LogWatch & PAM

luppie

In the logging that I get from Logwatch, a few weird entries pop up every day about proftpd.

The message is User not known to the underlying authentication module.

Does somebody know what causes this and how I can prevent it from happening?




    --------------------- proftpd-messages Begin ------------------------


    **Unmatched Entries**
    lupsrv01.luppie.net (82.75.102.250[82.75.102.250]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (82.75.102.250[82.75.102.250]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (82.75.102.250[82.75.102.250]) - FTP session idle timeout, disconnected.
    lupsrv01.luppie.net (82.75.102.250[82.75.102.250]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (213.84.101.57[213.84.101.57]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (213.84.101.57[213.84.101.57]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - PAM([email protected]): User not known to the underlying authentication module.
    lupsrv01.luppie.net (131.151.186.238[131.151.186.238]) - FTP session idle timeout, disconnected.
    80.69.85.28 (213.84.93.197[213.84.93.197]) - FTP no transfer timeout, disconnected
    80.69.85.28 (213.84.93.197[213.84.93.197]) - FTP no transfer timeout, disconnected

    ---------------------- proftpd-messages End -------------------------
 
I'd guess that people are trying to log into your server under nonexistent accounts.

Jeff
 
Well, these accounts all exist on my FTP server and the login on the FTP is successful.
 
I can confirm this. When I ftp site changes, I can guarantee an entry in logwatch like:

**Unmatched Entries**
domain.net (IP[IP]) - PAM([email protected]): User not known to the underlying authentication module.

The IP is my cox.net IP so I KNOW it means me.

DaveR~
 
Okay, I just did a bit of research.

Your program (perhaps FTP) tries several different login methods. It first finds one (or more) that doesn't work, so it goes on to the next, until it finds one that works.

The ones that don't work of course never get logged out so they're unmatched entries.

Byproduct of using PAM. Which you're doing because the program is compiled to use it.

Jeff
 
Well, it's a clean install of CentOS with DA on top of it, nothing more, nothing less. Maybe it's because of CentOS.

But does anyone know how to change the order of login methods so this non-error isn't showing in the logs?

Just trying to make the logs more readable.
 
It's probably a CentOS issue; I don't have any log output in front of me right now.

Changing the authentication order? Probably needs to be done by rewriting something in the PAM library. There may be a config issue; I'm not sure.

You can probably configure LogWatch to ignore it. In fact we may have; I really don't remember.

Jeff
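
Added example, not part of the original thread and not code from ProFTPD or Logwatch: a small triage script that follows the explanation given above and separates PAM "User not known" lines that are later followed by a successful login for the same user and client IP (authentication fall-through) from those that never are (worth reviewing). The sample lines, host names and addresses are constructed, and the `USER <name>: Login successful.` line format is an assumption to check against your own ProFTPD log.

```python
import re
from collections import Counter

# Line shape as shown in the thread: "<server> (<client>[<ip>]) - <message>"
LINE = re.compile(r"^\S+ \((?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$")
PAM_UNKNOWN = re.compile(
    r"^PAM\((?P<user>[^)]+)\): User not known to the underlying authentication module\.?$"
)
# Assumed format of the success message; adjust to match your own log.
LOGIN_OK = re.compile(r"^USER (?P<user>\S+): Login successful\.?$")

# Constructed sample input (documentation addresses, made-up users).
SAMPLE = """\
ftp.example.net (192.0.2.10[192.0.2.10]) - PAM(alice@example.net): User not known to the underlying authentication module.
ftp.example.net (192.0.2.10[192.0.2.10]) - USER alice@example.net: Login successful.
ftp.example.net (198.51.100.7[198.51.100.7]) - PAM(admin): User not known to the underlying authentication module.
ftp.example.net (198.51.100.7[198.51.100.7]) - PAM(admin): User not known to the underlying authentication module.
ftp.example.net (198.51.100.7[198.51.100.7]) - PAM(test): User not known to the underlying authentication module.
ftp.example.net (198.51.100.7[198.51.100.7]) - FTP session idle timeout, disconnected.
""".splitlines()

def triage(lines):
    """Return (fallthrough, unresolved) Counters keyed by (client_ip, user)."""
    pending, fallthrough = Counter(), Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a proftpd message line in the expected shape
        ip, msg = m["ip"], m["msg"]
        if (p := PAM_UNKNOWN.match(msg)):
            pending[(ip, p["user"])] += 1
        elif (ok := LOGIN_OK.match(msg)):
            key = (ip, ok["user"])
            if pending[key]:
                # Another auth module accepted the user: the PAM miss was fall-through.
                fallthrough[key] += pending.pop(key)
    return fallthrough, +pending  # unary + drops empty entries

if __name__ == "__main__":
    benign, review = triage(SAMPLE)
    print("fall-through (login succeeded afterwards):", dict(benign))
    print("no successful login seen, review:", dict(review))
```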
 