A few days ago I got a message from ASL that my firewall had been restarted. At first I assumed that my power had cycled and the machine simply rebooted. After checking my other machines, I found this was not the case. I looked at the log files and am concerned about the following:
The Admin Access log has the following:
Oct 28 03:40:37 (none) sshd[172]: Server listening on 0.0.0.0 port 22.
Oct 28 03:40:38 (none) su: (to nobody) root on /dev/console
The Notification log reads:
Oct 28 03:45:00 firewall anotifier[1602]: T:EMAIL S:[firewall.DOMAIN] [INF 000] System was restarted F:/tmp/boot.13.tmp
(EMAIL and DOMAIN replace actual data, the 'anotifier' is not a typo on my part)
So, here is the odd part... I did not log in to ASL at that time (or within weeks of that time). The e-mail notification reported my last login correctly (several weeks earlier). Assuming I were sleepwalking, it is unlikely that I would have used the console (machine is physically not easy to reach).
My configuration should be pretty secure. I do not allow SSH at all and the only incoming traffic that is allowed is DNS, which is forwarded. I have scanned the machine externally and no ports (other than DNS) appear open. As web is disabled externally, web login should not be possible. I am 99.999% sure nobody was in my house at 3:15AM.
So, any help / reassurances would be greatly appreciated.
B-