LinuxQuestions.org


zepplin611 03-12-2005 12:54 AM

odd login error in /var/log/secure in FC3
 
Greetings LQ'ers,

A question on FC3. Whenever a user logs into the machine via ssh, the following kicks up in
/var/log/secure:

Mar 12 00:59:26 machine sshd[23654]: pam_succeed_if: requirement "uid < 100" not met by user "user-name"


So it looks like a pluggable authentication module is checking for user ids to be < 100. All of my
user ids begin at 500 and go up from there (normal for Linux, Fedora)...any way to stop these
errors in the /var/log/secure file from creeping up???

Thanks

zepplin

Technoslave 03-14-2005 09:25 AM

These aren't errors. This is PAM letting you know if someone under UID 100 tried logging in. This is informational, and will eventually show you some nifty things like ssh sweeps that push about 250 attempts in a 10 second time frame of about 40 different users...fun stuff like that.

So you can get fun and exciting messages like this:

Failed logins from these:
adine/password from 209.126.173.249: 1 Time(s)
admin/password from 209.126.173.249: 1 Time(s)
administrator/password from 209.126.173.249: 1 Time(s)
ahmed/password from 209.126.173.249: 1 Time(s)
alan/password from 209.126.173.249: 1 Time(s)
albert/password from 209.126.173.249: 1 Time(s)
alberto/password from 209.126.173.249: 1 Time(s)
andres/password from 209.126.173.249: 1 Time(s)
barbara/password from 209.126.173.249: 1 Time(s)
db/password from 209.126.173.249: 1 Time(s)
guest/password from 209.126.173.249: 1 Time(s)
jack/password from 209.126.173.249: 1 Time(s)
marvin/password from 209.126.173.249: 1 Time(s)
root/password from 209.126.173.249: 16 Time(s)
test/password from 209.126.173.249: 1 Time(s)

Illegal users from these:
adine/none from 209.126.173.249: 1 Time(s)
adine/password from 209.126.173.249: 1 Time(s)
admin/none from 209.126.173.249: 1 Time(s)
admin/password from 209.126.173.249: 1 Time(s)
administrator/none from 209.126.173.249: 1 Time(s)
administrator/password from 209.126.173.249: 1 Time(s)
ahmed/none from 209.126.173.249: 1 Time(s)
ahmed/password from 209.126.173.249: 1 Time(s)
alan/none from 209.126.173.249: 1 Time(s)
alan/password from 209.126.173.249: 1 Time(s)
albert/none from 209.126.173.249: 1 Time(s)
albert/password from 209.126.173.249: 1 Time(s)
alberto/none from 209.126.173.249: 1 Time(s)
alberto/password from 209.126.173.249: 1 Time(s)
andres/none from 209.126.173.249: 1 Time(s)
andres/password from 209.126.173.249: 1 Time(s)
barbara/none from 209.126.173.249: 1 Time(s)
barbara/password from 209.126.173.249: 1 Time(s)
db/none from 209.126.173.249: 1 Time(s)
db/password from 209.126.173.249: 1 Time(s)
guest/none from 209.126.173.249: 1 Time(s)


etc ...

To the point where you just create rules in your firewall to only allow a few IPs access to your box via SSH.
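
An added example, not part of either post: a small parser that separates the informational pam_succeed_if line from real sshd failures in /var/log/secure and flags a source address that tries many users in a short window, the kind of sweep described above. The "Failed password for illegal user ..." line format, the thresholds, and the sample log (documentation addresses, constructed) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in /var/log/secure format (documentation addresses, not from the thread).
SAMPLE = """\
Mar 12 00:59:26 machine sshd[23654]: pam_succeed_if: requirement "uid < 100" not met by user "alice"
Mar 12 00:59:27 machine sshd[23654]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Mar 14 03:10:01 machine sshd[24001]: Failed password for illegal user adine from 203.0.113.7 port 51000 ssh2
Mar 14 03:10:02 machine sshd[24003]: Failed password for illegal user admin from 203.0.113.7 port 51002 ssh2
Mar 14 03:10:03 machine sshd[24005]: Failed password for illegal user guest from 203.0.113.7 port 51004 ssh2
Mar 14 03:10:04 machine sshd[24007]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 14 03:10:05 machine sshd[24009]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 14 09:00:00 machine sshd[25000]: Failed password for alice from 198.51.100.20 port 40100 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+")
PAM_INFO = re.compile(r'pam_succeed_if: requirement "[^"]+" not met by user')

def find_sweeps(text, year=2005, window=10, min_attempts=5, min_users=3):
    """Return (sweeps, pam_info). sweeps maps ip -> (attempts, distinct_users) for
    sources over both thresholds in a `window`-second span; syslog lacks a year."""
    recent = defaultdict(deque)          # ip -> (time, user) entries still in window
    sweeps, pam_info = {}, 0
    for line in text.splitlines():
        if PAM_INFO.search(line):
            pam_info += 1                # informational notice, not a login failure
            continue
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(3)]
        q.append((when, m.group(2)))
        while when - q[0][0] > timedelta(seconds=window):
            q.popleft()                  # drop attempts that fell out of the window
        users = {u for _, u in q}
        if len(q) >= min_attempts and len(users) >= min_users:
            best = sweeps.get(m.group(3), (0, 0))
            sweeps[m.group(3)] = max(best, (len(q), len(users)))
    return sweeps, pam_info

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
```
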

