could you help interpret my logs?
Alexander Dalloz
alexander.dalloz at uni-bielefeld.de
Sun Oct 3 16:44:03 UTC 2004
On Sun, 03.10.2004 at 17:12, Julian Underwood wrote:
> Well I know someone was trying to gain access to my FC 2 server:
A known person?
> sshd:
> Authentication Failures:
> root (209.67.215.146): 59 Time(s)
> adm (209.67.215.146): 2 Time(s)
> apache (209.67.215.146): 1 Time(s)
> cyrus (209.67.215.146): 1 Time(s)
> matt (209.67.215.146): 1 Time(s)
> mysql (209.67.215.146): 1 Time(s)
> nobody (209.67.215.146): 1 Time(s)
> operator (209.67.215.146): 1 Time(s)
Hm, this looks like a strategic attempt. The SSH attacks I know do not
try accounts like cyrus or apache.
> su:
> Sessions Opened:
> (uid=0) -> julian: 2 Time(s)
> (uid=0) -> cyrus: 1 Time(s)
> (uid=0) -> news: 1 Time(s)
> julian(uid=500) -> root: 1 Time(s)
>
> It also looks like the attacker was successful in logging in as cyrus
> and news. Is this possible? Could this be potentially damaging to my
> system? Or is this something normal which I am overlooking?
From what do you conclude that the attacker logged in as cyrus and news?
I would think it was you as root doing so by running "su - $username".
(One time su'ing from julian to root.) The logwatch entries point to su
actions. If it wasn't you, then disconnect the machine from the net, as a
foreign person has root control over the host.
> My second question about my log concerns the following entries:
>
> dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user
> I get about 50 of these daily, how can I make them go away?
You could comment the line
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
in /etc/pam.d/system-auth. See
/usr/share/doc/pam-0.77/txts/README.pam_succeed_if
BUT: be very careful "hacking" in the PAM configuration! You can easily
get into a state where no login is possible due to misconfiguration.
> Julian
Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 18:32:19 up 3 days, 20:58, load average: 0.21, 0.32, 0.42
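As an added example (not part of the thread), a small Python script that reads the logwatch summary format quoted above and makes the two distinctions Alexander draws: which source address is hammering which accounts (service accounts such as cyrus or apache included), and whether an su entry is root switching down to a user or a user switching up to root. The sample text is constructed from the quoted entries, and SERVICE_ACCOUNTS is an assumed list of accounts that should never log in over SSH.

```python
import re
from collections import defaultdict

# Constructed sample in logwatch's summary format, mirroring the entries
# quoted in the thread (same accounts and source address).
LOGWATCH_SAMPLE = """\
sshd:
Authentication Failures:
   root (209.67.215.146): 59 Time(s)
   adm (209.67.215.146): 2 Time(s)
   apache (209.67.215.146): 1 Time(s)
   cyrus (209.67.215.146): 1 Time(s)
   matt (209.67.215.146): 1 Time(s)
su:
Sessions Opened:
   (uid=0) -> julian: 2 Time(s)
   (uid=0) -> cyrus: 1 Time(s)
   (uid=0) -> news: 1 Time(s)
   julian(uid=500) -> root: 1 Time(s)
"""

# Assumed list: system/service accounts that should never log in over SSH.
SERVICE_ACCOUNTS = {"adm", "apache", "cyrus", "mysql", "nobody", "operator", "news"}

FAIL_RE = re.compile(r"^\s*(\S+) \((\d+\.\d+\.\d+\.\d+)\): (\d+) Time\(s\)$", re.M)
SU_RE = re.compile(r"^\s*(\w*)\(uid=(\d+)\) -> (\w+): (\d+) Time\(s\)$", re.M)

def failures_by_source(text):
    """Aggregate sshd failures per source IP: total count and targeted accounts."""
    per_ip = defaultdict(lambda: {"total": 0, "accounts": set(), "service_accounts": set()})
    for user, ip, count in FAIL_RE.findall(text):
        entry = per_ip[ip]
        entry["total"] += int(count)
        entry["accounts"].add(user)
        if user in SERVICE_ACCOUNTS:
            entry["service_accounts"].add(user)
    return dict(per_ip)

def classify_su(text):
    """Label each su entry: root switching down to a user is an admin action,
    an unprivileged user switching to root is the one to verify."""
    labels = {}
    for src, uid, dst, count in SU_RE.findall(text):
        key = f"{src or 'root'}->{dst}"
        if uid == "0":
            labels[key] = "root su'ing to user (administrative; not an SSH login as that user)"
        elif dst == "root":
            labels[key] = "user escalating to root (confirm this was you)"
        else:
            labels[key] = "user-to-user su"
    return labels
```

A su entry of the form "(uid=0) -> cyrus" is therefore reported as root's own action, which is the point Alexander makes: it is not evidence that someone authenticated over SSH as cyrus.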