On 09/09/14 09:08, Chris Green wrote:
I keep getting the following in my logwatch output:-
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
nologin: Attempted login by UNKNOWN on UNKNOWN: 1 Time(s)
[SNIP]
No IP addresses there, so I'd write a cron job to run tcpdump around the time this happens and see what IP addresses are coming in on those ports... If none, then it's a local problem. If they are there, then ban them.
I have no idea what's likely to be doing it, but I'm sure you'll find out!
Some clues here:
http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/126813.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/126886.html
http://spamassassin.1065346.n5.nabble.com/nologin-Attempted-login-by-root-on...
One clue that came up was:
"Something running *as* root is trying to "su" to an account which has /bin/nologin as a shell"
Good luck!
Cheers, Laurie.
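
The clue quoted above (something running as root doing "su" to an account whose shell is nologin) can be checked against the system crontab. The following is an added example, not part of the original message: it lists root cron jobs that su to a nologin account. The function names, the sample passwd and crontab text, and the assumption of system-crontab format (five time fields, user, command) are all constructed for illustration.

```python
import shlex
# Constructed sample data (not from the original post).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
backup:x:1001:1001::/home/backup:/bin/bash
"""
CRONTAB = """\
# m h dom mon dow user command
15 4 * * * root su - nobody -c '/usr/local/bin/update-index'
30 4 * * * root su backup -c '/usr/local/bin/nightly'
0 5 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""
SU_OPTS_WITH_ARG = {"-c", "-s", "-g", "-G"}  # su options that consume the next word

def nologin_accounts(passwd_text):
    """Names of accounts whose login shell is a nologin binary."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return {r[0] for r in rows if len(r) == 7 and r[6].rsplit("/", 1)[-1] == "nologin"}

def su_target(command):
    """User the first `su` in a command switches to, or None if there is no su."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes: cannot parse, report nothing
        return None
    for i, word in enumerate(words):
        if word.rsplit("/", 1)[-1] != "su":
            continue
        args = iter(words[i + 1:])
        for arg in args:
            if arg in SU_OPTS_WITH_ARG:
                next(args, None)  # skip the option's value
            elif not arg.startswith("-"):
                return arg
        return "root"  # su with no user argument means root
    return None

def root_su_to_nologin(passwd_text, crontab_text):
    """(line number, account, command) for root cron jobs that su to a nologin account."""
    locked, hits = nologin_accounts(passwd_text), []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        fields = line.split(None, 6)  # system crontab: 5 time fields, user, command
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        target = su_target(fields[6])
        if target in locked:
            hits.append((n, target, fields[6]))
    return hits

print(root_su_to_nologin(PASSWD, CRONTAB))
```

On a real host, pass in the contents of /etc/passwd and /etc/crontab (plus any files under /etc/cron.d) instead of the sample strings, and compare the schedule of any hit with the time of the logwatch entry.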