Security Question

Scott Becker scottb at bxwa.com
Tue Feb 15 22:11:53 UTC 2005


I've already set a proper password but on a twin testing machine the !!s 
are there, before and after running my setup commands to change the 
shell. Here's the top of message with the login and logout lines:

Feb 13 04:05:24 backup syslogd 1.4.1: restart.
Feb 13 05:39:25 backup named[31607]: lame server resolving 
'191.236.191.211.in-addr.arpa' (in '236.191.211.in-addr.arpa'?): 
203.251.201.1#53
Feb 13 05:45:51 backup named[31607]: lame server resolving 
'201.32.110.61.in-addr.arpa' (in '32.110.61.in-addr.arpa'?): 
203.240.193.11#53
Feb 13 05:45:51 backup named[31607]: lame server resolving 
'201.32.110.61.in-addr.arpa' (in '32.110.61.in-addr.arpa'?): 
203.251.201.1#53
Feb 13 06:36:09 backup sshd(pam_unix)[422]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= 
rhost=dsl-82-199-133-138.dutchdsl.nl  user=apache
Feb 13 06:36:17 backup sshd(pam_unix)[425]: session opened for user 
apache by (uid=48)
Feb 13 06:53:58 backup named[31607]: lame server resolving 
'173.4.248.61.in-addr.arpa' (in '4.248.61.in-addr.arpa'?): 203.240.193.11#53
Feb 13 06:53:58 backup named[31607]: lame server resolving 
'173.4.248.61.in-addr.arpa' (in '4.248.61.in-addr.arpa'?): 203.251.201.1#53
Feb 13 07:00:44 backup sshd(pam_unix)[425]: session closed for user apache
Feb 13 07:39:19 backup sshd(pam_unix)[710]: check pass; user unknown
Feb 13 07:39:19 backup sshd(pam_unix)[710]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131
Feb 13 07:39:23 backup sshd(pam_unix)[713]: check pass; user unknown
Feb 13 07:39:23 backup sshd(pam_unix)[713]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131
Feb 13 07:39:27 backup sshd(pam_unix)[715]: check pass; user unknown
Feb 13 07:39:27 backup sshd(pam_unix)[715]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131
Feb 13 07:39:31 backup sshd(pam_unix)[717]: check pass; user unknown
Feb 13 07:39:31 backup sshd(pam_unix)[717]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131
Feb 13 07:39:34 backup sshd(pam_unix)[720]: check pass; user unknown
Feb 13 07:39:34 backup sshd(pam_unix)[720]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131
Feb 13 07:39:38 backup sshd(pam_unix)[722]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131  user=root
Feb 13 07:39:42 backup sshd(pam_unix)[724]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131  user=root
Feb 13 07:39:46 backup sshd(pam_unix)[726]: authentication failure; 
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.184.142.131  user=root


One failed attempt, one successful attempt and a logout 24 minutes later.

    scottb



Tomas Mraz wrote:

>On Mon, 2005-02-14 at 10:57 -0800, Scott Becker wrote:
>What does 'getent shadow apache' give you if you call it from the root
>account?
>If it's something like:  
>apache:!!:xxxxx::::::
>       ^^ note these. If the exclamation marks are missing it means that
>this account is without a password and nullok allows login to it. But
>if the !! (or *) is there it means something is broken on your system if
>it allowed login to that account. Can you find the messages from
>the /var/log/ surrounding the 'apache logged in from
>dsl-82-199-133-138.dutchdsl.nl (82.199.133.138)' message?
>
>  
>
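An added example, not part of the original thread: a small Python check that cross-references pam_unix "session opened" lines with the password field of each shadow entry, flagging sessions for accounts whose field is locked (`!!`, `*`) or empty. The function names, the `backupop` account and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample data for illustration; not taken from the poster's machines.
SAMPLE_SHADOW = """\
root:$1$constructed$placeholderhash:12800:0:99999:7:::
apache:!!:12800::::::
backupop::12800::::::
"""
SAMPLE_LOG = """\
Feb 13 06:36:17 backup sshd(pam_unix)[425]: session opened for user apache by (uid=48)
Feb 13 07:00:44 backup sshd(pam_unix)[425]: session closed for user apache
Feb 13 08:00:00 backup sshd(pam_unix)[900]: session opened for user root by (uid=0)
Feb 13 09:00:00 backup sshd(pam_unix)[950]: session opened for user backupop by (uid=0)
"""

# Matches the pam_unix session line format shown in the thread's log.
SESSION_RE = re.compile(r"sshd\(pam_unix\)\[(\d+)\]: session opened for user (\S+)")

def password_state(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"    # no password set; nullok would allow login
    if field[0] in "!*":
        return "locked"   # '!!', '!' or '*': no password can match
    return "hashed"       # a normal password hash

def parse_shadow(text):
    """Map user name -> password state from shadow-format lines."""
    states = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            states[parts[0]] = password_state(parts[1])
    return states

def suspicious_sessions(shadow_text, log_text):
    """Return (user, state, sshd pid) for sessions opened on accounts
    that do not have a normal password hash."""
    states = parse_shadow(shadow_text)
    findings = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            state = states.get(m.group(2), "unknown")
            if state != "hashed":
                findings.append((m.group(2), state, m.group(1)))
    return findings

if __name__ == "__main__":
    for user, state, pid in suspicious_sessions(SAMPLE_SHADOW, SAMPLE_LOG):
        print(f"sshd[{pid}]: session for '{user}' but password field is {state}")
```

To use it on a real host, feed it the output of `getent shadow` (run as root) and the contents of the messages log in place of the constructed samples.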
