What is this I'm seeing in /var/log/secure.log

bbolin

Feb 2 12:01:33 Mac com.apple.SecurityServer: authinternal failed to authenticate user hate.
Feb 2 12:01:33 Mac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Feb 2 12:01:35 Mac com.apple.SecurityServer: authinternal failed to authenticate user fuck.
Feb 2 12:01:35 Mac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Feb 2 12:01:38 Mac com.apple.SecurityServer: authinternal failed to authenticate user image.
Feb 2 12:01:38 Mac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.


Attempted logins via ssh are nothing new. The above indicate they're coming from com.apple.securityserver.

When I attempt to simulate with a bogus login and password, nothing appears in the log.

Any ideas?
 
No. See: It's com.apple.SecurityServer - that's your local "SecurityServer" service for you.
 
Well, no, those are probably trying to do something from the outside. But you made it sound as if com.apple.securityserver were an outside internet node. It's not, that is all I'm saying.
 
Do you have "Remote Login" enabled in the "Sharing" pane of the System Preferences? If not, then you're completely safe from ssh attacks.

Could it also be possible that someone else tried to log in locally on your machine? Or perhaps a little brother/cousin/friend/enemy/space alien was just messing around at the login screen, seeing if anything worked or would let them in?
 
sshd is enabled. I use it for remote windoze tunneled vnc session into the mac.

It's just interesting the way Darwin reports the attempted login. Below is more of a unixy way of reporting it.

Feb 3 10:51:50 mail sshd[65841]: Failed password for illegal user foobar from x.x.x.x port 49482 ssh2

Local server name is mail. The remote host is x.x.x.x
 
All that is going on is that Apple is using the Java-esque qualified name for the service. In your original message the server name was Mac (mail in the second) and the process was com.apple.SecurityServer (sshd in the second). The original log entries did not contain any mention of the remote host.

This is exactly the same as the unixy way in your second example; you are just getting thrown by the logging service name looking a bit different.
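
Added example, not part of any post in this thread: a small Python parser that reads both log formats quoted above, merges each SecurityServer pair into one failed-login event, and uses the "by process" field to tell sshd attempts from local ones. The user names, the third entry's right and process path, and the remote address are constructed sample values, and pairing the two SecurityServer lines by identical timestamp is an assumption based on the lines shown in the thread.

```python
import re

# Constructed sample in the two formats quoted in the thread (user names,
# the third entry's right/process path and the remote address are made up).
SAMPLE = """\
Feb 2 12:01:33 Mac com.apple.SecurityServer: authinternal failed to authenticate user alice.
Feb 2 12:01:33 Mac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Feb 2 12:01:35 Mac com.apple.SecurityServer: authinternal failed to authenticate user bob.
Feb 2 12:01:35 Mac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Feb 2 12:05:10 Mac com.apple.SecurityServer: authinternal failed to authenticate user carol.
Feb 2 12:05:10 Mac com.apple.SecurityServer: Failed to authorize right system.login.console by process /path/to/local-login-process for authorization created by /path/to/local-login-process.
Feb 3 10:51:50 mail sshd[65841]: Failed password for illegal user foobar from 192.0.2.10 port 49482 ssh2
"""

PREFIX = r"^(\w{3}\s+\d+ [\d:]+) (\S+) "
AUTH_FAIL = re.compile(PREFIX + r"com\.apple\.SecurityServer: authinternal failed to authenticate user (.+)\.$")
RIGHT_FAIL = re.compile(PREFIX + r"com\.apple\.SecurityServer: Failed to authorize right (\S+) by process (\S+) for ")
SSHD_FAIL = re.compile(PREFIX + r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port ")

def failed_logins(text):
    """Return one dict per failed login; SecurityServer pairs become one event."""
    events, pending = [], None
    for line in text.splitlines():
        if m := AUTH_FAIL.match(line):
            pending = {"time": m[1], "host": m[2], "user": m[3],
                       "right": None, "process": None, "remote": None}
            events.append(pending)
        elif (m := RIGHT_FAIL.match(line)) and pending and pending["time"] == m[1]:
            # The follow-up line names the process that asked for the right.
            pending["right"], pending["process"] = m[3], m[4]
            pending = None
        elif m := SSHD_FAIL.match(line):
            # sshd's own format is the only one that records the remote host.
            events.append({"time": m[1], "host": m[2], "user": m[3],
                           "right": None, "process": "sshd", "remote": m[4]})
    return events

def via_sshd(events):
    """Failures that came in through sshd, in either log format."""
    return [e for e in events if (e["process"] or "").endswith("sshd")]

if __name__ == "__main__":
    for e in failed_logins(SAMPLE):
        print(e["time"], e["user"], e["process"], e["remote"] or "remote host not logged")
```
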
 