<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">Greetings.<br>
<br>
I'm running CentOS on multiple machines and a few third-party VPS's and
have some odd logging issues today. It all started when tcpwrappers
couldn't seem to recognize my PC's hostname as being a valid hostname
for access. Fortunately I was able to get in with a direct IP.<br>
<br>
When trying to discover what's going on, I found some very odd entries
in the secure log...<br>
(IP's changed to protect the identity of my PC and the machines)<br>
<br>
Mar 8 17:55:53 server123 sshd[3053]: Failed publickey for root from
::ffff:192.168.87.119 port 45686 ssh2<br>
Mar 8 17:55:55 server123 sshd[3053]: Accepted password for root from
::ffff:192.168.87.119 port 45686 ssh2<br>
Mar 8 09:55:55 server123 sshd[3052]: Accepted password for root from
::ffff:192.168.87.119 port 45686 ssh2<br>
Mar 8 18:01:18 server123 sshd[4743]: Failed publickey for root from
::ffff:192.168.87.119 port 45692 ssh2<br>
Mar 8 18:01:20 server123 sshd[4743]: Accepted password for root from
::ffff:192.168.87.119 port 45692 ssh2<br>
Mar 8 10:01:20 server123 sshd[4742]: Accepted password for root from
::ffff:192.168.87.119 port 45692 ssh2<br>
Mar 8 10:01:38 server123 sshd[4792]: reverse mapping checking
getaddrinfo for s0106001111e058c2.myispdomain.net failed - POSSIBLE
BREAKIN ATTEMPT!<br>
Mar 8 10:01:38 server123 sshd[4792]: Accepted password for root from
::ffff:10.10..161.102 port 57689 ssh2<br>
Mar 8 10:01:38 server123 sshd[4793]: Accepted password for root from
::ffff:10.10..161.102 port 57689 ssh2<br>
Mar 8 18:07:19 server123 sshd[6411]: Connection closed by
::ffff:10.10..161.102<br>
Mar 8 18:09:02 server123 sshd[6699]: Accepted password for root from
::ffff:10.10..161.102 port 58017 ssh2<br>
Mar 8 10:09:02 server123 sshd[6698]: Accepted password for root from
::ffff:10.10..161.102 port 58017 ssh2<br>
<br>
This snippet is in order that it appears in the database. Notice the
timestamp. It starts off thinking it's almost 6pm then reverts th the
correct time of almost 10am, then to 6pm, then back to 10am and so on
and so forth.<br>
Upon looking back even further, I can see that this has been happening
as far back as the secure logs go... Early February.<br>
<br>
Checking through other machines, most seem to have this behavior, but
some do not. The machines I've updated using "yum update" recently
seem to be the ones with this odd behavior. Machines that are less
up-to-date don't seem to have any weird logging and accept my SSH as
expected.<br>
<br>
I've been watching the server time using date and it seems to always
report what it should...<br>
</font>
<pre class="moz-signature" cols="72">--
Mike</pre>
</body>
</html>