attempted login by root on UNKNOWN

Noticed there is a much older thread with this same message, but followed the recommendations to no avail. I used "ps aug -U root | less" to kill pids one at a time until messages quit. They were appearing every minute. Got messages whether or not I was connected to network. The file causing the problem is /usr/sbin/cron -s. Since this is binary, I am not sure what it does, but renaming stops the messages and I get a new one on boot that says "/usr/sbin/cron" could not be run. This message only appears once. I am running FreeBSD 13.2-RELEASE-P4 GENERIC amd64. Does anyone know if renaming this file will hurt anything?
 
Attempted login implies they haven't actually logged in, only tried. Please stop randomly killing processes running as root. They're probably all supposed to be there.

Post the exact message you keep seeing. A couple of messages before and after would be nice to see too.
 
Can you please explain what you saw and where?

From where is root attempting to log in? Hint: There are logs that keep track of that, learn how to find them.

If you don't know what cron does, you need to do some studying before attempting to administer a Unix system.

Imagine you had asked the following question: "I got a car, and I'm getting warning messages about running into obstacles. I took a chainsaw and removed all the houses nearby, and then most of the warnings stopped. Should I delete all trees too? And what is this "steering wheel" thing in the middle of the dashboard?" Do you expect me to answer your question by giving you a lesson about trees: "There are two kinds of trees, evergreen and deciduous. Most trees have a single large trunk, which is very sturdy. Running into the tree with the car can be fatal. The correct brand of chainsaw to use on giant redwood trees is Stihl, and on lofty flowering cherries a Homelite." No, in this situation you need a basic driving class and understand the theory of ops of cars: Accelerator pedal, brake pedal, gear shift, steering wheel. Then indicator lights and gauges, and lights and mirrors and windows to observe the surroundings.
 
Attempted login implies they haven't actually logged in, only tried. Please stop randomly killing processes running as root. They're probably all supposed to be there.

Post the exact message you keep seeing. A couple of messages before and after would be nice to see too.
Code:
Oct 11 07:45:12 Gypsy kernel: ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to deny, logging disabled
Oct 11 07:45:18 Gypsy nologin[98811]: Attempted login by root on /dev/console
Oct 11 07:45:18 Gypsy kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
Oct 11 07:45:18 Gypsy root[21]: /etc/rc: WARNING: failed to start ntpd
Oct 11 07:46:00 Gypsy nologin[47251]: Attempted login by root on UNKNOWN
Oct 11 07:47:00 Gypsy nologin[59376]: Attempted login by root on UNKNOWN
Oct 11 07:48:00 Gypsy nologin[69004]: Attempted login by root on UNKNOWN
Oct 11 07:49:00 Gypsy nologin[75402]: Attempted login by root on UNKNOWN
Oct 11 07:50:00 Gypsy nologin[83046]: Attempted login by root on UNKNOWN
Oct 11 07:51:00 Gypsy nologin[88745]: Attempted login by root on UNKNOWN
Oct 11 07:52:00 Gypsy nologin[94816]: Attempted login by root on UNKNOWN
Oct 11 07:53:00 Gypsy nologin[1136]: Attempted login by root on UNKNOWN
Oct 11 07:54:00 Gypsy nologin[10239]: Attempted login by root on UNKNOWN
Oct 11 07:55:00 Gypsy nologin[23484]: Attempted login by root on UNKNOWN
Oct 11 07:56:00 Gypsy nologin[30651]: Attempted login by root on UNKNOWN
Oct 11 07:57:00 Gypsy nologin[37037]: Attempted login by root on UNKNOWN
Oct 11 07:58:00 Gypsy nologin[43225]: Attempted login by root on UNKNOWN
Oct 11 07:59:00 Gypsy nologin[48269]: Attempted login by root on UNKNOWN
Oct 11 08:00:00 Gypsy nologin[60341]: Attempted login by root on UNKNOWN
Oct 11 08:01:00 Gypsy nologin[65799]: Attempted login by root on UNKNOWN
Oct 11 08:02:00 Gypsy nologin[72017]: Attempted login by root on UNKNOWN
Oct 11 08:03:00 Gypsy nologin[77641]: Attempted login by root on UNKNOWN
Oct 11 08:04:00 Gypsy nologin[84067]: Attempted login by root on UNKNOWN
Oct 11 08:05:00 Gypsy nologin[91995]: Attempted login by root on UNKNOWN
Oct 11 08:05:16 Gypsy power_profile[96338]: changed to 'performance'
 
Should also say that I disabled root login with vipw and changed shell to /usr/sbin/nologin.
 
The "logins" (which probably aren't what a normal person would call login) are every minute, on the minute. That makes it very likely that they are not actual logins, but a process getting started that tries to run root's shell. The fact that the seconds part is zero makes it very likely that this is being started by cron. Read the man pages for cron to see how it works (hint: in the crontab(5) documentation, there is no entry for seconds!).

Then check the actual log file for logins to see whether these logins are real or not. That file is /var/log/auth.log and older versions.

Finally, read the messages up there. Who is printing them? A process that is running the nologin program (the process ID is in there too). Read the man page for nologin, and it is described there: nologin will record in the syslog that it was run.

Finally, try to understand how cron starts each process. Again, the man page for cron has that somewhere. Then you'll see that changing root's login shell to /usr/sbin/nologin is what I call a "foot shaped gun": an idea that is likely to hurt.
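
The timing argument in the post above can be checked mechanically. The following is an added example, not part of the original thread: it parses nologin syslog records in the format of the excerpt posted here and separates records with no terminal (UNKNOWN) that land on second 00 at a steady interval from records that deserve a manual look. The function names, the `min_run` threshold and the `year` default are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: records abbreviated from the syslog excerpt posted in this thread.
SAMPLE = """\
Oct 11 07:45:18 Gypsy nologin[98811]: Attempted login by root on /dev/console
Oct 11 07:46:00 Gypsy nologin[47251]: Attempted login by root on UNKNOWN
Oct 11 07:47:00 Gypsy nologin[59376]: Attempted login by root on UNKNOWN
Oct 11 07:48:00 Gypsy nologin[69004]: Attempted login by root on UNKNOWN
Oct 11 07:49:00 Gypsy nologin[75402]: Attempted login by root on UNKNOWN
Oct 11 08:05:16 Gypsy power_profile[96338]: changed to 'performance'
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ nologin\[\d+\]: "
    r"Attempted login by (?P<user>\S+) on (?P<tty>\S+)$"
)

def parse(text, year=2023):
    """Return (timestamp, user, tty) for each nologin record; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # syslog timestamps carry no year; `year` is an assumed value
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["tty"]))
    return events

def classify(events, min_run=3):
    """Separate scheduler-like records (no tty, second 00, steady gap) from the rest."""
    notty = sorted(e for e in events if e[2] == "UNKNOWN" and e[0].second == 0)
    gaps = Counter(int((b[0] - a[0]).total_seconds()) for a, b in zip(notty, notty[1:]))
    period, hits = gaps.most_common(1)[0] if gaps else (None, 0)
    # a run needs min_run records spaced by the same whole number of minutes
    scheduled = bool(period) and hits + 1 >= min_run and period % 60 == 0
    return {
        "scheduled": scheduled,
        "period_s": period if scheduled else None,
        "other": [e for e in events if not scheduled or e not in notty],
    }

if __name__ == "__main__":
    result = classify(parse(SAMPLE))
    print("scheduler-like:", result["scheduled"], "period:", result["period_s"])
    for ts, user, tty in result["other"]:
        print("review by hand:", ts, user, tty)
```

Records left in `other` are the ones to compare against /var/log/auth.log, as the post above recommends.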
 
Disabling root logins is a very bad idea, as you've found.

Why did you want to do that?

[edit] And you probably didn't reboot until after the update?
Disabled root login so no one could login remotely. Is it better to *Lock* root account?
 
for me it was a cron job that tries to detect battery level and it fails to login as root

Why would it need to login as root to detect battery level, time remaining at present load or present discharge rate, when acpiconf -i0 provides all that at normal user privileges?
 
after an update

An update to the operating system, or an upgrade of packages?

bectl list -c creation

freebsd-version -kru ; uname -aKU

pkg -vv | grep -e url -e enabled -e priority

grep pkg /var/log/messages

zgrep pkg /var/log/messages.0.bz2

Hint: /var/log/messages.0.bz2 might be far from the history that will be of interest.
 
Encountered this message after installing FreeBSD 14.1-RELEASE on a new boot disk. For me, on this particular installation, it's happening twice every hour, on the hour. (It started once every hour, but after about 5 days of the first hourly occurrence, started doing it twice every hour on the hour.) The cron job that runs at that time is 'newsyslog'. Trying to nail down if it's a particular file that newsyslog is attempting to access, or one of the other activities within /etc/newsyslog.conf that is causing the attempted login. I added the -v flag to the newsyslog command in /etc/crontab to see if it tells me anything. So far, no joy....
 