LogWatch query..

Newbee

Verified User
Joined
Feb 18, 2005
Messages
35
Hi

I've been sent a logWatch the last two days (had this server a few weeks now, but only recently created some 'accounts' on it). I have a few questions which I hope someone can help me with.

The main question is why does the 'Log' refer to the domain:

server.server.com

As this is not my domain (it was in the Admin control panel at the start as the server name but I replaced these details with my own server name). Interestingly at the top of the LogWatch it actually displays the correct domain name: "Logfiles for Host: Mycorrectdomainname.com"

At the bottom of the file you can see that someone has been trying to 'login' !! Is there any way to automatically ban failed login attempts after say 5 tries? I have the APF firewall running, should it have stepped in? Is this a Hack attempt?

Also, if anyone can see any probs in this log I'd be grateful if you could let me know as I'm quite new to this.

Thanks in Advance.

------------
################### LogWatch 4.3.2 (02/18/03) ####################
Processing Initiated: Tue Mar 15 04:02:03 2005
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: Mycorrectdomainname.com
################################################################

--------------------- Kernel Begin ------------------------

Dropped 446 packets on interface eth0
(lists packets)

Logged 488 packets on interface eth0
(lists packets)

---------------------- Kernel End -------------------------





--------------------- ModProbe Begin ------------------------


Can't locate these modules:
char-major-188: 4 Time(s)

---------------------- ModProbe End -------------------------




--------------------- Named Begin ------------------------


**Unmatched Entries**
stopping command channel on 127.0.0.1#953: 4 Time(s)
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700: 4 Time(s)

(lists zones)
zone mysiteone.com/IN: loaded serial 2005031200: 4 Time(s)


---------------------- Named End -------------------------



--------------------- pam_unix Begin ------------------------

su:
Sessions Opened:
admin(uid=500) -> root: 7 Time(s)
Authentication Failures:
admin(500) -> root: 2 Time(s)

sshd:
Invalid Users:
Unknown Account: 223 Time(s)
Authentication Failures:
unknown (45-dzi-4.acn.waw.pl ): 217 Time(s)
unknown (210.80.96.184 ): 6 Time(s)
root (45-dzi-4.acn.waw.pl ): 249 Time(s)


---------------------- pam_unix End -------------------------



--------------------- proftpd-messages Begin ------------------------


**Unmatched Entries**
server.server.com (199.72.200.14[199.72.200.14]) - no such user 'anonymous'
server.server.com (199.72.200.14[199.72.200.14]) - no such user 'anonymous'
server.server.com (199.72.200.14[199.72.200.14]) - no such user 'anonymous'
server.server.com (199.72.200.14[199.72.200.14]) - no such user 'anonymous'
server.server.com (199.72.200.14[199.72.200.14]) - no such user 'anonymous'
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
(repeats above line about 40 times)

server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
(repeats line above about 30 times)



server.server.com (82.2.122.179[82.2.122.179]) - FTP login timed out, disconnected
server.server.com (82.2.122.179[82.2.122.179]) - no such user 'ftp@one-of-my-sites-2'
server.server.com (82.2.122.179[82.2.122.179]) - no such user 'ftp@one-of-my-sites-2'
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-2): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
(repeats line about 100 times)


server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
(repeats line again about 100 times)

server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
(repeats line again about 30 times)

server.server.com (82.2.122.179[82.2.122.179]) - FTP session idle timeout, disconnected.
server.server.com (82.2.122.179[82.2.122.179]) - PAM(ftp@one-of-my-sites-1): User not known to the underlying authentication module.
server.server.com - ProFTPD killed (signal 15)
server.server.com - ProFTPD 1.2.9 standalone mode SHUTDOWN
proftpd shutdown succeeded
proftpd startup succeeded
server.server.com - ProFTPD 1.2.9 (stable) (built Wed Apr 21 13:41:02 MDT 2004) standalone mode STARTUP
server.server.com - ProFTPD killed (signal 15)
server.server.com - ProFTPD 1.2.9 standalone mode SHUTDOWN
proftpd shutdown succeeded
proftpd startup succeeded



---------------------- proftpd-messages End -------------------------



--------------------- SSHD Begin ------------------------


SSHD Killed: 4 Time(s)

SSHD Started: 4 Time(s)

Failed logins from these:
account/password from 62.121.67.45: 4 Time(s)
adam/password from 62.121.67.45: 4 Time(s)
adm/password from 62.121.67.45: 10 Time(s)
alan/password from 62.121.67.45: 4 Time(s)
apache/password from 62.121.67.45: 5 Time(s)
backup/password from 62.121.67.45: 4 Time(s)
cip51/password from 62.121.67.45: 4 Time(s)
cip52/password from 62.121.67.45: 4 Time(s)
cosmin/password from 62.121.67.45: 5 Time(s)
cyrus/password from 62.121.67.45: 5 Time(s)
data/password from 62.121.67.45: 4 Time(s)
frank/password from 62.121.67.45: 4 Time(s)
george/password from 62.121.67.45: 4 Time(s)
guest/password from 210.80.96.184: 3 Time(s)
henry/password from 62.121.67.45: 4 Time(s)
horde/password from 62.121.67.45: 5 Time(s)
iceuser/password from 62.121.67.45: 5 Time(s)
irc/password from 62.121.67.45: 10 Time(s)
jane/password from 62.121.67.45: 5 Time(s)
john/password from 62.121.67.45: 4 Time(s)
master/password from 62.121.67.45: 4 Time(s)
matt/password from 62.121.67.45: 5 Time(s)
mysql/password from 62.121.67.45: 5 Time(s)
nobody/password from 62.121.67.45: 5 Time(s)
noc/password from 62.121.67.45: 4 Time(s)
operator/password from 62.121.67.45: 5 Time(s)
oracle/password from 62.121.67.45: 4 Time(s)
pamela/password from 62.121.67.45: 5 Time(s)
patrick/password from 62.121.67.45: 10 Time(s)
rolo/password from 62.121.67.45: 5 Time(s)
root/password from 62.121.67.45: 249 Time(s)
server/password from 62.121.67.45: 4 Time(s)
sybase/password from 62.121.67.45: 4 Time(s)
test/password from 210.80.96.184: 3 Time(s)
test/password from 62.121.67.45: 24 Time(s)
user/password from 62.121.67.45: 12 Time(s)
web/password from 62.121.67.45: 8 Time(s)
webmaster/password from 62.121.67.45: 4 Time(s)
www-data/password from 62.121.67.45: 5 Time(s)
www/password from 62.121.67.45: 5 Time(s)
wwwrun/password from 62.121.67.45: 5 Time(s)

Users logging in through sshd:
admin logged in from [mydetails] using password: 6 Time(s)
admin logged in from [mydetails] using password: 1 Time(s)

**Unmatched Entries**
User nobody not allowed because not listed in AllowUsers
Illegal user patrick from 62.121.67.45
User nobody not allowed because not listed in AllowUsers
User nobody not allowed because not listed in AllowUsers
Illegal user patrick from 62.121.67.45
User nobody not allowed because not listed in AllowUsers
Illegal user patrick from 62.121.67.45
User nobody not allowed because not listed in AllowUsers
Illegal user patrick from 62.121.67.45
Illegal user patrick from 62.121.67.45
Illegal user patrick from 62.121.67.45
Illegal user patrick from 62.121.67.45
Illegal user patrick from 62.121.67.45
Illegal user patrick from 62.121.67.45
Illegal user patrick from 62.121.67.45
Illegal user rolo from 62.121.67.45
Illegal user iceuser from 62.121.67.45
Illegal user rolo from 62.121.67.45
Illegal user horde from 62.121.67.45
Illegal user rolo from 62.121.67.45
Illegal user iceuser from 62.121.67.45
Illegal user rolo from 62.121.67.45
Illegal user rolo from 62.121.67.45
Illegal user cyrus from 62.121.67.45
Illegal user iceuser from 62.121.67.45
Illegal user horde from 62.121.67.45
Illegal user iceuser from 62.121.67.45
Illegal user iceuser from 62.121.67.45
Illegal user www from 62.121.67.45
Illegal user horde from 62.121.67.45
Illegal user horde from 62.121.67.45
Illegal user horde from 62.121.67.45
Illegal user wwwrun from 62.121.67.45
Illegal user cyrus from 62.121.67.45
Illegal user cyrus from 62.121.67.45
Illegal user cyrus from 62.121.67.45
Illegal user cyrus from 62.121.67.45
Illegal user matt from 62.121.67.45
Illegal user www from 62.121.67.45
Illegal user www from 62.121.67.45
Illegal user www from 62.121.67.45
Illegal user www from 62.121.67.45
Illegal user wwwrun from 62.121.67.45
Illegal user wwwrun from 62.121.67.45
Illegal user wwwrun from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user wwwrun from 62.121.67.45
Illegal user matt from 62.121.67.45
Illegal user matt from 62.121.67.45
Illegal user matt from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user matt from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user www-data from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
User mysql not allowed because not listed in AllowUsers
Illegal user www-data from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user www-data from 62.121.67.45
Illegal user test from 62.121.67.45
User operator not allowed because not listed in AllowUsers
User mysql not allowed because not listed in AllowUsers
Illegal user www-data from 62.121.67.45
User mysql not allowed because not listed in AllowUsers
Illegal user www-data from 62.121.67.45
User adm not allowed because not listed in AllowUsers
User operator not allowed because not listed in AllowUsers
User mysql not allowed because not listed in AllowUsers
User operator not allowed because not listed in AllowUsers
User mysql not allowed because not listed in AllowUsers
User apache not allowed because not listed in AllowUsers
User adm not allowed because not listed in AllowUsers
User operator not allowed because not listed in AllowUsers
User adm not allowed because not listed in AllowUsers
User operator not allowed because not listed in AllowUsers
Illegal user irc from 62.121.67.45
User apache not allowed because not listed in AllowUsers
User adm not allowed because not listed in AllowUsers
User apache not allowed because not listed in AllowUsers
User adm not allowed because not listed in AllowUsers
Illegal user irc from 62.121.67.45
Illegal user irc from 62.121.67.45
User apache not allowed because not listed in AllowUsers
Illegal user irc from 62.121.67.45
User apache not allowed because not listed in AllowUsers
User adm not allowed because not listed in AllowUsers
Illegal user irc from 62.121.67.45
Illegal user irc from 62.121.67.45
Illegal user irc from 62.121.67.45
Illegal user irc from 62.121.67.45
User adm not allowed because not listed in AllowUsers
Illegal user irc from 62.121.67.45
User adm not allowed because not listed in AllowUsers
Illegal user irc from 62.121.67.45
User adm not allowed because not listed in AllowUsers
User adm not allowed because not listed in AllowUsers
Illegal user jane from 62.121.67.45
Illegal user pamela from 62.121.67.45
Illegal user jane from 62.121.67.45
Illegal user jane from 62.121.67.45
Illegal user pamela from 62.121.67.45
Illegal user pamela from 62.121.67.45
Illegal user jane from 62.121.67.45
Illegal user jane from 62.121.67.45
Illegal user pamela from 62.121.67.45
Illegal user pamela from 62.121.67.45
Illegal user cosmin from 62.121.67.45
Illegal user cosmin from 62.121.67.45
Illegal user cosmin from 62.121.67.45
Illegal user cosmin from 62.121.67.45
Illegal user cosmin from 62.121.67.45
Illegal user cip52 from 62.121.67.45
Illegal user cip52 from 62.121.67.45
Illegal user cip51 from 62.121.67.45
Illegal user cip51 from 62.121.67.45
Illegal user cip52 from 62.121.67.45
Illegal user cip52 from 62.121.67.45
Illegal user noc from 62.121.67.45
Illegal user cip51 from 62.121.67.45
Illegal user cip51 from 62.121.67.45
Illegal user noc from 62.121.67.45
Illegal user noc from 62.121.67.45
Illegal user noc from 62.121.67.45
Illegal user webmaster from 62.121.67.45
Illegal user webmaster from 62.121.67.45
Illegal user data from 62.121.67.45
Illegal user data from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user webmaster from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user webmaster from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user data from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user data from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user user from 62.121.67.45
Illegal user oracle from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user oracle from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user sybase from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user sybase from 62.121.67.45
Illegal user web from 62.121.67.45
Illegal user master from 62.121.67.45
Illegal user oracle from 62.121.67.45
Illegal user master from 62.121.67.45
Illegal user oracle from 62.121.67.45
Illegal user account from 62.121.67.45
Illegal user sybase from 62.121.67.45
Illegal user account from 62.121.67.45
Illegal user sybase from 62.121.67.45
Illegal user backup from 62.121.67.45
Illegal user master from 62.121.67.45
Illegal user backup from 62.121.67.45
Illegal user master from 62.121.67.45
Illegal user server from 62.121.67.45
Illegal user account from 62.121.67.45
Illegal user server from 62.121.67.45
Illegal user account from 62.121.67.45
Illegal user adam from 62.121.67.45
Illegal user backup from 62.121.67.45
Illegal user adam from 62.121.67.45
Illegal user alan from 62.121.67.45
Illegal user backup from 62.121.67.45
Illegal user server from 62.121.67.45
Illegal user alan from 62.121.67.45
Illegal user frank from 62.121.67.45
Illegal user server from 62.121.67.45
Illegal user adam from 62.121.67.45
Illegal user frank from 62.121.67.45
Illegal user george from 62.121.67.45
Illegal user adam from 62.121.67.45
Illegal user alan from 62.121.67.45
Illegal user george from 62.121.67.45
Illegal user henry from 62.121.67.45
Illegal user alan from 62.121.67.45
Illegal user frank from 62.121.67.45
Illegal user henry from 62.121.67.45
Illegal user john from 62.121.67.45
Illegal user frank from 62.121.67.45
Illegal user george from 62.121.67.45
Illegal user john from 62.121.67.45
Illegal user george from 62.121.67.45
Illegal user henry from 62.121.67.45
Illegal user henry from 62.121.67.45
Illegal user john from 62.121.67.45
Illegal user john from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 62.121.67.45
Illegal user test from 210.80.96.184
Illegal user test from 210.80.96.184
Illegal user test from 210.80.96.184
Illegal user guest from 210.80.96.184
Illegal user guest from 210.80.96.184
Illegal user guest from 210.80.96.184

---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda2 28G 2.9G 24G 12% /
/dev/hda1 99M 9.0M 85M 10% /boot
none 124M 0 124M 0% /dev/shm


###################### LogWatch End #########################
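The "ban after 5 tries" question above, worked as an added detection example (this is not code from the thread, from LogWatch or from APF): it tallies the sshd failures per source address from the two LogWatch sections shown in the post, flags sources over a threshold, and separates dictionary-style sources (names that do not exist on the box) from sources hitting real accounts. The sample input is constructed from the line patterns in the post; 198.51.100.7 is a documentation address added for contrast.

```python
"""Tally sshd failures per source address from LogWatch 4.x output."""
import re
from collections import Counter, defaultdict

# Summary section, e.g. "account/password from 62.121.67.45: 4 Time(s)"
SUMMARY_RE = re.compile(
    r"^\s*(?P<user>[^/\s]+)/password from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)")
# Unmatched entries, e.g. "Illegal user patrick from 62.121.67.45"
# (sshd says 'Illegal user' when the account does not exist at all)
ILLEGAL_RE = re.compile(r"^\s*Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_failed_logins(text):
    """Return {ip: Counter({user: attempts})} from the summary section."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            per_ip[m["ip"]][m["user"]] += int(m["n"])
    return per_ip


def nonexistent_users(text):
    """Usernames reported as 'Illegal user' (no such account), per source IP."""
    per_ip = defaultdict(set)
    for line in text.splitlines():
        m = ILLEGAL_RE.match(line)
        if m:
            per_ip[m["ip"]].add(m["user"])
    return per_ip


def sources_over_threshold(per_ip, threshold=5):
    """[(ip, total_failures)] for sources above threshold, worst first."""
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted(((ip, n) for ip, n in totals.items() if n > threshold),
                  key=lambda t: -t[1])


def classify(per_ip, illegal):
    """'dictionary' if the source tried names that do not exist here (the
    default-login scan described in the replies), 'valid-account' if every
    attempt targeted a real account, which deserves a closer look."""
    return {ip: ("dictionary" if illegal.get(ip) else "valid-account")
            for ip in per_ip}


# Constructed sample in the LogWatch SSHD section format from the post.
SAMPLE = """\
Failed logins from these:
   account/password from 62.121.67.45: 4 Time(s)
   root/password from 62.121.67.45: 249 Time(s)
   test/password from 210.80.96.184: 3 Time(s)
   guest/password from 210.80.96.184: 3 Time(s)
   admin/password from 198.51.100.7: 2 Time(s)

**Unmatched Entries**
Illegal user account from 62.121.67.45
Illegal user test from 210.80.96.184
Illegal user guest from 210.80.96.184
"""

if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE)
    illegal = nonexistent_users(SAMPLE)
    kinds = classify(failures, illegal)
    for ip, n in sources_over_threshold(failures, threshold=5):
        top = failures[ip].most_common(1)[0][0]
        print(f"{ip}: {n} failures ({kinds[ip]}), most-tried user: {top}")
```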
 
There doesn't seem to be anything unusual here.

The failed login attempts are likely from ssh (which should be open to apf) and are likely a script kiddie looking for default logins. You'll get these a lot--don't worry about them (unless you see an actual login for one of these users...)

The server.server.com thing is weird... What does DA think your hostname is? Anything weird in /etc/hosts? What does the ftp server think your domain is? What does the "domainname" command show you?
 
Hi Ballyn, thanks for replying.

When I type in hostname it tells me the correct server name, however when I type in 'domainname' it says: none

Right.... when I: emacs hosts in the etc file it says:


# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
44.33.404.85 server.server.com
44.33.404.85 my-correct-domain here.com

should I change the server.server.com to my own domain name?
How come DA didn't do it automatically? Also, how come they are both showing the same IP? (I thought they were meant to be different, so should I add one of our other IPs by changing it there?)

Thanks for your help :-)
 
You shouldn't have two entries in /etc/hosts with the same IP address. I would delete the incorrect line.
 
Newbee said:
When I type in hostname it tells me the correct server name, however when I type in 'domainname' it says: none
If you look at "man domainname" you'll find (among other stuff) this:

domainname - show or set the system’s NIS/YP domain name

It's unlikely you're using NIS or YP on your server, so none is the right answer.
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
44.33.404.85 server.server.com
44.33.404.85 my-correct-domain here.com

should I change the server.server.com to my own domain name?
Is the last line of the file your own domain name? If so, then just delete the incorrect line.

If the last line isn't your domain name, then what is it?
How come DA didn't do it automatically?
Because it doesn't. DA doesn't change what it doesn't fully manage, because doing so could change something you've entered.

Fixing it won't change the number of lines in your logwatch email; it'll just let them show up with the right domain name (it's a local form of reverse DNS).

Also, how come they are both showing the same IP? (I thought they were meant to be different, so should I add one of our other IPs by changing it there?)
/etc/hosts maps hosts and services to IP#s. You can have lots of hosts and services on the same IP#; so there's no reason to delete one before adding another.

Jeff
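Jeff's point that the name in the log comes from a local form of reverse DNS, as an added example (not code from the thread or from DirectAdmin): glibc's "files" resolver takes the first /etc/hosts line whose address matches, and the first name on that line becomes the canonical hostname, so with two lines for one IP the earlier, stale line wins. The hosts contents below are constructed, and the documentation address 192.0.2.10 stands in for the poster's IP.

```python
"""Which name a local (/etc/hosts) reverse lookup yields for an address."""


def parse_hosts(text):
    """Return [(ip, [names...])] in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. trailing ones
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def reverse_lookup(text, ip):
    """Canonical name for ip: first name on the first matching line, or None."""
    for addr, names in parse_hosts(text):
        if addr == ip:
            return names[0]
    return None


def duplicate_ips(text):
    """Addresses listed on more than one line, with the name each line gives.
    The first name in each list is the one lookups will actually return."""
    seen = {}
    for ip, names in parse_hosts(text):
        seen.setdefault(ip, []).append(names[0])
    return {ip: n for ip, n in seen.items() if len(n) > 1}


# Constructed: the file as the poster found it (stale line first).
BEFORE = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.0.2.10 server.server.com
192.0.2.10 my-correct-domain-is-here.com
"""

# Constructed: the file after deleting the incorrect line.
AFTER = """\
127.0.0.1 localhost.localdomain localhost
192.0.2.10 my-correct-domain-is-here.com
"""

if __name__ == "__main__":
    print("before:", reverse_lookup(BEFORE, "192.0.2.10"), duplicate_ips(BEFORE))
    print("after: ", reverse_lookup(AFTER, "192.0.2.10"), duplicate_ips(AFTER))
```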
 
Hi Both, thanks for replying.

Yes Jeff the second line was showing the correct domain, so I've deleted the line above it.

Also, is it a good idea to place another one of my other IPs in there for the same domain?

So it would read:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
44.33.404.85 my-correct-domain-is-here.com
44.33.404.86 my-correct-domain-is-here.com

Sorry to sound like such a thicko.
Thanks in advance.
 
You don't really need either of them. DA puts them there so everything will work before you put your domain into DNS, or even if you never do (some admins buy a domain just for the server and then forget to put it into DNS).

They also come in handy when reverse DNS isn't set up properly.

I'd leave it alone.

Jeff
 
Hi

The same thing happened in last night's email :-(

So I had another look and found that in etc/hosts.tmp it said:

127.0.0.1 localhost.localdomain localhost
44.33.404.85 server.server.com

so I changed that to my own domain name. Should I have?

Also I did: locate server.server
and it showed this:

/var/lib/mysql/server.server.com.err
/var/lib/mysql/server.server.com.pid
/etc/virtual/server.server.com

should these be deleted or changed?

Thanks in advance.
 
Newbee said:
So I had another look and found that in etc/hosts.tmp it said:

127.0.0.1 localhost.localdomain localhost
44.33.404.85 server.server.com

so I changed that to my own domain name. Should I have?
/etc/hosts.tmp isn't used for anything.

Are you still getting the entries?

Also I did: locate server.server
and it showed this:

/var/lib/mysql/server.server.com.err
/var/lib/mysql/server.server.com.pid
/etc/virtual/server.server.com

should these be deleted or changed?
It really doesn't matter. I'd leave them alone.

Jeff
 
Hi Jeff

It seems to have sorted itself out now. Apologies because I meant to come back and report but have been busy with a bunch of sites lately.

Thanks for all your help!
 