Re: Messages in my log file.
From: Me Here (Me_at_here.com)
Date: 03/22/05
- Next message: Chuck: "restricting ssh access"
- Previous message: Pat: "Experience the effect of SSH"
- In reply to: karldavidson_at_gmail.com: "Messages in my log file."
Date: Tue, 22 Mar 2005 12:18:03 -0500
karldavidson@gmail.com wrote:
> Hello,
>
> I am pretty comfortable with UNIX but not by any means an expert. So I
> ask this of the experts:
>
> INFO: I am running a Fedora Core 3 machine. I keep my packages up to
> date using YUM. All my packages are currently up to date. My Fedora
> machine is running on a static IP behind a Linksys broadband router.
> The ports I have forwarded through are ssh, web, and ftp. My machine has
> only been up and running for about a week.
>
> Problem: I recently came across this in my log file.
>
> Mar 21 08:00:13 home unix_chkpwd[6867]: check pass; user unknown
> Mar 21 08:00:13 home sshd(pam_unix)[6865]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host83-149.pool82185.interbusiness.it
> Mar 21 08:01:01 home crond(pam_unix)[6868]: session opened for user
> root by (uid=0)
> Mar 21 08:01:01 home crond(pam_unix)[6868]: session closed for user
> root
> Mar 21 09:01:01 home crond(pam_unix)[6872]: session opened for user
> root by (uid=0)
> Mar 21 09:01:01 home crond(pam_unix)[6872]: session closed for user
> root
> Mar 21 10:00:21 home sshd(pam_unix)[6878]: session opened for user root
> by root(uid=0)
> Mar 21 10:01:01 home crond(pam_unix)[6913]: session opened for user
> root by (uid=0)
> Mar 21 10:01:01 home crond(pam_unix)[6913]: session closed for user
> root
> Mar 21 10:02:22 home sshd(pam_unix)[6916]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=205.144.73.254 user=root
> (session opened?)
>
> And more:
>
> Mar 21 08:00:13 home sshd(pam_unix)[6865]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=host83-149.pool82185.interbusiness.it
> (Many many many more of these from interbusiness.it)
>
> What is going on? It appears from the log that someone is accessing my
> server as root. I have a complex non-dictionary word as my root
> password. I have my ports blocked, my packages are up to date. *sigh*
> What did I do wrong to allow this?
>
> Help would be appreciated.
>
You can ignore the cron messages. The SSHD messages however are from a
very common ssh scanner used by kiddies. If you have a good password
and read your logs you're most likely fine.
Try installing tripwire or another filesystem auditing system for your
peace of mind.
Me.
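
Added example (not part of the original thread): a small Python summarizer for the pam_unix entries quoted above. It drops the cron noise, counts sshd authentication failures per remote host, and lists every sshd "session opened" entry so each one can be matched against a login you made yourself. The sample lines are taken from the quoted log and re-joined where the e-mail wrapped them; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Lines from the log quoted in the thread, re-joined onto single lines.
SAMPLE = """\
Mar 21 08:00:13 home unix_chkpwd[6867]: check pass; user unknown
Mar 21 08:00:13 home sshd(pam_unix)[6865]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host83-149.pool82185.interbusiness.it
Mar 21 08:01:01 home crond(pam_unix)[6868]: session opened for user root by (uid=0)
Mar 21 08:01:01 home crond(pam_unix)[6868]: session closed for user root
Mar 21 10:00:21 home sshd(pam_unix)[6878]: session opened for user root by root(uid=0)
Mar 21 10:02:22 home sshd(pam_unix)[6916]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=205.144.73.254 user=root
"""

# "<timestamp> <host> <service>(pam_unix)[<pid>]: <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ (?P<svc>\w+)\(pam_unix\)\[\d+\]: (?P<msg>.*)$"
)
# The user= field is optional: the first failure line in the thread has none.
FAIL = re.compile(
    r"authentication failure;.*\brhost=(?P<rhost>\S+)(?: +user=(?P<user>\S+))?"
)
OPEN = re.compile(r"session opened for user (?P<user>\S+)")


def summarize(text):
    """Return (failures, logins) for sshd entries only.

    failures: Counter keyed by (rhost, user), counting failed attempts.
    logins:   list of (timestamp, user) for sshd sessions that were opened.
    """
    failures = Counter()
    logins = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["svc"] != "sshd":
            continue  # cron sessions and non-pam_unix lines are not ssh activity
        fail = FAIL.search(m["msg"])
        if fail:
            failures[(fail["rhost"], fail["user"] or "<no user= field>")] += 1
        elif OPEN.search(m["msg"]):
            logins.append((m["ts"], OPEN.search(m["msg"])["user"]))
    return failures, logins


if __name__ == "__main__":
    failures, logins = summarize(SAMPLE)
    for (rhost, user), count in failures.most_common():
        print(f"{count:4d} failed  {rhost}  user={user}")
    for ts, user in logins:
        print(f"sshd session opened  {ts}  user={user}")
```

Run against the real log file, the failure counts show how much of the noise comes from a single scanning host, while the session list stays short enough to review by hand.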