could you help interpret my logs?

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sun Oct 3 16:44:03 UTC 2004


On Sun, 03.10.2004 at 17:12, Julian Underwood wrote:

> Well I know someone was trying to gain access to my FC 2 server:

A known person?

> sshd:
>    Authentication Failures:
>       root (209.67.215.146): 59 Time(s)
>       adm (209.67.215.146): 2 Time(s)
>       apache (209.67.215.146): 1 Time(s)
>       cyrus (209.67.215.146): 1 Time(s)
>       matt (209.67.215.146): 1 Time(s)
>       mysql (209.67.215.146): 1 Time(s)
>       nobody (209.67.215.146): 1 Time(s)
>       operator (209.67.215.146): 1 Time(s)

Hm, this looks like a strategic attempt. The SSH attacks I know do not
try accounts like cyrus or apache.

> su:
>    Sessions Opened:
>       (uid=0) -> julian: 2 Time(s)
>       (uid=0) -> cyrus: 1 Time(s)
>       (uid=0) -> news: 1 Time(s)
>       julian(uid=500) -> root: 1 Time(s)
> 
> It also looks like the attacker was successful in logging in as cyrus
> and news.  Is this possible?  Could this be potentially damaging to my
> system?  Or is this something normal which I am overlooking?

From what do you conclude that the attacker logged in as cyrus and news?
I would think it was you as root doing so by running "su - $username".
(One time su'ing from julian to root.) The logwatch entries point to su
actions. If it wasn't you, then disconnect the machine from the net, as a
foreign person has root control over the host.

> Second question about my log are the following entries:
> 
> dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user

> I get about 50 of these daily, how can I make them go away?

You could comment the line 
account     sufficient   /lib/security/$ISA/pam_succeed_if.so uid < 100

in /etc/pam.d/system-auth. See
/usr/share/doc/pam-0.77/txts/README.pam_succeed_if

BUT: be very careful "hacking" in the PAM configuration! You can easily
get into a state where no login at all is possible due to misconfiguration.

> Julian

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 18:32:19 up 3 days, 20:58, load average: 0.21, 0.32, 0.42 
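The reply above reads the logwatch summary by hand: one source address, many failures, and a sweep over accounts like cyrus and apache that a normal user never logs in with. The following script is an added example (not code from the original thread or from logwatch) that applies that same reasoning to raw sshd lines from /var/log/secure. It aggregates failures per source address, records which usernames each source tried, and flags a source that either cycles through several distinct accounts or touches a service account. The log lines, addresses, and the service-account list are constructed for the example; the "Illegal user" / "invalid user" wording covers both the OpenSSH version of that era and later ones.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure.
# Addresses are documentation ranges; nothing here is from the original post.
SAMPLE_LOG = """\
Oct  3 14:01:02 host sshd[2301]: Failed password for root from 203.0.113.5 port 40111 ssh2
Oct  3 14:01:05 host sshd[2303]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct  3 14:01:09 host sshd[2305]: Failed password for illegal user cyrus from 203.0.113.5 port 40113 ssh2
Oct  3 14:01:12 host sshd[2307]: Failed password for apache from 203.0.113.5 port 40114 ssh2
Oct  3 14:01:15 host sshd[2309]: Failed password for illegal user operator from 203.0.113.5 port 40115 ssh2
Oct  3 14:05:40 host sshd[2320]: Failed password for julian from 198.51.100.7 port 51000 ssh2
Oct  3 14:05:50 host sshd[2322]: Accepted password for julian from 198.51.100.7 port 51001 ssh2
"""

# Accounts that exist for daemons, not people; an SSH login attempt against
# any of them is suspicious. This list is an assumption for the example.
SERVICE_ACCOUNTS = {"adm", "apache", "cyrus", "mysql", "news", "nobody", "operator"}

# Matches both "Failed password for root from 1.2.3.4" and
# "Failed password for illegal user cyrus from 1.2.3.4" (or "invalid user").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+)",
    re.IGNORECASE,
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) for every failed sshd login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return failures


def summarize_by_source(log_text):
    """Aggregate failures per source IP: total count and the set of usernames tried."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for user, ip in parse_failures(log_text):
        summary[ip]["count"] += 1
        summary[ip]["users"].add(user)
    return dict(summary)


def flag_sweeps(summary, min_distinct_users=3, service_accounts=SERVICE_ACCOUNTS):
    """Return {ip: reason} for sources that look like an account sweep.

    A source is flagged when it tried at least min_distinct_users different
    accounts, or when it tried any service account at all; a single user
    mistyping their own password is left alone.
    """
    flagged = {}
    for ip, info in summary.items():
        tried_services = sorted(info["users"] & service_accounts)
        if tried_services:
            flagged[ip] = "tried service accounts: " + ", ".join(tried_services)
        elif len(info["users"]) >= min_distinct_users:
            flagged[ip] = "tried %d distinct accounts" % len(info["users"])
    return flagged


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_LOG)
    for ip, info in sorted(summary.items()):
        print("%s: %d failures, users=%s" % (ip, info["count"], sorted(info["users"])))
    for ip, reason in flag_sweeps(summary).items():
        print("FLAG %s: %s" % (ip, reason))
```

Run against a real file with `summarize_by_source(open("/var/log/secure").read())`. The distinct-user threshold is what separates the pattern in the thread (one address walking root, adm, apache, cyrus, ...) from a legitimate user fumbling a password, which is exactly the distinction the reply draws.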