Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello everyone, my first post on here, go easy on me :-)
I am getting the following in my /var/log/auth.log file (see below). This is repeated every 5 minutes. I have put the bit I am concerned about in red. I have tried putting root in my AllowedUsers section of sshd_config and tried setting PermitRootLogin yes too. It makes no difference. In either case I want to find out what process is trying to connect from my local host (assume) to my local host on ssh2, why it wants to, and why it is failing. This has been driving me mad for 24hrs now. Any ideas gratefully received.
Thanks D.
Jun 1 14:40:02 SDSHU CRON[23875]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23874]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23876]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:05 SDSHU sshd[23964]: Connection from 127.0.0.1 port 38136
Jun 1 14:40:05 SDSHU CRON[23874]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:05 SDSHU sshd[23964]: Failed none for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:05 SDSHU sshd[23964]: Failed password for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:06 SDSHU sshd[23964]: last message repeated 2 times
Jun 1 14:40:06 SDSHU CRON[23876]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:13 SDSHU CRON[23875]: pam_unix(cron:session): session closed for user root
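The log excerpt above already carries the two facts needed to narrow this down: the sshd PID and source port of each local connection, and the open/close window of every cron session. The following script is an added example (not from the original poster or from Security Onion) that parses such auth.log lines, finds every sshd "Connection from" event, lists the authentication methods that failed on that sshd PID, and names the CRON PIDs whose session was open at that moment. The sample input is the excerpt from the post, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample input: the auth.log excerpt quoted in the post above.
SAMPLE_LOG = """\
Jun 1 14:40:02 SDSHU CRON[23875]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23874]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:02 SDSHU CRON[23876]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 14:40:05 SDSHU sshd[23964]: Connection from 127.0.0.1 port 38136
Jun 1 14:40:05 SDSHU CRON[23874]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:05 SDSHU sshd[23964]: Failed none for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:05 SDSHU sshd[23964]: Failed password for root from 127.0.0.1 port 38136 ssh2
Jun 1 14:40:06 SDSHU sshd[23964]: last message repeated 2 times
Jun 1 14:40:06 SDSHU CRON[23876]: pam_unix(cron:session): session closed for user root
Jun 1 14:40:13 SDSHU CRON[23875]: pam_unix(cron:session): session closed for user root
"""

ASSUMED_YEAR = 2013  # assumption: syslog lines carry no year, so one is supplied for parsing

# "Mon DD HH:MM:SS host prog[pid]: message"; the [pid] part is optional.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^Connection from (?P<src>\S+) port (?P<port>\d+)")
FAIL_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
LOCAL_SOURCES = {"127.0.0.1", "::1"}


def parse_events(text, year=ASSUMED_YEAR):
    """Turn raw auth.log text into a list of event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]})
    return events


def cron_sessions(events):
    """Map each CRON pid to its [opened, closed] window; closed stays None if never logged."""
    sessions = {}
    for e in events:
        if e["prog"] != "CRON":
            continue
        if "session opened" in e["msg"]:
            sessions[e["pid"]] = [e["ts"], None]
        elif "session closed" in e["msg"] and e["pid"] in sessions:
            sessions[e["pid"]][1] = e["ts"]
    return sessions


def correlate(text, year=ASSUMED_YEAR):
    """For every sshd 'Connection from' line report the source, whether it is loopback,
    the auth methods that failed on that sshd pid, and the cron sessions open at that time."""
    events = parse_events(text, year)
    sessions = cron_sessions(events)
    results = []
    for e in events:
        if e["prog"] != "sshd":
            continue
        c = CONN_RE.match(e["msg"])
        if not c:
            continue
        # All failure lines logged by the same sshd child pid belong to this connection.
        failed = []
        for f in events:
            if f["prog"] == "sshd" and f["pid"] == e["pid"]:
                fm = FAIL_RE.match(f["msg"])
                if fm and fm["method"] not in failed:
                    failed.append(fm["method"])
        # Cron jobs whose PAM session was open (inclusive bounds) when the connection arrived.
        candidates = sorted(
            pid for pid, (opened, closed) in sessions.items()
            if opened <= e["ts"] and (closed is None or e["ts"] <= closed)
        )
        results.append({
            "ts": e["ts"].strftime("%H:%M:%S"),
            "sshd_pid": e["pid"],
            "source": f"{c['src']}:{c['port']}",
            "local_source": c["src"] in LOCAL_SOURCES,
            "failed_methods": failed,
            "candidate_cron_pids": candidates,
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
```

Run against a real file with `correlate(open("/var/log/auth.log").read())`. On the excerpt it reports one loopback connection handled by sshd[23964], failing first with the "none" method and then with "password", while three cron sessions (23874, 23875, 23876) were open; the candidate list is what to compare against the crontab entries that fire on the same 5-minute schedule. Because the source port changes on every attempt, the only way to tie the connection to a live process is to look during the window itself, for example with `ss -tnp` filtered on port 22 just as the cron minute ticks over.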
Hi, yes, there are a number of cron jobs, but if it's one of these which is making the request to SSH I wouldn't know how to tell which one, what it's doing and why it failed. Any further help gratefully received. Thanks.
OK, thanks. I'm using the Security Onion distro. Having searched around the Security Onion forums I found there is a cron job that runs every 5 minutes. It calls a script to restart sensors when needed. I'll take a look at that script for clues. With regard to the root password, no, I never set one and apparently one isn't set by default, and the account should be locked according to Doug who put Security Onion together. Which is odd as I can access it with sudo su. I did install the remote access server NX and recall having a fight getting that to work with ssh2, not sure if something I did there has caused a problem. I'll investigate that too. Thanks for your help so far.
unSpawn, thanks, I am aware of that. However, there is a process trying to use ssh with root. Security Onion has PermitRootLogin set to yes by default. Changing it to no was one of the changes I made originally; I thought it could have some bearing on this issue so I changed it back. Doing so removed other errors, notably one saying that logging in as root wasn't permitted. I agree whatever is using it shouldn't be using it; if I can find what it is I'll try and amend it to not use root.