LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-01-2013, 09:54 AM   #1
dragon32
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Rep: Reputation: Disabled
ssh login requests from 127.0.0.1


Hello everyone, my first post on here, go easy on me :-)

I am getting the following in my /var/log/auth.log file (see below). This is repeated every 5 minutes. I have put the bit I am concerned about in red. I have tried putting root in my AllowedUsers section of sshd_config and tried setting PermitRootLogin yes too. It makes no difference. In either case I want to find out what process is trying to connect from my local host (assume) to my local host on ssh2, why it wants to, and why it is failing. This has been driving me mad for 24hrs now. Any ideas gratefully received.

Thanks D.

Jun 1 14:40:02 SDSHU CRON[23875]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23874]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23876]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:05 SDSHU sshd[23964]: Connection from 127.0.0.1 port 38136
Jun 1 14:40:05 SDSHU CRON[23874]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:05 SDSHU sshd[23964]: Failed none for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:05 SDSHU sshd[23964]: Failed password for root from 127.0.0.1 port 38136 ssh2

Jun 1 14:40:06 SDSHU sshd[23964]: last message repeated 2 times
Jun 1 14:40:06 SDSHU CRON[23876]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:13 SDSHU CRON[23875]: pam_unix(cron:session): session closed for user root
 
Old 06-01-2013, 12:55 PM   #2
sibe
Member
 
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122

Rep: Reputation: 21
Hi,

is there any cronjob running on the system?
 
Old 06-01-2013, 03:26 PM   #3
dragon32
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi, yes there are a number of cron jobs, but if it's one of these which is making the request to SSH I wouldn't know how to tell which one, what it's doing and why it failed. Any further help gratefully received. Thanks.
 
Old 06-01-2013, 05:03 PM   #4
sibe
Member
 
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122

Rep: Reputation: 21
--
Well it seems that your cronjobs were trying to connect to sshd on port 38136 and failed. Did you change the root password recently?

I'd suggest that you inspect those cron scripts to see what they are really doing.
 
Old 06-02-2013, 01:22 AM   #5
dragon32
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
OK, thanks. I'm using the security onion distro. Having searched around the security onion forums I found there is a cron job that runs every 5 minutes. It calls a script to restart sensors when needed. I'll take a look at that script for clues. With regard to the root password, no, I never set one and apparently one isn't set as default, and the account should be locked according to Doug who put the Security Onion together. Which is odd as I can access it with sudo su. I did install the remote access server NX and recall having a fight getting that to work with ssh2, not sure if something I did there has caused a problem. I'll investigate that too. Thanks for your help so far.
 
Old 06-02-2013, 03:15 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
...additionally while you're at it please undo this:
Quote:
Originally Posted by dragon32
I have tried putting root in my AllowedUsers section of sshd_config and tried setting PermitRootLogin yes too.
Security best practices say root should not log in over the network: use an unprivileged user account and pubkey auth only.
 
Old 06-02-2013, 03:35 PM   #7
dragon32
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
unSpawn, thanks, I am aware of that. However, there is a process trying to use ssh with root. Security onion has permitrootlogin as yes by default. Changing it to no was one of the changes I made originally, I thought it could have some bearing on this issue so I changed it back. Doing so removed other errors, notably one telling logging in from root wasn't permitted. I agree whatever is using it shouldn't be using it, if I can find what it is I'll try and amend it to not use root.
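
Added example, not part of any post in this thread: one way to narrow down the question from post #1 is to correlate each sshd connection from loopback with the cron sessions that were open at that moment. The function names and the `year` default are assumptions; the sample input is the auth.log excerpt quoted in post #1.

```python
import re
from datetime import datetime
# Constructed sample input: the auth.log lines quoted in post #1 of this thread.
SAMPLE = """\
Jun 1 14:40:02 SDSHU CRON[23875]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23874]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23876]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:05 SDSHU sshd[23964]: Connection from 127.0.0.1 port 38136
Jun 1 14:40:05 SDSHU CRON[23874]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:05 SDSHU sshd[23964]: Failed none for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:05 SDSHU sshd[23964]: Failed password for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:06 SDSHU sshd[23964]: last message repeated 2 times
Jun 1 14:40:06 SDSHU CRON[23876]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:13 SDSHU CRON[23875]: pam_unix(cron:session): session closed for user root
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)\[(\d+)\]: (.*)$")
CONN = re.compile(r"Connection from (127\.0\.0\.1|::1) port (\d+)")
FAIL = re.compile(r"Failed (\S+) for (\S+) from")

def parse(text, year=2013):
    """Yield (timestamp, program, pid, message); syslog lines carry no year."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def loopback_ssh_report(text):
    """Per loopback sshd connection: cron PIDs whose open..close window covers it."""
    events = list(parse(text))
    opened = {p: t for t, prog, p, msg in events if prog == "CRON" and "session opened" in msg}
    closed = {p: t for t, prog, p, msg in events if prog == "CRON" and "session closed" in msg}
    report = []
    for ts, prog, pid, msg in events:
        conn = CONN.match(msg) if prog == "sshd" else None
        if conn:
            fails = [FAIL.match(m) for _, pr, p, m in events if pr == "sshd" and p == pid]
            report.append({
                "sshd_pid": pid,
                "src_port": int(conn.group(2)),  # client's ephemeral source port, not the listener
                "users": sorted({f.group(2) for f in fails if f}),
                "methods": [f.group(1) for f in fails if f],
                "cron_pids": sorted(p for p, t0 in opened.items()
                                    if t0 <= ts <= closed.get(p, datetime.max)),
            })
    return report

if __name__ == "__main__":
    print(loopback_ssh_report(SAMPLE))
```

On this excerpt all three cron sessions overlap the connection, so the log alone does not single one out. On Debian and Ubuntu, cron typically also writes a `CMD (...)` line per job to /var/log/syslog at the same timestamp, which names the scripts to inspect.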
 
  

