LinuxQuestions.org
Old 09-11-2010, 11:58 PM   #1
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Rep: Reputation: 0
Baffled installing logwatch


I was advised by a fellow forum owner to install logwatch as a security precaution. Our forum runs on a dedicated server. CentOS 5.5.

I ran "yum install logwatch" and got the following:
Code:
Examining logwatch-7.3.6-1.noarch.rpm: logwatch-7.3.6-1.noarch
Marking logwatch-7.3.6-1.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package logwatch.noarch 0:7.3.6-1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================
Package                   Arch                    Version                     Repository                                 Size
===============================================================================================================================
Installing:
logwatch                  noarch                  7.3.6-1                     /logwatch-7.3.6-1.noarch                  1.2 M

Transaction Summary
===============================================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID ab75cc45

Public key for logwatch-7.3.6-1.noarch.rpm is not installed
Help! I have public keys for various PuTTY ssh logins but no clue how to make one for logwatch.

As yet there are no files other than the rpm:
Code:
[root@www ~]# find / -name "logwatch*"
/root/logwatch-7.3.6-1.noarch.rpm
[root@www ~]#
Maybe I should put in a support ticket and ask our host to install it? (I think I'm allowed to install stuff, but maybe not. Can you tell from the yum output above?)
 
Old 09-12-2010, 06:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by cnmoore View Post
I have public keys for various PuTTY ssh logins but no clue how to make one for logwatch.
Completely different thing.


Quote:
Originally Posted by cnmoore View Post
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID ab75cc45
Either install the GnuPG key for this package or repo or run 'yum --nogpgcheck install logwatch'. If you're looking for the key either see the repo for info or the site you downloaded this package from. (But since this is Kirk Bauer running 'gpg --search-keys kirk@kaybee.org' and selecting the first key would get it too.)


Quote:
Originally Posted by cnmoore View Post
I think I'm allowed to install stuff
If you're root then you are.


Quote:
Originally Posted by cnmoore View Post
I was advised by a fellow forum owner to install logwatch as a security precaution. Our forum runs on a dedicated server. CentOS 5.5.
Logwatch can serve you well as a kind of early warning system, but since it is an auditing tool (post-incident, passive) it is by no means a precaution. If you are interested in assessing your server's security, you're invited to create a thread in the Linux Security forum.

Last edited by unSpawn; 09-12-2010 at 06:42 PM. Reason: //More *is* more
 
Old 09-12-2010, 07:49 PM   #3
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Thanks - I tried 'gpg --search-keys kirk@kaybee.org' but got gpg not found.

But to my astonishment! I find that logwatch is installed. So I had a go at putting my email address in /etc/logwatch/conf/logwatch.conf, and ran logwatch.

More astonishment! It worked.

Now, how to make it not send me a million lines.
Under Named Begin there are lots of lines like this
Code:
connection refused resolving 'ns.km33231-04.keymachine.de/A/IN ': 87.118.94.85#53: 14 Time(s)
I think those are the ones I see with lastb. Can I suppress them?

and lots of these, which I don't understand? But don't think I need to see.
Code:
network unreachable resolving '117.24.204.71.in-addr.arpa/PTR/IN': 2001:470:1a::2#53: 1 Time(s)
Interesting stuff under Users logging in through sshd:
**Unmatched Entries**
Code:
User news from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 syslogin_perform_logout: logout() returned an error : 2 time(s)
 User bin from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 Address 121.14.195.176 maps to www.onyx-international.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
 User games from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 Address 184.154.37.12 maps to 184-154-37-12.huge-dns.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 28 time(s)
Do I need to worry about those POSSIBLE BREAK-IN ATTEMPTs, or just be happy they didn't make it?

Edit: And one last question - in the default /usr/share/logwatch/default.conf/logwatch.conf it says "# Maybe you only wanted reports on PAM messages..". What are PAM messages?

Last edited by cnmoore; 09-12-2010 at 07:53 PM. Reason: Added afterthought question
 
Old 09-13-2010, 12:24 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by cnmoore View Post
Thanks - I tried 'gpg --search-keys kirk@kaybee.org' but got gpg not found.
Odd. I got it OK. BTW Centos has logwatch version 7.3-8.el5.noarch.


Quote:
Originally Posted by cnmoore View Post
Under Named Begin there are lots of lines like this
Code:
connection refused resolving 'ns.km33231-04.keymachine.de/A/IN ': 87.118.94.85#53: 14 Time(s)
I think those are the ones I see with lastb. Can I suppress them?
'lastb' is a system utility that displays bad logins. You're looking at entries made by the ISC BIND DNS application. Add this to your BIND configuration instead of suppressing them in Logwatch:
Code:
logging {
    category lame-servers { null; };
};

Quote:
Originally Posted by cnmoore View Post
and lots of these, which I don't understand? But don't think I need to see.
Code:
network unreachable resolving '117.24.204.71.in-addr.arpa/PTR/IN': 2001:470:1a::2#53: 1 Time(s)
Re-configuring BIND adding the "-4" switch to block IPv6 usage should cut down the amount of these.


Quote:
Originally Posted by cnmoore View Post
Interesting stuff under Users logging in through sshd:
**Unmatched Entries**
Code:
User news from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 User bin from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 Address 121.14.195.176 maps to www.onyx-international.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
 User games from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 Address 184.154.37.12 maps to 184-154-37-12.huge-dns.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 28 time(s)
Do I need to worry about those POSSIBLE BREAK-IN ATTEMPTs, or just be happy they didn't make it?
If you have 0) restricted access in /etc/ssh/sshd_config using PermitRoot=No, AllowUsers and AllowGroups 1), possibly restricted access to the SSH port in the firewall and 2) have additionally installed fail2ban (or an equivalent) then you need not rely on fuzzy human "worrying" as you can determine who can and can not access SSH.


Quote:
Originally Posted by cnmoore View Post
Interesting stuff under Users logging in through sshd:
**Unmatched Entries**
Code:
syslogin_perform_logout: logout() returned an error : 2 time(s)
If you use a custom compiled kernel has it got the Audit subsystem enabled?
Elif do you run Centos inside a VPS?
Else are you using a jail?
If so, does it have /var/log/wtmp and /var/run/utmp files?


Quote:
Originally Posted by cnmoore View Post
What are PAM messages?
See 'whatis pam' -> 'whereis pam' -> 'man pam'?
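As an added example (not code from this thread, logwatch or OpenSSH), here is a small Python check for the sshd_config restrictions listed in the reply above. It assumes the standard directive names PermitRootLogin, AllowUsers and AllowGroups; both sample files are constructed, and the weak one deliberately repeats PermitRootLogin because sshd keeps only the first value it reads.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not from the thread.  PermitRootLogin appears twice on
# purpose: sshd keeps the FIRST value it reads, so the later "no" is dead.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PermitRootLogin no
PermitRootLogin no
PasswordAuthentication yes
"""

# The same file with the restrictions from the thread applied (constructed).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers cnmoore
AllowGroups sshusers
Match User cnmoore
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value per keyword (keys lower-cased).

    Rules mirrored from sshd_config(5): lines starting with '#' are comments,
    keyword and value are separated by whitespace or '=', the first value
    seen for a keyword wins, and a 'Match' line ends the global section.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional, not global
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit_sshd(effective: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """The restrictions recommended in the thread, as (check, ok, note)."""
    # OpenSSH of the CentOS 5 era defaults PermitRootLogin to "yes".
    prl = effective.get("permitrootlogin", "yes")
    allow = [k for k in ("allowusers", "allowgroups") if k in effective]
    return [
        ("PermitRootLogin", prl.lower() == "no",
         f"effective value '{prl}' (first occurrence in the file wins)"),
        ("AllowUsers/AllowGroups", bool(allow),
         "restricted via " + ", ".join(allow) if allow
         else "absent: every local account may attempt an SSH login"),
    ]


def is_hardened(text: str) -> bool:
    """True only when every check in audit_sshd passes."""
    return all(ok for _, ok, _ in audit_sshd(parse_sshd_config(text)))
```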
 
Old 09-13-2010, 12:41 PM   #5
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
unSpawn, Thank you very much - but - you are way over my newbie head.

Where is the BIND you speak of? This info http://www.howtoforge.com/bind-installation-on-centos tells me it has to do with DNS. Do I really want to mess with that? But 'Re-configuring BIND adding the "-4" switch' - would you please give me the exact command line to do that? In case I get brave.

Quote:
If you use a custom compiled kernel has it got the Audit subsystem enabled?
Elif do you run Centos inside a VPS?
Else are you using a jail?
If so, does it have /var/log/wtmp and /var/run/utmp files?
Gee, I don't know.
I have set up an additional domain and 2 subdomains on my dedicated server via DirectAdmin, so I guess maybe VPS is used?
"locate jail" doesn't find anything.

And - before making changes I wish I could back up what's there but I don't know how to back up anything except users. Other than making .bak files.

Last edited by cnmoore; 09-13-2010 at 01:10 PM. Reason: some corrections
 
Old 09-13-2010, 01:13 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by cnmoore View Post
unSpawn, Thank you very much - but - you are way over my newbie head.
Plan, read, ask.
Plan, read, ask some more.
You'll get there.


Quote:
Originally Posted by cnmoore View Post
Where is the BIND you speak of? This info http://www.howtoforge.com/bind-installation-on-centos tells me it has to do with DNS. Do I really want to mess with that?
If you are required to be the authoritative name server for domains then you need to "mess" with DNS. Else you might only be running the caching nameserver part for resolving domain names.


Quote:
Originally Posted by cnmoore View Post
But 'Re-configuring BIND adding the "-4" switch' - would you please give me the exact command line to do that? In case I get brave.
Open /etc/sysconfig/named in your editor. Note the "# OPTIONS=" tag. Remove the comment mark and make it look like "OPTIONS=-4", save, restart named.


Quote:
Originally Posted by cnmoore View Post
I have set up 4 subdomains on my dedicated server, so I guess maybe VPS is used?
"locate jail" doesn't find anything.
If you mean sub-domains as in Apache Virtual Hosts or sub-domains as in fully qualified hostnames (mail., www., etc, etc) then no.


Quote:
Originally Posted by cnmoore View Post
And - before making changes I wish I could back up what's there but I don't know how to back up anything except users. Other than making .bak files.
Linuxquestions.org (LQ) right now exists for over ten years. That means over ten years of experience, questions and answers all at the touch of the (search!) button. Search for threads on LQ. Try other sources of information like 'yum search backup' (have at least the RPMForge and EPEL repos enabled). And search Freshmeat.net and Sourceforge.net. You'll come across product names, terms like incremental backups and "bare metal" restoring. Then look at what your server provides in terms of services and how b0rkage or outage would affect your "business" and how re-configuration could help overcome certain problems (database logs for instance). Sure this takes more time but doing it that way you get acquainted with what's what and you can ask more detailed questions whose answers (hopefully) will be better suited to your situation than doing 'tar -cjf /backup/everything.tar.bz2 / --exclude /backup --exclude /proc --exclude /sys --exclude /selinux' or 'rsync -arvSW / rsync://user@remotehost/backupdir/' or "look at Amanda, Bacula, Clonezilla, Mondo, etc."...


...and since you've just got your dedicated server, do you have a plan to configure and harden everything well? If not then I'd suggest you take a step back and see where you're heading (swamped in details) actually is where you want to be heading. Note I'm not trying to slow you down, just trying to make you see a structured, planned approach is better than jumping from topic to topic.
 
Old 09-13-2010, 01:30 PM   #7
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
We've had the dedicated server for a long time - the original owner disappeared in 2006 and I've been running the forum ever since. Gradually over the years I prevailed on host to give me root access; they also gave me login for remote hardware reboot.

Until recently I mostly relied on our host to do all maintenance and updates. However they had some system wide attacks recently, and I found out that they don't automatically do updates for a dedicated server.

They reformatted the server and installed 64-bit CentOS on August 24, and since then I have been learning my way around updates and general linux knowhow, especially security. Been reading EVERYTHING, especially here at linuxQuestions - was so happy to find your forum! But obviously I have a long way to go before I can trust myself.

Last edited by cnmoore; 09-13-2010 at 01:31 PM.
 
Old 09-13-2010, 09:46 PM   #8
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,191

Rep: Reputation: 105
Quote:
Originally Posted by cnmoore View Post
...before making changes I wish I could back up what's there but I don't know how to back up anything except users. Other than making .bak files.
There's a lot of territory in that topic, especially for someone new to administering systems. One of the best overviews is the O'Reilly book "Backup and Recovery" by W. Curtis Preston and the companion web site BackupCentral.

The book's focus is open source software. The earlier edition was "Unix Backup and Recovery," but the more recent edition is more cross platform.

The web site is aimed at keeping the information more up to date, because much of the open source software mentioned has seen very active development since the book was published. The web site also has lots of stuff on commercial software.

It's well worth having and reading the book to get you into the topic. After you know where you are going, it becomes easier to navigate the web in search of specific up to date information and examples without getting lost or overwhelmed by all the crud that also lives on the web.
 
Old 09-14-2010, 05:32 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by cnmoore View Post
We've had the dedicated server for a long time - the original owner disappeared in 2006 and I've been running the forum ever since.
Yes, I've read that in the forum. Must be hard to be suddenly made responsible and for that long.


Quote:
Originally Posted by cnmoore View Post
Gradually over the years I prevailed on host to give me root access; they also gave me login for remote hardware reboot. Until recently I mostly relied on our host to do all maintenance and updates. However they had some system wide attacks recently, and I found out that they don't automatically do updates for a dedicated server.
I see. So you're not *that* newbie anymore...


Quote:
Originally Posted by cnmoore View Post
They reformatted the server and installed 64-bit CentOS on August 24, and since then I have been learning my way around updates and general linux knowhow, especially security. Been reading EVERYTHING, especially here at linuxQuestions - was so happy to find your forum! But obviously I have a long way to go before I can trust myself.
The problem with reading lots and lots is that you may gradually be experiencing a loss of focus and start to hunt issue after issue. That's why I emphasized the planning part. If you like a tool to go with that then I'd recommend running GNU/Tiger. It's a good companion helping you take stock of and pinpoint issues to investigate and fix.
 
Old 09-14-2010, 10:35 PM   #10
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
New puzzle from logwatch. What are these? There are lots of them
Code:
--------------------- Named Begin ------------------------


 **Unmatched Entries**
   client 204.74.68.151 notify question section contains no SOA: 1 Time(s)
   client 204.74.68.151 query (cache) 'researchprobe1266642457-20100913203018.research.ultradns.net/A/IN' denied: 1 Time(s)
   client 204.74.68.154 query (cache) 'www.transparentuptime.com/A/IN' denied: 2 Time(s)
   connection refused resolving '109.77.230.125.in-addr.arpa/PTR/IN': 168.95.192.14#53: 1 Time(s)
   connection refused resolving '118-166-210-196.dynamic.hinet.net/A/IN': 168.95.192.14#53: 1 Time(s)
   connection refused resolving '118-166-210-196.dynamic.hinet.net/AAAA/IN': 168.95.192.14#53: 1 Time(s)
None of those IP addresses belong to the server.
 
Old 09-15-2010, 03:08 PM   #11
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
The problem with reading lots and lots is that you may gradually be experiencing a loss of focus and start to hunt issue after issue. That's why I emphasized the planning part. If you like a tool to go with that then I'd recommend running GNU/Tiger. It's a good companion helping you take stock of and pinpoint issues to investigate and fix.
Good point indeed. I'm going to concentrate on understanding iptables and PAM for the time being.

I don't know how to install Tiger - and I'm not sure about installing stuff, probably the right way to do it is ask host to install it.
 
Old 09-15-2010, 08:04 PM   #12
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Really curious what those 'named' entries are. Would that be people in our forum clicking links to other sites? In that case, of no interest.
 
Old 09-16-2010, 07:25 AM   #13
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,191

Rep: Reputation: 105Reputation: 105
People in your forum clicking links to other sites would be activity on their desktops, not activity on your server. It should have no effect on your server and your server would be unaware of it.

Looking at the specific links you quoted from logwatch, it seems your server settings might be what is called paranoid. That is, your server does a forward and reverse lookup of connecting IP addresses. If they don't match, the connection is refused. The assumption is that any legitimate connection will be coming from a properly managed ISP and that anything that mismatches represents an attempt to fake one's address. Unfortunately, some of the major ISPs really screw up their DNS configurations from time to time.

Anyway, if you play with nslookup a bit with those entries you quoted, some of them are really weird.
 
Old 09-16-2010, 12:05 PM   #14
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
So what I am trying to understand is where those entries come from. They aren't in the Apache error log.

Take a simple one like this:
client 204.74.68.154 query (cache) 'www.transparentuptime.com/A/IN' denied: 1 Time(s)

It appears to me that 204.74.68.154 was trying to run a query. So my question: is 204.74.68.154 someone's desktop?

I think these items might be accesses stopped by .htaccess? There are a great many .htaccess files in the Invision forum code.

Ones like this are even more mysterious to me:
Code:
network unreachable resolving 'vl-mo-dn011-fae1.mo.videotron.ca/AAAA/IN': 2001:500:83::1#53: 1 Time(s)
   network unreachable resolving 'web.hpage.co.uk/AAAA/IN': 2001:630:181:35::83#53: 1 Time(s)
   network unreachable resolving 'web104.boysgo.com/AAAA/IN': 2001:503:a83e::2:30#53: 1 Time(s)
   network unreachable resolving 'ws-fra1.win-ip.dfn.de/A/IN': 2001:608:6:6::10#53: 1 Time(s)
   network unreachable resolving 'ws-fra1.win-ip.dfn.de/A/IN': 2001:668:1f:11::105#53: 1 Time(s)
I just want to understand who is trying to do what to whom. Who originates those? I don't mean what writes the error, I mean who is trying to reach a network.

Last edited by cnmoore; 09-16-2010 at 04:13 PM.
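Added example, not part of any post in this thread: a Python classifier for the logwatch lines quoted above, separating sshd entries from named entries and inbound client activity from lookups that the server's own named initiated (the "who is trying to do what to whom" question), in line with the explanations in posts #4 and #13. The sample lines are copied from the thread; the category names and the Event structure are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines copied from the logwatch output quoted in this thread (the sshd and
# "Named Begin" sections), with the leading whitespace logwatch prints.
SAMPLE_REPORT = """\
 User news from fairy-valley.vn.ua not allowed because not listed in AllowUsers : 1 time(s)
 syslogin_perform_logout: logout() returned an error : 2 time(s)
 Address 121.14.195.176 maps to www.onyx-international.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
 Address 184.154.37.12 maps to 184-154-37-12.huge-dns.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 28 time(s)
   connection refused resolving 'ns.km33231-04.keymachine.de/A/IN ': 87.118.94.85#53: 14 Time(s)
   network unreachable resolving '117.24.204.71.in-addr.arpa/PTR/IN': 2001:470:1a::2#53: 1 Time(s)
   network unreachable resolving 'web.hpage.co.uk/AAAA/IN': 2001:630:181:35::83#53: 1 Time(s)
   client 204.74.68.154 query (cache) 'www.transparentuptime.com/A/IN' denied: 2 Time(s)
"""

@dataclass
class Event:
    source: str     # daemon that wrote the line: "sshd" or "named"
    kind: str       # category from PATTERNS below
    remote: str     # the other party: client address/host or upstream nameserver
    outbound: bool  # True when our own daemon initiated the contact
    count: int      # the "N Time(s)" figure logwatch appends

COUNT_RE = re.compile(r"\s*:\s*(\d+)\s+[Tt]ime\(s\)\s*$")

# (source, kind, outbound, regex); the 'remote' group captures the other party.
PATTERNS = [
    ("sshd", "allowusers-denied", False,
     re.compile(r"^User \S+ from (?P<remote>\S+) not allowed because not listed in AllowUsers")),
    ("sshd", "reverse-dns-mismatch", False,
     re.compile(r"^Address (?P<remote>\S+) maps to \S+, but this does not map back")),
    ("named", "client-query-denied", False,
     re.compile(r"^client (?P<remote>\S+) query \(cache\) '[^']*' denied")),
    ("named", "upstream-refused", True,
     re.compile(r"^connection refused resolving '[^']*': (?P<remote>\S+)#53")),
    ("named", "upstream-unreachable", True,
     re.compile(r"^network unreachable resolving '[^']*': (?P<remote>\S+)#53")),
]

def parse_line(line: str) -> Optional[Event]:
    """Classify one logwatch line; None for headers and other count-less lines."""
    text = line.strip()
    m = COUNT_RE.search(text)
    if not m:
        return None
    body, count = text[: m.start()], int(m.group(1))
    for source, kind, outbound, pat in PATTERNS:
        hit = pat.match(body)
        if hit:
            return Event(source, kind, hit.groupdict().get("remote", ""), outbound, count)
    return Event("?", "unclassified", "", False, count)  # e.g. the logout() error

def parse_report(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def summarize(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Total occurrences per (source, kind), weighted by logwatch's counts."""
    totals: Counter = Counter()
    for e in events:
        totals[(e.source, e.kind)] += e.count
    return dict(totals)

def ipv6_unreachable_upstreams(events: List[Event]) -> List[str]:
    """Upstream nameservers named could not route to; all-IPv6 (colon in the
    address) means the host has no IPv6 path, which OPTIONS=-4 silences."""
    return sorted({e.remote for e in events
                   if e.kind == "upstream-unreachable" and ":" in e.remote})
```

The outbound flag is the answer to who originates the "resolving" lines: they are the server's own named contacting a remote nameserver, not a remote party contacting the server.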
 
Old 09-17-2010, 01:17 PM   #15
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0

Today the whole 'named' section has disappeared from the logwatch report. I didn't change anything.

The iptables AUTOBAN has worked wonders! Lastb shows just three or four entries for the last few days, instead of the hundreds it used to show.
 
  

