LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-02-2008, 11:25 PM   #1
Shwick
Member
 
Registered: Jun 2008
Posts: 114

Rep: Reputation: 15
pam_unix filling up auth.log


Running ubuntu 8.04 desktop.

I have sshd server running and there's a cron job that seems to be running every 10 seconds. It keeps opening and closing a session and it logs this every time to /var/log/auth.log.

Oct 2 14:45:01 desktop CRON[7760]: pam_unix(cron:session): session closed for user root
Oct 2 14:55:01 desktop CRON[7762]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 2 14:55:01 desktop CRON[7762]: pam_unix(cron:session): session closed for user root
Oct 2 15:05:01 desktop CRON[7764]: pam_unix(cron:session): session opened for user root by (uid=0)

Is there an elegant way to stop this, I don't think this is supposed to happen.
 
Old 10-02-2008, 11:35 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.x
Posts: 18,443

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Looks more like every 10 mins to me. Check your crontabs. 1 Minute is the smallest time you can specify in cron.
In addition, there should be a cron job that rotates your logs regularly, so disc space shouldn't be an issue.
 
Old 10-04-2008, 11:44 AM   #3
Shwick
Member
 
Registered: Jun 2008
Posts: 114

Original Poster
Rep: Reputation: 15
I've read how pam can block brute force ssh attacks but I already have an iptables configuration doing that.

I don't really know what it's doing logging into ssh as root every 10 minutes, and I don't think I need it doing that either.

I tried Try sudo crontab -l and it comes up blank.
 
Old 10-07-2008, 09:37 PM   #4
Shwick
Member
 
Registered: Jun 2008
Posts: 114

Original Poster
Rep: Reputation: 15
Anyone encounter this problem before?
 
Old 10-07-2008, 09:48 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.x
Posts: 18,443

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
login as root, cd /etc and do

ls -l |grep cron

you'll get something like
Code:
-rw-r--r--  1 root root     321 2007-12-11 18:41 anacrontab
drwxr-xr-x  2 root root    4096 2008-02-13 17:24 cron.d
drwxr-xr-x  2 root root    4096 2008-09-03 18:53 cron.daily
-rw-r--r--  1 root root       0 2008-02-13 17:24 cron.deny
drwxr-xr-x  2 root root    4096 2007-09-25 18:38 cron.hourly
drwxr-xr-x  2 root root    4096 2008-07-23 21:25 cron.monthly
drwxr-xr-x  2 root root    4096 2008-07-23 21:25 cron.weekly
-rw-r--r--  1 root root     255 2007-09-25 18:38 crontab
you need to check all those files/dirs. Something is running and you need to know what.
Also, you can predict from that log you've shown when its going to run, so run

top

in an xterm and keep an eye out when you expect it.
 
Old 10-08-2008, 08:38 PM   #6
Shwick
Member
 
Registered: Jun 2008
Posts: 114

Original Poster
Rep: Reputation: 15
Finally. Stupid sysstat, some package that supplies mpstat, iostat and sar commands.

It had a script in /etc/cron.d/sysstat which sent machine statistics every 10 minutes to an ubuntu central server where they analyzed the information to gear the next release to the most common machine hardware against your will!!!!

No wait... just the first part about it logging stats to a file every 10 minutes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
kern.log filling up fast subigo Linux - Newbie 1 05-14-2007 04:22 PM
suspicious entry in /var/log/auth.log buehler Linux - Security 5 04-27-2005 05:11 PM
weird stuff in /var/log/auth.log bschiett Linux - Security 3 03-12-2005 08:29 AM
Cron Log filling up barnzenen AIX 3 10-09-2004 06:04 PM
Samba Errors Are Filling My Log Files Help :( Carlm81 Linux - Networking 6 06-04-2004 06:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 09:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration