LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-26-2006, 06:39 AM   #1
tony1139
LQ Newbie
 
Registered: May 2006
Posts: 2

Rep: Reputation: 0
Question unknown user on f5 log


I would like to know why I have a user on my activity log
called "nfsnobody" should I be worried I am using o/s fedora 5 and have recently used rpm to download some packages thanking you for any help
yours
Tony1139
 
Old 05-26-2006, 06:59 AM   #2
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Rep: Reputation: 48
nfs=network file system
nfsnobody = anonymous user of nfs (if allowed ie ,if configured)
try searching a bit before coming here.
 
Old 05-26-2006, 08:32 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530Reputation: 3530
While it is easy to just provide info on the generic name I think it would be "better" to provide info on how to check it yourself. I mean, what if you don't have NFS installed? Is the info still valid then? (Not) What if it is a name that cannot be traced to a package easily?.. Also because this is about the single most important part of Linux user authentication I think a more detailed response would be beneficial to those who need it.

1. Login as root and read the password entry: "getent passwd nfsnobody". This (and "man 5 passwd") gives you info about the account. Note that if the second field reads "x" you're using shadowed passwords (good). Note the third entry which is the UID. User "root" has "0", on regular boxes lesser-privileged users have an UID between 1 and 500 (see UID_MIN in /etc/login.defs) and unprivileged users have one over 500. Note the last entry wich should read "/sbin/nologin" which means it's login is disabled (if so, for this account: good).
2. Move on and read the shadow entry: "getent shadow nfsnobody". Note the second entry starts with an exclamation mark which means the account is locked (for more see "man 5 shadow").
3. Even if impossible given the account can't be used, you could still check if anyone tried to login using this account, a sign of someone trying to break in using "lastlog -u nfsnobody" (should read "Never logged in") and the commands "last" and "lastb". Finally "w" and "who" give info on who is logged in.

Finally there are some packages that can audit your auth data and more, the best choice would be "Tiger". Running it periodically from cron and mailing reports to whoever reads root account email helps you keep tabs on what happens on your system.
 
Old 05-26-2006, 10:42 AM   #4
tony1139
LQ Newbie
 
Registered: May 2006
Posts: 2

Original Poster
Rep: Reputation: 0
to unSpawn
Thank you for your explanation
Tony1139
 
Old 05-28-2006, 01:47 AM   #5
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Rep: Reputation: 48
just to add here
the passwd file is /etc/passwd( check if there is a nfsnobody field) and what shell they have (is it /sbin/nologin)
The shadow password file is /etc/shadow(only readable by root)
if your password is not shadowed you can convert to shadow through pwconv
man 8 pwconv
(by the way I did not mean to be offensive,just thought that if you really had searched you could have figured that nfsnobody is a anonymous nfs account, which is
already present in most distributions)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
User Unknown Gnux *BSD 4 04-19-2006 02:04 PM
C program to see user log on in system and print user with real user name also naveen245 Programming 2 12-21-2005 01:53 AM
unknown user twallstr Linux - General 4 05-17-2005 01:20 PM
SuSE Firewall - unknown log message ithawtewrong Linux - Security 1 10-14-2004 04:47 PM
Unknown sendmail log entry error robeb Linux - General 5 06-26-2003 06:23 PM


All times are GMT -5. The time now is 06:54 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration