Trying to be hacked, but no IP address to the hacker!


johnny_b
03-26-2006, 11:17 AM
Hello. Some days went by before I, by luck, read my logs for some reason and noticed that somebody had tried to hack my machine. He had been trying with a lot of different usernames; in this case it's "robert", which is not my name :) This is his/her attempt at 12:56:30 UTC or 14:56:30 GMT+2; the list of entries like this goes on and on...

asl.log
[Time 2006.03.26 12:56:30 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user robert.] [Level 3] [UID -2] [GID -2] [Host jb]
[Time 2006.03.26 12:56:30 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host jb]

secure.log
Mar 26 14:56:30 jb com.apple.SecurityServer: authinternal failed to authenticate user robert.
Mar 26 14:56:30 jb com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.

How is this possible? I've been on this for two days now trying to find an IP address, but that is the only trace of him. Are there some exploits in 10.4.5 that enable people to hack from localhost or something?

hayne
03-26-2006, 11:34 AM
The log messages are referring to 'sshd' which is the server-side component of what is called "Remote Login" in the Sharing preferences.
Do you have "Remote Login" enabled?
If so, you should make sure that you have it configured to be as secure as possible - see the articles on the main macosxhints site about this (search for /etc/sshd_config) and then get used to the fact that you will have lots of attempts to break in via SSH as long as you have it enabled. It is best to enable it only when needed or only for access from certain IP addresses, etc.

johnny_b
03-26-2006, 12:32 PM
I know what ssh is. That was not the question. The question was why his IP didn't appear. I'm looking into securing it better, but that was not the question :) And yes ssh is enabled.

hayne
03-26-2006, 01:03 PM
"The question was why his IP didn't appear."
I think I recall some threads on these forums discussing why the IP addresses of SSH attempts didn't appear in the logs. I think it is a matter of the logging configuration having changed with Tiger. There's a way to get it to log the IP addresses - look for those other threads. Or maybe it was an article on the main macosxhints site?

johnny_b
03-26-2006, 02:48 PM
Been searching this forum and Google now. Can't seem to find anything about this.

When I try to log in with a wrong username and password from one of my other machines, its IP shows up in the logs.

johnny_b
03-26-2006, 02:53 PM
Think I found it...

http://forums.macosxhints.com/archive/index.php/t-39527.html

I'll look more into it after some sleep...

hayne
03-26-2006, 02:58 PM
Here's at least one relevant thread: http://forums.macosxhints.com/showthread.php?t=39527

Oh - I see you found it too.

ArtemisG3
03-28-2006, 03:26 PM
I just looked in my logs and have the same attempts:

robert
james
john
alex
jason
justin
jessica
peter
and on, and on...

voldenuit
04-01-2006, 12:42 PM
I have never seen this kind of crap in my logs again since I started running sshd on a high port.

Some config work, but once it's running, you have an extra layer of security when the next bug in ssh shows up.

And cleaner logs.

Of course, if you have reason to believe that someone is specifically out to get +you+, this is not helpful, but the standard random attacks get completely filtered.
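
Added example, not part of any post in this thread: a Python sketch that parses the asl.log record layout quoted in the first post, tallies the usernames being guessed (as in ArtemisG3's list), flags minutes in which several distinct names were tried, and counts how many failure records carry an IPv4 address. The sample records are constructed from the format and usernames shown above with invented timestamps; the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"\[(\w+) ([^\]]*)\]")            # one "[Key value]" pair
FAILED_RE = re.compile(r"failed to authenticate user (\S+?)\.$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def asl_line(time, message, level):
    """Build a constructed record in the asl.log layout quoted in the thread."""
    return (f"[Time {time} UTC] [Facility authpriv] "
            f"[Sender com.apple.SecurityServer] [PID -1] [Message {message}] "
            f"[Level {level}] [UID -2] [GID -2] [Host jb]")

DENIED = ("Failed to authorize right system.login.tty by process /usr/sbin/sshd "
          "for authorization created by /usr/sbin/sshd.")
# Constructed sample: usernames taken from the posts, timestamps invented.
SAMPLE = "\n".join(
    line
    for t, user in [("2006.03.26 12:56:30", "robert"), ("2006.03.26 12:56:33", "james"),
                    ("2006.03.26 12:56:36", "john"), ("2006.03.26 12:57:02", "robert")]
    for line in (asl_line(t, f"authinternal failed to authenticate user {user}.", 3),
                 asl_line(t, DENIED, 5))
)

def parse_record(line):
    """Split '[Key value] [Key value] ...' into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def summarize(text, threshold=3):
    """Tally failed usernames, flag minutes with many distinct names, count IPs."""
    users, by_minute, with_ip = Counter(), defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_record(line)
        hit = FAILED_RE.search(rec.get("Message", ""))
        if not hit:
            continue                                     # not an authentication failure
        users[hit.group(1)] += 1
        by_minute[rec.get("Time", "")[:16]].add(hit.group(1))   # YYYY.MM.DD HH:MM
        with_ip += bool(IPV4_RE.search(rec["Message"]))
    bursts = sorted(m for m, names in by_minute.items() if len(names) >= threshold)
    return {"users": dict(users), "bursts": bursts, "records_with_ip": with_ip}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On records shaped like the ones quoted in the first post, `records_with_ip` stays at zero: the SecurityServer entries name the user but carry no client address, which is the gap the thread is asking about.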