Pandiarajan_701
Aug 30, 2011
Nimbostratus
Syslog Message
Aug 30 03:43:19 local/bigip1 alert sshd[16707]: pam_unix(sshd:auth): check pass; user unknown
Could someone explain what this log message is all about?
There should be a second log line from pamd just after that one which lists the username and remote host that someone unsuccessfully attempted to authenticate via SSH with:
Jun 24 20:57:14 bigip1 sshd(pam_unix)[10879]: check pass; user unknown
Jun 24 20:57:14 bigip1 sshd(pam_unix)[10879]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
You can check SOL11719 for steps to take to mitigate brute force SSH attacks:
sol11719: Mitigating risk from SSH brute force login attacks
https://support.f5.com/kb/en-us/solutions/public/11000/700/sol11719.html
Aaron
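The pairing described in the answer above, as an added example that is not part of the original thread: it matches each "check pass; user unknown" line to the "authentication failure" line from the same sshd PID and counts failures per rhost. The function name, the sample lines (documentation-range addresses) and the trailing user= field on the last line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the two sshd/pam_unix formats seen in this thread.
SAMPLE = """\
Jun 24 20:57:14 bigip1 sshd(pam_unix)[10879]: check pass; user unknown
Jun 24 20:57:14 bigip1 sshd(pam_unix)[10879]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jun 24 20:57:20 bigip1 sshd(pam_unix)[10881]: check pass; user unknown
Jun 24 20:57:20 bigip1 sshd(pam_unix)[10881]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Aug 30 03:43:19 local/bigip1 alert sshd[16707]: pam_unix(sshd:auth): check pass; user unknown
Aug 30 03:43:19 local/bigip1 alert sshd[16707]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Aug 30 03:44:02 local/bigip1 alert sshd[16712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
"""

# Accepts both "sshd(pam_unix)[pid]: msg" and "sshd[pid]: pam_unix(sshd:auth): msg".
LINE = re.compile(
    r"sshd(?:\(pam_unix\))?\[(?P<pid>\d+)\]:\s*"
    r"(?:pam_unix\(sshd:auth\):\s*)?(?P<msg>.*)$"
)
RHOST = re.compile(r"\brhost=(\S*)")


def failures_by_rhost(text):
    """Return (unknown_user, existing_user) Counters of failed logins per rhost."""
    unknown_pids = set()  # PIDs that logged "user unknown" and await their failure line
    unknown, existing = Counter(), Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("check pass; user unknown"):
            unknown_pids.add(pid)
        elif msg.startswith("authentication failure;"):
            r = RHOST.search(msg)
            host = (r.group(1) if r else "") or "(none)"
            if pid in unknown_pids:
                unknown_pids.discard(pid)
                unknown[host] += 1   # username does not exist on the system
            else:
                existing[host] += 1  # wrong password for an account that exists
    return unknown, existing


if __name__ == "__main__":
    unknown, existing = failures_by_rhost(SAMPLE)
    for host, n in unknown.most_common():
        print(f"{host}: {n} unknown-user failures, {existing[host]} existing-user failures")
```

A source address with many unknown-user failures is typical of username guessing, which is the case the linked solution addresses.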