Root session opened every 3 minutes

gillian gillian.bennett at celentia.com
Thu Nov 4 20:54:46 UTC 2004


On Thu, 2004-11-04 at 23:00, Neil Marjoram wrote:
> No, not yet. So it's a bit worrying.
> 
> Neil.
> On Thu, 2004-11-04 at 09:54, Alexander Apprich wrote:
> > Neil,
> > 
> > Neil Marjoram wrote:
> > > I am a bit concerned about what appears to be a login every three
> > > minutes on my server. Can anyone help with this? Heres a bit of my log
> > > :(host is the servers hostname)
> > > 
> > > Nov  4 08:17:54 host sshd(pam_unix)[2945]: session opened for user root by (uid=0)
> > > Nov  4 08:17:55 host sshd(pam_unix)[2945]: session closed for user root
> > > Nov  4 08:20:55 host sshd(pam_unix)[2991]: session opened for user root by (uid=0)
> > > Nov  4 08:20:55 host sshd(pam_unix)[2991]: session closed for user root
> > > Nov  4 08:23:56 host sshd(pam_unix)[3035]: session opened for user root by (uid=0)
> > > Nov  4 08:23:56 host sshd(pam_unix)[3035]: session closed for user root
> > > Nov  4 08:26:56 host sshd(pam_unix)[3205]: session opened for user root by (uid=0)
> > > Nov  4 08:26:57 host sshd(pam_unix)[3205]: session closed for user root
> > > Nov  4 08:29:57 host sshd(pam_unix)[3249]: session opened for user root by (uid=0)
> > > Nov  4 08:29:57 host sshd(pam_unix)[3249]: session closed for user root
> > > 
> > 
> > Do you have any kind of monitoring tool (e.g. nagios) running on that
> > server that checks the existence of your sshd? We have nagios running here
> > and my logfile is packed w/those messages.
> > 
> > > Thanks,
> > > 
> > > Neil.
> > 

Hi Neil,

what have you got in your /etc/hosts.allow file? If you put a line in
that will log attempts then you might be able to grab the IP. I use this
to log all blocked attempts, but you should be able to do something
similar to allow "allowed" ssh attempts too.
 
ALL : ALL : spawn (/bin/echo Attempt from %u %a to %d at `date` | tee -a /var/log/tcp.log | mail root) & : DENY

Perhaps ethereal will give you a trace on the network traffic for that
port or tcpdump? Just thinking of the things I would try.

Thanks, gb
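Before adding network captures, the pattern in Neil's log can be checked from the log itself. The following is an added example, not code from anyone in this thread: it pairs the sshd(pam_unix) "session opened"/"session closed" lines by pid and reports whether root sessions recur at a fixed cadence with near-zero duration, which is the signature of an automated probe (such as the nagios check Alexander mentions) rather than an interactive login. The sample log is copied from the message above; the year is assumed to be 2004 because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Log lines copied from Neil's message above; syslog has no year, so 2004 is assumed.
SAMPLE_LOG = """\
Nov  4 08:17:54 host sshd(pam_unix)[2945]: session opened for user root by (uid=0)
Nov  4 08:17:55 host sshd(pam_unix)[2945]: session closed for user root
Nov  4 08:20:55 host sshd(pam_unix)[2991]: session opened for user root by (uid=0)
Nov  4 08:20:55 host sshd(pam_unix)[2991]: session closed for user root
Nov  4 08:23:56 host sshd(pam_unix)[3035]: session opened for user root by (uid=0)
Nov  4 08:23:56 host sshd(pam_unix)[3035]: session closed for user root
Nov  4 08:26:56 host sshd(pam_unix)[3205]: session opened for user root by (uid=0)
Nov  4 08:26:57 host sshd(pam_unix)[3205]: session closed for user root
Nov  4 08:29:57 host sshd(pam_unix)[3249]: session opened for user root by (uid=0)
Nov  4 08:29:57 host sshd(pam_unix)[3249]: session closed for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def parse_sessions(text, year=2004):
    """Pair 'opened'/'closed' lines by sshd pid -> [(user, start, duration_s)]."""
    opened, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["event"] == "opened":
            opened[m["pid"]] = (m["user"], ts)
        elif m["pid"] in opened:                      # ignore a close with no matching open
            user, start = opened.pop(m["pid"])
            sessions.append((user, start, (ts - start).total_seconds()))
    return sessions

def cadence_report(sessions, user="root", jitter_s=2):
    """Return (count, median_gap_s, periodic, max_duration_s) for one user.
    'periodic' is True when every gap between session starts is within jitter_s
    of the median: a fixed cadence with sub-second sessions is what an automated
    check (e.g. a monitoring probe) looks like, not an interactive root login."""
    mine = sorted((s for s in sessions if s[0] == user), key=lambda s: s[1])
    gaps = [(b[1] - a[1]).total_seconds() for a, b in zip(mine, mine[1:])]
    median = sorted(gaps)[len(gaps) // 2] if gaps else None
    periodic = bool(gaps) and all(abs(g - median) <= jitter_s for g in gaps)
    return (len(mine), median, periodic, max((s[2] for s in mine), default=0))
```

On the sample above this reports five root sessions, a median gap of 181 s, a periodic cadence and a maximum session length of one second; the hosts.allow spawn line, or the tcpdump trace, then tells you which host is behind the probe.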