On AIX, space in the /etc directory recently ran out; the culprit was /etc/security/failedlogin.

I dumped everything to a file for analysis:

    who -a /etc/security/failedlogin >/tmp/failedlogin
    superadmin — ssh Sep 22 16:30 ?
    superadmin — ssh Sep 22 16:31 ?
    superadmin — ssh Sep 22 16:31 ?
    superadmin — ssh Sep 22 16:31 ?
    superadmin — ssh Sep 22 16:31 ?
    superadmin — ssh Sep 22 16:31 ?
    superadmin — ssh Sep 22 16:31 ?

It turned out that one user filled the entire log. It is a service on another host that constantly checks over SFTP whether there are any files for it. The service works fine. You can also log in manually via SFTP as the user superuser.

For further analysis, I enabled debugging to see the details in /var/log/auth.log:

    Sep 4 17:10:41 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 192.168.33.175
    Sep 4 17:10:41 db-bo-test auth|security:info sshd[37945458]: Accepted password for superadmin from 192.168.33.175 port 52260 ssh2
    Sep 4 17:10:44 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 192.168.33.175
    Sep 4 17:10:44 db-bo-test auth|security:info sshd[34144358]: Accepted password for superadmin from 192.168.33.175 port 52261 ssh2
    Sep 4 17:10:56 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 192.168.33.175
    Sep 4 17:10:56 db-bo-test auth|security:info sshd[34013270]: Accepted password for superadmin from 192.168.33.175 port 52266 ssh2

As you can see, the password is accepted, but there are also failed login records.

At this point I don't know where to look next; I need to understand why these records appear at all. Knowledgeable people, please help.

cat /etc/ssh/sshd_config

    PasswordAuthentication yes
    Match Group staff
        ForceCommand internal-sftp -u 73
    Match User superuser
        ForceCommand internal-sftp -u 73

crontab -l

    #0 3 * * * /usr/sbin/skulker
    #45 2 * * 0 /usr/lib/spell/compress
    #45 23 * * * ulimit 5000; /usr/lib/smdemon.cleanu > /dev/null
    0 11 * * * /usr/bin/errclear -d S,O 30
    0 12 * * * /usr/bin/errclear -d H 90
    0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/sbin/dumpctrl -k >/dev/null 2>/dev/null
    0 15 * * * /usr/lib/ras/dumpcheck >/dev/null 2>&1
    55 23 * * * /var/perf/pm/bin/pmcfg >/dev/null 2>&1 #Enable PM Data Collection

  • Honestly, I'm not sure what it will give, but try tcpdump to see what comes from 192.168.33.175. Maybe you'll see something interesting. - MANKK
  • Is a new child process not being started for you? Could you post the crontab -l output? What is PermitRootLogin set to in sshd_config? - Senior Pomidor
  • Added crontab -l and sshd_config to the question body - igaraev
  • Processes are started; it is not clear why the log reports a failed login. - igaraev
  • What do you get when running ssh -v -l superadmin etr6506l3-aix93.ca.com? - Senior Pomidor

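As an added triage example (not code from the question or its commenters), this Python script parses lines in the format of the AIX auth.log excerpt above and, per (user, source) pair, separates failed attempts that are immediately followed by an accepted login from failures that stand alone; the sample lines are constructed, and the 2-second window and the verdict labels are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the auth.log excerpt in the question
SAMPLE_LOG = """\
Sep 4 17:10:41 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 192.168.33.175
Sep 4 17:10:41 db-bo-test auth|security:info sshd[37945458]: Accepted password for superadmin from 192.168.33.175 port 52260 ssh2
Sep 4 17:10:44 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 192.168.33.175
Sep 4 17:10:44 db-bo-test auth|security:info sshd[34144358]: Accepted password for superadmin from 192.168.33.175 port 52261 ssh2
Sep 4 17:12:00 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 10.0.0.9
Sep 4 17:12:01 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 10.0.0.9
Sep 4 17:12:02 db-bo-test auth|security:info syslog: ssh: failed login attempt for superadmin from 10.0.0.9
"""

FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*failed login attempt for (\S+) from (\S+)")
ACCEPT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*Accepted \w+ for (\S+) from (\S+) port")


def parse_ts(text):
    # syslog timestamps carry no year; the year is irrelevant for deltas
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def classify(log_text, window=2):
    """Return {(user, src): {paired_failures, unpaired_failures, verdict}}."""
    events = defaultdict(list)  # (user, src) -> [(timestamp, kind)]
    for line in log_text.splitlines():
        m, kind = FAILED_RE.match(line), "failed"
        if not m:
            m, kind = ACCEPT_RE.match(line), "accepted"
        if not m:
            continue  # unrelated syslog line
        ts, user, src = m.groups()
        events[(user, src)].append((parse_ts(ts), kind))
    result = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])  # stable: same-second order stays as logged
        paired = unpaired = 0
        for i, (ts, kind) in enumerate(evs):
            if kind != "failed":
                continue
            # kinds of the events that follow this failure within the window
            following = [k for t, k in evs[i + 1:] if (t - ts).total_seconds() <= window]
            if "accepted" in following:
                paired += 1  # failure immediately followed by a successful login
            else:
                unpaired += 1  # failure with no success close behind it
        verdict = "failed-then-accepted" if paired and not unpaired else "investigate"
        result[key] = {"paired_failures": paired, "unpaired_failures": unpaired, "verdict": verdict}
    return result
```

Run it over the real file with `classify(open("/var/log/auth.log").read())`; sources whose failures are never followed by a success stand out from a client that fails once and then authenticates.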