Hi,
login via ssh (putty) to a SLES 12 SP4 Server gave me these messages:
“login as: root
Using keyboard-interactive authentication.
Password:
Last failed login: Sat Mar 14 23:39:31 CET 2020 <===============
There were 136 failed login attempts since the last successful login. <=====================
Last login: Sat Mar 14 22:48:58 2020 from 146.107.158.156
ha-idg-1:~ #”
I never got messages like that before.
The host has been running fine for several months already and is not accessible from the internet.
Neither /var/log/messages nor lastlog gave me any clue about the reason for that.
In /var/log/messages I don't find any information at the timestamp 03/14/2020 23:39:31 !?!
Where/what else can I look for?
Is it helpful to install fail2ban, and for what reason?
Bernd
I found /var/log/faillog, but didn’t find an executable named faillog to read it.
It’s a binary logfile.
Neither via zypper nor via https://software.opensuse.org/package/.
Bernd
Hi
Is /var/log/wtmp present? If so, you can use the last and lastb commands.
Hi Malcolm,
I knew last, but not lastb.
This is what i got:
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:39 - 23:39 (00:00)
root Sat Mar 14 23:38 - 23:38 (00:00)
root Sat Mar 14 23:38 - 23:38 (00:00)
…
Exactly 136 lines like that. But what do they tell me?
Bernd
Hi
Those are the only entries relating to failed attempts? Use the -F option for more info as well as the IP address…
lastb -F | more
Hi,
lastb -awF:
root Sat Mar 14 23:39:31 2020 - Sat Mar 14 23:39:31 2020 (00:00)
root Sat Mar 14 23:39:29 2020 - Sat Mar 14 23:39:29 2020 (00:00)
root Sat Mar 14 23:39:26 2020 - Sat Mar 14 23:39:26 2020 (00:00)
root Sat Mar 14 23:39:24 2020 - Sat Mar 14 23:39:24 2020 (00:00)
root Sat Mar 14 23:39:21 2020 - Sat Mar 14 23:39:21 2020 (00:00)
root Sat Mar 14 23:39:19 2020 - Sat Mar 14 23:39:19 2020 (00:00)
root Sat Mar 14 23:39:16 2020 - Sat Mar 14 23:39:16 2020 (00:00)
root Sat Mar 14 23:39:13 2020 - Sat Mar 14 23:39:13 2020 (00:00)
root Sat Mar 14 23:39:11 2020 - Sat Mar 14 23:39:11 2020 (00:00)
root Sat Mar 14 23:39:08 2020 - Sat Mar 14 23:39:08 2020 (00:00)
root Sat Mar 14 23:39:06 2020 - Sat Mar 14 23:39:06 2020 (00:00)
root Sat Mar 14 23:39:03 2020 - Sat Mar 14 23:39:03 2020 (00:00)
root Sat Mar 14 23:39:01 2020 - Sat Mar 14 23:39:01 2020 (00:00)
root Sat Mar 14 23:38:58 2020 - Sat Mar 14 23:38:58 2020 (00:00)
…
Not really more clarifying.
Bernd
Hi
Do you have both btmp and wtmp?
I see;
cat /etc/os-release
NAME="SLES"
VERSION="12-SP4"
VERSION_ID="12.4"
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP4"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:12:sp4"
ls /var/log/*tmp
/var/log/btmp /var/log/wtmp
lastb -awF
username ssh:notty Wed Jan 15 16:21:16 2020 - Wed Jan 15 16:21:16 2020 (00:00) 192.168.10.50
btmp begins Wed Jan 15 16:21:16 2020
Maybe a local cron job gone wayward, or log rotation since it’s at midnight?
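Bernd's lastb output shows only a user name and a timestamp, while Malcolm's shows what an sshd failure normally looks like: the line "ssh:notty" plus the peer address. The script below is an added example, not code from this thread or from SUSE; it decodes /var/log/btmp directly, using glibc's 384-byte utmp record layout (the one on x86_64 SLES 12), and prints every field of each record, including the tty line, host, binary address and record type that lastb leaves blank when they are empty. It then counts failures per user and source and finds the densest burst within 60 seconds, which separates a scripted loop from a human mistyping a password. The sample records are constructed inside the script to resemble the output quoted above (not read from the poster's machine), and the `source_of` heuristic and all function names are assumptions of this example.

```python
"""Decode a Linux btmp/wtmp file (glibc utmp records) and summarise failed logins.

Added example for the thread above, not code from the forum or from SUSE.
Assumes the 384-byte glibc utmp record layout (x86_64 SLES 12); sample
records are constructed here, not taken from the poster's host.
"""
import socket
import struct
from collections import Counter, defaultdict
from datetime import datetime, timezone

# glibc <bits/utmp.h>: short ut_type, 2 pad bytes, pid_t ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], exit_status (2 shorts), int32 ut_session,
# ut_tv (int32 sec, int32 usec), ut_addr_v6 (16 bytes), 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384, UTMP_SIZE

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME",
            4: "OLD_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """utmp strings are NUL-padded and not necessarily NUL-terminated."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw16: bytes) -> str:
    """ut_addr_v6 holds an IPv4 address in the first 4 bytes (rest zero)
    or a full IPv6 address, both in network byte order."""
    if raw16 == b"\0" * 16:
        return ""
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)


def parse_btmp(data: bytes) -> list[dict]:
    """Return one dict per non-empty record, in file order (oldest first).
    A trailing partial record (truncated file) is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         sec, usec, addr, _unused) = struct.unpack_from(UTMP_FMT, data, off)
        if ut_type == 0:
            continue
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "addr": _addr(addr),
            "time": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc),
        })
    return records


def source_of(rec: dict) -> str:
    """Heuristic (mine, not from the thread): sshd records 'ssh:notty' and the
    peer; a record with no tty, no host and no address was written by some
    other login path on the machine itself."""
    if rec["line"].startswith("ssh:"):
        return "sshd"
    if not rec["line"] and not rec["host"] and not rec["addr"]:
        return "local-no-tty"
    return "tty:" + rec["line"]


def summarize(records: list[dict], window_s: int = 60) -> dict:
    """Failures per (user, source, host) and the largest number any one key
    produced inside a sliding window of window_s seconds."""
    per_key, times = Counter(), defaultdict(list)
    for r in records:
        key = (r["user"], source_of(r), r["host"] or r["addr"])
        per_key[key] += 1
        times[key].append(r["time"].timestamp())
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        best = lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        bursts[key] = best
    return {"counts": dict(per_key), "max_in_window": bursts}


def build_record(user: str, line: str, host: str, when: datetime,
                 ut_type: int = 6, pid: int = 0, ip: str = "") -> bytes:
    """Pack one record as a btmp writer would; used only to construct sample
    input. On a real host read /var/log/btmp instead."""
    addr = socket.inet_aton(ip).ljust(16, b"\0") if ip else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"\0" * 4,
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), 0, addr, b"\0" * 20)


def sample_btmp() -> bytes:
    """Constructed input resembling the thread: one sshd failure with a peer
    address, then 136 root failures 2-3 s apart with no tty and no host."""
    out = [build_record("username", "ssh:notty", "192.168.10.50",
                        datetime(2020, 1, 15, 15, 21, 16, tzinfo=timezone.utc),
                        ip="192.168.10.50")]
    t = datetime(2020, 3, 14, 22, 38, 58, tzinfo=timezone.utc).timestamp()  # 23:38:58 CET
    for i in range(136):
        out.append(build_record("root", "", "", datetime.fromtimestamp(t, tz=timezone.utc)))
        t += 2 + (i % 2)
    return b"".join(out)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_btmp()
    recs = parse_btmp(data)
    for r in recs[-3:]:
        print(r["time"].isoformat(), r["type"], r["user"],
              r["line"] or "-", r["host"] or r["addr"] or "-")
    s = summarize(recs)
    for key, n in s["counts"].items():
        print(f"{key}: {n} failures, max {s['max_in_window'][key]} within 60 s")
```

Run it as root against the real file (`python3 btmp_summary.py /var/log/btmp`; btmp is mode 0600), and first check that `stat -c %s /var/log/btmp` is a multiple of 384, otherwise the host is using a different utmp layout and the decode will be garbage. Records that carry neither a tty line nor a host were not written by sshd, which always records `ssh:notty` and the peer address, so a run of them a few seconds apart points at something on the machine itself, which is consistent with Malcolm's cron job suggestion.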