On 09/09/14 09:08, Chris Green wrote:
I keep getting the following in my logwatch output:-
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries** nologin: Attempted login by UNKNOWN on UNKNOWN: 1 Time(s)
[SNIP]

No IP addresses there, so I'd write a cron job to run tcpdump around the time this happens and see what IP addresses are coming in on those ports... If none, then it's a local problem. If they are there, then ban them.

I have no idea what's likely to be doing it, but I'm sure you'll find out!

Some clues here:

http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/126813.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/126886.html
http://spamassassin.1065346.n5.nabble.com/nologin-Attempted-login-by-root-on...

One clue that came up was:

"Something running *as* root is trying to "su" to an account which has /bin/nologin as a shell"

Good luck!

Cheers, Laurie.

--
---------------------------------------------------------------------
Laurie Brown laurie@brownowl.com
---------------------------------------------------------------------
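
One way to follow up the quoted clue (a root job running "su" to an account whose shell is nologin), as an added example that is not part of the message above: list the nologin accounts from a passwd file and flag cron lines that "su" to one of them. The function names and the sample passwd and cron lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: find cron lines that "su" to an account whose shell is nologin.
# Usage: sh nologin_su_check.sh /etc/passwd /etc/crontab /etc/cron.d/*

# Print the names of accounts whose login shell ends in "nologin".
nologin_users() {
    awk -F: '$7 ~ /nologin$/ { print $1 }' "$1"
}

# $1 = passwd file, remaining arguments = cron files to scan.
# Prints "file:line: text" for each non-comment line of the form
# "su [options] user" where user is a nologin account. Options that take
# an argument are not parsed, so "su -s /bin/sh user" is not reported.
su_to_nologin() {
    passwd_file=$1; shift
    users=$(nologin_users "$passwd_file" | tr '\n' ' ')
    awk -v users="$users" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "su" && $i !~ /\/su$/) continue
                j = i + 1
                while (j <= NF && $j ~ /^-/) j++   # skip "-", "-l", "-m", ...
                if (j <= NF && ($j in want)) { print FILENAME ":" FNR ": " $0; next }
            }
        }' "$@"
}

# Run the check over constructed sample files (not real system data).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www:x:80:80:web:/nonexistent:/usr/sbin/nologin
chris:x:1000:1000::/home/chris:/bin/bash
EOF
    cat > "$d/cron" <<'EOF'
# m h dom mon dow user command
17 3 * * * root su - www -c /usr/local/bin/rotate-cache
25 6 * * * root su chris -c /home/chris/bin/backup
#0 1 * * * root su www -c /bin/true
EOF
    su_to_nologin "$d/passwd" "$d/cron"
    rm -rf "$d"
}

if [ "$#" -gt 1 ]; then su_to_nologin "$@"; else demo; fi
```

A hit's schedule can then be compared with the time the logwatch entry appears.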