LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-25-2005, 07:27 PM   #1
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 272

Rep: Reputation: 30
/var/log/messages weird entries


Hey all,
Got 2 questions both deal with /var/log/messages

A) I have entries every hour from root, saying a crond is openeing a sessions for root by root, and then at the exact same time, crond is closing the session

Code:
Oct 23 17:01:01 localhost crond(pam_unix)[5913]: session opened for user root by
(uid=0)
Oct 23 17:01:01 localhost crond(pam_unix)[5913]: session closed for user root
Why is this happening?? There are no crontab jobs for root.

B) I also have entries from annonymous users, obviously trying to hack any machine they can. Is there a way to sto this from happening (Aside from blocking all IPs)??

Thanks so much!!!

Josh
 
Old 10-25-2005, 08:07 PM   #2
solveit
Member
 
Registered: Jan 2005
Posts: 83

Rep: Reputation: 15
How do the entries from anonymous users look ?
 
Old 11-01-2005, 11:47 AM   #3
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 272

Original Poster
Rep: Reputation: 30
Sorry for the long wait, had other server issues:
Annonymouns user entried look like this:
Code:
Oct 30 21:20:15 localhost sshd(pam_unix)[3697]: authentication failure; logname= uid=0 euid
=0 tty=ssh ruser= rhost=211.61.138.34  user=root

and then there are some that look like this, almost the same:
Code:
Oct 30 21:23:12 localhost sshd(pam_unix)[3795]: check pass; user unknown
Oct 30 21:23:12 localhost sshd(pam_unix)[3795]: authentication failure; logname= uid=0 euid
=0 tty=ssh ruser= rhost=211.61.138.34

does anyone know how to prevent this from happening, without simply blocking this specific IP?

THanks
 
Old 11-01-2005, 02:46 PM   #4
solveit
Member
 
Registered: Jan 2005
Posts: 83

Rep: Reputation: 15
Add a line like this in /etc/ssh/sshd_config :

AllowUsers user1 user2


Try "man sshd_config" for details.
 
Old 11-01-2005, 05:50 PM   #5
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 272

Original Poster
Rep: Reputation: 30
Yes thats great.
I have already implemented this security measure.

THanks
 
Old 11-01-2005, 05:56 PM   #6
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 272

Original Poster
Rep: Reputation: 30
Yes thats great.
I have already implemented this security measure.

THanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Redirecting the kernel messages to file other than /var/log/messages jyotika_b83 Linux - General 3 04-28-2005 06:39 PM
/var/log/auth.log entries buehler Linux - Security 1 04-23-2005 04:45 PM
weird network jibberish in /var/log/messages - how to remove? chibi Linux - Networking 3 09-22-2004 10:17 AM
entries in /var/log/secure zepplin611 Linux - Newbie 1 07-20-2004 05:57 PM
/var/log/messages full of these messages. Should I be concerned? mdavis Linux - Security 5 04-16-2004 10:08 AM


All times are GMT -5. The time now is 07:00 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration