I keep getting the following in my logwatch output:-
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries** nologin: Attempted login by UNKNOWN on UNKNOWN: 1 Time(s)
Does anyone have any idea what might be causing it? It's separate from the sshd report so isn't an ssh attempt from 'outside'.
... and here's the /var/log record of it:-
auth.log:Sep 8 08:20:04 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log:Sep 9 08:27:00 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 2 08:05:26 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 3 08:31:55 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 4 08:26:50 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 5 08:21:08 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 6 08:24:48 chris nologin: Attempted login by UNKNOWN on UNKNOWN
auth.log.1:Sep 7 08:23:18 chris nologin: Attempted login by UNKNOWN on UNKNOWN
So it's happening some time after eight every morning.
... and further, here's the context from auth.log :-
Sep 8 08:20:01 chris CRON[16693]: pam_unix(cron:session): session opened for user chris by (uid=0)
Sep 8 08:20:02 chris CRON[16693]: pam_unix(cron:session): session closed for user chris
Sep 8 08:20:03 chris su[16743]: Successful su for news by root
Sep 8 08:20:03 chris su[16743]: + ??? root:news
Sep 8 08:20:03 chris su[16743]: pam_unix(su:session): session opened for user news by (uid=0)
Sep 8 08:20:03 chris systemd-logind[1106]: Removed session c6.
Sep 8 08:20:03 chris systemd-logind[1106]: New session c7 of user news.
Sep 8 08:20:04 chris nologin: Attempted login by UNKNOWN on UNKNOWN
Sep 8 08:20:04 chris su[16743]: pam_unix(su:session): session closed for user news
Sep 8 08:20:04 chris su[16800]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16800]: + ??? root:nobody
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris systemd-logind[1106]: Removed session c7.
Sep 8 08:20:04 chris systemd-logind[1106]: New session c8 of user nobody.
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session closed for user nobody
Sep 8 08:20:04 chris su[16813]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16813]: + ??? root:nobody
Sep 8 08:20:04 chris su[16813]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris systemd-logind[1106]: Removed session c8.
Sep 8 08:20:04 chris systemd-logind[1106]: New session c9 of user nobody.
Sep 8 08:20:04 chris su[16813]: pam_unix(su:session): session closed for user nobody
Sep 8 08:20:04 chris su[16834]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16834]: + ??? root:nobody
Sep 8 08:20:04 chris su[16834]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris systemd-logind[1106]: Removed session c9.
Sep 8 08:20:04 chris systemd-logind[1106]: New session c10 of user nobody.
Sep 8 08:25:01 chris CRON[16935]: pam_unix(cron:session): session opened for user chris by (uid=0)
Sep 8 08:30:34 chris CRON[16935]: pam_unix(cron:session): session closed for user chris
Sep 8 08:31:39 chris su[16834]: pam_unix(su:session): session closed for user nobody
On 09/09/14 09:08, Chris Green wrote:
I keep getting the following in my logwatch output:-
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries** nologin: Attempted login by UNKNOWN on UNKNOWN: 1 Time(s)
[SNIP]
No IP addresses there, so I'd write a cron job to run tcpdump around the time this happens and see what IP addresses are coming in on those ports... If none, then it's a local problem. If they are there, then ban them.
I have no idea what's likely to be doing it, but I'm sure you'll find out!
Some clues here:
http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/126813.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/126886.html
http://spamassassin.1065346.n5.nabble.com/nologin-Attempted-login-by-root-on...
One clue that came up was:
"Something running *as* root is trying to "su" to an account which has /bin/nologin as a shell"
Good luck!
Cheers, Laurie.
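To check the clue above (a root process doing su to a nologin-shell account) without watching the box live, here is an added triage script, not from the thread: it pairs each "nologin: Attempted login" line with the su session open at that instant, and lists which accounts in a passwd file have a nologin shell. The auth.log and passwd text are constructed samples modelled on the excerpt above; the /usr/sbin/nologin path is an assumption (Debian/Ubuntu style).

```python
import re

# Constructed sample modelled on the auth.log excerpt in the thread (not the real file).
SAMPLE_AUTH_LOG = """\
Sep 8 08:20:03 chris su[16743]: Successful su for news by root
Sep 8 08:20:03 chris su[16743]: pam_unix(su:session): session opened for user news by (uid=0)
Sep 8 08:20:04 chris nologin: Attempted login by UNKNOWN on UNKNOWN
Sep 8 08:20:04 chris su[16743]: pam_unix(su:session): session closed for user news
Sep 8 08:20:04 chris su[16800]: Successful su for nobody by root
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session opened for user nobody by (uid=0)
Sep 8 08:20:04 chris su[16800]: pam_unix(su:session): session closed for user nobody
"""

# Constructed /etc/passwd fragment; shell paths are assumed, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
chris:x:1000:1000:Chris:/home/chris:/bin/bash
"""

# syslog line: "<Mon> <day> <hh:mm:ss> <host> <prog>[<pid>]: <message>" (pid optional)
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[(\d+)\])?: (.*)$")
OPEN_RE = re.compile(r"session opened for user (\S+) by \(uid=(\d+)\)")
CLOSE_RE = re.compile(r"session closed for user (\S+)")

def nologin_shells(passwd_text):
    """Accounts whose login shell is a nologin/false variant (su to these logs the entry)."""
    users = set()
    for line in passwd_text.splitlines():
        user, _, _, _, _, _, shell = line.split(":")
        if shell.endswith(("nologin", "/false")):
            users.add(user)
    return users

def attribute_nologin(log_text):
    """Return (timestamp, su_pid, target_user, caller_uid) for every nologin entry.

    target_user is None when no su session was open at that moment; those entries
    are the ones that warrant a closer look, since the cron/su explanation cannot cover them."""
    open_sessions = {}  # su pid -> (target user, caller uid), in opening order
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        if prog == "su":
            opened = OPEN_RE.search(msg)
            if opened:
                open_sessions[pid] = (opened.group(1), opened.group(2))
            elif CLOSE_RE.search(msg):
                open_sessions.pop(pid, None)
        elif prog == "nologin" and "Attempted login" in msg:
            if open_sessions:
                pid, (user, uid) = list(open_sessions.items())[-1]  # most recently opened
                findings.append((stamp, pid, user, uid))
            else:
                findings.append((stamp, None, None, None))
    return findings
```

Run it over the real auth.log and /etc/passwd: an entry attributed to an su from uid 0 into a user listed by nologin_shells() matches the benign explanation; an unattributed one does not.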