I keep getting the following in my logwatch output:-
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
   nologin: Attempted login by UNKNOWN on UNKNOWN: 1 Time(s)
Does anyone have any idea what might be causing it? It's separate from the sshd report so isn't an ssh attempt from 'outside'.
... and here's the /var/log record of it:-
auth.log:Sep 8 08:20:04 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log:Sep 9 08:27:00 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 2 08:05:26 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 3 08:31:55 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 4 08:26:50 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 5 08:21:08 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 6 08:24:48 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 7 08:23:18 chris nologin: Attempted login by UNKNOWN on UNKNOWN
So it's happening some time after eight every morning.
... and further, here's the context from auth.log :-
Sep 8 08:20:01 chris CRON[16693]: pam_unix(cron:session): session opened for user chris by (uid=0)
Sep 8 08:20:02 chris CRON[16693]: pam_unix(cron:session): session closed for user chris
Sep 8 08:20:03 chris su[16743]: Successful su for news by root
Sep 8 08:20:03 chris su[16743]: + ??? root:news
Sep 8 08:20:03 chris su[16743]: pam_unix(su:session): session opened for user news by (uid=0)
Sep 8 08:20:03 chris systemd-logind[1106]: Removed session c6.
Sep 8 08:20:03 chris systemd-logind[1106]: New session c7 of user news.
Sep 8 08:20:04 chris nologin: Attempted login by UNKNOWN on UNKNOWN
Sep 8 08:20:04 chris su[16743]: pam_unix(su:session): session closed for user news
Sep 8 08:20:04 chris su[16800]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16800]: + ??? root:nobody
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris systemd-logind[1106]: Removed session c7.
Sep 8 08:20:04 chris systemd-logind[1106]: New session c8 of user nobody.
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session closed for user nobody
Sep 8 08:20:04 chris su[16813]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16813]: + ??? root:nobody
Sep 8 08:20:04 chris su[16813]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris systemd-logind[1106]: Removed session c8.
Sep 8 08:20:04 chris systemd-logind[1106]: New session c9 of user nobody.
Sep 8 08:20:04 chris su[16813]: pam_unix(su:session): session closed for user nobody
Sep 8 08:20:04 chris su[16834]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16834]: + ??? root:nobody
Sep 8 08:20:04 chris su[16834]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris systemd-logind[1106]: Removed session c9.
Sep 8 08:20:04 chris systemd-logind[1106]: New session c10 of user nobody.
Sep 8 08:25:01 chris CRON[16935]: pam_unix(cron:session): session opened for user chris by (uid=0)
Sep 8 08:30:34 chris CRON[16935]: pam_unix(cron:session): session closed for user chris
Sep 8 08:31:39 chris su[16834]: pam_unix(su:session): session closed for user nobody
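
An added example, not part of the original post: a Python script that, for each nologin entry in auth.log-style text, reports which su sessions were open at that moment, tracked by su PID so that overlapping sessions are handled. The sample input is copied from the excerpt above; the function and variable names are this example's own.

```python
import re

# Sample input: lines copied from the auth.log excerpt in the post.
SAMPLE = """\
Sep 8 08:20:03 chris su[16743]: Successful su for news by root
Sep 8 08:20:03 chris su[16743]: pam_unix(su:session): session opened for user news by (uid=0)
Sep 8 08:20:03 chris systemd-logind[1106]: New session c7 of user news.
Sep 8 08:20:04 chris nologin: Attempted login by UNKNOWN on UNKNOWN
Sep 8 08:20:04 chris su[16743]: pam_unix(su:session): session closed for user news
Sep 8 08:20:04 chris su[16800]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session closed for user nobody
"""

# timestamp, host, program, optional [pid], message
LINE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+([^\s\[:]+)(?:\[(\d+)\])?:\s+(.*)$"
)
OPENED = re.compile(r"pam_unix\(su:session\): session opened for user (\S+) by")
CLOSED = re.compile(r"pam_unix\(su:session\): session closed for user (\S+)")


def correlate(text):
    """Return one record per nologin entry, listing su sessions open at that point."""
    open_su = {}    # su pid -> target user, updated in log order
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue            # skip lines that are not syslog-formatted
        stamp, _host, prog, pid, msg = m.groups()
        if prog == "su":
            if (o := OPENED.search(msg)):
                open_su[pid] = o.group(1)
            elif CLOSED.search(msg):
                open_su.pop(pid, None)
        elif prog == "nologin" and msg.startswith("Attempted login"):
            findings.append({"time": stamp, "open_su": sorted(open_su.items())})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        users = ", ".join(f"{u} (su pid {p})" for p, u in f["open_su"]) or "none"
        print(f"{f['time']}: nologin entry while su session open for: {users}")
```

Running `getent passwd` on a reported account shows the login shell that su would have executed for it.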