Hi freebsd people,

My sshd_config file doesn't have root listed in the AllowUsers directive. So every time I see entries like the following in my logs:

Feb 12 01:23:54 dual sshd[11016]: User root from 208.75.83.30 not allowed because not listed in AllowUsers
Feb 12 04:07:43 dual sshd[11775]: Did not receive identification string from 218.65.110.180
Feb 12 04:11:05 dual sshd[11790]: User root from 218.65.110.180 not allowed because not listed in AllowUsers

That looks "normal".

However, today I saw the following entries in my log:

Did not receive identification string from 202.98.244.20
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: error: PAM: authentication error for illegal user root from 202.98.244.20
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2

That "scared" me because I didn't think a root session would get a password prompt, because of the fact that I have configured my sshd_config file where AllowUsers doesn't contain root!

The other thing that "scared" me was that I have this section in my pf file for ssh traffic:

(max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global)

It seems to me that this 202.98.244 violated that long ago but still it lasted a few times before this address was added to the bruteforce table.

What do you think?

Thanks in advance.
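An added example, not part of the original post: pf's max-src-conn-rate counts new TCP connections per source, while one sshd connection can carry several authentication attempts, so grouping the quoted log lines by sshd PID shows how the two numbers differ. It assumes one sshd PID per connection and that the limit trips when more than 2 connections start within 30 seconds; `summarize` and `over_rate` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the sshd lines quoted in the post above.
LOG = """\
Feb 12 14:06:12 dual sshd[12837]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:13 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:14 dual sshd[12837]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34209 ssh2
Feb 12 14:06:18 dual sshd[12841]: User root from 202.98.244.20 not allowed because not listed in AllowUsers
Feb 12 14:06:19 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
Feb 12 14:06:20 dual sshd[12841]: Failed keyboard-interactive/pam for invalid user root from 202.98.244.20 port 34245 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
SRC = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

def summarize(log, year=2000):
    """Per source IP: first-seen time of each sshd PID, and failed-auth count."""
    conns = defaultdict(dict)      # ip -> {pid: first timestamp}
    failures = defaultdict(int)    # ip -> failed authentication attempts
    for raw in log.splitlines():
        m = LINE.match(raw)
        src = SRC.search(raw)
        if not (m and src):
            continue
        stamp, pid, msg = m.groups()
        # syslog omits the year; any fixed year works for interval arithmetic
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        conns[src.group(1)].setdefault(pid, when)
        if msg.startswith("Failed "):
            failures[src.group(1)] += 1
    return conns, failures

def over_rate(times, limit=2, window=30):
    """True if more than `limit` connections start within `window` seconds."""
    times = sorted(times)
    return any((times[i + limit] - times[i]).total_seconds() <= window
               for i in range(len(times) - limit))

if __name__ == "__main__":
    conns, failures = summarize(LOG)
    for ip, pids in conns.items():
        print(ip, "connections:", len(pids), "failed auths:", failures[ip],
              "over 2/30:", over_rate(pids.values()))
```

On the sample lines this reports two connections carrying four failed authentications, which under the stated assumption does not exceed 2 connections per 30 seconds.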