: Jeremy Chadwick [EMAIL PROTECTED]
Subject: Re: Question about entry in auth.log
To: Lisa Casey [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org
Date: Saturday, November 15, 2008, 2:37 AM
On Fri, Nov 14, 2008 at 10:00
Hi,
I run several FreeBSD servers. Today I noticed an entry in the auth.log on
one of them that concerns me. The entry is this:
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for
michael from 89.123.165.3 port 55185 ssh2
There is a user michael on the system
Lisa Casey wrote:
Hi,
I run several FreeBSD servers. Today I noticed an entry in the auth.log
on one of them that concerns me. The entry is this:
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for
michael from 89.123.165.3 port 55185 ssh2
There is a user michael
On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote:
Lisa Casey wrote:
Hi,
I run several FreeBSD servers. Today I noticed an entry in the auth.log
on one of them that concerns me. The entry is this:
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for
michael from
On Fri, 14 Nov 2008, Tom Marchand wrote:
Or michael is vacationing in Romania.
Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
been there. I got rid of the michael account (it wasn't used anyway), and
downloaded a new copy of chkrootkit, installed it and ran it
On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
been there. I got rid of the michael account (it wasn't used anyway), and
downloaded a new copy of chkrootkit, installed it and ran it along with
chklastlog
/log/auth.log file.
You can create a script (route_blackholed_ip.sh) containing route
commands for all the IP addresses that have attacked you in the past
and save it to /usr/local/etc/rc.d/ so it will be run at boot time.
*** note **
The problem using either of the above methods
January 2006 7:58 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: auth.log intruder prevention
On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
Hi Everyone,
hello,
In auth.log of my FreeBSD boxes I got many requests to port 22, as you
can see
Hi Everyone,
In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
see below.
begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking
from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal
We are talking about a few users and nobody has a permanent IP.
-IS
-Original Message-
From: Dan O'Connor [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 January 2006 22:29
To: [EMAIL PROTECTED]
Subject: Re: auth.log intruder prevention
I am wondering if any script is available
On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
Hi Everyone,
hello,
In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
see below.
begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking
from
PROTECTED]
Subject: Re: auth.log intruder prevention
On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
Hi Everyone,
hello,
In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
see below.
begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed
On 24/01/06 Ilias Sachpazidis said:
Hi Everyone,
In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
see below.
It's considered poor mailing list etiquette to hijack a thread. Please start
a new post instead. Some of us are using threaded mail readers.
Thanks,
Mike
:11:39 asarian-host sshd[32814]: Failed password for asarian from
192.168.0.8 port 3537 ssh2
Which is curious, as the IP address no longer has a machine on it. Then I
checked, and after a while I suddenly noticed /var/log/auth.log was dated
March 8, 2004! Apparently, the security script just checks
Hello list,
when I do that:
cat /var/log/auth.log | grep listening
I got this:
Mar 3 14:23:21 mail sshd[380]: Server listening on :: port 22.
Mar 3 14:23:21 mail sshd[380]: Server listening on 0.0.0.0 port 22.
Mar 3 17:01:51 mail sshd[2364]: Server listening on :: port 22.
Mar 3 17:01:51
On Wed, 9 Mar 2005, Mark wrote:
Which is curious, as the IP address no longer has a machine on it. Then I
checked, and after a while I suddenly noticed /var/log/auth.log was dated
March 8, 2004! Apparently, the security script just checks the date, but
not the year? Is it supposed to work this way
I'm running FreeBSD 4.7 and I noticed that /var/log/auth.log does not
include year () in the log entries. My daily cron jobs recently
sent notice that there were some failed login attempts on July 3 to an
account that was removed many months ago. This raised concern, so I
did a thorough
Hey all,
The email from Mr. Gerhardt prompted me to take a look at auth.log, and
I noticed a couple things that concerned me. I just set Cyrus-SASL up,
and I see these entries in my auth.log file:
Jun 28 18:31:48 grog saslauthd[187]: START: saslauthd 1.5.28
Jun 28 18:31:48 grog saslauthd[194
Mark [EMAIL PROTECTED] writes:
Is this a stuck key or an attack??
Looks like a stuck key to me. It's on the console, so if it was an
attack, you'd've seen the attacker.
--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at