LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-30-2016, 11:02 PM   #1
ameran
LQ Newbie
 
Registered: Jan 2016
Posts: 3

Logwatch question.


Hi guys,
I have a VPS and run a few websites on it. I always receive log information from my server, but mostly I don't understand it. This is one of them, and I would really appreciate it if you could let me know what this means, whether it is something serious, and what I should do. Thank you.

Code:
################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Sun Jan 31 03:31:06 2016
        Date Range Processed: yesterday
                              ( 2016-Jan-30 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: server.domain.com
  ##################################################################

 --------------------- Dovecot Begin ------------------------

 Dovecot disconnects:
    Inactivity: 5 Time(s)
    Logged out in=11, out=434,: 286 Time(s)
    Logged out in=1363, out=121959,: 1 Time(s)
    Logged out in=3429, out=1768,: 1 Time(s)
    Logged out in=36625, out=1735,: 1 Time(s)
    Logged out in=401, out=3457,: 1 Time(s)
    Logged out in=401, out=3490,: 4 Time(s)
    Logged out in=401, out=3507,: 1 Time(s)
    Logged out in=401, out=3556,: 2 Time(s)
    Logged out in=401, out=3573,: 1 Time(s)
    Logged out in=401, out=3616,: 9 Time(s)
    Logged out in=54488, out=1801,: 1 Time(s)
    Logged out in=71932, out=4301,: 1 Time(s)
    Logged out in=88680, out=9104,: 1 Time(s)
    auth failed, 1 attempts in 2 secs: 1 Time(s)
    no auth attempts in 0 secs: 5 Time(s)
    no auth attempts in 1 secs: 1 Time(s)

 **Unmatched Entries**
    dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process “info@domain.com” from “IP '216.23.8.2'” for the “pop3” service.: 1 Time(s)

 ---------------------- Dovecot End -------------------------


 --------------------- iptables firewall Begin ------------------------


  Listed by source hosts:
 Logged 729 packets on interface eth0
   From 1.55.16.250 - 3 packets to udp(53413)
   From 1.172.210.215 - 3 packets to udp(53413)
   From 5.39.222.253 - 1 packet to tcp(3306)
   From 5.79.69.72 - 2 packets to udp(5060)
   From 5.189.167.114 - 2 packets to udp(5060)
   From 14.34.243.156 - 3 packets to tcp(23)
   From 14.49.164.243 - 3 packets to tcp(23)
   From 14.50.114.109 - 3 packets to udp(53413)
   From 14.177.153.76 - 3 packets to udp(53413)
   From 14.198.114.249 - 3 packets to tcp(23)
   From 23.31.139.127 - 4 packets to tcp(23)
   From 23.239.64.15 - 1 packet to udp(19)
   From 23.239.65.210 - 2 packets to udp(5060)
   From 24.1.244.41 - 3 packets to tcp(23)
   From 27.34.84.42 - 3 packets to tcp(23)
   From 31.145.83.5 - 3 packets to udp(53413)
   From 37.34.82.6 - 2 packets to udp(53413)
   From 41.59.32.212 - 4 packets to tcp(23)
   From 41.214.166.194 - 3 packets to tcp(23)
   From 42.200.37.18 - 2 packets to tcp(1433)
   From 45.34.1.201 - 4 packets to tcp(3306)
   From 45.79.143.81 - 2 packets to tcp(5432,5985)
   From 45.121.210.90 - 2 packets to udp(123)
   From 46.37.72.102 - 2 packets to tcp(23)
   From 46.55.152.56 - 3 packets to udp(53413)
   From 46.62.245.178 - 3 packets to tcp(23)
   From 46.148.22.26 - 2 packets to tcp(22)
   From 46.228.207.18 - 2 packets to tcp(5900)
   From 47.21.4.134 - 2 packets to udp(53413)
   From 51.255.25.159 - 2 packets to udp(5060)
   From 58.140.208.17 - 3 packets to tcp(23)
   From 58.140.210.84 - 3 packets to tcp(23)
   From 58.140.210.254 - 3 packets to tcp(23)
   From 58.140.211.85 - 3 packets to tcp(23)
   From 58.140.211.193 - 3 packets to tcp(23)
   From 58.140.211.214 - 3 packets to tcp(23)
   From 58.176.97.205 - 3 packets to tcp(23)
   From 58.239.164.234 - 3 packets to udp(53413)
   From 59.22.81.128 - 3 packets to tcp(23)
   From 59.148.126.76 - 3 packets to udp(53413)
   From 60.249.197.221 - 3 packets to udp(53413)
   From 61.238.87.49 - 3 packets to tcp(23)
   From 61.244.86.56 - 2 packets to udp(53413)
   From 62.98.117.24 - 3 packets to tcp(23)
   From 63.141.238.58 - 6 packets to udp(5060)
   From 64.251.30.100 - 2 packets to tcp(7778)
   From 65.34.34.95 - 3 packets to tcp(23)
   From 66.240.192.138 - 5 packets to udp(2222,5353) tcp(3749,13579,21025)
   From 66.240.219.146 - 2 packets to tcp(7657,8060)
   From 66.240.236.119 - 4 packets to tcp(2181,8333,8443,9200)
   From 67.23.71.125 - 3 packets to tcp(23)
   From 69.90.140.226 - 2 packets to tcp(7778)
   From 71.6.135.131 - 2 packets to udp(2123) tcp(27015)
   From 71.6.165.200 - 3 packets to tcp(3790,7547,9051)
   From 71.6.167.142 - 3 packets to tcp(2222,8889,55554)
   From 71.41.82.139 - 2 packets to tcp(3389)
   From 74.82.47.9 - 1 packet to udp(19)
   From 74.82.47.23 - 1 packet to tcp(6379)
   From 74.82.47.33 - 1 packet to udp(17)
   From 74.82.47.34 - 1 packet to tcp(9200)
   From 74.82.47.40 - 1 packet to tcp(11211)
   From 74.82.47.57 - 1 packet to udp(19)
   From 74.82.47.61 - 1 packet to udp(17)
   From 74.94.157.212 - 3 packets to tcp(23)
   From 78.181.151.75 - 3 packets to tcp(23)
   From 78.188.23.62 - 3 packets to udp(53413)
   From 78.188.166.46 - 3 packets to udp(53413)
   From 80.82.70.24 - 14 packets to tcp(3128,3129,8000,8088,8090,8123,9064,21320)
   From 80.82.70.198 - 4 packets to tcp(4840,49320)
   From 80.82.78.8 - 2 packets to tcp(3389)
   From 80.82.79.104 - 4 packets to tcp(1080,8080)
   From 80.229.207.62 - 6 packets to tcp(23)
   From 81.214.66.103 - 3 packets to udp(53413)
   From 82.221.105.7 - 1 packet to tcp(1177)
   From 84.88.32.67 - 1 packet to tcp(8443)
   From 85.25.196.60 - 2 packets to udp(5060)
   From 85.90.245.5 - 2 packets to tcp(5632,9944)
   From 85.96.197.49 - 3 packets to udp(53413)
   From 85.97.108.16 - 4 packets to tcp(23)
   From 85.105.22.74 - 3 packets to udp(53413)
   From 88.247.11.254 - 4 packets to tcp(23)
   From 88.247.46.85 - 3 packets to udp(53413)
   From 88.247.144.24 - 3 packets to udp(53413)
   From 88.248.173.35 - 3 packets to udp(53413)
   From 88.250.184.152 - 3 packets to udp(53413)
   From 89.32.137.120 - 3 packets to tcp(23)
   From 91.121.39.149 - 1 packet to udp(11458)
   From 92.27.201.38 - 2 packets to udp(53413)
   From 93.171.205.11 - 5 packets to tcp(1000,1081,7777,8080,10000)
   From 93.174.93.17 - 2 packets to tcp(3389)
   From 93.174.93.130 - 2 packets to tcp(3389)
   From 93.174.93.181 - 2 packets to tcp(5900)
   From 93.174.93.225 - 2 packets to tcp(5900)
   From 95.9.167.25 - 3 packets to udp(53413)
   From 95.170.18.229 - 1 packet to udp(53413)
   From 96.7.49.67 - 1 packet to udp(40740)
   From 96.46.10.230 - 2 packets to tcp(3306)
   From 98.81.72.249 - 3 packets to tcp(23)
   From 101.109.151.177 - 3 packets to tcp(23)
   From 101.162.37.184 - 2 packets to tcp(23)
   From 103.224.167.155 - 4 packets to tcp(23)
   From 104.217.216.134 - 2 packets to tcp(3306)
   From 105.105.49.148 - 3 packets to udp(53413)
   From 106.141.76.88 - 3 packets to tcp(23)
   From 107.3.185.6 - 3 packets to tcp(23)
   From 108.59.4.195 - 2 packets to udp(5060)
   From 110.47.196.53 - 3 packets to tcp(23)
   From 110.54.7.76 - 3 packets to udp(53413)
   From 111.243.32.149 - 3 packets to tcp(23)
   From 113.170.57.162 - 4 packets to tcp(23)
   From 113.173.191.23 - 3 packets to tcp(23)
   From 113.190.125.103 - 4 packets to tcp(23)
   From 114.33.197.251 - 3 packets to udp(53413)
   From 114.33.250.82 - 3 packets to tcp(23)
   From 114.204.197.228 - 3 packets to udp(53413)
   From 115.165.198.132 - 3 packets to udp(53413)
   From 118.38.99.55 - 3 packets to tcp(23)
   From 118.39.73.224 - 3 packets to tcp(23)
   From 118.105.104.15 - 1 packet to udp(33850)
   From 118.173.138.45 - 3 packets to tcp(23)
   From 119.42.114.243 - 3 packets to udp(53413)
   From 119.236.240.12 - 3 packets to udp(53413)
   From 121.135.19.23 - 3 packets to tcp(23)
   From 121.146.165.96 - 2 packets to udp(53413)
   From 122.50.43.163 - 7 packets to udp(33850)
   From 124.120.172.174 - 3 packets to tcp(23)
   From 125.24.56.56 - 1 packet to tcp(23)
   From 139.162.142.121 - 1 packet to tcp(9944)
   From 141.212.122.86 - 1 packet to tcp(20000)
   From 141.212.122.93 - 1 packet to tcp(20000)
   From 141.212.122.119 - 1 packet to tcp(502)
   From 141.212.122.120 - 1 packet to tcp(502)
   From 141.212.122.133 - 1 packet to udp(47808)
   From 141.212.122.134 - 1 packet to udp(47808)
   From 141.212.122.140 - 1 packet to udp(47808)
   From 141.212.122.141 - 1 packet to udp(47808)
   From 149.202.61.97 - 2 packets to udp(5060)
   From 151.0.20.43 - 5 packets to tcp(23)
   From 151.236.221.126 - 1 packet to tcp(5632)
   From 152.204.9.123 - 3 packets to tcp(23)
   From 152.204.24.213 - 3 packets to tcp(23)
   From 155.94.64.106 - 2 packets to udp(5060)
   From 155.94.224.214 - 2 packets to tcp(3306)
   From 158.69.123.26 - 1 packet to udp(5072)
   From 162.248.100.195 - 1 packet to udp(123)
   From 168.62.238.153 - 2 packets to tcp(6661,6667)
   From 171.96.196.254 - 3 packets to tcp(23)
   From 173.208.176.26 - 2 packets to udp(5060)
   From 174.143.241.87 - 2 packets to tcp(23)
   From 175.203.140.112 - 3 packets to tcp(23)
   From 176.219.179.72 - 3 packets to udp(53413)
   From 177.36.248.37 - 4 packets to tcp(23)
   From 179.43.141.234 - 2 packets to udp(19)
   From 179.43.144.21 - 2 packets to udp(161)
   From 179.215.172.185 - 3 packets to tcp(4899)
   From 179.216.83.84 - 3 packets to tcp(23)
   From 180.94.129.12 - 4 packets to udp(53413)
   From 180.128.252.1 - 2 packets to tcp(22)
   From 181.28.70.105 - 3 packets to udp(53413)
   From 181.194.71.84 - 3 packets to tcp(23)
   From 181.194.72.124 - 3 packets to tcp(23)
   From 181.194.111.214 - 3 packets to tcp(23)
   From 181.196.76.202 - 3 packets to udp(53413)
   From 184.26.161.65 - 1 packet to udp(39579)
   From 184.105.139.67 - 2 packets to udp(161)
   From 184.105.139.72 - 1 packet to udp(123)
   From 184.105.139.73 - 1 packet to udp(1900)
   From 184.105.139.76 - 1 packet to udp(123)
   From 184.105.139.87 - 1 packet to tcp(11211)
   From 184.105.139.95 - 2 packets to tcp(9200,27017)
   From 184.105.139.101 - 1 packet to udp(1900)
   From 184.105.247.196 - 1 packet to udp(53413)
   From 184.105.247.215 - 1 packet to udp(5351)
   From 184.105.247.223 - 1 packet to udp(5351)
   From 184.105.247.232 - 1 packet to udp(53413)
   From 184.105.247.242 - 1 packet to udp(623)
   From 184.105.247.244 - 1 packet to tcp(6379)
   From 184.105.247.250 - 1 packet to udp(623)
   From 185.25.204.84 - 2 packets to udp(5093)
   From 185.35.62.137 - 1 packet to udp(123)
   From 185.35.62.186 - 1 packet to udp(123)
   From 185.56.82.22 - 2 packets to tcp(5631)
   From 185.130.5.201 - 11 packets to udp(53413)
   From 185.130.5.224 - 20 packets to udp(53413)
   From 186.78.34.179 - 3 packets to udp(53413)
   From 186.115.22.131 - 3 packets to tcp(23)
   From 186.182.100.224 - 3 packets to tcp(23)
   From 186.202.182.102 - 4 packets to tcp(8080)
   From 187.35.156.114 - 1 packet to tcp(23)
   From 188.72.99.99 - 2 packets to tcp(23)
   From 188.138.102.149 - 2 packets to udp(5060)
   From 188.138.118.21 - 2 packets to udp(5060)
   From 189.29.1.88 - 4 packets to tcp(23)
   From 190.43.40.183 - 3 packets to udp(53413)
   From 190.156.228.246 - 2 packets to udp(53413)
   From 190.197.117.254 - 2 packets to tcp(23)
   From 190.221.243.232 - 3 packets to tcp(23)
   From 190.221.255.133 - 3 packets to tcp(23)
   From 190.253.70.146 - 2 packets to udp(53413)
   From 191.83.245.52 - 3 packets to udp(53413)
   From 192.154.177.254 - 3 packets to tcp(23)
   From 193.105.134.220 - 8 packets to tcp(3128,8123,8888,21320)
   From 193.201.225.91 - 3 packets to tcp(22)
   From 193.201.225.93 - 6 packets to tcp(22)
   From 195.154.214.162 - 2 packets to tcp(8443)
   From 197.45.65.58 - 3 packets to tcp(23)
   From 197.149.26.144 - 3 packets to tcp(23)
   From 198.20.69.74 - 1 packet to tcp(8443)
   From 198.20.70.114 - 4 packets to udp(80,6881) tcp(5001,9051)
   From 198.20.99.130 - 2 packets to udp(5008) tcp(8080)
   From 199.115.117.88 - 4 packets to tcp(5038,5060)
   From 199.217.118.83 - 4 packets to udp(5060)
   From 200.91.130.57 - 3 packets to tcp(23)
   From 200.206.220.174 - 3 packets to tcp(23)
   From 200.229.208.250 - 4 packets to tcp(10000)
   From 201.191.93.176 - 3 packets to tcp(23)
   From 201.191.165.152 - 3 packets to tcp(23)
   From 201.192.6.25 - 3 packets to tcp(23)
   From 201.192.220.238 - 3 packets to tcp(23)
   From 201.196.211.50 - 3 packets to tcp(23)
   From 201.197.52.30 - 2 packets to tcp(23)
   From 201.197.121.186 - 3 packets to tcp(23)
   From 201.199.186.194 - 3 packets to tcp(23)
   From 201.203.57.84 - 3 packets to tcp(23)
   From 201.203.141.245 - 3 packets to tcp(23)
   From 201.206.144.59 - 3 packets to tcp(23)
   From 201.207.230.250 - 2 packets to tcp(23)
   From 201.237.194.2 - 3 packets to tcp(23)
   From 203.152.125.187 - 3 packets to tcp(23)
   From 203.236.50.12 - 2 packets to tcp(3306)
   From 206.125.76.108 - 3 packets to tcp(23)
   From 207.46.138.2 - 1 packet to tcp(9200)
   From 208.25.111.69 - 42 packets to tcp(22)
   From 208.67.1.11 - 2 packets to udp(1900)
   From 208.67.1.39 - 2 packets to tcp(22)
   From 208.73.206.244 - 4 packets to udp(5060)
   From 208.109.178.226 - 2 packets to tcp(22)
   From 209.126.101.29 - 2 packets to udp(5060)
   From 209.239.112.201 - 2 packets to udp(5060)
   From 209.239.123.101 - 2 packets to udp(6060)
   From 210.7.17.114 - 3 packets to tcp(23)
   From 210.66.64.166 - 4 packets to tcp(23)
   From 210.105.135.25 - 3 packets to tcp(23)
   From 210.201.219.22 - 2 packets to tcp(23)
   From 211.204.196.226 - 2 packets to udp(53413)
   From 212.83.187.236 - 2 packets to udp(5060)
   From 212.83.188.161 - 4 packets to udp(5060)
   From 216.218.206.105 - 1 packet to udp(1434)
   From 216.218.206.113 - 1 packet to udp(1434)
   From 216.218.206.122 - 1 packet to tcp(27017)
   From 217.23.10.231 - 2 packets to udp(5060)
   From 217.23.14.193 - 1 packet to udp(123)
   From 219.248.17.6 - 2 packets to udp(53413)
   From 220.79.120.164 - 3 packets to tcp(23)
   From 220.85.189.22 - 3 packets to tcp(23)
   From 220.94.70.40 - 1 packet to tcp(23)
   From 220.133.172.99 - 3 packets to udp(53413)
   From 221.145.254.178 - 2 packets to udp(53413)
   From 221.147.143.218 - 3 packets to tcp(23)

 ---------------------- iptables firewall End -------------------------


 --------------------- MailScanner Begin ------------------------


 MailScanner Status:
        52 messages Scanned by MailScanner
        393.4 Total KB
        2 Content Problems found by MailScanner
        52 Messages delivered by MailScanner

        52 Messages logged to MailWatch database

 Content Report: (Total Seen = 2)
     web bug tags: 2 Time(s)

 **Unmatched Entries**
    Deleted 1 messages from processing-database: 50 Time(s)
    Found 0 messages in the Processing Attempts Database: 15 Time(s)
    Connected to Processing Attempts Database: 15 Time(s)
    Reading configuration file /usr/mailscanner/etc/conf.d/README: 15 Time(s)
    Reading configuration file /usr/mailscanner/etc/MailScanner.conf: 15 Time(s)
    Deleted 2 messages from processing-database: 1 Time(s)

 ---------------------- MailScanner End -------------------------


 ###################### Logwatch End #########################

Last edited by unSpawn; 01-31-2016 at 03:06 AM. Reason: //vBB code tags
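To make the iptables section of the report above easier to read, here is an added example (not from the original post, and not Logwatch's own code): a small Python parser for the "Listed by source hosts" lines that aggregates probes per destination port, counts how many distinct sources hit each port, and flags hosts that sent an unusual number of packets. The input is a constructed excerpt of the report posted above; the PORT_HINTS labels are ordinary service names and are only a hint at what a scanner was probably looking for.

```python
"""Summarise the 'Listed by source hosts' section of a Logwatch iptables report.

Added example, not part of the original thread and not Logwatch code. The
SAMPLE_REPORT below is a constructed excerpt of the report in the first post.
"""
import re
from collections import defaultdict

# Constructed input: a handful of lines copied from the posted report.
SAMPLE_REPORT = """\
  Listed by source hosts:
 Logged 729 packets on interface eth0
   From 1.55.16.250 - 3 packets to udp(53413)
   From 5.39.222.253 - 1 packet to tcp(3306)
   From 14.34.243.156 - 3 packets to tcp(23)
   From 66.240.192.138 - 5 packets to udp(2222,5353) tcp(3749,13579,21025)
   From 80.82.70.24 - 14 packets to tcp(3128,3129,8000,8088,8090,8123,9064,21320)
   From 185.130.5.224 - 20 packets to udp(53413)
   From 193.201.225.93 - 6 packets to tcp(22)
   From 208.25.111.69 - 42 packets to tcp(22)
   From 221.147.143.218 - 3 packets to tcp(23)
"""

# Common service names for ports that show up in Internet background scanning.
# These are hints about what the scanner was looking for, nothing more.
PORT_HINTS = {
    ("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 3306): "mysql",
    ("tcp", 3389): "rdp", ("tcp", 1433): "mssql", ("tcp", 5900): "vnc",
    ("tcp", 6379): "redis", ("tcp", 11211): "memcached", ("tcp", 9200): "elasticsearch",
    ("tcp", 27017): "mongodb", ("tcp", 3128): "squid/http-proxy", ("tcp", 8080): "http-alt",
    ("udp", 5060): "sip", ("udp", 123): "ntp", ("udp", 161): "snmp", ("udp", 1900): "ssdp",
    ("udp", 53413): "unassigned (mass-scanned router backdoor port)",
}

LINE_RE = re.compile(r"^\s*From (\S+) - (\d+) packets? to (.*)$")
PROTO_RE = re.compile(r"(tcp|udp)\(([\d,]+)\)")


def parse_report(text):
    """Yield (source_ip, packet_count, [(proto, port), ...]) for each 'From' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, count, rest = m.group(1), int(m.group(2)), m.group(3)
        targets = [(proto, int(p)) for proto, ports in PROTO_RE.findall(rest)
                   for p in ports.split(",")]
        yield src, count, targets


def summarise(text):
    """Return {(proto, port): {"sources": distinct_ips, "packets": n}}.

    A line that covers several ports does not say how its packets were split,
    so the full count is attributed to each port: 'packets' is exact for
    single-port lines and an upper bound otherwise.
    """
    stats = defaultdict(lambda: {"sources": set(), "packets": 0})
    for src, count, targets in parse_report(text):
        for target in targets:
            stats[target]["sources"].add(src)
            stats[target]["packets"] += count
    return {t: {"sources": len(v["sources"]), "packets": v["packets"]}
            for t, v in stats.items()}


def top_sources(text, min_packets=10):
    """Sources that sent at least min_packets, busiest first.

    Many hosts sending 1-3 packets each is background scanning; one host
    hammering a single port (here 208.25.111.69 on tcp/22) is the line to look at.
    """
    return sorted(((src, count, targets) for src, count, targets in parse_report(text)
                   if count >= min_packets), key=lambda t: -t[1])


if __name__ == "__main__":
    for (proto, port), s in sorted(summarise(SAMPLE_REPORT).items(),
                                   key=lambda kv: -kv[1]["sources"]):
        hint = PORT_HINTS.get((proto, port), "")
        print(f"{proto}/{port:<6} {s['sources']:>3} sources {s['packets']:>4} packets  {hint}")
    for src, count, targets in top_sources(SAMPLE_REPORT):
        print(f"watch {src}: {count} packets to {targets}")
```

Run it against the full section of a real report by reading the Logwatch mail into `summarise()`; the interesting output is not the long tail of single-packet probes but the few sources that stand out in `top_sources()` and any port that is both scanned and actually open on the host.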
 
Old 01-31-2016, 05:14 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by ameran View Post
I have a VPS and run few websites on it.
For how long?


Quote:
Originally Posted by ameran View Post
I always receive log information from my server, but mostly I don't understand them.
...because running web services and reporting without understanding how to keep things safe isn't a good thing to do. Good you asked.


Quote:
Originally Posted by ameran View Post
Code:
 --------------------- Dovecot Begin ------------------------

 Dovecot disconnects:
    auth failed, 1 attempts in 2 secs: 1 Time(s)
    no auth attempts in 0 secs: 5 Time(s)
    no auth attempts in 1 secs: 1 Time(s)

 **Unmatched Entries**
    dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process “info@domain.com” from “IP '216.23.8.2'” for the “pop3” service.: 1 Time(s)

 ---------------------- Dovecot End -------------------------
You're running a web-based management panel. Consult its documentation. Check its user forum or other support options. Also, ticket 184113 may apply, and if that's the case you may have to update it.


Quote:
Originally Posted by ameran View Post
Code:
 --------------------- iptables firewall Begin ------------------------


  Listed by source hosts:
 Logged 729 packets on interface eth0
   From 1.55.16.250 - 3 packets to udp(53413)

   From 80.82.70.24 - 14 packets to tcp(3128,3129,8000,8088,8090,8123,9064,21320)

   From 200.229.208.250 - 4 packets to tcp(10000)

   From 217.23.14.193 - 1 packet to udp(123)

 ---------------------- iptables firewall End -------------------------
Your firewall (prolly via your web-based management panel) is set to log traffic. Check which criteria are used. Check your services access control lists to ensure no unauthorized access is possible.


Quote:
Originally Posted by ameran View Post
Code:
--------------------- MailScanner Begin ------------------------

 MailScanner Status:

        2 Content Problems found by MailScanner

 Content Report: (Total Seen = 2)
     web bug tags: 2 Time(s)

 **Unmatched Entries**
    Deleted 1 messages from processing-database: 50 Time(s)

    Deleted 2 messages from processing-database: 1 Time(s)

 ---------------------- MailScanner End -------------------------
Web bug tags are a given due to how online marketing works, so either you may judge that MailScanner is configured well in blocking those, or else, if you don't care, you may have to reconfigure it.
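The two checks suggested for the firewall section above ("check which criteria are used" to log, and "check your services access control lists") can be done mechanically. This is an added example, not code from the thread, from cPanel or from any firewall product: a Python model of first-match evaluation of the netfilter INPUT chain for a fresh TCP SYN or UDP datagram, run over a constructed `iptables -S INPUT` dump and a constructed `ss -Hlntu` listener list, reporting for every listening socket whether it is bound to a wildcard address, what the final verdict is, and whether a LOG rule sees it on the way. The rule set, listener list and source addresses are all assumptions made up for the example; only `-p`, `--dport`, `-s`, `-i`, `--state` and `-j` are modelled, and any rule using other matches is counted as "unmodelled" rather than silently ignored.

```python
"""Which listening ports does the INPUT chain actually let through, and are they logged?

Added example, not from the original thread or any panel/firewall product.
Both dumps below are constructed; real output may use matches this model
does not understand, which are reported as 'unmodelled' rather than guessed.
"""
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output (assumption, not from the post).
RULES_DUMP = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "Firewall: "
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
"""

# Constructed `ss -Hlntu` output: proto, state, recv-q, send-q, local, peer.
LISTENERS_DUMP = """\
udp   UNCONN 0 0   0.0.0.0:123      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:110      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5432   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3306     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8443     0.0.0.0:*
tcp   LISTEN 0 128 [::]:443         [::]:*
"""

VALUE_OPTS = ("-p", "--dport", "-s", "-i", "--state", "-j")
# Options whose argument does not change the verdict of a single NEW packet
# (module loaders, rate limits and LOG decoration).
SKIP_OPTS = ("-m", "--limit", "--limit-burst", "--log-prefix", "--log-level")


def parse_rules(dump, chain="INPUT"):
    """Return (policy, rules); each rule is a dict of the modelled options."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P" and toks[1] == chain:
            policy = toks[2]
            continue
        if toks[0] != "-A" or toks[1] != chain:
            continue
        rule, i = {"unmodelled": []}, 2
        while i < len(toks):
            if toks[i] in VALUE_OPTS:
                rule[toks[i]] = toks[i + 1]
                i += 2
            elif toks[i] in SKIP_OPTS:
                i += 2
            else:                      # negation, -d, --sport, other -m args ...
                rule["unmodelled"].append(toks[i])
                i += 1
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, proto, port, src="198.51.100.7", iface="eth0"):
    """First-match walk for a NEW packet. Returns (target, logged, unmodelled_count)."""
    src_ip, logged, unmodelled = ipaddress.ip_address(src), False, 0
    for r in rules:
        if r["unmodelled"]:
            unmodelled += 1            # cannot tell whether it matches; skip, but say so
            continue
        if "-i" in r and r["-i"] != iface:
            continue
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dport" in r and int(r["--dport"]) != port:
            continue
        if "-s" in r and src_ip not in ipaddress.ip_network(r["-s"], strict=False):
            continue
        if "--state" in r and "NEW" not in r["--state"].split(","):
            continue                   # a probe is NEW, not RELATED/ESTABLISHED
        target = r.get("-j")
        if target == "LOG":
            logged = True              # LOG is non-terminating: note it and keep walking
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, logged, unmodelled
        unmodelled += 1                # jump into a user chain we do not have
    return policy, logged, unmodelled


def parse_listeners(dump):
    """Yield (proto, local_addr, port) from `ss -Hlntu`-style lines."""
    for line in dump.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        addr, _, port = f[4].rpartition(":")
        yield f[0], addr.strip("[]"), int(port)


def exposure(rules_dump, listeners_dump, src="198.51.100.7"):
    """Map (proto, port) -> verdict for every listener, as seen from src.

    The IPv4 chain is applied to [::] listeners too, since dual-stack sockets
    take IPv4 connections; ip6tables needs a separate pass.
    """
    policy, rules = parse_rules(rules_dump)
    report = {}
    for proto, addr, port in parse_listeners(listeners_dump):
        if addr not in ("0.0.0.0", "::", "*"):
            report[(proto, port)] = {"verdict": "loopback-only", "logged": False, "unmodelled": 0}
            continue
        target, logged, unk = verdict(policy, rules, proto, port, src)
        report[(proto, port)] = {"verdict": target, "logged": logged, "unmodelled": unk}
    return report


if __name__ == "__main__":
    for key, v in sorted(exposure(RULES_DUMP, LISTENERS_DUMP).items()):
        print(f"{key[0]}/{key[1]:<6} {v['verdict']:<14} logged={v['logged']} unmodelled={v['unmodelled']}")
```

Read the output the way the report should be read: a port that is listening on 0.0.0.0 and ends in ACCEPT for an arbitrary source is the exposure, whether or not a scanner found it yesterday; a port that ends in DROP with `logged=True` is exactly what fills the Logwatch section above and is noise unless one source dominates. On a real host, feed it `iptables -S INPUT` and `ss -Hlntu` and treat any non-zero `unmodelled` count as "read those rules by hand".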
 
Old 01-31-2016, 05:29 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Apparently you crossposted your question: https://www.linuxquestions.org/quest...og-4175568853/ which is against the LQ Rules you agreed to adhere to when you signed up. Please do not do that ever again.
 
All times are GMT -5.