Raquel wrote:
On Thu, 12 Feb 2009 19:40:16 +1100
Alex Samad wrote:
this is ssh complaining about incorrect password being supplied, I
presume you do not allow password authentication for root !
This is some script kiddie or mutant pc try brute attack against
your sshd server, try fail2ban
I
On Thu, 12 Feb 2009 19:40:16 +1100
Alex Samad wrote:
> this is ssh complaining about incorrect password being supplied, I
> presume you do not allow password authentication for root !
>
> This is some script kiddie or mutant pc try brute attack against
> your sshd server, try fail2ban
I used to
* Kevin Philp [2009 Feb 12 05:25 -0600]:
> 6. If it's convenient switch to a different port - the brute force
> attackers just scan blocks of IP addresses at port 22 - if you are using
> port 22 you are much less likely to be scanned.
Perhaps you meant, "if you are _not_ using port 22 you are
e been blocked for a few minutes - they just move on.
Kevin.
Jochen Schulz wrote:
Norman Bird:
I decided to check the auth.log and started freaking out because I saw a lot
of POSSIBLE BREAK-IN lines.
It says "possible break-in *attempt*". But either way, it is harmless.
A
Norman Bird:
> I decided to check the auth.log and started freaking out because I saw a lot
> of POSSIBLE BREAK-IN lines.
It says "possible break-in *attempt*". But either way, it is harmless.
And, by the way: do you think a smart attacker who gained root on your
machine would
On Thu, Feb 12, 2009 at 12:57:21AM -0500, Norman Bird wrote:
> I decided to check the auth.log and started freaking out because I saw a lot
> of POSSIBLE BREAK-IN lines. Then I saw root logging in so I was panicking.
> But as I really reviewed them it seems that the actual root logins were
I decided to check the auth.log and started freaking out because I saw a lot
of POSSIBLE BREAK-IN lines. Then I saw root logging in so I was panicking.
But as I really reviewed them it seems that the actual root logins were by
CRON and the nobody logins were system related. Please look this over and
Does anyone know why syslog, auth.log, and other similar system log files
are each rotated by their own separate cron job rather by logrotate? Is
there any reason not to have logrotate handle all of those log files?
--
Adam Rosi-Kessel
http://adam.rosi-kessel.org
On Fri, Dec 02, 2005 at 06:34:04PM -0500, Roberto C. Sanchez wrote:
> On Fri, Dec 02, 2005 at 06:30:46PM -0500, Amish Rughoonundon wrote:
> > Hi,
> > I deleted auth.log file by mistake and although I created it again, programs
> > don't write anything to it anymore. Any s
0 +1100, Arafangion escreveu:
> > > On Sat, 3 Dec 2005 10:42 am, René Seindal wrote:
> > > > Roberto C. Sanchez wrote (03-12-2005 00:34):
> > >
> > >
> > >
> > > > > That is because, although auth.log is gone, any file descriptors t
On Sat, 3 Dec 2005 10:55 am, Frank Gevaerts wrote:
> On Sat, Dec 03, 2005 at 09:50:28AM +1100, Arafangion wrote:
> > This leads to an interesting question - are there any tools that can
> > reveal "lost" files - those who no longer have an entry in the fs, but
> > are still open?
>
> lsof can do th
ing the entry available.
>
> Em Sáb, 2005-12-03 às 09:50 +1100, Arafangion escreveu:
> > On Sat, 3 Dec 2005 10:42 am, René Seindal wrote:
> > > Roberto C. Sanchez wrote (03-12-2005 00:34):
> >
> >
> >
> > > > That is because, although auth.log is g
On Sat, Dec 03, 2005 at 09:50:28AM +1100, Arafangion wrote:
> This leads to an interesting question - are there any tools that can reveal
> "lost" files - those who no longer have an entry in the fs, but are still
> open?
lsof can do that
Frank
--
"Debugging is twice as hard as writing the c
Roberto C. Sanchez wrote (03-12-2005 00:34):
>
> > > That is because, although auth.log is gone, any file descriptors that
> > > were open to it are still available. Thus, until all the file
> > > descriptors have also been released, the file still "exi
Roberto C. Sanchez wrote (03-12-2005 00:34):
On Fri, Dec 02, 2005 at 06:30:46PM -0500, Amish Rughoonundon wrote:
Hi,
I deleted auth.log file by mistake and although I created it
again, programs don't write anything to it anymore. Any suggestions.
Thanks a bunch
Amish
That is be
On Sat, 3 Dec 2005 10:42 am, René Seindal wrote:
> Roberto C. Sanchez wrote (03-12-2005 00:34):
> > That is because, although auth.log is gone, any file descriptors that
> > were open to it are still available. Thus, until all the file
> > descriptors have also been rel
Roberto C. Sanchez wrote (03-12-2005 00:34):
On Fri, Dec 02, 2005 at 06:30:46PM -0500, Amish Rughoonundon wrote:
Hi,
I deleted auth.log file by mistake and although I created it again, programs
don't write anything to it anymore. Any suggestions. Thanks a bunch
Amish
That is be
On Fri, Dec 02, 2005 at 06:30:46PM -0500, Amish Rughoonundon wrote:
> Hi,
> I deleted auth.log file by mistake and although I created it again, programs
> don't write anything to it anymore. Any suggestions. Thanks a bunch
> Amish
>
That is because, although auth.l
Hi,
I deleted auth.log file by mistake and although I created it again, programs
don't write anything to it anymore. Any suggestions. Thanks a bunch
Amish
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
I've sshd running, with RSA authentication and I use
fail2ban. I don't think anyone can get in.
But very often I find in auth.log messages like these:
Oct 24 23:55:33 HS10 sshd[306]: reverse mapping
checking getaddrinfo for
-31-1.customhostingservers.com failed - POSSIBLE
BREAK
ot login, but I want to show
> > some stats to management to elevate the need to be security
> > conscious, are there any packages which will analyse these logs
> > and produce a nice report, a summary perhaps ?
> >
>
> I d
"Matthew Joyce" <[EMAIL PROTECTED]> writes:
> I have ssh configured so root cannot login, but I want to show some
> stats to management to elevate the need to be security conscious, are
> there any packages which will analyse these logs and produce a nice
> report, a summary perhaps ?
apt-cache s
On Fri, 5 Nov 2004 12:34:38 +1100, Matthew Joyce
<[EMAIL PROTECTED]> wrote:
>
>
> Hi,
>
> I was just checking some logs on a woody box and just want to clarify
> something.
>
> Stuff like this :
>
[...]
> Nov 3 00:06:25 donate sshd[3666]: Failed password for root from
> 61.218.125.178 port
Hi,
I was just checking some logs on a woody box and just want to clarify
something.
Stuff like this :
Nov 3 00:05:59 donate PAM_unix[3656]: authentication failure; (uid=0)
-> root for ssh service
Nov 3 00:06:00 donate sshd[3656]: Failed password for root from
61.218.125.178 port 39086 ssh2
On Fri, 24 Sep 2004, Robert S wrote:
> I've installed webmin 1.16 (from the webmin site) on woody. I have the
> webmin daemon running but haven't used webmin for several days, but I keep
> getting these messages in my /var/log/auth.log - which are reported to me by
> logche
I've installed webmin 1.16 (from the webmin site) on woody. I have the
webmin daemon running but haven't used webmin for several days, but I keep
getting these messages in my /var/log/auth.log - which are reported to me by
logcheck.
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 2
$LOG
> |fi
> | done
> |
> | # Restart syslogd
> | #
> | /etc/init.d/sysklogd reload-or-restart > /dev/null
> | $ /usr/sbin/syslogd-listfiles --auth
> | /var/log/auth.log
Thanks. I didn't that syslog had its own rotation scheme.
Hello Adam, hello list!
On Mon, Sep 13, 2004 at 08:43:18AM +, Adam Funk wrote:
> What causes /var/log/auth.log to be rotated?
>
> `grep -R auth.log /etc/` lists only the /etc/syslog.conf file entry to
> produce the auth.log file. It *is* being rotated weekly on my system,
>
On Monday 13 September 2004 10:40, Lukas Ruf wrote:
>> Adam Funk <[EMAIL PROTECTED]> [2004-09-13 11:06]:
>>
>> What causes /var/log/auth.log to be rotated?
>>
>> `grep -R auth.log /etc/` lists only the /etc/syslog.conf file entry
>> to produce the auth.
On Monday 13 September 2004 10:50, Andreas Janssen wrote:
> Hello
>
> Adam Funk (<[EMAIL PROTECTED]>) wrote:
>
>> What causes /var/log/auth.log to be rotated?
>>
>> `grep -R auth.log /etc/` lists only the /etc/syslog.conf file entry
>> to
>> p
Hello
Adam Funk (<[EMAIL PROTECTED]>) wrote:
> What causes /var/log/auth.log to be rotated?
>
> `grep -R auth.log /etc/` lists only the /etc/syslog.conf file entry to
> produce the auth.log file. It *is* being rotated weekly on my system,
> but I want to add to the rotati
> Adam Funk <[EMAIL PROTECTED]> [2004-09-13 11:06]:
>
> What causes /var/log/auth.log to be rotated?
>
> `grep -R auth.log /etc/` lists only the /etc/syslog.conf file entry
> to produce the auth.log file. It *is* being rotated weekly on my
> system, but I want to add
What causes /var/log/auth.log to be rotated?
`grep -R auth.log /etc/` lists only the /etc/syslog.conf file entry to
produce the auth.log file. It *is* being rotated weekly on my system,
but I want to add to the rotation procedure a script to mail me a log
analysis.
--
Thanks,
Adam
I am running sid, and have the .76-8 version of pam installed.
I have noticed that since the upgrade from .76-7, every time I ssh into
my box from another, a pam_limits message (such as below) is logged in
/var/log/auth.log
pam_limits[5134]: setrlimit limit #7 to soft=-1, hard=-1 failed
On Tue, 2002-09-10 at 11:37, Frederik Vanrenterghem wrote:
> Hi all,
>
> I'm rather lost with this problem, which has caused cron to stop
> functioning on my debian unstable system. No ideas really on what might
> be going on, but /var/log/auth.log is filled with messages lik
Hi all,
I'm rather lost with this problem, which has caused cron to stop
functioning on my debian unstable system. No ideas really on what might
be going on, but /var/log/auth.log is filled with messages like:
Sep 10 20:32:01 maui cron(pam_unix)[22140]: session opened for user root
by (
Hello,
I've just installed snort package,
and for some reason it sends alerts to me into
/var/log/auth.log . I don't really like alerts going there,
because when I look there I expect to see auth and login information,
not alerts about portscans, etc
How can I change this?
On Thu, Apr 26, 2001 at 11:26:41AM -0400, B.C.J.O wrote:
> Apr 26 06:25:03 cain su[2536]: + ??? root-nobody
>
> ... and I can't figure out what the heck caused it. I haven't seen a line
> like it before. Any ideas what kind of event would have caused this line
> to be logged? all clues welcome. =)
One of the machines that I'm involved with had the following line in its
authlog:
Apr 26 06:25:03 cain su[2536]: + ??? root-nobody
... and I can't figure out what the heck caused it. I haven't seen a line
like it before. Any ideas what kind of event would have caused this line
to be logged? all
Hello
What would cause this error to be put in my /var/log/auth.log file?
Mar 26 06:52:17 mrfan /sbin/getty[15828]: /dev/tty4: cannot open as standard
input: No such device
These are the facts:
ls -l /dev/tty5
crw-rw 1 root dialout4, 5 Mar 4 16:48 /dev/tty5
From my /
On Sat, 14 Jun 1997, joost witteveen wrote:
>
> From my /var/adm/log.auth:
> Jun 12 23:05:57 rulcmc su: FAILED SU (to root) joost on none
> Jun 12 23:06:28 rulcmc last message repeated 552 times
Looks like a program caught in an infinite loop. Check for processes
under your user name that are
From my /var/adm/log.auth:
Jun 12 20:53:57 rulcmc su: (to root) joost on /dev/ttyp6
Jun 12 21:00:20 rulcmc su: (to root) joost on /dev/ttyp6
Jun 12 23:05:57 rulcmc su: FAILED SU (to root) joost on none
Jun 12 23:06:28 rulcmc last message repeated 552 times
Jun 12 23:07:29 rulcmc last message rep
42 matches