Hi,

I'm using debian squeeze as a root web server. I'm checking my logs with the help of ossec. This morning I got a "possible attack warning" because of the following log (auth.log):

Its just weired for me that it comes from 127.0.0.1... I wasnt logged in into the server. How can I find out more about what happend at this time or which cron did this?

Kim

p.s: sry I wanted to put this into Security!

You don't need to, that's why you have cron jobs.


The problem is Linux doesn't come with extensive logging enabled to provide you with a full audit trail on installation. If you need it you have to configure it beforehand.



Recursively list and grep all cron job directories and crontab files (/etc/crontab, /etc/cron.*/, /var/cron/, /var/spool/cron, etc, etc) for any name or application hinting at any service checking or run the cron daemon in debug mode: '/path/to/crond -x sch,proc,test' (or 'crond -x sch,proc,test 2>&1 | tee | while read LINE; do echo "$(/bin/date +'%b %d %H:%M:%S hostname') crondebug ${LINE}"; done | tee /var/log/cron.debug' if you want to correlate things a wee bit easier). Note you should only use the latter if from your auth.log entries you have determined it is a job running at a low interval and you should not use ",test" on systems where you can not afford to not run jobs like production servers.


Yeah, but I'll find it anyway ;-p *Next time use the report button on your post to ask a moderator to move your thread for you.

Hi,

thank you! I managed to find out that this was related with stunnel. I tunnel ssh traffic through https on my server (to fool some company outgoing firewalls...). And this was some traffic from some bots that connected via stunnel/https to try yo find something... and that was transferred to sshd because of stunnel.

complicated

thx,
Kim