LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 10-03-2008, 12:25 AM   #1
Shwick
Member
 
Registered: Jun 2008
Posts: 111

Rep: Reputation: 15
pam_unix filling up auth.log


Running ubuntu 8.04 desktop.

I have sshd server running and there's a cron job that seems to be running every 10 seconds. It keeps opening and closing a session and it logs this every time to /var/log/auth.log.

Oct 2 14:45:01 desktop CRON[7760]: pam_unix(cron:session): session closed for user root
Oct 2 14:55:01 desktop CRON[7762]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 2 14:55:01 desktop CRON[7762]: pam_unix(cron:session): session closed for user root
Oct 2 15:05:01 desktop CRON[7764]: pam_unix(cron:session): session opened for user root by (uid=0)

Is there an elegant way to stop this, I don't think this is supposed to happen.
 
Old 10-03-2008, 12:35 AM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
Looks more like every 10 mins to me. Check your crontabs. 1 Minute is the smallest time you can specify in cron.
In addition, there should be a cron job that rotates your logs regularly, so disc space shouldn't be an issue.
 
Old 10-04-2008, 12:44 PM   #3
Shwick
Member
 
Registered: Jun 2008
Posts: 111

Original Poster
Rep: Reputation: 15
I've read how pam can block brute force ssh attacks but I already have an iptables configuration doing that.

I don't really know what it's doing logging into ssh as root every 10 minutes, and I don't think I need it doing that either.

I tried Try sudo crontab -l and it comes up blank.
 
Old 10-07-2008, 10:37 PM   #4
Shwick
Member
 
Registered: Jun 2008
Posts: 111

Original Poster
Rep: Reputation: 15
Anyone encounter this problem before?
 
Old 10-07-2008, 10:48 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
login as root, cd /etc and do

ls -l |grep cron

you'll get something like
Code:
-rw-r--r--  1 root root     321 2007-12-11 18:41 anacrontab
drwxr-xr-x  2 root root    4096 2008-02-13 17:24 cron.d
drwxr-xr-x  2 root root    4096 2008-09-03 18:53 cron.daily
-rw-r--r--  1 root root       0 2008-02-13 17:24 cron.deny
drwxr-xr-x  2 root root    4096 2007-09-25 18:38 cron.hourly
drwxr-xr-x  2 root root    4096 2008-07-23 21:25 cron.monthly
drwxr-xr-x  2 root root    4096 2008-07-23 21:25 cron.weekly
-rw-r--r--  1 root root     255 2007-09-25 18:38 crontab
you need to check all those files/dirs. Something is running and you need to know what.
Also, you can predict from that log you've shown when its going to run, so run

top

in an xterm and keep an eye out when you expect it.
 
Old 10-08-2008, 09:38 PM   #6
Shwick
Member
 
Registered: Jun 2008
Posts: 111

Original Poster
Rep: Reputation: 15
Finally. Stupid sysstat, some package that supplies mpstat, iostat and sar commands.

It had a script in /etc/cron.d/sysstat which sent machine statistics every 10 minutes to an ubuntu central server where they analyzed the information to gear the next release to the most common machine hardware against your will!!!!

No wait... just the first part about it logging stats to a file every 10 minutes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
kern.log filling up fast subigo Linux - Newbie 1 05-14-2007 05:22 PM
suspicious entry in /var/log/auth.log buehler Linux - Security 5 04-27-2005 06:11 PM
weird stuff in /var/log/auth.log bschiett Linux - Security 3 03-12-2005 09:29 AM
Cron Log filling up barnzenen AIX 3 10-09-2004 07:04 PM
Samba Errors Are Filling My Log Files Help :( Carlm81 Linux - Networking 6 06-04-2004 07:47 AM


All times are GMT -5. The time now is 01:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration