On Thu, 2004-11-04 at 23:00, Neil Marjoram wrote:
> No, not yet. So it's a bit worrying.
>
> Neil.
> On Thu, 2004-11-04 at 09:54, Alexander Apprich wrote:
> > Neil,
> >
> > Neil Marjoram wrote:
> > > I am a bit concerned about what appears to be a login every three
> > > minutes on my server. Can anyone help with this? Here's a bit of my log
> > > (host is the server's hostname):
> > >
> > > Nov 4 08:17:54 host sshd(pam_unix)[2945]: session opened for user root
> > > by (uid=0)
> > > Nov 4 08:17:55 host sshd(pam_unix)[2945]: session closed for user root
> > > Nov 4 08:20:55 host sshd(pam_unix)[2991]: session opened for user root
> > > by (uid=0)
> > > Nov 4 08:20:55 host sshd(pam_unix)[2991]: session closed for user root
> > > Nov 4 08:23:56 host sshd(pam_unix)[3035]: session opened for user root
> > > by (uid=0)
> > > Nov 4 08:23:56 host sshd(pam_unix)[3035]: session closed for user root
> > > Nov 4 08:26:56 host sshd(pam_unix)[3205]: session opened for user root
> > > by (uid=0)
> > > Nov 4 08:26:57 host sshd(pam_unix)[3205]: session closed for user root
> > > Nov 4 08:29:57 host sshd(pam_unix)[3249]: session opened for user root
> > > by (uid=0)
> > > Nov 4 08:29:57 host sshd(pam_unix)[3249]: session closed for user root
> > >
> >
> > Do you have any kind of monitoring tool (e.g. nagios) running on that
> > server that checks the existence of your sshd? We have nagios running here
> > and my logfile is packed w/those messages.
> >
> > > Thanks,
> > >
> > > Neil.
> >

Hi Neil,

What have you got in your /etc/hosts.allow file? If you put a line in that will log attempts then you might be able to grab the IP. I use this to log all blocked attempts, but you should be able to do something similar to allow "allowed" ssh attempts too.

ALL : ALL : spawn (/bin/echo Attempt from %u %a to %d at `date` | tee -a /var/log/tcp.log|mail root) & : DENY

Perhaps ethereal will give you a trace on the network traffic for that port or tcpdump?

Just thinking of the things I would try.

Thanks, gb
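
Added example, not part of the original thread: a small Python check that pairs the pam_unix "session opened"/"session closed" lines by sshd PID and measures how regular the logins are, which helps separate a scheduled probe (as Alexander suggests) from interactive use. The function names and the jitter and session-length thresholds are assumptions chosen for illustration; the year is taken from the mail dates because syslog timestamps carry none.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Log lines copied from the post above, with the wrapped "by (uid=0)" rejoined.
SAMPLE = """\
Nov 4 08:17:54 host sshd(pam_unix)[2945]: session opened for user root by (uid=0)
Nov 4 08:17:55 host sshd(pam_unix)[2945]: session closed for user root
Nov 4 08:20:55 host sshd(pam_unix)[2991]: session opened for user root by (uid=0)
Nov 4 08:20:55 host sshd(pam_unix)[2991]: session closed for user root
Nov 4 08:23:56 host sshd(pam_unix)[3035]: session opened for user root by (uid=0)
Nov 4 08:23:56 host sshd(pam_unix)[3035]: session closed for user root
Nov 4 08:26:56 host sshd(pam_unix)[3205]: session opened for user root by (uid=0)
Nov 4 08:26:57 host sshd(pam_unix)[3205]: session closed for user root
Nov 4 08:29:57 host sshd(pam_unix)[3249]: session opened for user root by (uid=0)
Nov 4 08:29:57 host sshd(pam_unix)[3249]: session closed for user root
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[(\d+)\]: "
    r"session (opened|closed) for user (\S+)")

def sessions(text, year=2004):
    """Pair open/close events by sshd PID; return (user, start, seconds)."""
    opened, done = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, event, user = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if event == "opened":
            opened[pid] = (user, ts)
        elif pid in opened:
            u, start = opened.pop(pid)
            done.append((u, start, (ts - start).total_seconds()))
    return done

def periodicity(sess, max_jitter=5.0, max_len=2.0):
    """Flag logins that recur at a near-constant interval and end at once."""
    starts = sorted(s for _, s, _ in sess)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 3:
        return None  # too few sessions to judge regularity
    automated = pstdev(gaps) <= max_jitter and all(d <= max_len for *_, d in sess)
    return {"interval": mean(gaps), "jitter": pstdev(gaps), "automated": automated}

if __name__ == "__main__":
    print(periodicity(sessions(SAMPLE)))
```

A positive result only says the logins are machine-timed; these log lines carry no source address, so identifying the client still needs the hosts.allow logging or packet capture suggested above.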